
Unspypc Infection


This topic is locked
10 replies to this topic

#1 td323i (Members, 122 posts)

Posted 19 April 2006 - 12:52 PM

Hello,
Can you please help me with this infection?

Logfile of HijackThis v1.99.1
Scan saved at 1:50:17 PM, on 4/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://infosource.bestsoftwareinc.com/self...e=1106752632781
R3 - URLSearchHook: (no name) - {A7A30FDE-234E-29BD-E037-661706732C9C} - trycrt.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\yybpq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\yybpq.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [gabber] TemplateDongle.exe
O4 - HKLM\..\Run: [WTFCTF] Trayz.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [dePloy] gabber.exe
O4 - HKCU\..\Run: [BoundRec] lpt.exe
O4 - HKCU\..\Run: [SpyElim] Trayz.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121190212656
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1446/ftp...02/cpbrkpie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00535F7C-F568-4E9F-A732-12F12A6E9B8C}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{03AADF90-5D32-402E-B1D0-B191E22F913A}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{0909D646-559B-4BE7-A865-06E779783236}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{293222C2-C06B-4DFF-B199-02948C291AF8}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{3ABCDCDB-E15E-48FB-95F6-342A86730345}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A7E51E7-1E9A-4B08-AFDA-03B03A052B9F}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B2F9D42-F33A-470B-A335-2E0E76DF896D}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{983C4E22-9988-464B-975E-4C64D7B68070}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA95FE31-81F8-4E71-A647-DDE584D32F52}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2B3585A-92C9-48EC-A105-C42D911E1122}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8E1CDF5-07E2-4F40-852E-6C6B54518EE9}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3CD58FE-7141-414C-A2E3-D809E9629AC8}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CS1\Services\Tcpip\..\{00535F7C-F568-4E9F-A732-12F12A6E9B8C}: NameServer = 85.255.116.34,85.255.112.231
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Thanks,
Tony
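Two things stand out in the log above: every O17 entry points the adapter's NameServer at the same pair of addresses outside the local network, and several O4 Run entries (gabber, WTFCTF, dePloy, BoundRec, SpyElim) reference a bare file name instead of a full path. As an added example that is not part of the thread and not HijackThis' own logic, the Python below parses lines in HijackThis' format and flags those patterns plus an F2 Shell= value that launches anything besides Explorer.exe; the resolver allow-list `EXPECTED_DNS` (RFC 1918 ranges) is a placeholder the analyst replaces with the real resolvers, and the heuristics are the editor's triage rules, not a verdict.

```python
"""Triage checks over HijackThis-format log lines (added example, not from the thread)."""
import ipaddress
import re
from dataclasses import dataclass

# Placeholder allow-list (an assumption, not from the thread): the resolvers an
# analyst expects on this network. RFC 1918 ranges stand in for "local router /
# corporate DNS"; replace with the real resolver addresses before use.
EXPECTED_DNS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [gabber] TemplateDongle.exe
O4 - HKCU\..\Run: [BoundRec] lpt.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00535F7C-F568-4E9F-A732-12F12A6E9B8C}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{03AADF90-5D32-402E-B1D0-B191E22F913A}: NameServer = 85.255.116.34,85.255.112.231
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

O17_RE = re.compile(r"^O17 - .*?: NameServer = (?P<servers>[\d.,\s]+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code: O17, O4 or F2
    item: str     # the value the finding refers to
    reason: str


def check_o17(line, expected=EXPECTED_DNS):
    """Flag NameServer addresses that fall outside the expected resolver list."""
    m = O17_RE.match(line)
    if not m:
        return []
    unexpected = []
    for s in (x.strip() for x in m["servers"].split(",") if x.strip()):
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            unexpected.append(s)  # not even a valid address: flag it
            continue
        if not any(addr in net for net in expected):
            unexpected.append(s)
    if unexpected:
        return [Finding("O17", ",".join(unexpected), "NameServer outside expected resolver list")]
    return []


def check_o4(line):
    """Flag Run entries whose command is a bare file name with no path."""
    m = O4_RE.match(line)
    if not m:
        return []
    cmd = m["cmd"].strip().strip('"')
    # A bare name is resolved through the search path at logon. Legitimate
    # vendors do this too (NWTRAY.EXE, SOUNDMAN.EXE in the log), so this is a
    # triage flag that still needs a human look, not a verdict.
    if "\\" not in cmd and not re.match(r"^[A-Za-z]:", cmd):
        return [Finding("O4", f"[{m['name']}] {cmd}", "Run entry with unqualified file name")]
    return []


def check_f2(line):
    """Flag any program other than Explorer.exe listed in the system.ini Shell= value."""
    m = F2_RE.match(line)
    if not m:
        return []
    extra = [p.strip() for p in m["shell"].split(",") if p.strip().lower() != "explorer.exe"]
    if extra:
        return [Finding("F2", ",".join(extra), "extra program launched with the shell")]
    return []


def triage(log_text, expected=EXPECTED_DNS):
    """Run all checks over a HijackThis-format log and return the findings in order."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if line:
            findings += check_o17(line, expected) + check_o4(line) + check_f2(line)
    return findings


def suspicious_resolvers(findings):
    """Distinct NameServer addresses flagged across all adapters."""
    return {ip for f in findings if f.section == "O17" for ip in f.item.split(",")}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}: {f.item}")
```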



#2 Daemon (Security Expert; Members, 1,446 posts; Location: UK)

Posted 19 April 2006 - 03:27 PM

Click here to download ewido anti-malware - it is a trial version of the program.
  • Install ewido.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will now go to the main screen.
You will need to update ewido to the latest definition files.
  • On the left-hand side of the main screen click Update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed. Then:
  • Click on Scanner.
  • Click on Complete System Scan and the scan will begin (do not open any folders or open the Windows Control Panel while the scan is in progress).
  • While the scan is in progress you will be prompted to clean files; click OK.
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose Clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido.

Rescan with HJT and post a new log here together with the ewido log so that any remnants can be removed manually.

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 td323i (Topic Starter)

Posted 20 April 2006 - 09:02 AM

Thanks Daemon,
I ran the ewido scan (not in safe mode), and here is the log:


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:58:27 AM, 4/20/2006
+ Report-Checksum: CD594849

+ Scan result:

[676] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning
[700] VM_00C50000 -> Downloader.Agent.uj : Error during cleaning
[3120] VM_007A0000 -> Downloader.Agent.uj : Error during cleaning
[3284] VM_00390000 -> Downloader.Agent.uj : Error during cleaning
[3296] VM_00940000 -> Downloader.Agent.uj : Error during cleaning
[3332] VM_00870000 -> Downloader.Agent.uj : Error during cleaning
[3344] VM_00870000 -> Downloader.Agent.uj : Error during cleaning
[3360] VM_00880000 -> Downloader.Agent.uj : Error during cleaning
[3384] VM_00910000 -> Downloader.Agent.uj : Error during cleaning
[3416] VM_00880000 -> Downloader.Agent.uj : Error during cleaning
[3584] VM_00860000 -> Downloader.Agent.uj : Error during cleaning
[3720] VM_003A0000 -> Downloader.Agent.uj : Error during cleaning
[4048] VM_007B0000 -> Downloader.Agent.uj : Error during cleaning
C:\Documents and Settings\josephb\Cookies\josephb@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\josephb\Cookies\josephb@c.enhance[2].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\josephb\Cookies\josephb@c.goclick[1].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\josephb\Cookies\josephb@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\josephb\Cookies\josephb@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\josephb\Cookies\josephb@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\josephb\Cookies\josephb@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\josephb\Cookies\josephb@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\josephb\Cookies\josephb@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\josephb\Cookies\josephb@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\josephb\Cookies\josephb@xxxcounter[1].txt -> TrackingCookie.Xxxcounter : Cleaned with backup
C:\System Volume Information\_restore{F85AF64B-3096-47AA-A7E1-A069BC4D9C84}\RP988\A0048833.dll -> Adware.SBSoft : Cleaned with backup


::Report End


Here is the log from HJT:

Logfile of HijackThis v1.99.1
Scan saved at 10:00:20 AM, on 4/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://infosource.bestsoftwareinc.com/self...e=1106752632781
R3 - URLSearchHook: (no name) - {A7A30FDE-234E-29BD-E037-661706732C9C} - trycrt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [gabber] TemplateDongle.exe
O4 - HKLM\..\Run: [WTFCTF] Trayz.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [dePloy] gabber.exe
O4 - HKCU\..\Run: [BoundRec] lpt.exe
O4 - HKCU\..\Run: [SpyElim] Trayz.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121190212656
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1446/ftp...02/cpbrkpie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00535F7C-F568-4E9F-A732-12F12A6E9B8C}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{03AADF90-5D32-402E-B1D0-B191E22F913A}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{0909D646-559B-4BE7-A865-06E779783236}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{293222C2-C06B-4DFF-B199-02948C291AF8}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{3ABCDCDB-E15E-48FB-95F6-342A86730345}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A7E51E7-1E9A-4B08-AFDA-03B03A052B9F}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B2F9D42-F33A-470B-A335-2E0E76DF896D}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{983C4E22-9988-464B-975E-4C64D7B68070}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA95FE31-81F8-4E71-A647-DDE584D32F52}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2B3585A-92C9-48EC-A105-C42D911E1122}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8E1CDF5-07E2-4F40-852E-6C6B54518EE9}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3CD58FE-7141-414C-A2E3-D809E9629AC8}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CS1\Services\Tcpip\..\{00535F7C-F568-4E9F-A732-12F12A6E9B8C}: NameServer = 85.255.116.34,85.255.112.231
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Any information you can provide would be great.

Thanks,
Tony

#4 td323i (Topic Starter)

Posted 20 April 2006 - 10:30 AM

I reran ewido in safe mode. Here are the reports:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:26:15 AM, 4/20/2006
+ Report-Checksum: 2A52DEDE

+ Scan result:

[240] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning
[264] VM_00C50000 -> Downloader.Agent.uj : Error during cleaning
[836] VM_007B0000 -> Downloader.Agent.uj : Error during cleaning


::Report End

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 11:32:06 AM, on 4/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://infosource.bestsoftwareinc.com/self...e=1106752632781
R3 - URLSearchHook: (no name) - {A7A30FDE-234E-29BD-E037-661706732C9C} - trycrt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [gabber] TemplateDongle.exe
O4 - HKLM\..\Run: [WTFCTF] Trayz.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [dePloy] gabber.exe
O4 - HKCU\..\Run: [BoundRec] lpt.exe
O4 - HKCU\..\Run: [SpyElim] Trayz.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121190212656
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1446/ftp...02/cpbrkpie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00535F7C-F568-4E9F-A732-12F12A6E9B8C}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{03AADF90-5D32-402E-B1D0-B191E22F913A}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{0909D646-559B-4BE7-A865-06E779783236}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{293222C2-C06B-4DFF-B199-02948C291AF8}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{3ABCDCDB-E15E-48FB-95F6-342A86730345}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A7E51E7-1E9A-4B08-AFDA-03B03A052B9F}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B2F9D42-F33A-470B-A335-2E0E76DF896D}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{983C4E22-9988-464B-975E-4C64D7B68070}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA95FE31-81F8-4E71-A647-DDE584D32F52}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2B3585A-92C9-48EC-A105-C42D911E1122}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8E1CDF5-07E2-4F40-852E-6C6B54518EE9}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3CD58FE-7141-414C-A2E3-D809E9629AC8}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CS1\Services\Tcpip\..\{00535F7C-F568-4E9F-A732-12F12A6E9B8C}: NameServer = 85.255.116.34,85.255.112.231
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#5 Daemon (Security Expert; Members, 1,446 posts; Location: UK)

Posted 20 April 2006 - 02:37 PM

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again. Reboot and post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt.

#6 td323i (Topic Starter)

Posted 21 April 2006 - 08:40 AM

Hi Daemon,

Please see the following reports:

Fixwareout ver 1.003
Last edited 04/09/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\uwumd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmuwu.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

Search by size and names...
* csr.exe C:\WINDOWS\System32\CSMPF.EXE

Misc files

Checking for older varients covered by the Rem3 tool


HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 9:41:32 AM, on 4/21/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://infosource.bestsoftwareinc.com/self...e=1106752632781
R3 - URLSearchHook: (no name) - {A7A30FDE-234E-29BD-E037-661706732C9C} - trycrt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [gabber] TemplateDongle.exe
O4 - HKLM\..\Run: [WTFCTF] Trayz.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [dePloy] gabber.exe
O4 - HKCU\..\Run: [BoundRec] lpt.exe
O4 - HKCU\..\Run: [SpyElim] Trayz.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121190212656
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1446/ftp...02/cpbrkpie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00535F7C-F568-4E9F-A732-12F12A6E9B8C}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{03AADF90-5D32-402E-B1D0-B191E22F913A}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{0909D646-559B-4BE7-A865-06E779783236}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{293222C2-C06B-4DFF-B199-02948C291AF8}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{3ABCDCDB-E15E-48FB-95F6-342A86730345}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A7E51E7-1E9A-4B08-AFDA-03B03A052B9F}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B2F9D42-F33A-470B-A335-2E0E76DF896D}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{983C4E22-9988-464B-975E-4C64D7B68070}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA95FE31-81F8-4E71-A647-DDE584D32F52}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2B3585A-92C9-48EC-A105-C42D911E1122}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8E1CDF5-07E2-4F40-852E-6C6B54518EE9}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3CD58FE-7141-414C-A2E3-D809E9629AC8}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CS1\Services\Tcpip\..\{00535F7C-F568-4E9F-A732-12F12A6E9B8C}: NameServer = 85.255.116.34,85.255.112.231
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Thanks,
Tony

#7 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:01:31 AM

Posted 21 April 2006 - 01:11 PM

Hi Tony, do this. Click here to download Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. In the 'Full Path of File to Delete' box, copy and paste the following, clicking the red 'Delete File' button (red circle with a white X) after pasting:

C:\WINDOWS\System32\CSMPF.EXE

Click 'Exit' when done. With only HJT running, have it fix:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://infosource.bestsoftwareinc.com/self...e=1106752632781
R3 - URLSearchHook: (no name) - {A7A30FDE-234E-29BD-E037-661706732C9C} - trycrt.dll (file missing)
O4 - HKLM\..\Run: [gabber] TemplateDongle.exe
O4 - HKLM\..\Run: [WTFCTF] Trayz.exe
O4 - HKCU\..\Run: [dePloy] gabber.exe
O4 - HKCU\..\Run: [BoundRec] lpt.exe
O4 - HKCU\..\Run: [SpyElim] Trayz.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00535F7C-F568-4E9F-A732-12F12A6E9B8C}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{03AADF90-5D32-402E-B1D0-B191E22F913A}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{0909D646-559B-4BE7-A865-06E779783236}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{293222C2-C06B-4DFF-B199-02948C291AF8}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{3ABCDCDB-E15E-48FB-95F6-342A86730345}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A7E51E7-1E9A-4B08-AFDA-03B03A052B9F}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B2F9D42-F33A-470B-A335-2E0E76DF896D}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{983C4E22-9988-464B-975E-4C64D7B68070}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA95FE31-81F8-4E71-A647-DDE584D32F52}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2B3585A-92C9-48EC-A105-C42D911E1122}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8E1CDF5-07E2-4F40-852E-6C6B54518EE9}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3CD58FE-7141-414C-A2E3-D809E9629AC8}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CS1\Services\Tcpip\..\{00535F7C-F568-4E9F-A732-12F12A6E9B8C}: NameServer = 85.255.116.34,85.255.112.231


Reboot, rescan with HJT and post a new log.

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here
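The fix list above singles out three indicator classes from Tony's HijackThis log: O17 lines whose NameServer values point every interface at the same two public resolvers, O4 Run values that launch a bare executable name (no path) under a value name with no relation to that executable, and an R3 URLSearchHook whose DLL is no longer on disk. The script below is an added example, not part of the thread and not HijackThis code, that applies those same checks to raw HJT log text. The sample lines are copied from the log posted above; the scoring rule for O4 entries (flag when at least two of: bare name, value name unrelated to the executable, same executable registered more than once) and the resolver allowlist are this example's own assumptions, chosen because any single one of those traits also appears in legitimate entries in this log (NWTRAY.EXE is bare; "SiS KHooker" does not match khooker.exe).

```python
"""Triage a HijackThis (HJT) log for the three indicator classes the reply
above fixes: O17 NameServer overrides, O4 Run entries that launch a bare
executable name under an unrelated value name, and R3 URLSearchHook entries
whose DLL is missing.  Added example, not code from the thread or from HJT.
"""
import ipaddress
import re

# Lines copied verbatim from the log posted above (not fabricated), trimmed
# so the sample covers benign and malicious entries of each kind.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {A7A30FDE-234E-29BD-E037-661706732C9C} - trycrt.dll (file missing)
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gabber] TemplateDongle.exe
O4 - HKLM\..\Run: [WTFCTF] Trayz.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [dePloy] gabber.exe
O4 - HKCU\..\Run: [BoundRec] lpt.exe
O4 - HKCU\..\Run: [SpyElim] Trayz.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00535F7C-F568-4E9F-A732-12F12A6E9B8C}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CCS\Services\Tcpip\..\{03AADF90-5D32-402E-B1D0-B191E22F913A}: NameServer = 85.255.116.34,85.255.112.231
O17 - HKLM\System\CS1\Services\Tcpip\..\{00535F7C-F568-4E9F-A732-12F12A6E9B8C}: NameServer = 85.255.116.34,85.255.112.231
"""

O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<servers>[0-9.,]+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: .* - (?P<dll>\S+) \(file missing\)$")


def first_token(cmd):
    """Executable part of a Run value: the quoted path, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def stem(path):
    """Lower-cased file name without directory or extension."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def triage(log_text, dns_allowlist=frozenset()):
    """Return a list of findings; each is a dict with section, line, reason.

    dns_allowlist: resolvers the operator expects on this machine (assumption
    of this example; empty means every static NameServer is reported).
    """
    findings = []
    run_entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O17_RE.match(line):
            for server in m.group("servers").split(","):
                if server in dns_allowlist:
                    continue
                kind = "private" if ipaddress.ip_address(server).is_private else "public"
                findings.append({"section": "O17", "line": line,
                                 "reason": f"static NameServer {server} ({kind}) not in allowlist"})
        elif m := O4_RE.match(line):
            run_entries.append((line, m.group("hive"), m.group("name"), first_token(m.group("cmd"))))
        elif m := R3_RE.match(line):
            findings.append({"section": "R3", "line": line,
                             "reason": f"URLSearchHook points at missing DLL {m.group('dll')}"})

    # How many Run values launch the same executable (Trayz.exe twice above).
    exe_count = {}
    for _, _, _, exe in run_entries:
        exe_count[stem(exe)] = exe_count.get(stem(exe), 0) + 1

    for line, hive, name, exe in run_entries:
        reasons = []
        if "\\" not in exe:
            reasons.append("bare executable name, resolved through the search path")
        if stem(name) != stem(exe):
            reasons.append(f"value name '{name}' unrelated to executable '{exe}'")
        if exe_count[stem(exe)] > 1:
            reasons.append("same executable registered under several Run values")
        # Threshold of two traits is this example's heuristic: any single trait
        # also occurs in legitimate entries of the log above.
        if len(reasons) >= 2:
            findings.append({"section": "O4", "line": line, "name": name,
                             "reason": f"{hive} Run: " + "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

Run against the sample, the O4 findings are exactly the five Run values Daemon told Tony to fix and none of the vendor entries, every O17 line is reported twice (once per resolver, both public addresses), and the orphaned trycrt.dll hook is listed once. Passing the resolvers you actually expect in `dns_allowlist` silences the O17 findings for a machine with an intentional static DNS configuration, which is the check a practitioner wants before fixing thirteen interface keys in one go.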

#8 td323i

td323i
  • Topic Starter

  • Members
  • 122 posts
  • OFFLINE
  •  
  • Local time:08:31 PM

Posted 24 April 2006 - 10:21 AM

Hi Daemon,

Here is the latest report.

Logfile of HijackThis v1.99.1
Scan saved at 11:24:43 AM, on 4/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageEnterprise\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121190212656
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1446/ftp...02/cpbrkpie.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Thanks Again,
Tony

#9 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:01:31 AM

Posted 24 April 2006 - 10:27 AM

Looks better - how is it running now?

#10 td323i

td323i
  • Topic Starter

  • Members
  • 122 posts
  • OFFLINE
  •  
  • Local time:08:31 PM

Posted 24 April 2006 - 10:30 AM

Daemon,
So far so good. I no longer get explorer.exe hangs on boot, and it seems to run faster. I really appreciate your help. Thanks again.

Thanks,
Tony

#11 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:01:31 AM

Posted 24 April 2006 - 10:32 AM

You're welcome - glad to help :thumbsup:

To help keep you clean, follow the recommendations in the article here:

So how did I get infected?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.
