
mp3fax.exe and netcmd.exe


This topic is locked
9 replies to this topic

#1 benwai123

  • Members
  • 5 posts

Posted 11 November 2004 - 11:20 AM

Recently my PC has become slow. After anti-virus and Spybot, on occasions the CPU usage jumped up to above 80%. The Task Manager process list showed that mp3fax.exe and netcmd.exe are suspect. Further investigation showed mp3fax was a hidden file in /windows/system32. I tried to manually remove it from the registry via regedit but still could not get rid of it. Here below is the HijackThis log. Please have a look and advise what to do to clear them out.

Thanks


Hi, I am new here and I am having a problem with a task named "mp3fax.exe" which from time to time eats up to 80% of CPU power. I found this in the machine registry and an exe file with the hidden attribute in \windows\systems

I tried removing the registry entry and the file with "hijackthis", KillBox and even with regedit. But the registry entry was still there when rebooted. Here below is my HijackThis log. Please give me some hint what to do.

Thanks a lot

Ben

--------------------------------------------------------------------
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Norton Internet Security\SymProxySvc.exe
E:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\VERITAS Software\StorageGuard\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\IMWEBSTA.EXE
E:\utilities\Winamp\Winampa.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
E:\Program Files\Norton Internet Security\IAMAPP.EXE
E:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\Config\mp3fax.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\QTRAYIME.EXE
C:\Program Files\Yahoo!\YPSR\ypsr.exe
C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\ycomp_5.5.7.0_ypsr_1.8_setup_.exe
C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\GLB2F.tmp
C:\WINDOWS\System32\wuauclt.exe
E:\Netscape\Netscape 6\Netscp.exe
E:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\IBMUSER\Application Data\Mozilla\Profiles\default\655cj03t.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://E%3A%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\IBMUSER\Application Data\Mozilla\Profiles\default\655cj03t.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\lituteni.dat
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\lituteni.dat
O2 - BHO: CATLEvents Object - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\lituteni.dat
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\xaf3pm.dat
O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\aluesm.dat
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\StorageGuard\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IMWEBSTA.EXE] IMWEBSTA.EXE START
O4 - HKLM\..\Run: [WinampAgent] "E:\utilities\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [imjpmig] E:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [iamapp] E:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [*dllms] C:\WINDOWS\AppPatch\dllms.exe
O4 - HKLM\..\Run: [*netcmd] C:\WINDOWS\repair\netcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [*mp3fax] C:\WINDOWS\Config\mp3fax.exe
O4 - HKLM\..\RunOnce: [*mp3fax] C:\WINDOWS\Config\mp3fax.exe rerun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\Registration\dlldvd.exe ren time:1100138307
O4 - Startup: Q9 Tray.lnk = C:\WINDOWS\system32\QTRAYIME.EXE
O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SonicWALL VPN Client.lnk = C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\Common Files\Microsoft Shared\TextConv\PDF32\IEShellExt.dll /101
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C38DC91-BB3F-4CA0-B9E8-B6540D24E640}: NameServer = 61.93.230.187,203.80.96.9,203.80.96.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{6AAD6C79-6B22-40BD-8C87-A5A402C19123}: NameServer = 203.80.96.10,205.252.144.77,
O17 - HKLM\System\CS1\Services\Tcpip\..\{3C38DC91-BB3F-4CA0-B9E8-B6540D24E640}: NameServer = 61.93.230.187,203.80.96.9,203.80.96.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{3C38DC91-BB3F-4CA0-B9E8-B6540D24E640}: NameServer = 61.93.230.187,203.80.96.9,203.80.96.10


#2 Daisuke

    Cleaner on Duty

  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 11 November 2004 - 04:01 PM

Hi benwai123,

Please do not try to remove anything. It will make the malware more difficult to remove.

1. Very important: REBOOT your computer and

2. Please post a fresh HijackThis log.

Please post the complete log.
Never trim the Hijackthis Log. We need all information contained in that log, so please include everything from the original log.

Run HijackThis again. Press the Scan button, then Save Log.
Notepad will open.

In Notepad click
Edit menu --> Select All
then
Edit menu --> Copy

When responding to a post from one of our HJT Team members, please reply in the same topic - click the Add Reply button. Do not create a new topic for your reply. This will cause confusion and only cause a delay in the help you are receiving.

Right click in the message area and click on the paste option to paste the log into the post.

Edited by cryo, 11 November 2004 - 04:02 PM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#3 benwai123
  • Topic Starter

  • Members
  • 5 posts

Posted 11 November 2004 - 09:26 PM

Hi, 2383, thanks for the advice.

I have rebooted XP and rerun HijackThis. The log is attached.

Thanks a lot

Attached Files



#4 Daisuke

    Cleaner on Duty

  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 12 November 2004 - 04:28 AM

Hi

Please follow carefully each step. Double check it.

Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

Skip if KillBox is present.
Download KillBox here:
KillBox. Unzip it to your desktop.

Disconnect from the Internet.

Note: please read this carefully, as the steps do repeat a few times, but the last step does change a bit.
Copy & paste the path + filename in Killbox "Full path of file to delete" field.

Start Killbox.exe

Select the Delete on reboot option.

1. Copy and paste the line below in the field labeled "Full path of file to delete"
C:\Documents and Settings\IBMUSER\Local Settings\Temp\lituteni.dat

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

2. Copy and paste the line below in the field labeled "Full path of file to delete"
C:\Documents and Settings\IBMUSER\Local Settings\Temp\xaf3pm.dat

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

3. Copy and paste the line below in the field labeled "Full path of file to delete"
C:\Documents and Settings\IBMUSER\Local Settings\Temp\aluesm.dat

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

4. Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\AppPatch\dllms.exe

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

5. Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\repair\netcmd.exe

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

6. Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\Config\mp3fax.exe

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

7. Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\Registration\mfclog.exe

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the YES button.

8. Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\System32\hostx.exe

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the YES button.

Your computer will reboot.

With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab tick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

Connect to the Internet.

Run HijackThis! again and post a new log please.

#5 benwai123
  • Topic Starter

  • Members
  • 5 posts

Posted 12 November 2004 - 05:31 AM

Hi, thanks. I have done as told and rebooted the PC. Task Manager no longer shows mp3fax or netcmd. But the HijackThis log still shows "lituteni.dat", "xaf3pm.dat", etc. with "file missing". I think these require handling, right?
Attached is the HijackThis log.

thanks

Attached Files



#6 Daisuke

    Cleaner on Duty

  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 12 November 2004 - 05:34 AM

Logfile of HijackThis v1.98.2
Scan saved at 18:26:10, on 12/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IreIKE.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\IPSecMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Norton Internet Security\SymProxySvc.exe
E:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\VERITAS Software\StorageGuard\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\IMWEBSTA.EXE
E:\utilities\Winamp\Winampa.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
E:\Program Files\Norton Internet Security\IAMAPP.EXE
E:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\QTRAYIME.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\inf\bastcp.exe
E:\Netscape\Netscape 6\Netscp.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\IBMUSER\Application Data\Mozilla\Profiles\default\655cj03t.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://E%3A%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\IBMUSER\Application Data\Mozilla\Profiles\default\655cj03t.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\lituteni.dat (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\lituteni.dat (file missing)
O2 - BHO: CATLEvents Object - {8109AF33-6949-4833-8881-43DCC232B7B2} - C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\lituteni.dat (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\pctsab.dat
O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\aluesm.dat (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\StorageGuard\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IMWEBSTA.EXE] IMWEBSTA.EXE START
O4 - HKLM\..\Run: [WinampAgent] "E:\utilities\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [imjpmig] E:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp4.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [iamapp] E:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [*dllms] C:\WINDOWS\AppPatch\dllms.exe
O4 - HKLM\..\Run: [*netcmd] C:\WINDOWS\repair\netcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [*mp3fax] C:\WINDOWS\Config\mp3fax.exe
O4 - HKLM\..\RunOnce: [*bastcp] C:\WINDOWS\inf\bastcp.exe rerun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\System32\bkinst.exe ren time:1100255059
O4 - Startup: Q9 Tray.lnk = C:\WINDOWS\system32\QTRAYIME.EXE
O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SonicWALL VPN Client.lnk = C:\Program Files\SonicWALL\SonicWALL VPN Client\SafeCfg.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\Common Files\Microsoft Shared\TextConv\PDF32\IEShellExt.dll /101
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C38DC91-BB3F-4CA0-B9E8-B6540D24E640}: NameServer = 61.93.230.187,203.80.96.9,203.80.96.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{6AAD6C79-6B22-40BD-8C87-A5A402C19123}: NameServer = 203.80.96.10,205.252.144.77,
O17 - HKLM\System\CS1\Services\Tcpip\..\{3C38DC91-BB3F-4CA0-B9E8-B6540D24E640}: NameServer = 61.93.230.187,203.80.96.9,203.80.96.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{3C38DC91-BB3F-4CA0-B9E8-B6540D24E640}: NameServer = 61.93.230.187,203.80.96.9,203.80.96.10

#7 Daisuke

    Cleaner on Duty

  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 12 November 2004 - 05:42 AM

Hi

Virtumondo is still there.

Please follow carefully each step. Double check it.
Please do not try to do something else. It will only make the malware more difficult to remove !!!

Skip if SSS is present.
Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

Skip if KillBox is present.
Download KillBox here:
KillBox. Unzip it to your desktop.

Disconnect from the Internet.

Note: please read this carefully, as the steps do repeat a few times, but the last step does change a bit.
Copy & paste the path + filename in Killbox "Full path of file to delete" field.

Start Killbox.exe

Select the Delete on reboot option.

1. Copy and paste the line below in the field labeled "Full path of file to delete"
C:\Documents and Settings\IBMUSER\Local Settings\Temp\pctsab.dat

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

2. Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\AppPatch\dllms.exe

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

3. Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\repair\netcmd.exe

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

4. Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\Config\mp3fax.exe

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

5. Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\inf\bastcp.exe

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

6. Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\System32\bkinst.exe

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the NO button.

7. Copy and paste the line below in the field labeled "Full path of file to delete"
C:\WINDOWS\System32\hostx.exe

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, press the YES button.

Your computer will reboot.

With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab tick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files
Press the Clear Selected Items button.
Close the program.

Connect to the Internet.

Run HijackThis! again and post a new log.

#8 benwai123
  • Topic Starter

  • Members
  • 5 posts

Posted 12 November 2004 - 10:31 AM

Hi, thank you for the advice. I followed your instructions to delete the files. But some could not be deleted. Searching through the directories with DOS commands showed there was no such file in the path, e.g. "mp3fax.exe"; instead I found that there was "xaf3pm.ini".

You see, the file name portion was reversed and the extension was ini rather than exe. The attribute of the file was hidden. Anyway, I entered it into the "killbox" item list to be deleted at boot up. This works! It removed the mp3fax process from the Task Manager listing. Then I applied the same to those unfound .exe files. They all existed in reverse name order and with the "ini" extension.

SSS was executed to remove temp files after reboot. Attached is the HijackThis log. Please check if any virus still exists.

Thanks

Attached Files
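The two logs in this thread and the reversed-name observation above both lend themselves to a small triage script. The following is an added example, not part of the original thread or of HijackThis itself: it parses the O2 (BHO) and O4 (Run/RunOnce) lines of a HijackThis log, flags the patterns visible in this thread (a BHO loaded from a Temp directory or from a file that is not a .dll; an autorun living in a \WINDOWS subdirectory that normally holds no executables, such as Config, repair, AppPatch, inf or Registration; a value name beginning with `*`, which Windows honours in RunOnce even in Safe Mode and which every malicious entry in these logs carries), and for each hit also lists the reversed-stem `.ini` companion that benwai123 found (mp3fax.exe beside xaf3pm.ini). The sample log lines are copied from this thread, the directory list is a heuristic built from this thread's entries, and the function names are my own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a few O2/O4 lines copied from the HijackThis logs in this thread,
# with benign Adobe, Synaptics and RealPlayer entries kept as controls.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\IBMUSER\LOCALS~1\Temp\lituteni.dat
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [*netcmd] C:\WINDOWS\repair\netcmd.exe
O4 - HKLM\..\Run: [*mp3fax] C:\WINDOWS\Config\mp3fax.exe
O4 - HKLM\..\RunOnce: [*bastcp] C:\WINDOWS\inf\bastcp.exe rerun
O4 - HKCU\..\RunOnce: [*WinLogon] C:\WINDOWS\Registration\dlldvd.exe ren time:1100138307
"""

# HijackThis line shapes for BHOs (O2) and registry autoruns (O4).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.+?)(?: \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
# First executable-looking token of a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|com|scr|bat))"?(?:\s.*)?$', re.I)

# Heuristic (assumption): \WINDOWS subdirectories seen hosting malware in this thread's logs.
SUSPECT_WINDIRS = {"config", "repair", "apppatch", "inf", "registration"}


def launch_path(cmd: str) -> str:
    """Strip quotes and trailing arguments from an O4 command line, keeping only the image path."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def suspicious_reasons(path: str, kind: str, value_name: str = "") -> list[str]:
    """Return the heuristic reasons an entry looks suspicious (empty list means no hit)."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]
    reasons = []
    if "temp" in parts:
        reasons.append("loaded from a Temp directory")
    if kind == "O2" and p.suffix.lower() != ".dll":
        reasons.append("BHO is not a .dll")
    for i, part in enumerate(parts[:-1]):
        if part == "windows" and i + 1 < len(parts) - 1 and parts[i + 1] in SUSPECT_WINDIRS:
            reasons.append(f"launched from \\WINDOWS\\{p.parts[i + 1]}, which normally holds no executables")
    if value_name.startswith("*"):
        reasons.append("value name starts with '*' (RunOnce entries so named also run in Safe Mode)")
    return reasons


def reversed_ini_companion(path: str) -> str:
    """Path of the reversed-stem .ini file that sat beside each .exe in this thread (mp3fax.exe -> xaf3pm.ini)."""
    p = PureWindowsPath(path)
    return str(p.with_name(p.stem[::-1] + ".ini"))


def triage(log_text: str) -> list[dict]:
    """Parse O2/O4 lines and return one finding per entry that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            path, kind, value = m.group("path"), "O2", ""
        elif m := O4_RE.match(line):
            path, kind, value = launch_path(m.group("cmd")), "O4", m.group("value")
        else:
            continue  # other HijackThis sections are not handled by this example
        reasons = suspicious_reasons(path, kind, value)
        if reasons:
            findings.append({"line": line, "kind": kind, "path": path,
                             "reasons": reasons, "check_also": reversed_ini_companion(path)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], f["path"], "|", "; ".join(f["reasons"]), "| also check:", f["check_also"])
```

Run against the sample, the four `*`-prefixed autoruns and the Temp-resident `.dat` BHO are reported while the Adobe, Synaptics and RealPlayer entries stay silent; the `check_also` column is what to look for when the `.exe` named in the log cannot be found on disk, as happened in this thread.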



#9 Daisuke

    Cleaner on Duty

  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 12 November 2004 - 11:02 AM

Perform a full scan here: Panda Online, follow the instructions on the screen, make sure these are checked:
- Disinfect automatically
- Scan compressed files
- Scan e-mail files
- Neutralize Trojans
and let it remove anything it finds.

! This is very important !: Update your Windows. Doing this will make your computer more secure. Please visit Windows Update (follow this link: http://www.windowsupdate.com) to update Windows. Follow the instructions on the screen. You may have to visit Windows Update more than once to install all updates.
Not updating Windows will leave your computer vulnerable to malware and attacks.

Install Service Pack 1 and all critical updates.

After the installation of the last update make sure you REBOOT the computer, run HijackThis again and post a new log please.

Edited by cryo, 12 November 2004 - 11:04 AM.


#10 Daisuke

    Cleaner on Duty

  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 02 December 2004 - 02:04 AM

Due to the lack of feedback this topic is closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
