
Computer Problem


8 replies to this topic

#1 maddawg08

Posted 29 May 2006 - 12:16 PM

My dad has troj_hijack.j on his computer and I've tried deleting/removing/cleaning it and none of them worked, it just said unable to delete. I also couldn't start in safe mode; when I click to start in safe mode it shows all of the files on the screen running by and then it never starts up Windows. I was wondering if you guys could analyze my HijackThis log and tell me what things look suspicious, because there is obviously something deeper than just that one trojan <3.

Logfile of HijackThis v1.99.1
Scan saved at 1:20:12 PM, on 5/29/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\atlyb.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\ACTNSTA.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Documents and Settings\pap\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\WINDOWS\system32\ipau32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Olympus\DeviceDetector\devdtct2.exe
C:\Program Files\Handspring\Hotsync.exe
C:\Program Files\ScanSoft\NaturallySpeaking\8\Program\natspeak.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Documents and Settings\pap\Desktop\HijackThis.exe
C:\Program Files\Trend Micro\OfficeScan Client\TSC.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ddazc.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ddazc.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ddazc.dll/sp.html#88449%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:8080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Class - {A5D041F1-3116-D1DA-4877-515DA73CA3B5} - C:\WINDOWS\system32\mfcov.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ACTNSTA.EXE] ACTNSTA.EXE START
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPScheduler] "C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe"
O4 - HKLM\..\Run: [ntug.exe] C:\WINDOWS\ntug.exe
O4 - HKLM\..\Run: [ntuc.exe] C:\WINDOWS\ntuc.exe
O4 - HKLM\..\Run: [netra.exe] C:\WINDOWS\system32\netra.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\pap\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking\8\Program\ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking\8\Program\ereg.ini"
O4 - HKLM\..\Run: [ipau32.exe] C:\WINDOWS\system32\ipau32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\8\Program\natspeak.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\devdtct2.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.winbook.com
O15 - Trusted Zone: *.camperconnection.net
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pwrlaw.local
O17 - HKLM\Software\..\Telephony: DomainName = pwrlaw.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pwrlaw.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pwrlaw.local
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\atlyb.exe
O23 - Service: Abm156 - Unknown owner - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe


#2 miekiemoes (Malware Response Team)

Posted 30 May 2006 - 09:31 AM

Hello,

It's better to print out the next instructions or save them in Notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

Download AboutBuster.
Unzip AboutBuster.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
You may not run AboutBuster yet; that's for later.

* Please download Ewido anti-malware; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

* Please reboot your system into SAFE MODE.
To get into the Windows XP Safe mode as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, click Scan and put a checkmark next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ddazc.dll/sp.html#88449%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ddazc.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ddazc.dll/sp.html#88449%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Class - {A5D041F1-3116-D1DA-4877-515DA73CA3B5} - C:\WINDOWS\system32\mfcov.dll
O4 - HKLM\..\Run: [ntug.exe] C:\WINDOWS\ntug.exe
O4 - HKLM\..\Run: [ntuc.exe] C:\WINDOWS\ntuc.exe
O4 - HKLM\..\Run: [netra.exe] C:\WINDOWS\system32\netra.exe
O4 - HKLM\..\Run: [ipau32.exe] C:\WINDOWS\system32\ipau32.exe
O15 - Trusted Zone: *.camperconnection.net
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\atlyb.exe
O23 - Service: Abm156 - Unknown owner - (no file)


* Close all open windows except hijackthis and click 'Fix Checked'.

* Navigate to and delete the following files if present:

C:\WINDOWS\atlyb.exe
C:\WINDOWS\system32\ipau32.exe
C:\WINDOWS\ntug.exe
C:\WINDOWS\ntuc.exe
C:\WINDOWS\system32\netra.exe

* Start AboutBuster and let it scan.
The log will be saved in the AboutBuster folder.
If you get any error using AboutBuster, it's important you let me know afterwards in your next reply.
So skip this step in case of error and proceed with the next step of this fix.

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Now open Ewido anti-malware and click on Scanner.

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Close Ewido

* Reboot your PC back to normal.

* Perform an online scan with Panda (please use this scanner instead of any other scanner!):
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply, together with a new HijackThis log,
the log from Ewido and the AboutBuster log, which will be present in the AboutBuster folder.

Edited by miekiemoes, 30 May 2006 - 09:32 AM.

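An added example (my own code, not from this thread, from HijackThis or from BleepingComputer): a small Python triage script that parses HijackThis-style R/O entries and flags them with the same kind of heuristics the helper used to pick the lines above (res:// search-page redirects into a DLL, orphaned or Windows-directory BHOs, Run values named after a bare executable in %WINDIR%, Trusted Zone additions, services with garbage names, no owner or no file). The sample lines are copied from the first log in this thread; the allowlist and the rule thresholds are my assumptions.

```python
"""Triage helper for HijackThis v1.99.x log entries: flags the kinds of lines
a forum helper picks for 'Fix Checked' (see the reasons in _check below)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

WINDIR = r"c:\windows"
# Placeholder allowlist: legitimate binaries that would otherwise trip the
# "value name equals file name" rule (ctfmon.exe appears in the log above).
KNOWN_GOOD_RUN = {"ctfmon.exe"}

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: .+?(?: \((?P<short>[^)]*)\))? - (?P<owner>.*?) - (?P<path>.*)$")
EXE_RE = re.compile(r'^"?(?P<p>.+?\.(?:exe|scr|pif|com|bat))"?(?:\s|$)', re.I)

# Constructed sample: entries copied from the first HijackThis log in this
# thread, plus benign lines (SynTPEnh, ctfmon, tmlisten) for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ddazc.dll/sp.html#88449%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Class - {A5D041F1-3116-D1DA-4877-515DA73CA3B5} - C:\WINDOWS\system32\mfcov.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ntug.exe] C:\WINDOWS\ntug.exe
O4 - HKLM\..\Run: [ipau32.exe] C:\WINDOWS\system32\ipau32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: *.camperconnection.net
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\atlyb.exe
O23 - Service: Abm156 - Unknown owner - (no file)
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def _in_windir(path: str) -> bool:
    """True when the file sits directly in the Windows or system32 directory."""
    return ntpath.dirname(path).lower() in (WINDIR, WINDIR + r"\system32")


def _check(sec: str, body: str) -> Optional[str]:
    """Return why an entry deserves a second look, or None if it looks fine."""
    if sec in ("R0", "R1") and "res://" in body and ".dll" in body.lower():
        return "IE start/search page redirected into a DLL resource (hijacker-style)"
    if sec == "R3" and "is missing" in body:
        return "default URLSearchHook has been removed"
    if sec == "O2" and (m := O2_RE.match(body)):
        if m.group("path") == "(no file)":
            return "orphaned BHO registration (CLSID with no DLL on disk)"
        if _in_windir(m.group("path")):
            return "BHO loaded straight from the Windows directory; verify its publisher"
    if sec == "O4" and (m := O4_RE.match(body)) and (e := EXE_RE.match(m.group("cmd").strip())):
        base = ntpath.basename(e.group("p")).lower()
        if (m.group("name").lower() == base and _in_windir(e.group("p"))
                and base not in KNOWN_GOOD_RUN):
            return "Run value named after a bare executable in the Windows directory"
    if sec == "O15":
        return "domain added to the IE Trusted Zone; confirm it was added on purpose"
    if sec == "O23" and (m := O23_RE.match(body)):
        short, owner, path = m.group("short") or "", m.group("owner"), m.group("path")
        if path == "(no file)":
            return "service registered with no binary on disk"
        if short and not re.fullmatch(r"[\w .-]+", short):
            return "service short name contains garbage/non-printable characters"
        if owner in ("Unknown owner", "") and ntpath.dirname(path).lower() == WINDIR:
            return "unowned service running from the root of the Windows directory"
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan every Rn/On entry in a HijackThis log and collect the flagged ones."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, 'Running processes' block, blank lines
        reason = _check(m.group("sec"), m.group("body"))
        if reason:
            findings.append(Finding(m.group("sec"), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The rules are deliberately narrow (a flagged line means "look at it", not "delete it"); a real triage would also compare each path against a known-good database, as the helper does from experience.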

#3 maddawg08 (Topic Starter)

Posted 03 June 2006 - 03:29 PM

Incident Status Location

Virus:W32/Smitfraud.D Disinfected C:\WINDOWS\system32\wininet.dll
Adware:adware/searchaid Not disinfected C:\WINDOWS\n_ibwvce.log
Virus:Trj/Mitglieder.BO Disinfected Personal Folders\Inbox\price_08.zip[Loader/doc_01.exe]
Virus:W32/Mytob.EI.worm Disinfected Personal Folders\Inbox\jubynctk\account-details.zip[account-details.htm .exe]
Virus:W32/Mytob.EI.worm Disinfected Personal Folders\Inbox\SECURITY MEASURES\info-text.zip[info-text.htm .scr]
Virus:W32/Mytob.EI.worm Disinfected Personal Folders\Inbox\Notice: **Last Warning**\instructions.zip[instructions.doc .scr]
Virus:W32/Mytob.FR.worm Disinfected Personal Folders\Inbox\Important Notification\zybezuo.zip[zybezuo.txt .pif]
Virus:W32/Mytob.FR.worm Disinfected Personal Folders\Inbox\Members Support\document.zip[document.htm .scr]
Virus:W32/Mytob.FR.worm Disinfected Personal Folders\Inbox\Notice of account limitation\important-details.zip[important-details.doc .exe]
Virus:JS/Illwill.A Disinfected Archive Folders\Deleted Items\price2.zip[price.html]
Virus:W32/Bagle.AM.worm Disinfected Archive Folders\Deleted Items\price2.zip[price/price.exe]
Virus:JS/Illwill.A Disinfected Archive Folders\Deleted Items\price2.zip[price.html]
Virus:W32/Bagle.AM.worm Disinfected Archive Folders\Deleted Items\price2.zip[price/price.exe]
Virus:JS/Illwill.A Disinfected Archive Folders\Deleted Items\new__price.zip[price.html]
Virus:W32/Bagle.AM.worm Disinfected Archive Folders\Deleted Items\new__price.zip[price/price.exe]
Virus:JS/Illwill.A Disinfected Archive Folders\Deleted Items\price_new.zip[price.html]
Virus:W32/Bagle.AM.worm Disinfected Archive Folders\Deleted Items\price_new.zip[price/price.exe]
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\pap\Cookies\pap@ccbill[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\pap\Cookies\pap@ccbill[2].txt
Spyware:Cookie/Outster Not disinfected C:\Documents and Settings\pap\Cookies\pap@outster[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\pap\Cookies\pap@banner[1].txt
Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\pap\Cookies\pap@c.fsx[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\pap\Cookies\pap@searchportal.information[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\pap\Cookies\pap@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\pap\Cookies\pap@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\pap\Cookies\pap@dist.belnk[2].txt
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\PPhillips\Local Settings\Temporary Internet Files\Content.IE5\UX2ZCDSX\nc[1].anr

Logfile of HijackThis v1.99.1
Scan saved at 4:29:31 PM, on 6/3/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\soundman.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\ACTNSTA.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\Dit.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Documents and Settings\pap\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Olympus\DeviceDetector\devdtct2.exe
C:\Program Files\Handspring\Hotsync.exe
C:\Program Files\ScanSoft\NaturallySpeaking\8\Program\natspeak.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\pap\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:8080
O2 - BHO: (no name) - {A5D041F1-3116-D1DA-4877-515DA73CA3B5} - (no file)
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ACTNSTA.EXE] ACTNSTA.EXE START
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPScheduler] "C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\pap\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking\8\Program\ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking\8\Program\ereg.ini"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_41898] C:\WINDOWS\System32\ActiveScan\pavdr.exe xPanda ActiveScan 41898
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\8\Program\natspeak.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\devdtct2.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.winbook.com
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pwrlaw.local
O17 - HKLM\Software\..\Telephony: DomainName = pwrlaw.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pwrlaw.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pwrlaw.local
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Abm156 - - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:29:02 PM, 6/3/2006
+ Report-Checksum: 90D078A

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{4DF5116B-0DFE-9D51-AA17-CE70AC5E652D} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F9AD27F1-50B4-A52F-10E5-9CAEB34A9715} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\WinHound.com -> Spyware.WinHound : Error during cleaning
HKLM\SOFTWARE\WinHound.com\WinHound -> Spyware.WinHound : Error during cleaning
HKLM\SOFTWARE\WinHound.com\WinHound\WinHound -> Spyware.WinHound : Error during cleaning
HKLM\SOFTWARE\WinHound.com\WinHound\WinHound\License -> Spyware.WinHound : Cleaned with backup
C:\WINDOWS\system32\oleext.dll -> Trojan.Small.ev : Cleaned with backup
C:\Documents and Settings\pap\Cookies\pap@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\pap\Cookies\pap@hypertracker[2].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\pap\Cookies\pap@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\pap\Cookies\pap@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\pap\Cookies\pap@webstat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\pap\Cookies\pap@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\pap\Cookies\pap@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\pap\Cookies\pap@com[3].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\pap\Cookies\pap@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\pap\Cookies\pap@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\pap\Cookies\pap@com[4].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\pap\Cookies\pap@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\pap\Application Data\WinHound.com -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\pap\Application Data\WinHound.com\WinHound -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\pap\Application Data\WinHound.com\WinHound\Autorun -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\pap\Application Data\WinHound.com\WinHound\Autorun\StartMenuAllUsers -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\pap\Application Data\WinHound.com\WinHound\Autorun\StartMenuCurrentUser -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\pap\Application Data\WinHound.com\WinHound\Autorun\HKCURun -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\pap\Application Data\WinHound.com\WinHound\Autorun\HKCURun\RunOnce -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\pap\Application Data\WinHound.com\WinHound\Autorun\HKCURun\RunOnceEx -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\pap\Application Data\WinHound.com\WinHound\Autorun\HKLMRun -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\pap\Application Data\WinHound.com\WinHound\Autorun\HKLMRun\RunOnce -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\pap\Application Data\WinHound.com\WinHound\Autorun\HKLMRun\RunOnceEx -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\pap\Application Data\WinHound.com\WinHound\BrowserObjects -> Adware.WinHound : Cleaned with backup
C:\Documents and Settings\PPhillips\Cookies\pphillips@news.com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\PPhillips\Cookies\pphillips@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\PPhillips\Cookies\pphillips@programs.wegcash[2].txt -> TrackingCookie.Wegcash : Cleaned with backup
:mozilla.13:C:\Documents and Settings\PPhillips\Application Data\Mozilla\Firefox\Profiles\3wdd0ap9.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.16:C:\Documents and Settings\PPhillips\Application Data\Mozilla\Firefox\Profiles\3wdd0ap9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\System Volume Information\_restore{0C5726D2-A294-4817-9D88-5BB798D5FC4B}\RP391\A0010630.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{0C5726D2-A294-4817-9D88-5BB798D5FC4B}\RP394\A0010751.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{0C5726D2-A294-4817-9D88-5BB798D5FC4B}\RP407\A0011400.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{0C5726D2-A294-4817-9D88-5BB798D5FC4B}\RP407\A0011402.dll -> Downloader.Agent.bc : Cleaned with backup
C:\System Volume Information\_restore{0C5726D2-A294-4817-9D88-5BB798D5FC4B}\RP408\A0011405.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{0C5726D2-A294-4817-9D88-5BB798D5FC4B}\RP408\A0011406.exe -> Trojan.Agent.bi : Cleaned with backup


::Report End

AboutBuster 6.02
Scan started on [6/3/2006] at [2:10:35 PM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Streams(ADS) not scanned: System not NTFS
-------------------------------------------------------------
Removed File! : C:\WINDOWS\hnwkk.dat
Removed File! : C:\WINDOWS\cwdhwv.dat
Removed File! : C:\WINDOWS\gopmcr.dat
Removed File! : C:\WINDOWS\hhugmu.dat
Removed File! : C:\WINDOWS\hsaapy.dat
Removed File! : C:\WINDOWS\kqmpej.dat
Removed File! : C:\WINDOWS\fytouy.log
Removed File! : C:\WINDOWS\uojkhy.dat
Removed File! : C:\WINDOWS\yxnvmf.dat
Removed File! : C:\WINDOWS\ttswoi.dat
Removed File! : C:\WINDOWS\kpqinv.dat
Removed File! : C:\WINDOWS\opucwa.dat
Removed File! : C:\WINDOWS\oizwyd.dat
Removed File! : C:\WINDOWS\cqwucf.dat
Removed File! : C:\WINDOWS\ylueis.dat
Removed File! : C:\WINDOWS\ucqlcl.dat
Removed File! : C:\WINDOWS\exhvlp.dat
Removed File! : C:\WINDOWS\awqqdf.dat
Removed File! : C:\WINDOWS\bpvkfj.dat
Removed File! : C:\WINDOWS\jioakc.dat
Removed File! : C:\WINDOWS\vvvofp.dat
Removed File! : C:\WINDOWS\gzcpew.dat
Removed File! : C:\WINDOWS\hshjpz.dat
Removed File! : C:\WINDOWS\kvdwad.dat
Removed File! : C:\WINDOWS\ipcd.exe
Removed File! : C:\WINDOWS\dlbyin.dat
Removed File! : C:\WINDOWS\evoatr.dat
Removed File! : C:\WINDOWS\onhlky.dat
Removed File! : C:\WINDOWS\n_rqqjey.log
Removed File! : C:\WINDOWS\xyetwi.log
-------------------------------------------------------------
Removed Temp Files
Internet Explorer Settings Reset!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 2:14:54 PM


While in safe mode I ran HijackThis and removed what you told me, although I couldn't find some of them. Also, I removed O2 - BHO: (no name) - {A5D041F1-3116-D1DA-4877-515DA73CA3B5} - (no file) several times, and each time it came back. Other than that I encountered no problems while following your instructions; thank you ahead of time for your help.
P.S. One more thing: I ran Spybot after posting this, without visiting any websites or really using this computer, and Spybot is showing WinHound and CoolWWWSearch. It seems almost impossible to remove WinHound, because every time I run Spybot it's there, and every time I choose the option to remove it, it never can, even if I choose the option to run Spybot when Windows starts. CoolWWWSearch I remove every time, and every time there it is again.

Edited by maddawg08, 03 June 2006 - 06:54 PM.


#4 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 04 June 2006 - 02:21 AM

Hello,

It looks like your wininet.dll is infected as well.
So we'll deal with that - next fix also deals with the Winhound key in the registry...

It's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page won't be available then.
It is also important that you don't miss a step and perform everything in the right order!!

* Download smitRem and save the file to your desktop.
Double-click it and choose Install. This will create a new folder on your desktop with the name smitrem.

* Download the next attachment: [attachment=860:attachment]
Unzip it.

* Reboot into Safe Mode (without networking support!)
To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Open the delbho.zip folder and double-click delbho.bat

* Reboot back into Windows normal mode.

Post a new HijackThis log and the contents of smitfiles.txt, which is present on your home drive (C:\ in most cases), in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 maddawg08
  • Topic Starter
  • Members
  • 10 posts

Posted 04 June 2006 - 07:37 PM

smitRem log file
version 2.9

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: Sun 06/04/2006
The current time is: 20:28:32.27

Running from
C:\Documents and Settings\pap\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key

WinHound.com key present!



Running WinHound.com fix!



WinHound.com key was successfully removed! :thumbsup:


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

amcompat.tlb
nscompat.tlb


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 728 'explorer.exe'
Killing PID 728 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :flowers:


Logfile of HijackThis v1.99.1
Scan saved at 8:41:27 PM, on 6/4/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\ACTNSTA.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\Dit.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Olympus\DeviceDetector\devdtct2.exe
C:\Program Files\Handspring\Hotsync.exe
C:\Program Files\ScanSoft\NaturallySpeaking\8\Program\natspeak.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\PROGRA~1\Dantz\RETROS~1\retrospect.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\pap\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:8080
O2 - BHO: (no name) - {A5D041F1-3116-D1DA-4877-515DA73CA3B5} - (no file)
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ACTNSTA.EXE] ACTNSTA.EXE START
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPScheduler] "C:\Program Files\ScanSoft\PaperPort\PPScheduler.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\pap\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\Dantz\RETROS~1\RetroExpress.exe /h
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking\8\Program\ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking\8\Program\ereg.ini"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\8\Program\natspeak.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\devdtct2.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Handspring\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.winbook.com
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = pwrlaw.local
O17 - HKLM\Software\..\Telephony: DomainName = pwrlaw.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = pwrlaw.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = pwrlaw.local
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Abm156 - - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

thx for all your help :-)
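
As an added example, not code from this thread, from HijackThis or from the smitRem/Avenger tools: a small Python triage pass over a log in the format posted above. The sample excerpt is copied from this thread's own HijackThis entries, and the rules encode the points the thread itself raises: the O2 BHO and O23 service entries left with "(no file)" (orphaned registry entries from an incomplete removal), an O4 autorun launched from a temp folder, the O6 IE policy restrictions, and the R1 proxy setting that should be confirmed as intentional. The severity wording in the reasons is my own.

```python
import re

# Excerpt of the HijackThis 1.99.1 log posted in this thread, embedded as sample input.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:8080
O2 - BHO: (no name) - {A5D041F1-3116-D1DA-4877-515DA73CA3B5} - (no file)
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [MXOBG] C:\Documents and Settings\pap\Local Settings\Temp\{231F68F4-70E4-41A6-BEDA-7E7934169B54}\MXOALDR.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: Abm156 - - (no file)
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
"""

# HijackThis entry lines look like "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# Autoruns that start from a temp directory deserve a look; legitimate ones are rare.
TEMP_DIR_RE = re.compile(r"\\(Temp|Temporary Internet Files)\\", re.IGNORECASE)


def parse_entries(log_text):
    """Yield (section, body) pairs for every HijackThis entry line in the log.

    Header lines and the 'Running processes' block do not match ENTRY_RE and are skipped.
    """
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return a list of (section, reason, body) for entries a responder should review."""
    findings = []
    for section, body in parse_entries(log_text):
        if section == "O2" and body.endswith("(no file)"):
            # CLSID is still registered under Browser Helper Objects but its DLL is gone.
            findings.append((section, "orphaned BHO entry: CLSID registered but DLL is gone", body))
        elif section == "O23" and body.endswith("(no file)"):
            findings.append((section, "orphaned service: registered but binary is gone", body))
        elif section == "O4" and TEMP_DIR_RE.search(body):
            findings.append((section, "autorun launches from a temp directory", body))
        elif section == "O6":
            findings.append((section, "IE policy restrictions present (common hijacker lockdown)", body))
        elif section == "R1" and "ProxyServer" in body:
            findings.append((section, "proxy server configured; confirm it is intentional", body))
    return findings


def main():
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {body}")


if __name__ == "__main__":
    main()
```

The findings are review prompts, not verdicts: the O4 entry from the Temp folder here belongs to the Maxtor OneTouch loader, which is why a human still checks each flagged line.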

#6 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 June 2006 - 02:55 AM

Hmm, strange, the next entry is still present there:

O2 - BHO: (no name) - {A5D041F1-3116-D1DA-4877-515DA73CA3B5} - (no file)

Was your Internet Explorer closed when you used delbho.reg?
Please check and fix the above entry again.

If it won't remove, perform next:

* Download: Registrar Lite

* Start Registrar Lite
Copy and paste the next (bold) line into the address bar at the top of Registrar Lite:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5D041F1-3116-D1DA-4877-515DA73CA3B5}

Click the green Go button.
You'll see a purple/pink folder highlighted in the left pane with the name {A5D041F1-3116-D1DA-4877-515DA73CA3B5}
Right-click and select Properties
Click the Permissions Button and a new window will open.
Click the Advanced button

Place a checkmark next to the following:
'Inherit from parent the permission entries that apply to child objects...'

Click OK, OK again, and right-click on the purple/pink {A5D041F1-3116-D1DA-4877-515DA73CA3B5} and choose Delete.

Please make sure your IE is closed before doing so!!

Let me know if that worked.

#7 maddawg08
  • Topic Starter
  • Members
  • 10 posts

Posted 05 June 2006 - 12:12 PM

When I right-click the folder and click Properties I get an error that says: 5: access denied. And yes, I am logged into an administrative account :-P. I'll try it in safe mode and see if that helps; if not, I'll wait until you reply :-). Thx again for all your help.

P.S. I was not running IE when I ran delbho.reg, and also I tried to remove the entry using HijackThis again, but when I scanned again there it was.

P.P.S. I tried it in safe mode and got the same error, so that didn't help. Also, I have just noticed that Service Pack 2 isn't installed on this computer and neither are many other important updates, but because I don't want to change anything while we are trying to fix it, I will wait until you reply before proceeding to install any further updates.

Edited by maddawg08, 05 June 2006 - 12:40 PM.


#8 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 June 2006 - 06:27 AM

Ok, let's try this another way...
If that still fails, you really don't have to worry about that orphaned entry, because it won't do anything since nothing is attached to it anymore.

Perform the next steps:

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Copy next text present in the quotebox below and paste it in the View/edit script Window:

    registry keys to delete:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5D041F1-3116-D1DA-4877-515DA73CA3B5}


    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
3. The Avenger will automatically do the following:
  • Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, briefly open a black command window on your desktop, this is normal.
  • After the restart, create a log file that should open with the results of The Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of avenger.txt into your reply along with a fresh HJT log by using Add/Reply

#9 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 12 June 2006 - 05:26 PM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



