
Winhound And Root Kit


9 replies to this topic

#1 Lorilaf2

Lorilaf2

  • Members
  • 16 posts

Posted 20 March 2006 - 02:32 PM

Once before I had Winhound and removed it via a post here but it is back!


I went thru all the stuff in the “preparation Guide” and all in “removing Winhound” section. Most of the scanning programs find nothing or cannot remove what they find.


================
No matter how many times I run Ad-Aware SE Personal and click remove, this object is always there on the next scan.

Name:Malware.Psguard
Category:Malware
Object Type:Regkey
Size:0 Bytes
Location:software\winhound.com\
Last Activity:3-19-2006
Relevance:Low
TAC index:7
Comment:
Description:Program masks as doing one thing, but does another.



EWIDO finds:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:05:24 PM, 3/19/2006
+ Report-Checksum: 416534B3

+ Scan result:

HKLM\SOFTWARE\WinHound.com -> Adware.WinHound : Error during cleaning
HKLM\SOFTWARE\WinHound.com\WinHound -> Adware.WinHound : Error during cleaning
HKLM\SOFTWARE\WinHound.com\WinHound\WinHound -> Adware.WinHound : Error during cleaning
HKLM\SOFTWARE\WinHound.com\WinHound\WinHound\License -> Adware.WinHound : Cleaned with backup


::Report End

SPYSWEEPER finds:


Spy Sweeper will provide you with detailed information about the operations being performed in this area.
Updating spyware definitions from Webroot.com
Please wait... This may take a few minutes...
Your definitions are up to date.

To ensure proper removal of spyware, adware and other unwanted items, be sure to close any programs that are open.
Your Sweep Options indicate the following will be swept:
Drives: C:
Also sweeping: Memory, Cookies, Registry
System Monitor found: potentially rootkit-masked files
Full Sweep has completed. Elapsed time 00:42:38
Traces Found: 1184

Additionally and of great concern to me,
When I click on Accessories>System Information in the start menu, nothing (visible) happens. And Windows Security says it is unable to turn on its firewall. Windows Media Player is not functioning...
Lord knows what other system functions are not functioning!

Attached is the hijackthis log after running smitrem. I thought smitrem produced a log too but I cannot find it.
Thanks for your help!
Lori

Logfile of HijackThis v1.99.1
Scan saved at 11:07:16 AM, on 3/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Icons\SetIcon.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Desktop Alert\desktopalert_1635512.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\SetIcon.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: Desktop Alert.lnk = C:\Program Files\Desktop Alert\desktopalert_1635512.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120334569109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,21/mcgdmgr.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: AudioHQ - {9F681C6C-DEFB-FD32-B122-3F1C37D9FDED} - c:\progra~1\common~1\instal~1\engine\6\intel3~1\wlrzb32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe (file missing)

Thanks again, Lori


#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,586 posts
  • Gender:Male

Posted 27 March 2006 - 11:00 AM

Hi Lorilaf2,

Sorry for the delay. If you are still having this problem could you post a new HJT log, please. This will also tell us if anything has changed since your initial post.

The thing about people

is they change

when they walk away.--Mipso


#3 Lorilaf2

Lorilaf2
  • Topic Starter

  • Members
  • 16 posts

Posted 27 March 2006 - 01:14 PM

Hi Lorilaf2,

Sorry for the delay. If you are still having this problem could you post a new HJT log, please. This will also tell us if anything has changed since your initial post.



Yes. Still having the problem. Thanks for the help. Here is a new hijack log

Logfile of HijackThis v1.99.1
Scan saved at 10:10:08 AM, on 3/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Icons\SetIcon.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Second Nature\Snsicon.exe
C:\Program Files\Desktop Alert\desktopalert_1635512.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\SetIcon.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: Desktop Alert.lnk = C:\Program Files\Desktop Alert\desktopalert_1635512.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Snsicon.lnk = C:\Program Files\Second Nature\Snsicon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120334569109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,21/mcgdmgr.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: AudioHQ - {9F681C6C-DEFB-FD32-B122-3F1C37D9FDED} - c:\progra~1\common~1\instal~1\engine\6\intel3~1\wlrzb32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe (file missing)

#4 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,586 posts
  • Gender:Male

Posted 28 March 2006 - 01:57 AM

Hi Lori,

I think you just have some leftovers of the Winhound/PSGuard infection but you do have a Remote Access Trojan (RAT), which is bad news. You can read about it here: http://www.sophos.com/virusinfo/analyses/trojircbotfp.html

There are also signs of a root kit. That and the RAT means your system has been compromised and I can't guarantee that you can remove everything and get the system back to where you can trust it again. My advice is that you seriously consider a reformat. I'll help you clean what we can find, but if you use your PC for online banking, business or store any other type of financial and otherwise sensitive data, that information is probably already in the hands of someone else and if we miss anything any new data could be lost as well.

You also have a file that has been added since your last log session that I can find no information about. So the first order of business is to find out if it is good or bad. Have you installed a sound card with an AudioHQ driver?

Please go to Jotti and browse to the following file in bold and click on the Submit button.

c:\program files\common files\instal~1\engine\6\intel3~1\wlrzb32.dll

Note: Windows abbreviates long file names with a ~, so two of the folder names will begin with instal and intel3.

Please post back the results of the scan. If you have any problems with Jotti being busy, try Virustotal instead.

Click to download the FixWHreg.reg file attached below and save it to your desktop.

Please download SmitRem again to make sure you have the latest version as it is constantly being updated. Get it here: http://www.downloads.subratam.org/smitRem.exe

While you are downloading, please also make sure that ewido is updated.

It's better to print out the next instructions or save them in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.

It is also important you don't miss a step and perform everything in the right order!

Double-click the FixWHreg.reg you just saved to your desktop and allow it to merge with your registry.

Scan again with HijackThis and check the following:

O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe (file missing)

With all other windows closed click on the Fix checked button.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Reboot your computer into Safe Mode and delete the following files if they exist:

C:\WINDOWS\system32\nvsvcd.exe
C:\WINDOWS\system32\netf.dll

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The log will be in your root folder: C:\smitfiles.txt, please post this log in your next reply.

Now scan with Ewido and post that log as well.

Reboot back into normal mode.

Perform an onlinescan with Panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a few minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report.

The trojan you have is known to disable security software. You may need to reinstall Trend Micro. You also need to get a real firewall installed. I believe you mentioned that the Windows firewall had been disabled and Trend's doesn't have a good reputation. Also the Windows firewall doesn't prevent outgoing traffic, which could have prevented any data going out to a remote computer, and also can give you an idea when you've become infected.

Please install one of the following free firewalls:

Kerio Personal Firewall
OutPost Firewall Free
ZoneAlarm

Understanding and Using Firewalls

Only run one firewall at a time. Make sure the Windows firewall is set to disabled, as well as Trend's. With Trend you might want to forego installing the firewall when you reinstall, if you decide to go that route at this time.

Now scan again with HijackThis and post a new log.

So in your next post I'll need to see the following logs in this order:

1. Jotti results
2. SmitRem
3. Ewido
4. Panda
5. HijackThis.

Let me know if you run into any problems and if you see an improvement. There may be more to do as I would like to look further for rootkits.


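The entries Papakid singles out above (an O23 service with an unknown owner whose binary is reported missing, and an O21 SSODL entry pointing at a missing DLL in an InstallShield temp path) are the kinds of line an analyst pulls out of a HijackThis log first. The following Python script is an added example, not part of this thread and not HijackThis's own code: it parses constructed sample lines in the HijackThis v1.99.1 format (several copied from the logs above, the rest typical benign entries) and flags those entry classes with a reason for each. The rules and the high/review severity labels are my own triage heuristics, not anything HijackThis itself reports.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: HijackThis v1.99.1 lines in the format used in this thread.
# Four are copied from the logs above; the O4 and Trend O23 lines are typical benign entries.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: AudioHQ - {9F681C6C-DEFB-FD32-B122-3F1C37D9FDED} - c:\progra~1\common~1\instal~1\engine\6\intel3~1\wlrzb32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: Windows Log - Unknown owner - C:\WINDOWS\system32\nvsvcd.exe (file missing)
"""

# A HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24) followed by " - ".
LINE_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
MISSING = "(file missing)"


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Heuristic (mine, not HijackThis's): an autostart or service entry whose
        # binary cannot be found is chased first; everything else is "review".
        return "high" if any(r.startswith("referenced file") for r in self.reasons) else "review"


def triage(log_text: str) -> List[Finding]:
    """Return the log entries an analyst would look at first, with the reason for each."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header lines, the process list, blanks
        section, body = m.group(1), m.group(2)
        name, path, reasons = body, body, []

        if section == "O23" and body.startswith("Service: "):
            # "Service: <display name> - <owner> - <image path>"
            parts = body[len("Service: "):].split(" - ", 2)
            if len(parts) == 3:
                name, owner, path = parts
                if owner == "Unknown owner":
                    reasons.append("service has no vendor (Unknown owner); confirm it belongs to installed software")
        elif section == "O21" and body.startswith("SSODL: "):
            # "SSODL: <name> - {CLSID} - <dll path>"; loaded by Explorer at every start
            parts = body[len("SSODL: "):].split(" - ", 2)
            if len(parts) == 3:
                name, _clsid, path = parts
            reasons.append("ShellServiceObjectDelayLoad entry: rarely used by legitimate software")
        elif section == "O20" and body.startswith("Winlogon Notify: "):
            # "Winlogon Notify: <name> - <dll path>"; the DLL is loaded into winlogon.exe
            name, _, path = body[len("Winlogon Notify: "):].partition(" - ")
            reasons.append("Winlogon Notify DLL runs at logon as SYSTEM; confirm vendor")

        if path.endswith(MISSING):
            path = path[: -len(MISSING)].strip()
            reasons.append("referenced file not found on disk (orphaned entry, or a file hidden from the scanner)")

        if reasons:
            findings.append(Finding(section, name, path, reasons))
    return findings


def report(findings: List[Finding]) -> str:
    """Plain-text summary, highest severity first."""
    order = {"high": 0, "review": 1}
    lines = []
    for f in sorted(findings, key=lambda f: order[f.severity]):
        lines.append(f"[{f.severity:6}] {f.section} {f.name}: {f.path}")
        for r in f.reasons:
            lines.append(f"         - {r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run it as-is to see the four flagged entries; to triage a real log, read the saved HijackThis text file and pass its contents to triage(). A "review" finding such as WRNotifier (Webroot's Winlogon DLL, present legitimately in the logs above) is a prompt to confirm the vendor, not a verdict; a "high" finding such as the Windows Log service is exactly the entry the helper had fixed with HijackThis and then had the file deleted in Safe Mode.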


#5 Lorilaf2

Lorilaf2
  • Topic Starter

  • Members
  • 16 posts

Posted 28 March 2006 - 02:46 PM

Okay, I am at a loss here.
I tried to follow your instructions but got unexpected results.
1. Jotti did nothing when I entered the browse path and hit submit.
2. I did the downloads as asked and then clicked on FixEHreg.reg which asked if I want to add it to the registry - I said yes.
3. In HijackThis I checked the O23 entry you indicated and clicked the fix button
4. In safe mode I did not find the two files mentioned - yes I did re-check that I had the settings to allow viewing hidden files.
5. The smitrem log is below.
6. Ewido log is below
7. Rebooted and tried to run Panda scan: had to change to IE as I use Mozilla but did not work.
8. I went thru Spybot, Spysweeper, and trend to allow active x and also disabled them
9. Tried Panda again and no deal. I get the arrow that says to 'click on the bar above to start download, but there is no bar to click...

I downloaded the Kerio Firewall but have not restarted yet

The Hijack log after is also below

SMITREM.txt

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 03/28/2006
The current time is: 9:23:06.04

Running from
C:\Documents and Settings\Lori Fackenthall\Desktop\Security stuff\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 796 'explorer.exe'
Killing PID 796 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :thumbsup:



====================
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:32:33 AM, 3/28/2006
+ Report-Checksum: FAED824B

+ Scan result:

C:\Program Files\Dell Support\yfymo32.dll -> Proxy.Agent.jm : Cleaned with backup


::Report End
=========


Logfile of HijackThis v1.99.1
Scan saved at 11:39:45 AM, on 3/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Icons\SetIcon.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Second Nature\Snsicon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Desktop Alert\desktopalert_1635512.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\SetIcon.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: Desktop Alert.lnk = C:\Program Files\Desktop Alert\desktopalert_1635512.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Snsicon.lnk = C:\Program Files\Second Nature\Snsicon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120334569109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,21/mcgdmgr.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: AudioHQ - {9F681C6C-DEFB-FD32-B122-3F1C37D9FDED} - c:\progra~1\common~1\instal~1\engine\6\intel3~1\wlrzb32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe


=================
So now I have downloaded all sorts of stuff as you asked and also from the time before when I had Winhound--- should I keep all this stuff? I have more anti spyware than I know what to do with and probably some of that is blocking the Panda scan - and who knows what else.

I'll finish set up of the Kerio as soon as this is sent and I reboot.

I do appreciate your help and I do hope I do not have to reformat!!

#6 Papakid
  • Malware Response Team
  • 6,586 posts

Posted 28 March 2006 - 11:32 PM

You're doing fine, Lori. You shouldn't have any notices about WinHound now and running SmitRem again has confirmed that active infection is gone. You just had some leftover reg entries and the reg file took care of that.

You also may not be as bad off as I suspected, but I want to be as sure as possible. Your antivirus seems to be working properly and may have deleted some of the files I'm looking at, and left some orphaned reg entries that show up in HijackThis. Sometimes those lines that say (file missing) don't actually mean that, but may in your case. Makes it kind of tricky. :thumbsup:

1. On the Jotti scan, did you type in the path? If so you may have mistyped, so it is better to use the Browse button to navigate to the file. My apologies if you've already done that; it has "file missing" by it also, so it's possible it's already deleted. Could you look in My Computer/Windows Explorer and tell me if you can see the file wlrzb32.dll? Or try this as a shortcut.

Start>Run, copy the following bold text, paste it in the Run box and hit Enter:

c:\progra~1\common~1\instal~1\engine\6\intel3~1

If it's not there it's not there. But if you do find it please try Jotti and if any problems at all, try Virustotal. Any information you can give me. There should be something on the net if it was legit--if it's not we'll need to fix that reg entry with HJT. So do you remember installing a sound card or AudioHQ driver--anything intel since you posted your previous log thread?

2. Don't worry about the Panda Scan--I tried to run it and got the same thing so I think it's a problem on their end. I'll check with some others on that but we can use some other scanners later. They also use ActiveX so you will need to use IE and I don't recommend totally disabling ActiveX because it's also needed when you update Windows.

With the wlrzb32.dll and the yfymo32.dll file ewido found and deleted (after not finding it before) being in folders that sound legit makes me think there may still be something going on, so let's look for a root kit.

To use RootKit Revealer please make sure you are logged in as an Administrator to the computer.
  • Please download and unzip Rootkit Revealer to your desktop.
  • Please leave the defaults set as they are to:
    • Hide NTFS Metadata Files: this option is on by default
    • Scan Registry: this option is on by default.
  • Launch rootkit revealer on the system and press the Scan button.
    RootkitRevealer scans the system, reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. It may take a long time; please disconnect from the internet and leave the PC to be scanned until it is finished.
  • The log can be very large; please edit out the items in the following folders in the log: C:\RECYCLER\NPROTECT and C:\System Volume Information, if in the log, before posting it.
  • Please post the balance of the log here in this thread using Add Reply (please double check that it has all been posted as it may be too long for one post).
Then download and save BlackLight to your desktop.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
Leave [X]scan through windows explorer checked,
click > scan then > next,
You'll see a list of all items found.
Don't choose rename yet! I want to see the log first, because legit items can also be present such as "wbemtest.exe".
There should be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
Copy and paste this log along with the rootkit revealer log.

So now I have downloaded all sorts of stuff as you asked and also from the time before when I had Winhound--- should I keep all this stuff ? I have more anti spyware than I know what to do with and probably some of that is blocking th Panda scan - and who knows what else.

SmitRem and the regfile you can go ahead and delete now, and any other specialized removal tool. I'm not sure what all you have downloaded before, but unfortunately it is best to keep more than one scanner on your system for a layered approach to help keep your system secure. If you've paid for SpySweeper, I would definitely keep it--if just a trial, uninstall it when that runs out. Ewido I would definitely keep and probably Ad-Aware. You might want to read this article for why more than one scanner is needed now: http://www.misec.net/papers/trojanexplosion/

Today there are so many variants that no scanner can detect them all; even combinations of scanners commonly have misses.


The thing about people

is they change

when they walk away.--Mipso


#7 Lorilaf2
  • Topic Starter
  • Members
  • 16 posts

Posted 29 March 2006 - 03:45 PM

I copied the path for Jotti and when I hit submit I get:
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

So, I tried Virus total and got: File size cannot be more than 10 megabytes, try compressing it. Go back.

I tried compressing in the windows explorer folder and the message says it is compressed 'on the disk' but when I try again on virustotal I get the same message. Perhaps the location on the disk is different from where it was compressed from???

I cannot log on to my computer as administrator except in SAFE MODE. (When I try to go to Control Panel>User Accounts to fix that I get the message: Wrong number of arguments or invalid property assignment. In both modes it is the same message.) So I downloaded it in safe mode and then went back to regular mode to run it.
The results:
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG:KAVICHS 3/29/2006 12:12 PM 36 bytes Hidden from Windows API.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:KAVICHS 3/12/2006 11:44 PM 36 bytes Hidden from Windows API.
C:\Documents and Settings\LocalService\ntuser.dat.LOG:KAVICHS 3/29/2006 12:12 PM 36 bytes Hidden from Windows API.
C:\Documents and Settings\LocalService\NTUSER.DAT:KAVICHS 3/19/2006 3:59 PM 36 bytes Hidden from Windows API.
C:\Documents and Settings\Lori Fackenthall\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG:KAVICHS 3/29/2006 12:12 PM 36 bytes Hidden from Windows API.
C:\Documents and Settings\Lori Fackenthall\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat:KAVICHS 3/24/2006 1:10 PM 36 bytes Hidden from Windows API.
C:\Documents and Settings\Lori Fackenthall\ntuser.dat.LOG:KAVICHS 3/29/2006 12:13 PM 36 bytes Hidden from Windows API.
C:\Documents and Settings\Lori Fackenthall\ntuser.dat:KAVICHS 3/24/2006 12:36 PM 36 bytes Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb:KAVICHS 3/29/2006 12:13 PM 36 bytes Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log:KAVICHS 3/29/2006 12:13 PM 36 bytes Hidden from Windows API.


That's it. None of the entries you said I could remove.

Here is the log from BlackLight; it said nothing was found. Should I have run it in safe mode?
03/29/06 12:36:31 [Info]: BlackLight Engine 1.0.33 initialized
03/29/06 12:36:31 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/29/06 12:36:32 [Note]: 7019 4
03/29/06 12:36:32 [Note]: 7005 0
03/29/06 12:37:19 [Note]: 7006 0
03/29/06 12:37:19 [Note]: 7011 2032
03/29/06 12:37:20 [Note]: FSRAW library version 1.7.1015
==============


I really appreciate your time. If I didn't have so much data on here I'd reformat in a minute! Guess I'll have to start backing it all up to CDs in preparation for that!

Lori

#8 Papakid
  • Malware Response Team
  • 6,586 posts

Posted 30 March 2006 - 12:45 AM

OK, well, you don't have a root kit showing according to RKR and BlackLight--it's still possible though one has gotten around those.

Some of the problems you're mentioning are going to take some time to research. Let's back up a bit and just answer me these questions so I can understand better what's going on in order to be able to help you better.

1. Did you ever at any time have Kaspersky Antivirus 5 installed?

RKR is showing iChecker/iStreams attached to some of your files. This shouldn't cause a problem, but it's strange that they are only attached to files related to your user profile and you are now having problems with it. You can however have problems when you install KAV 5 while running firewalls because KAV includes an IDS system that conflicts. I know this from personal experience as KAV is my AV of choice--and I had problems that were very strange that I haven't seen documented elsewhere.

Hmm, tell you what--I know I said I was just going to ask questions, but let's try running a cleanup tool for what KAV left behind. Go to the following page--it will also give you more info on what's going on--and run the cleanup tool according to the instructions there: http://www.kaspersky.com/faq?qid=156666512,y

2. Assuming you did use KAV at one time, did you have a firewall installed at the time when you installed it? Please give details if so: which firewall, was Windows firewall enabled, etc.

3. When you installed Kerio, did you make sure Trend's firewall was disabled?

4. Concerning the problem with User Account:

I cannot log on to my computer as administrator except in SAFE MODE. (When I try to go to Control Panel>User Accounts to fix that I get the message: Wrong number of arguments or invalid property assignment. In both modes it is the same message.)


A. Are you running XP Home or Pro?

B. Did you have any other profiles/accounts established or do you just log on to one? Let me know what accounts are established and what rights they have. I'm trying to figure out what has changed. IOW, were you running your Lori account as an administrator, Power user (XP Pro only) or limited? And you're trying to change one account from limited to Administrator when you get that message? Or something changed the account from Administrator to limited?

C. Did this just start happening or can you relate it to something we've done in this thread, such as installing the firewall?

5. I really need an answer to this one--that file I've been trying to get scanned could be a new legit product and I don't want to fix it if so as it could cause more problems. So...

Did you or anyone else install a new soundcard or AudioHQ drivers?

I don't know what is going on with that file but it doesn't sound good. I would like for you to submit it so I can take a closer look myself. So please do this:

Please create a folder called c:\submit. Now copy the following files into that directory (I'm assuming you found the file):

c:\program files\common files\instal~1\engine\6\intel3~1\wlrzb32.dll

To copy the files simply navigate to the directory they are in and right click on the file name, and then click Copy. Now go back to the c:\submit folder. Right click the folder and select Paste.


Once the files are all copied zip the folder and rename submit.zip to Lorilaf2.zip. If you are not sure how to send the files to a zip folder click the following link for a tutorial:
How to create and extract a ZIP File in Windows 95/98/2000

If you have any problems zipping, just submit the folder as is.

When the files are zipped click this link to go to the BC submissions page:
http://www.bleepingcomputer.com/submit-malware.php

1. Fill in the required fields and then click the Browse button.
2. Navigate to Lorilaf2.zip and click the Send File button.

Go ahead and backup your data--it's always a good idea to do that anyway--but these other problems may be fixable. You may just have a corrupted user account. However, besides the possible compromise of the PC, a fresh start will solve a lot of those issues. I know reformatting is a PIA and you'll probably lose some data you forget to backup or transfer, but if the issues are building up... To help you make that decision, could you list what all you're having problems with? So this would be the last question.

6. Please make a list of the issues you're experiencing. So far you've listed these; is there anything else you've noticed?

Can't access System Information
Can't turn on Windows Firewall
Can't use Windows Media Player (this could also be from a corrupted profile)
Can't log on as Administrator in normal mode.

You're welcome for the help so far and I hope we can get this all straightened out. :thumbsup:

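The RootkitRevealer output in the two posts above mixes Kaspersky's per-file iChecker streams with anything a rootkit might really be hiding. This added Python helper (written for this page; it is not part of the thread, of RootkitRevealer or of any vendor tool) parses lines of that shape, sets aside streams you have already identified, and leaves only the unexplained entries for review. The sample log lines and the file names in them are constructed, not taken from Lori's machine.

```python
import re
from collections import Counter

# Constructed sample in the shape of the RootkitRevealer lines posted above:
# <path[:stream]> <date> <time> <size> <description>
SAMPLE_RKR_LOG = """\
C:\\Documents and Settings\\LocalService\\NTUSER.DAT:KAVICHS 3/19/2006 3:59 PM 36 bytes Hidden from Windows API.
C:\\WINDOWS\\SoftwareDistribution\\DataStore\\DataStore.edb:KAVICHS 3/29/2006 12:13 PM 36 bytes Hidden from Windows API.
C:\\WINDOWS\\system32\\drivers\\example.sys 3/28/2006 9:02 PM 14.22 KB Hidden from Windows API.
C:\\WINDOWS\\system32\\example.dll:Zone.Identifier 3/28/2006 9:02 PM 26 bytes Hidden from Windows API.
HKLM\\SOFTWARE\\Example\\Key 3/19/2006 5:05 PM 0 bytes Key name contains embedded nulls (*)
"""

LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\S+ (?:bytes|KB|MB|GB)) (?P<desc>.+)$"
)

# Alternate data streams always show as "Hidden from Windows API" because the
# Win32 API does not enumerate them; KAVICHS is the Kaspersky iChecker stream
# named in this thread. Extend this set only with streams you have verified.
KNOWN_BENIGN_STREAMS = {"KAVICHS"}

def parse_rkr_line(line):
    """Split one RKR line into fields; None if the line is not a discrepancy entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    path = entry["path"]
    entry["registry"] = path.upper().startswith(("HKLM", "HKCU", "HKU", "HKCR"))
    colon = path.rfind(":")  # file:stream; the drive letter's colon sits at index 1
    entry["stream"] = path[colon + 1:] if not entry["registry"] and colon > 1 else None
    return entry

def classify(entry, benign=KNOWN_BENIGN_STREAMS):
    """Bucket an entry so known streams can be set aside and the rest reviewed."""
    if entry["registry"]:
        return "registry"
    if entry["stream"] is not None:
        return "ads-known" if entry["stream"] in benign else "ads-unknown"
    if "Hidden from Windows API" in entry["desc"]:
        return "hidden-file"  # a whole file the API cannot see: the classic rootkit signal
    return "other"

def triage(log_text, benign=KNOWN_BENIGN_STREAMS):
    """Return (count per bucket, [(bucket, path)] for entries that still need a look)."""
    counts, needs_review = Counter(), []
    for line in log_text.splitlines():
        entry = parse_rkr_line(line)
        if entry is None:
            continue
        bucket = classify(entry, benign)
        counts[bucket] += 1
        if bucket in ("ads-unknown", "hidden-file"):
            needs_review.append((bucket, entry["path"]))
    return counts, needs_review
```

Run `triage(open("rkr.log").read())` on a saved RootkitRevealer log; an `ads-unknown` entry is only "not yet explained", so look the stream name up before treating it as hostile.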


#9 Lorilaf2
  • Topic Starter
  • Members
  • 16 posts

Posted 30 March 2006 - 08:07 AM

WOW. A lot of questions. I cannot really answer at the moment - I am about to catch a flight to Virginia and won't be back until the 30th. My husband may use the computer during that time but only for email - should be no problem.

Most things seem better so we are on the right path.

Thanks again and I'll get to this as soon as I get back.
Lori

#10 Papakid
  • Malware Response Team
  • 6,586 posts

Posted 30 March 2006 - 10:34 AM

OK, have a good time in Virginia. :thumbsup:

I will have to ask you to do one more thing for me when you get back. Scan again with HijackThis and post a new log. Any time online could bring changes so I'll need to recheck.

Hope your trip is not all business--wish I could go to VA. :flowers:





