Repost Of Service.exe Problem


11 replies to this topic

#1 smoak86

smoak86

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:54 PM

Posted 01 April 2006 - 12:16 AM

Originally in WinXP. Enthusiast advised to repost here.

A few weeks ago I started having problems with Internet Explorer causing errors even though I wasn't using it. Svchost runs it constantly. If you kill iexplore.exe in the processes, it just starts back. I've looked through this site and appreciate the info here. It looks like Service.exe is at least one problem. It may be service.exe that creates the other .exe's that run at startup, it may not. Unfortunately I've done everything I can think to do, and frankly I'm tired of trying the same things over and over without it working. This is what I've done so far (multiple times):

1. Run Ad-Aware and clean what it finds regularly.
2. Run Spybot S&D and clean what it finds regularly.
3. Run Getservices.bat and checked everything. Service was the only thing I found that I couldn't account for.
4. Used HJT and Autoruns to get rid of the .exe process associated with the problem. (probably 10+ so far)
5. Gone into Safe Mode and removed in regedit:
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\SERVICES\SERVICE (redundant, but who cares)
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_SERVICE
HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET002\ENUM\ROOT\LEGACY_SERVICE (again)
Anything else I could find referring to Service.exe and the associated .exe's (SHELL, USERINIT, ETC.)
6. Used Killbox to delete C:\windows\system32\service.exe and
C:\windows\system32\randomfilethat'sdrivingmecrazy.exe (both delete on reboot)
7. Reboot in Safe Mode, looked for the offending files and did not find them.
8. Reboot in Normal Mode to have Zone Alarm ask for permission for the New .exe.
9. Looked and found that all my deleting was worthless.
10. Cursed. A lot.

Here are a few of the .exe's wiped so far. Each time I reboot, it starts back under the new file:
gephaaa.exe, ilscdlg.exe, mll_ycfg.exe, mm5.exe, mm6.exe, nvapqmgr.exe, phuvmaxb.exe, rasassec.exe, richbdvd.exe, spupemui.exe, v7vgcp70.exe

The latest version is tmp9ueng.exe.

Here's the latest HJT.

Logfile of HijackThis v1.99.1
Scan saved at 10:02:24 PM, on 3/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\tmp9ueng.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\tmp9ueng.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\IPSWITCH\WS_FTP PRO\WSBHO2K0.DLL
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRAM FILES\YAHOO!\COMMON\YIETAGBM.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Update Component] C:\WINDOWS\system32\tmp9ueng.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Update Component] C:\WINDOWS\system32\tmp9ueng.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5BED3930-2E9E-76D8-BACC-80DF2188D455} (CouponBar) - http://ftp.coupons.com/CouponsBarXML/CouponBarIE.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O21 - SSODL: IEFilter - {CFD48922-C34E-48DB-921F-435CCD88DDDD} - C:\WINDOWS\system32\IEFilter.dll
O21 - SSODL: Connection Explorer - {04EA0BCA-B633-4273-BCE9-4533E84C028E} - C:\WINDOWS\system32\wshowwin.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe


The R1's and R0's I'm not sure about.
I know I'm obviously missing something. I'm open to any ideas at this point.

Thanks in advance,

Smoak


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:05:54 PM

Posted 03 April 2006 - 03:40 AM

Hello Smoak

I understand your frustration; it's awful when something like this happens. Firstly, how do you know that the Service.exe is a bad file? It sure looks bad, but I think we should check it first.

Please visit http://virusscan.jotti.org/
Click on Browse... and navigate to the following file: C:\WINDOWS\system32\Service.exe
Click Open
Please let me know the results.

You do have noticeable malware on your system, but we'll deal with that a bit later. I want to find out the status of that Service.exe first. If it is bad we can try a number of advanced methods to remove it - if Killbox delete on reboot doesn't work we'll have to get out the big guns!

For the moment I want you to leave the system alone and don't go around deleting things. I understand that you know your stuff, but to help me it would be best if you don't do anything unless instructed. In this situation where lots of new files are created and core malware cannot be removed a rootkit is very possible so I think we should also do a preliminary scan for them:

Please download and save BlackLight to your C:\ (Important!!).
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Then go to Start > Run and copy and paste the next command into the field:

C:\blbeta.exe /expert

This should open BlackLight.
Click Scan, then Next.
You'll see a list of all items found.
Don't choose Rename yet! I want to see the log first, because legit items can also be present there...
There must also be a log on your C:\ with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Also, I want you to run a free Panda scan. This will unearth some of the other malware files on your system:

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new Hijackthis log, and the BlackLight log. Also post the Jotti scan results.

David

#3 smoak86

smoak86
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:54 PM

Posted 04 April 2006 - 08:47 AM

Hello D-T,

Thanks for the reply. Most of what I've learned about this has come from this site, so thanks again. I'll give these a shot and repost Wed. morning to let you know what I find.

Smoak

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:05:54 PM

Posted 04 April 2006 - 09:14 AM

Good luck! :thumbsup:
David

#5 smoak86

smoak86
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:54 PM

Posted 05 April 2006 - 12:42 AM

Good Morning David,

I decided to go ahead and try this tonight. I ran service.exe through jotti and found something I should have seen before. The file is 0 bytes. Nothing there. While I was there, I put the tmp9ueng.exe in and it came up as:

AntiVir Found Backdoor-Server/PPdoor.BC.16 backdoor
ArcaVir Found Trojan.Ppdoor.Bc
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Downloader.EV
ClamAV Found nothing
Dr.Web Found BackDoor.Srvlite
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Backdoor.Win32.PPdoor.bc
NOD32 Found Win32/PPdoor.BC
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Backdoor.Win32.PPdoor.bc

I dl'ed BlackLight and ran it. It came up with nothing, which I guess is a good thing. That's when the headache started. I attempted the Panda scan. Then I tried it again, and again... you get the picture. Internet Explorer kept causing errors and closing down. At the farthest point into the scan (maybe halfway through) it was showing 15 viruses and 4 spyware. After a couple of additional attempts, I got the 15,4 scanned, was able to stop the scan, view and save the report. Here it is, although it is not a full scan. For space, Nd is Not disinfected.


Incident Status Location

Virus:Bck/PPDoor.GX Nd Operating system
Adware:adware/cws Nd C:\Documents and Settings\b\Favorites\Health
Adware:adware/savenow Nd Windows Registry
Spyware:Cookie/Microsofte Nd C:\Documents and Settings\b\Cookies\b@microsofteup.112.2o7[1].txt
Spyware:Cookie/Apmebf Nd C:\Documents and Settings\b\Cookies\b@apmebf[2].txt
Virus:Bck/PPDoor.GX Nd C:\WINDOWS\SYSTEM32\kbdbtobj.dll
Virus:Bck/PPDoor.GX Nd C:\WINDOWS\SYSTEM32\mspbfwci.dll
Virus:Bck/PPDoor.GX Nd C:\WINDOWS\SYSTEM32\tmp9ueng.exe
Virus:Bck/PPDoor.GX Nd C:\WINDOWS\SYSTEM32\odtereg.dll
Virus:Bck/PPDoor.GX Nd C:\WINDOWS\SYSTEM32\dpnscdef.dll
Virus:Bck/PPDoor.GX Nd C:\WINDOWS\SYSTEM32\nvgacomp.dll
Virus:Bck/PPDoor.GX Nd C:\WINDOWS\SYSTEM32\setvtacl.dll
Virus:Bck/PPDoor.GX Nd C:\WINDOWS\SYSTEM32\remogr32.dll
Virus:Bck/PPDoor.GX Nd C:\WINDOWS\SYSTEM32\wscrgsvc.dll
Virus:Bck/PPDoor.GX Nd C:\WINDOWS\SYSTEM32\kbdftl32.dll
Virus:Bck/PPDoor.GX Nd C:\WINDOWS\SYSTEM32\wshowwin.dll
Virus:Trj/SrchSpy.F Nd C:\WINDOWS\SYSTEM32\IEFilter.dll
Virus:Trj/SrchSpy.F Nd C:\WINDOWS\SYSTEM32\MSIEHelper.dll
Virus:Bck/PPDoor.GX Nd C:\WINDOWS\SYSTEM32\hpsjscom.dll

Sorry this wasn't a complete scan. Maybe when we clear some of the backdoor problem up, IE will have fewer errors and I can get a full Panda. Here is the latest HJT (tmp9ueng.exe process was already stopped, as was iexplore.exe):

Logfile of HijackThis v1.99.1
Scan saved at 1:14:08 AM, on 4/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\b\Desktop\procexp.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
F2 - REG:system.ini: Shell=Explorer.exe,tmp9ueng.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\tmp9ueng.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\IPSWITCH\WS_FTP PRO\WSBHO2K0.DLL
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRAM FILES\YAHOO!\COMMON\YIETAGBM.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Update Component] C:\WINDOWS\system32\tmp9ueng.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [Update Component] C:\WINDOWS\system32\tmp9ueng.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5BED3930-2E9E-76D8-BACC-80DF2188D455} (CouponBar) - http://ftp.coupons.com/CouponsBarXML/CouponBarIE.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O21 - SSODL: IEFilter - {CFD48922-C34E-48DB-921F-435CCD88DDDD} - C:\WINDOWS\system32\IEFilter.dll
O21 - SSODL: Connection Explorer - {04EA0BCA-B633-4273-BCE9-4533E84C028E} - C:\WINDOWS\system32\wshowwin.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe


In addition to these scans, Windows Defender also found two new items this evening. They are Trojan.Delf.EF (with associated files):
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP141\A0017307.exe
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP141\A0016314.exe
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP140\A0016297.exe
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP141\A0017330.exe

and
KREPPER (with)
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP141\A0017326.dll

I haven't seen either of these before today.

Sorry to put up so much info at once, but thanks for continuing to help.

Smoak
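The two HijackThis logs in this thread are triaged by eye above; the same checks can be written down as rules. The Python script below is an added example, not a tool from this thread or from HijackThis, and runs over constructed sample lines in the shape of the logs above. It flags anything appended to the Winlogon Shell= or UserInit= values (which should name only Explorer.exe and userinit.exe), ShellServiceObjectDelayLoad entries outside a small allowlist of stock Windows XP names (an assumption; extend it for your build), services with an unknown owner, and Run-key entries that launch the same binary the Winlogon values launch, which is the reinfection loop the first post describes. The finding labels are the example's own.

```python
import re

# Constructed sample lines in the shape of the HijackThis v1.99.1 logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe,tmp9ueng.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\tmp9ueng.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Update Component] C:\WINDOWS\system32\tmp9ueng.exe
O4 - HKCU\..\Run: [Update Component] C:\WINDOWS\system32\tmp9ueng.exe
O21 - SSODL: Connection Explorer - {04EA0BCA-B633-4273-BCE9-4533E84C028E} - C:\WINDOWS\system32\wshowwin.dll
O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
"""

# Assumed allowlist of stock Windows XP ShellServiceObjectDelayLoad names; extend for your build.
KNOWN_SSODL = {"WebCheck", "PostBootReminder", "CDBurn", "SysTray"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.*)$")
IMAGE_RE = re.compile(r'"?(.*?\.(?:exe|dll|ocx|cpl))', re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path, surrounding quotes stripped."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def image_of(run_value):
    """First executable or module named in a Run-key value, ignoring its arguments."""
    m = IMAGE_RE.match(run_value.strip())
    return m.group(1) if m else run_value.strip()


def triage(log_text):
    """Return (kind, where, what) findings for the autostart entries in an HJT-style log."""
    findings = []
    winlogon_extras = set()   # base names of binaries appended to Shell= / UserInit=
    run_entries = []          # (hive, value name, image) from O4 Run-key lines
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_RE.match(line)
        if m:
            key, value = m.groups()
            entries = [e.strip() for e in value.split(",") if e.strip()]
            expected = "explorer.exe" if key == "Shell" else "userinit.exe"
            for i, entry in enumerate(entries):
                if i == 0 and basename(entry) == expected:
                    continue        # the one value Winlogon is supposed to launch
                winlogon_extras.add(basename(entry))
                findings.append(("winlogon-extra", key, entry))
            continue
        m = O4_RE.match(line)
        if m:
            hive, name, value = m.groups()
            run_entries.append((hive, name, image_of(value)))
            continue
        m = O21_RE.match(line)
        if m:
            name, _clsid, path = m.groups()
            if name not in KNOWN_SSODL:
                findings.append(("ssodl-unknown", name, path))
            continue
        m = O23_RE.match(line)
        if m:
            name, owner, path = m.groups()
            if owner.strip().lower() == "unknown owner":
                findings.append(("service-unknown-owner", name, path))
    # Correlate: a Run-key entry launching a binary that Winlogon also launches is the
    # belt-and-braces persistence seen in the logs above (same file under two autostarts).
    for hive, name, image in run_entries:
        if basename(image) in winlogon_extras:
            findings.append(("run-matches-winlogon", f"{hive} [{name}]", image))
    return findings


if __name__ == "__main__":
    for kind, where, what in triage(SAMPLE_LOG):
        print(f"{kind:24} {where:32} {what}")
```

Run it on a saved HijackThis log by passing the file's text to triage(); the F2 and O4 rules need no tuning, while the SSODL allowlist is the one part that depends on the Windows build and installed software.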

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:05:54 PM

Posted 05 April 2006 - 03:31 AM

Hello dizlizzi!

Sorry for the delay in getting back to you. I've been mulling over the best way to do this. It's good news that the blacklight log was clear - it shows that Qoologic isn't trying to hide anything from us.
Here goes:

It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
It is important that you complete the following instructions in the correct order, and also that you don't miss anything out! :thumbsup:

Download KillBox from here --> KillBox
Unzip the folder to your desktop.
Don't run it yet.

Please download Ewido anti-malware ; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (The status bar at the bottom will display "Update successful".)
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

F2 - REG:system.ini: Shell=Explorer.exe,tmp9ueng.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\tmp9ueng.exe
O16 - DPF: {5BED3930-2E9E-76D8-BACC-80DF2188D455} (CouponBar) - http://ftp.coupons.com/CouponsBarXML/CouponBarIE.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O21 - SSODL: IEFilter - {CFD48922-C34E-48DB-921F-435CCD88DDDD} - C:\WINDOWS\system32\IEFilter.dll
O21 - SSODL: Connection Explorer - {04EA0BCA-B633-4273-BCE9-4533E84C028E} - C:\WINDOWS\system32\wshowwin.dll
O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

* Start Killbox.exe
* Select the Delete on Reboot option.
* Click on the All Files button.
* Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\Service.exe
C:\WINDOWS\SYSTEM32\kbdbtobj.dll
C:\WINDOWS\SYSTEM32\mspbfwci.dll
C:\WINDOWS\SYSTEM32\tmp9ueng.exe
C:\WINDOWS\SYSTEM32\odtereg.dll
C:\WINDOWS\SYSTEM32\dpnscdef.dll
C:\WINDOWS\SYSTEM32\nvgacomp.dll
C:\WINDOWS\SYSTEM32\setvtacl.dll
C:\WINDOWS\SYSTEM32\remogr32.dll
C:\WINDOWS\SYSTEM32\wscrgsvc.dll
C:\WINDOWS\SYSTEM32\kbdftl32.dll
C:\WINDOWS\SYSTEM32\wshowwin.dll
C:\WINDOWS\SYSTEM32\IEFilter.dll
C:\WINDOWS\SYSTEM32\MSIEHelper.dll
C:\WINDOWS\SYSTEM32\hpsjscom.dll


* Go to the File menu of Killbox, and choose Paste from Clipboard.
NOTE: You must use the File menu; pasting by right-clicking the mouse will only enter one file.
* Click the Delete File button that is a red-and-white X. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

When you restart, please reboot into SAFE MODE by pressing the F8 key right when Windows starts, usually right after you hear your computer beep when you reboot it (some versions of Windows will display 'Starting Windows' with a grey progress bar). You will be brought to a menu where you can choose to boot into safe mode.

If it does not work on the first try, reboot and try again, as you have to be quick when you press it. After the restart (important) :

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Open Ewido anti-malware
Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

* Please now reboot back into normal windows mode.

* The infection you have has very similar patterns to an infection called Qoologic, so I want to do a scan for that infection also... It's better to be safe than sorry in my opinion:

Download FindQool.zip --> save it to your C:\.
http://downloads.subratam.org/Lon/FindQool.zip

Extract (unzip) the files inside into their own folder called FindQool.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html

This folder should be present on your C:\
In case it's not present there, move the FindQool folder to C:\, otherwise it won't work.
Then open the FindQool folder.
Locate and double-click the Qlocate.bat file to run it.

This will scan your system.
Wait until a text opens.
Post this in your next reply

* Please download the attachment I have made for you here:
[attachment=788:attachment]
Please download it to your desktop, then double click on it to open it. After it finishes a text file will open. Please save that information to your desktop, as I will need it later.

* Please run panda scan again and save the log it creates.

Please post back with the following logs:
1) New Panda Scan log
2) The look.bat results file
3) The FindQool results
4) A new Hijackthis Log.
5) The Ewido results

David

#7 smoak86

smoak86
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:54 PM

Posted 05 April 2006 - 10:11 AM

Hey David,

I'm getting ready to run through the list now. What about:

O4 - HKLM\..\Run: [Update Component] C:\WINDOWS\system32\tmp9ueng.exe
O4 - HKCU\..\Run: [Update Component] C:\WINDOWS\system32\tmp9ueng.exe

Should I have HJT clean these as well?

Smoak

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:05:54 PM

Posted 05 April 2006 - 01:33 PM

Yes, please include that, smoak86. They must have popped up since the last HijackThis log you posted.
Good luck!
David

#9 smoak86

smoak86
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:54 PM

Posted 05 April 2006 - 09:31 PM

David,

Here are the results of the scans:

* 1. Panda


Incident Status Location

Adware:adware/cws Nd C:\Documents and Settings\b\Favorites\Health
Adware:adware/savenow Nd Windows Registry
Spyware:Cookie/Doubleclick Nd C:\Documents and Settings\b\Cookies\b@doubleclick[1].txt
Spyware:Cookie/QuestionMarket Nd C:\Documents and Settings\b\Cookies\b@questionmarket[1].txt
Spyware:Cookie/Apmebf Nd C:\Documents and Settings\b\Cookies\b@apmebf[2].txt
Spyware:Cookie/Doubleclick Nd C:\Documents and Settings\b\Cookies\b@doubleclick[1].txt
Spyware:Cookie/QuestionMarket Nd C:\Documents and Settings\b\Cookies\b@questionmarket[1].txt
Spyware:Cookie/Apmebf Nd C:\Documents and Settings\b\Cookies\b@apmebf[2].txt
Spyware:Cookie/QuestionMarket Nd C:\Documents and Settings\b\Application Data\Mozilla\Firefox\Profiles\mhdc4chg.Default User\cookies.txt[]
Virus:Bck/PPDoor.GX Nd C:\!KillBox\hpsjscom.dll
Virus:Trj/SrchSpy.F Nd C:\!KillBox\MSIEHelper.dll
Virus:Trj/SrchSpy.F Nd C:\!KillBox\IEFilter.dll
Virus:Bck/PPDoor.GX Nd C:\!KillBox\wshowwin.dll
Virus:Bck/PPDoor.GX Nd C:\!KillBox\kbdftl32.dll
Virus:Bck/PPDoor.GX Nd C:\!KillBox\wscrgsvc.dll
Virus:Bck/PPDoor.GX Nd C:\!KillBox\remogr32.dll
Virus:Bck/PPDoor.GX Nd C:\!KillBox\setvtacl.dll
Virus:Bck/PPDoor.GX Nd C:\!KillBox\nvgacomp.dll
Virus:Bck/PPDoor.GX Nd C:\!KillBox\dpnscdef.dll
Virus:Bck/PPDoor.GX Nd C:\!KillBox\odtereg.dll
Virus:Bck/PPDoor.GX Nd C:\!KillBox\mspbfwci.dll
Virus:Bck/PPDoor.GX Nd C:\!KillBox\kbdbtobj.dll

* 2. Look.bat:

[SC] DeleteService SUCCESS

* 3. FindQool:

Wed 04/05/2006
Running from: C:\FindQool
PLEASE NOTE: LEGIT FILES MIGHT BE LISTED. IF YOU ARE UNSURE OF WHAT IS LISTED LEAVE THEM ALONE.

Checksums....

Files found with locate com.
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\POWERR~1.EXE
Re-check using dir /a:-d
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
08/08/2004 10:14 PM 256,000 PowerReg Scheduler.exe
01/28/2006 12:33 PM 1,552 NkbMonitor.exe.lnk
...

[-HKEY_CLASSES_ROOT\CLSID\{incert HKCR\*\shellex csdl above here if present}]

...
Runs, Listed here as a Doublecheck for the locate com results
HKLM
HKCU
...

Files In Winlogon shell and userinit
Listed here as a Doublecheck for the locate com results
shell REG_SZ explorer.exe
userinit REG_SZ C:\WINDOWS\SYSTEM32\Userinit.exe,
...
SWReg utility
Written by Bobbi Flekman © 2005
Findqool edited 4/05/2006


* 4. New HJT:

Logfile of HijackThis v1.99.1
Scan saved at 10:20:28 PM, on 4/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\IPSWITCH\WS_FTP PRO\WSBHO2K0.DLL
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRAM FILES\YAHOO!\COMMON\YIETAGBM.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YT.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: IEFilter - {BC5B8F0C-F852-4677-A8A6-2EAF0D849EC8} - C:\WINDOWS\system32\IEFilter.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe


* 5. Ewido:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:56:31 AM, 4/5/2006
+ Report-Checksum: CE37AABC

+ Scan result:

HKU\S-1-5-21-1343024091-776561741-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5BED3930-2E9E-76D8-BACC-80DF2188D455} -> Adware.CouponBar : Cleaned with backup
HKU\S-1-5-21-1343024091-776561741-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{62960D20-6D0D-1AB4-4BF1-95B0B5B8783A} -> Adware.Generic : Cleaned with backup
C:\WINDOWS\cpbrkpie.ocx -> Adware.Coupons : Cleaned with backup
C:\Program Files\BearShare\Installer\saveinstwm.exe/VVSN.exe -> Adware.SaveNow : Cleaned with backup
C:\Program Files\BearShare\Installer\saveinstwm.exe/VVSN.exe -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\b\Local Settings\Temp\tmp15.tmp -> Backdoor.PPdoor.al : Cleaned with backup
C:\Documents and Settings\b\Local Settings\Temp\tmp1B.tmp -> Backdoor.PPdoor.al : Cleaned with backup
C:\Documents and Settings\b\Local Settings\Temp\tmp1F.tmp -> Backdoor.PPdoor.al : Cleaned with backup
C:\Documents and Settings\b\Local Settings\Temp\tmp2A.tmp -> Backdoor.PPdoor.al : Cleaned with backup
C:\Documents and Settings\b\Local Settings\Temp\tmp24.tmp -> Backdoor.PPdoor.al : Cleaned with backup
C:\Documents and Settings\b\Local Settings\Temp\tmp29.tmp -> Backdoor.PPdoor.al : Cleaned with backup
C:\Documents and Settings\b\Local Settings\Temp\tmp30.tmp -> Backdoor.PPdoor.al : Cleaned with backup
C:\Documents and Settings\b\Local Settings\Temp\tmp33.tmp -> Backdoor.PPdoor.al : Cleaned with backup
C:\Documents and Settings\b\Local Settings\Temp\tmp38.tmp -> Backdoor.PPdoor.al : Cleaned with backup
C:\Documents and Settings\b\Local Settings\Temp\tmp3C.tmp -> Backdoor.PPdoor.al : Cleaned with backup
C:\Documents and Settings\b\Cookies\b@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\b\Cookies\b@highbeam.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\b\Cookies\b@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Lauren\Cookies\lauren@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP140\A0016295.exe -> Logger.Delf.ig : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP140\A0016297.exe -> Worm.Delf.i : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP141\A0016313.exe -> Logger.Delf.ig : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP141\A0016314.exe -> Worm.Delf.i : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP141\A0017305.exe -> Logger.Delf.ig : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP141\A0017307.exe -> Worm.Delf.i : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP141\A0017325.exe -> Downloader.CWS.s : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP141\A0017326.dll -> Adware.Ihbo : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP141\A0017328.exe -> Logger.Delf.ig : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP141\A0017329.exe -> Logger.Delf.ig : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP141\A0017330.exe -> Worm.Delf.i : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP148\A0017566.exe -> Trojan.KillAV.ft : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP150\A0017605.EXE -> Backdoor.PPdoor.bc : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP150\A0017615.exe -> Backdoor.PPdoor.bc : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP152\A0017670.exe -> Backdoor.PPdoor.bc : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP153\A0017731.exe -> Backdoor.PPdoor.bc : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP153\A0017733.exe -> Backdoor.PPdoor.bc : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP153\A0017736.exe -> Backdoor.PPdoor.bc : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP153\A0017784.exe -> Backdoor.PPdoor.bc : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP153\A0017786.exe -> Backdoor.PPdoor.bc : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP153\A0017787.exe -> Backdoor.PPdoor.bc : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP153\A0017809.exe -> Trojan.Agent.fd : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP153\A0017815.exe -> Trojan.KillAV.ft : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP153\A0017821.exe -> Downloader.CWS.s : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP153\A0017824.exe -> Downloader.CWS.s : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP153\A0017825.exe -> Backdoor.PPdoor.bc : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP155\A0017870.exe -> Trojan.Agent.fd : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP155\A0017878.exe -> Trojan.Agent.fd : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP155\A0017879.exe -> Backdoor.PPdoor.bc : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP155\A0017907.exe -> Trojan.Agent.fd : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP155\A0017909.exe -> Backdoor.PPdoor.bc : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP155\A0017936.exe -> Backdoor.PPdoor.bc : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP155\A0017939.exe -> Backdoor.PPdoor.bc : Cleaned with backup
C:\System Volume Information\_restore{A84EA1D8-7811-4489-839E-24797389176D}\RP159\A0018098.exe -> Backdoor.PPdoor.bc : Cleaned with backup
C:\!KillBox\imapacct.exe -> Backdoor.PPdoor.bc : Cleaned with backup
C:\!KillBox\v7vgiext.exe -> Backdoor.PPdoor.bc : Cleaned with backup
C:\!KillBox\slbisc.exe -> Backdoor.PPdoor.bc : Cleaned with backup
C:\!KillBox\tmp9ueng.exe -> Backdoor.PPdoor.bc : Cleaned with backup


::Report End




I'm assuming I need to find and clear the backups for all the scans. I know you'll let me know what's next.

Thanks

Smoak
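A small triage script for HijackThis logs like the one above, added here as an illustration; it is not something David or this thread used. It parses the O4 Run lines and flags three patterns that show up in this thread: entries whose file is already gone (the "(file missing)" O21 IEFilter line), the same binary registered under both HKLM and HKCU Run (the tmp9ueng.exe pair from post #7), and autostart targets sitting in a user Temp directory (Ewido found the PPdoor droppers staged in Local Settings\Temp). The sample lines are copied from the logs posted above, except the [Service] entry, which is constructed for the example; the rule names and the `triage` and `target_of` functions are my own.

```python
import re
from collections import defaultdict

# Sample HijackThis lines. All but the [Service] entry are copied from the logs
# posted in this thread; that one is constructed for the example.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O4 - HKLM\\..\\Run: [Zone Labs Client] C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe
O4 - HKLM\\..\\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\\..\\Run: [Update Component] C:\\WINDOWS\\system32\\tmp9ueng.exe
O4 - HKCU\\..\\Run: [Update Component] C:\\WINDOWS\\system32\\tmp9ueng.exe
O4 - HKCU\\..\\Run: [Yahoo! Pager] C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet
O4 - HKCU\\..\\Run: [Service] C:\\Documents and Settings\\b\\Local Settings\\Temp\\tmp15.exe
O21 - SSODL: IEFilter - {BC5B8F0C-F852-4677-A8A6-2EAF0D849EC8} - C:\\WINDOWS\\system32\\IEFilter.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\SYSTEM32\\ZONELABS\\vsmon.exe
"""

RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
EXE_RE = re.compile(r'^(?P<path>.+?\.(?:exe|dll|cpl|com|scr|bat))(?=\s|,|$)', re.IGNORECASE)


def target_of(cmd):
    """Lower-cased path of the program a Run value launches.

    HJT prints the raw command line: quoted paths are taken whole; unquoted ones
    (which may contain spaces, e.g. C:\\Program Files\\...) are cut at the first
    executable-looking extension. Anything else is returned whole, lower-cased.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end].lower()
    m = EXE_RE.match(cmd)
    return (m.group('path') if m else cmd).lower()


def triage(log_text):
    """Return [(rule, detail), ...] for entries worth a second look."""
    findings = []
    hives_by_target = defaultdict(set)
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        # 1. Persistence pointing at a file that no longer exists: a leftover
        #    of a removal, harmless by itself, but it should be cleaned up.
        if '(file missing)' in line:
            findings.append(('file-missing', line))
        m = RUN_RE.match(line)
        if not m:
            continue
        target = target_of(m.group('cmd'))
        hives_by_target[target].add(m.group('hive'))
        # 2. Autostart binary living in a user Temp directory.
        if '\\temp\\' in target:
            findings.append(('temp-path', line))
    # 3. Same binary registered under both HKLM and HKCU Run: installers pick
    #    one; malware often writes both so one survives a partial cleanup.
    for target, hives in hives_by_target.items():
        if hives == {'HKLM', 'HKCU'}:
            findings.append(('both-hives', target))
    return findings


if __name__ == '__main__':
    for rule, detail in triage(SAMPLE_LOG):
        print(f'{rule:13} {detail}')
```

Run it against a saved HJT log with `triage(open('hijackthis.log').read())`. The rules are deliberately narrow: they point at entries to investigate, not entries to fix, which is exactly why the thread's helper asks for a fresh log after each round rather than deleting on sight.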

#10 -David-

Posted 06 April 2006 - 03:43 AM

Hello there.

Excellent work there, and thanks for setting it out so nicely. Everything that was bad is now gone. The bad service.exe and its leftovers are gone also.

Please delete this folder:
C:\Documents and Settings\b\Favorites\Health

Please empty this folder:
C:\!KillBox

Fix this entry in Hijackthis using the same method as before:
O21 - SSODL: IEFilter - {BC5B8F0C-F852-4677-A8A6-2EAF0D849EC8} - C:\WINDOWS\system32\IEFilter.dll (file missing)

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Please reboot and let me know how the computer is running.
David

#11 smoak86 (Topic Starter)

Posted 13 April 2006 - 08:33 PM

Hi David,

Hope your holiday went well. Just wanted to let you know everything is running fine now. It's nice not having IE cause errors every thirty seconds. I really appreciate all the help. It's good to know people out there are willing and capable of helping.

Thanks,

Smoak

#12 -David-

Posted 17 April 2006 - 04:00 PM

Hello,

Glad I could help you. :thumbsup:
The fact that your system got so infected in the first place shows me that you are lacking slightly in protection. Follow this list and your potential for being infected again will reduce dramatically.

Now that you are clean, lets reset your system restore points please follow these simple steps in order
  • Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer
  • Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Un-Check Turn off System Restore.
  • Click Apply, and then click OK.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
    Click here for more information on -> Computer Safety On line - Anti-Virus

    I would recommend Grisofts© AVG or AVAST©. As these are the more secure and better ones.
  • Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
    Click here for more information on -> Computer Safety On line - Software Firewalls
    I would recommend ZoneAlarm© as a firewall as it's easy to use. But for a more secure firewall, Sunbelts Kerio© is the one.
  • Visit Microsoft's Windows Update Site Frequently It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly
  • Install Spybot© - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here: Click here for more info -->Instructions for - Spybot S & D and Ad-aware
  • Install Lavasofts© Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here: Click here for more info -->Instructions for - Spybot S & D and Ad-aware
  • Install Javacools© SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here: Click here for more info -->Computer Safety on line - Anti-Malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
If you have any additional questions just ask...
David
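The six Custom Level settings David lists are stored as DWORD values under the Internet zone key (Zones\3), so they can be audited from a registry export instead of by clicking through the dialog. The script below is an added example and not part of David's post: it reads a `reg export` of that key, compares each value against the recommendations above (flagging only settings that are weaker, not stricter), and emits a .reg fragment that sets the stragglers. The value numbers (1001, 1004, 1201, 1607, 1800, 1804) and the action codes 0 = Enable, 1 = Prompt, 3 = Disable follow Microsoft's documented zone-setting map (KB 182569); the sample export is constructed for the example, with two settings deliberately left at Enable. One caveat a practitioner should know: if `Security_HKLM_only` is set under HKLM\...\Internet Settings, the effective values come from the HKLM copy of the same key, so export and audit that one instead.

```python
import re

ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
            r"\Internet Settings\Zones\3")          # Zones\3 is the Internet zone

ENABLE, PROMPT, DISABLE = 0, 1, 3                   # action codes shared by all zone values

# Custom Level label -> (registry value name, recommended action), per David's list.
RECOMMENDED = {
    "Download signed ActiveX controls":                          ("1001", PROMPT),
    "Download unsigned ActiveX controls":                        ("1004", DISABLE),
    "Initialize and script ActiveX controls not marked as safe": ("1201", DISABLE),
    "Installation of desktop items":                             ("1800", PROMPT),
    "Launching programs and files in an IFRAME":                 ("1804", PROMPT),
    "Navigate sub-frames across different domains":              ("1607", PROMPT),
}

# Constructed sample of `reg export "HKCU\...\Zones\3" zone3.reg`. Values 1001
# and 1607 are deliberately left at Enable (0) so the audit has something to say.
SAMPLE_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00011000
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1607"=dword:00000000
"1800"=dword:00000001
"1804"=dword:00000001
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_zone(reg_text, key=ZONE_KEY):
    """Return {value name: int} for the DWORD values under `key` in a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            in_key = km.group('key').lower() == key.lower()
            continue
        dm = DWORD_RE.match(line)
        if in_key and dm:
            values[dm.group('name')] = int(dm.group('hex'), 16)
    return values


def audit(reg_text):
    """Return {value name: (label, current, recommended)} for every setting that
    is weaker than recommended. Enable (0) < Prompt (1) < Disable (3), so a
    stricter setting is left alone; a missing value is reported as current=None."""
    current = parse_zone(reg_text)
    weak = {}
    for label, (name, want) in RECOMMENDED.items():
        have = current.get(name)
        if have is None or have < want:
            weak[name] = (label, have, want)
    return weak


def fix_reg(weak):
    """Render a .reg fragment that raises every flagged value to the recommended code."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE_KEY}]"]
    for name, (label, _have, want) in sorted(weak.items()):
        lines.append(f"; {label}")
        lines.append(f'"{name}"=dword:{want:08x}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    weak = audit(SAMPLE_EXPORT)
    for name, (label, have, want) in sorted(weak.items()):
        print(f"{name}: {label}: is {have}, want {want}")
    print(fix_reg(weak))
```

On a real machine export with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg`, feed the file to `audit`, and import the emitted fragment with regedit if the report matches what you expect. The audit compares against David's list only; the CurrentLevel value is parsed but not judged, since changing any custom setting already moves the zone to a custom level.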



