Help! Infected With Spybot Worm


This topic is locked.
19 replies to this topic

#1 Boyo
  • Members
  • 61 posts
  • Location:Chicago
Posted 20 May 2006 - 11:59 AM

Here is a copy of my HijackThis log. These are the following programs that I have run to help clean my system: PC-Cillin, BitDefender online, Ewido, A-squared, CW Shredder, Ad-Aware, Spybot and Spy Sweeper.

Looking at lines 02; 04; 09- it appears that I am still infected. Please help me as I am unable to get my PC totally clean.

Logfile of HijackThis v1.99.1
Scan saved at 11:43:40 AM, on 5/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [OEM32 Tools] sres32.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\RunServices: [OEM32 Tools] sres32.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OEM32 Tools] sres32.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: MA521 Configuration Utility.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9BC6C4C-E3F1-419B-B6B8-1226E8F69E6A}: NameServer = 38.9.212.2,38.9.213.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Windows Update Service (muamgrd) - Unknown owner - C:\WINDOWS\System32\muamgrd.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
AMD Athlon 64 X2 4400+ @2.64GHz|AC Freezer 64 Pro|Asus A8N32-SLI Deluxe|Corsair 2GB PC3500LLPRO|eVGA 7900GT CO Superclocked|SB Audigy 2 ZS|Logitech MX1000|WD 74GB Raptor|WD 320GB Caviar SE16|WD 250GB Caviar RE16 eSATA Mobile |Lite-On DVD/CD with Lightscribe|Enermax Liberty 620W|Lian Li PC7 Plus II


#2 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 May 2006 - 04:02 AM

Hello,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O4 - HKLM\..\Run: [OEM32 Tools] sres32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [OEM32 Tools] sres32.exe
O4 - HKCU\..\Run: [OEM32 Tools] sres32.exe
O23 - Service: Windows Update Service (muamgrd) - Unknown owner - C:\WINDOWS\System32\muamgrd.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Go to start > run and copy and paste next command in the field:

sc delete muamgrd

and hit enter.

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"
7. Select a target to scan: Click on "My Computer"
8. When the scan is complete choose to save the results as "Save as Text"
9. Post the Kaspersky scan results in your next reply together with a new hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
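An added example, not part of the thread and not a BleepingComputer or HijackThis tool: a small Python triage script that applies the same reading miekiemoes gave the O4 and O23 lines in the post above. It flags an autorun whose image is a bare file name (sres32.exe, which the log cannot tie to a file on disk), the same image registered under several autorun keys (HKLM Run, RunServices and HKCU Run), and a service whose binary is missing or has no owner (muamgrd). The sample lines are copied from the posted log; the heuristics are this example's own and surface candidates to verify, not verdicts.

```python
import re
from collections import Counter

# Constructed sample input: lines copied from the HijackThis log posted
# above, plus one known-good O23 entry, so the script runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [OEM32 Tools] sres32.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\RunServices: [OEM32 Tools] sres32.exe
O4 - HKCU\..\Run: [OEM32 Tools] sres32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: Windows Update Service (muamgrd) - Unknown owner - C:\WINDOWS\System32\muamgrd.exe (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
"""

# O4 lines look like:  O4 - HKLM\..\Run: [name] command
O4_RE = re.compile(r"^O4 - (?P<hive>[^\\]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 lines look like: O23 - Service: display (short) - owner - path
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def image_of(cmd):
    """Return the executable token of an autorun command line, quotes stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Flag autorun and service entries that deserve a second look.

    Heuristics (candidates, not verdicts):
      * O4 image that is a bare file name: Windows resolves it through the
        search path, so the log does not say which file actually runs.
      * The same image registered under several autorun keys, the
        redundancy typical of malware persistence.
      * O23 service whose binary is missing or whose owner is unknown.
    """
    findings, autoruns = [], []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            autoruns.append((m["hive"], m["key"], m["name"], image_of(m["cmd"])))
            continue
        m = O23_RE.match(line)
        if m:
            reasons = []
            if "(file missing)" in m["path"]:
                reasons.append("service binary missing (orphaned service)")
            if m["owner"].lower() == "unknown owner":
                reasons.append("no company name in the binary")
            if reasons:
                findings.append({"kind": "O23", "entry": m["display"],
                                 "image": m["path"], "reasons": reasons})
    seen = Counter(img.lower() for _, _, _, img in autoruns)
    for hive, key, name, img in autoruns:
        reasons = []
        if "\\" not in img and "/" not in img:
            reasons.append("bare file name, resolved through the search path")
        if seen[img.lower()] > 1:
            reasons.append("same image in %d autorun locations" % seen[img.lower()])
        if reasons:
            findings.append({"kind": "O4", "entry": "%s\\%s [%s]" % (hive, key, name),
                             "image": img, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], f["entry"], "->", f["image"], "|", "; ".join(f["reasons"]))
```

Run against the full log, bare-name OEM entries such as TPSMain.exe or TFncKy.exe would be listed as well; that is the point of the first heuristic, since only a look at the file on the search path settles what they are. Removing the O23 entry in HijackThis clears the log line; the sc delete muamgrd step in the post removes the service registration itself from the Service Control Manager.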

#3 Boyo (Topic Starter)

Posted 21 May 2006 - 11:40 AM

Hi miekiemoes, and thank you very much for responding to my plea for help. Sorry for the delay in response, but it is due to me living in the US and the time difference. I made all the changes to the HijackThis that you directed, and I ran the Kaspersky Webscan. The Kaspersky scan was clean so there was no file to save, but below is a new HijackThis log.

This is actually my dad's laptop, and his Trend Micro subscription ran out, so I downloaded the trial version of BitDefender 9 to provide some protection in the interim. So the HijackThis log will appear a little different with those changes.

Thank you again for your help.

Logfile of HijackThis v1.99.1
Scan saved at 11:29:30 AM, on 5/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\NETGEAR\MA521 Configuration Utility\wlancfg5.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [BDNewsAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\PROGRA~1\Softwin\BITDEF~1\bdswitch.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: MA521 Configuration Utility.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9BC6C4C-E3F1-419B-B6B8-1226E8F69E6A}: NameServer = 38.9.212.2,38.9.213.2
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#4 miekiemoes

Posted 21 May 2006 - 12:39 PM

Hello,

Good that Kaspersky showed clean. What hijackthis showed previously were only orphaned leftovers, so they are gone as well now. So hijackthislog looks clean also. :thumbsup:

How are things now?

#5 Boyo (Topic Starter)

Posted 21 May 2006 - 01:05 PM

Hi miekiemoes,

I'm glad the hijackthis is clean! BUT, if I do a search for OEM32 Tools in regedit, it's all over the place. It's in so many folders I won't bother listing them. Same with sres32.exe and muamgrd.exe.

What should I do???

#6 miekiemoes

Posted 21 May 2006 - 01:35 PM

Hi,

Only list the entries with sres32.exe and muamgrd.exe in it. OEM32 is only a display name and searching for that could show legit entries.
But reboot first, because some keys get deleted from the registry after reboot, since the main one is already gone.
After reboot, to make things easier for you..

Download the Registry Search Tool.
http://www.billsway.com/vbspage/
Unzip it and run it.
If your antivirus interferes, you have to disable script blocking in the antivirus.
Put the following in the search box:

sres32.exe

It will create a log. Save that log;

Then perform the same for muamgrd.exe.

paste both logs in your next reply.

#7 Boyo (Topic Starter)

Posted 21 May 2006 - 02:06 PM

Wow, what a great tool. Using the registry was actually easy for once. Thanks!

I have 9 folders. Here is the list.

REGEDIT4
; RegSrch.vbs Bill James

; Registry search results for string "sres32.exe" 5/21/2006 1:54:59 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OEM32 Tools"="sres32.exe"

[HKEY_USERS\S-1-5-21-2533905383-1593984774-1283055196-1006\Software\Microsoft\Search Assistant\ACMru\5603]
"001"="sres32.exe"

[HKEY_USERS\S-1-5-21-2533905383-1593984774-1283055196-1006\Software\Webroot\SpySweeper\Startup\1_OEM32 Tools]
"path"="sres32.exe"

[HKEY_USERS\S-1-5-21-2533905383-1593984774-1283055196-1006\Software\Webroot\SpySweeper\Startup\1_OEM32 Tools]
"command"="sres32.exe"

[HKEY_USERS\S-1-5-21-2533905383-1593984774-1283055196-1006\Software\Webroot\SpySweeper\Startup\2_OEM32 Tools]
"path"="sres32.exe"

[HKEY_USERS\S-1-5-21-2533905383-1593984774-1283055196-1006\Software\Webroot\SpySweeper\Startup\2_OEM32 Tools]
"command"="sres32.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"OEM32 Tools"="sres32.exe"

REGEDIT4
; RegSrch.vbs Bill James

; Registry search results for string "muamgrd.exe" 5/21/2006 1:58:10 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="muamgrd.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="muamgrd.exe"

#8 miekiemoes

Posted 21 May 2006 - 02:09 PM

Hello,

Open notepad and copy and paste next from the quotebox in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OEM32 Tools"=-

[HKEY_USERS\S-1-5-21-2533905383-1593984774-1283055196-1006\Software\Microsoft\Search Assistant\ACMru\5603]
"001"=-

[HKEY_USERS\S-1-5-21-2533905383-1593984774-1283055196-1006\Software\Webroot\SpySweeper\Startup\1_OEM32 Tools]
"path"=-

[HKEY_USERS\S-1-5-21-2533905383-1593984774-1283055196-1006\Software\Webroot\SpySweeper\Startup\1_OEM32 Tools]
"command"=-

[HKEY_USERS\S-1-5-21-2533905383-1593984774-1283055196-1006\Software\Webroot\SpySweeper\Startup\2_OEM32 Tools]
"path"=-

[HKEY_USERS\S-1-5-21-2533905383-1593984774-1283055196-1006\Software\Webroot\SpySweeper\Startup\2_OEM32 Tools]
"command"=-

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"OEM32 Tools"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"=-

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"=-


Save this as fix.reg Choose to save as *all files and place it on your desktop.
It should look like this: (screenshot)
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

That should delete the leftovers. :thumbsup:

Edited by miekiemoes, 21 May 2006 - 02:10 PM.


#9 Boyo (Topic Starter)

Posted 21 May 2006 - 02:32 PM

I don't know what is wrong, but every time I doubleclick, I get a regedit application error.

#10 miekiemoes

Posted 21 May 2006 - 02:39 PM

What exact error do you get?
Make sure you copied and pasted it right... don't paste 'quote' from above in it. A missing tag or whatever can already cause that error.

Edited by miekiemoes, 21 May 2006 - 02:40 PM.


#11 Boyo (Topic Starter)

Posted 21 May 2006 - 02:48 PM

I'm making double sure I am copying the correct text. The message I get is:

regedit.exe- Application error
The application failed to initialize properly (0x0000005)

#12 miekiemoes

Posted 21 May 2006 - 02:52 PM

Hi, I tried it myself and also get an application error... strange though.
I tried to find the cause and it looks like next key is responsible for that error:
HKEY_USERS\S-1-5-21-2533905383-1593984774-1283055196-1006
So it should work if you only copy and paste next below:


REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OEM32 Tools"=-

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"OEM32 Tools"=-

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"=-

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"=-


Let me know if that worked.

I wouldn't worry about the others I left out though..
The first one is from the regsearch you performed, and the other ones are the ones that spysweeper disabled at startup.

#13 Boyo (Topic Starter)

Posted 21 May 2006 - 02:58 PM

Sorry, no luck. Same error. Should I go into regedit and manually make some changes? I just feel uncomfortable with those left over in the registry.

#14 miekiemoes

Posted 21 May 2006 - 03:04 PM

Strange, works fine here though..

yes, if you are comfortable with the registry, you can try it manually.
But make sure you backup your registry first!

Actually next keys (listed below) may get deleted (looks like I only added the value in my previous fix to delete it)

HKEY_USERS\S-1-5-21-2533905383-1593984774-1283055196-1006\Software\Webroot\SpySweeper\Startup\1_OEM32 Tools <= will look like a folder in the registry

HKEY_USERS\S-1-5-21-2533905383-1593984774-1283055196-1006\Software\Webroot\SpySweeper\Startup\2_OEM32 Tools <= will look like a folder in the registry

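An added example, not from the thread and not the RegSrch or HijackThis tools' own code, showing the two deletion forms of a .reg script that posts #8 and #14 above turn on: "name"=- inside a [KEY] block removes one value and leaves the key, while [-KEY] removes the key with everything under it, which is what the SpySweeper\Startup\..._OEM32 Tools keys need. The script parses a RegSrch.vbs style report (the sample below is constructed from the sres32.exe report posted above) and writes the cleanup script; which keys are removed wholesale is decided by the predicate you pass in, and is_junk_key is this example's own policy, not something the posts prescribe.

```python
import re

# Constructed sample input: the RegSrch.vbs report for "sres32.exe" as
# posted above, trimmed to the hits that matter.
SEARCH_OUTPUT = r"""
REGEDIT4
; RegSrch.vbs Bill James

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OEM32 Tools"="sres32.exe"

[HKEY_USERS\S-1-5-21-2533905383-1593984774-1283055196-1006\Software\Microsoft\Search Assistant\ACMru\5603]
"001"="sres32.exe"

[HKEY_USERS\S-1-5-21-2533905383-1593984774-1283055196-1006\Software\Webroot\SpySweeper\Startup\1_OEM32 Tools]
"path"="sres32.exe"

[HKEY_USERS\S-1-5-21-2533905383-1593984774-1283055196-1006\Software\Webroot\SpySweeper\Startup\1_OEM32 Tools]
"command"="sres32.exe"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"OEM32 Tools"="sres32.exe"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")          # [HKEY_...\...]
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=')  # "name"=...


def parse_search_output(text):
    """Return the (key, value name) pairs a RegSrch-style report lists, in order, without duplicates."""
    hits, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None and (key, m["name"]) not in hits:
            hits.append((key, m["name"]))
    return hits


def build_cleanup_reg(hits, delete_whole_key):
    """Write a REGEDIT4 script that removes the hits.

    "name"=-   inside [KEY] deletes that one value and keeps the key.
    [-KEY]     deletes the key with every value and subkey under it.
    delete_whole_key(key) -> bool chooses between the two for each key.
    """
    by_key = {}
    for key, name in hits:
        by_key.setdefault(key, []).append(name)
    lines = ["REGEDIT4", ""]                # header plus the blank line regedit expects
    for key, names in by_key.items():
        if delete_whole_key(key):
            lines.append("[-%s]" % key)
        else:
            lines.append("[%s]" % key)
            lines.extend('"%s"=-' % name for name in names)
        lines.append("")
    return "\r\n".join(lines)               # .reg files are CRLF text


def is_junk_key(key):
    """Example policy: the per-entry keys the malware left under SpySweeper's Startup list
    are removed outright; Run keys and the search-history key only lose the offending value."""
    return key.rsplit("\\", 1)[-1].endswith("OEM32 Tools")


if __name__ == "__main__":
    hits = parse_search_output(SEARCH_OUTPUT)
    print(build_cleanup_reg(hits, is_junk_key))
```

Save the output with a .reg extension and merge it, or, when double-clicking fails as it did in this thread, run it from Start > Run as regedit.exe fix.reg so the executable is named explicitly. Export the affected keys first (File > Export in regedit) so the change can be reversed.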
#15 miekiemoes

Posted 21 May 2006 - 03:10 PM

Wait a minute.. most probably you were dealing with the Alcan/alcra worm as well, this one creates a regedit.com, so when you use regedit, it will load the regedit.com instead. This is a 0 bytes file which may explain the regedit error..

So I recommend you perform next as well:

* Download AlcanShorty from here.
  • Click the download button below and agree to download the fix.
  • Download Alcanshorty to your desktop.
  • DoubleClick alcanshorty_en.exe
  • Where it says "Destination Folder", clear the field and copy and paste next in the field: C:\ Then click install.
  • This will create a new folder on your C:\ called alcanshorty_en
  • Open that folder and doubleclick Run.bat
  • Once the fix starts, your icons and desktop will disappear, this is normal.
Make sure you have a working internet connection. In case your firewall gives an alert, don't block it,
because alcanshorty needs to download some additional files to let the tool run properly.
  • Wait for the complete script execution box to popup and press OK.
  • Press exit to terminate the BFU program.





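An added example, not from the thread and not part of AlcanShorty, illustrating the shadowing post #15 describes: when a bare name such as regedit is typed, Windows tries candidate extensions in an order in which .COM comes before .EXE (the default PATHEXT order is assumed below), so a planted 0-byte regedit.com is launched in place of regedit.exe. The script reproduces that lookup over a constructed stand-in directory (a temporary folder holding a placeholder regedit.exe, a clean taskmgr.exe and an empty regedit.com) and reports every watched command that does not resolve to its own .exe. Only regedit comes from the post; the other watched names are this example's own choices.

```python
import os
import tempfile

# Default PATHEXT order on Windows XP, assumed here as the lookup order:
# .COM is tried before .EXE, so "regedit" finds regedit.com first when one exists.
PATHEXT = [".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE", ".JS", ".JSE", ".WSF", ".WSH"]


def resolve(directory, command):
    """Return the file Windows would pick for a bare command name in one directory,
    trying the PATHEXT extensions in order; None if nothing matches.
    The comparison is case-insensitive, as it is on NTFS."""
    present = {name.lower(): name for name in os.listdir(directory)}
    for ext in PATHEXT:
        candidate = (command + ext).lower()
        if candidate in present:
            return os.path.join(directory, present[candidate])
    return None


def find_shadowed(directory, commands):
    """Report watched commands that do not resolve to <command>.exe.
    Each hit carries the file that would actually run and its size; a 0-byte .com
    beside the real .exe is the pattern post #15 describes for regedit."""
    report = []
    for command in commands:
        chosen = resolve(directory, command)
        if chosen is None:
            continue                      # tool not present in this directory
        expected = os.path.join(directory, command + ".exe")
        if os.path.normcase(chosen) == os.path.normcase(expected):
            continue                      # resolves to the real executable
        report.append({
            "command": command,
            "resolved": chosen,
            "size": os.path.getsize(chosen),
            "shadows": expected if os.path.exists(expected) else None,
        })
    return report


def build_demo_dir():
    """Constructed stand-in for %SystemRoot%: a placeholder regedit.exe, a clean
    taskmgr.exe, and the 0-byte regedit.com that shadows regedit.exe."""
    directory = tempfile.mkdtemp(prefix="winroot_")
    with open(os.path.join(directory, "regedit.exe"), "wb") as f:
        f.write(b"MZ" + b"\0" * 62)       # fake header only, not a real PE file
    with open(os.path.join(directory, "taskmgr.exe"), "wb") as f:
        f.write(b"MZ" + b"\0" * 62)
    open(os.path.join(directory, "regedit.com"), "wb").close()   # the empty shadow
    return directory


if __name__ == "__main__":
    root = build_demo_dir()
    for hit in find_shadowed(root, ["regedit", "taskmgr", "cmd", "msconfig"]):
        print("%s -> %s (%d bytes), shadows %s"
              % (hit["command"], hit["resolved"], hit["size"], hit["shadows"]))
```

Pointed at a real %SystemRoot% and %SystemRoot%\system32 the same function works unchanged. The fix is to delete the bogus .com file; in the meantime, typing the full name regedit.exe skips the extension search and runs the genuine tool.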