Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Not Sure What I Have


  • This topic is locked This topic is locked
11 replies to this topic

#1 Richard1279

Richard1279

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 22 September 2006 - 10:47 AM

Yesterday I came home to find my pc infected with stonedrv.exe, as well as a few other files. I ran adaware, and trendmicro's housecall (online AV scan) to clean the system. Housecall froze, and the PC restarted. After the restart I manually opened task manager, ended stonedrv.exe, then deleted the file, then went into regedit and deleted the entry in HKCU and HKLM. Then Restarted the pc again.
After this restart I looked closely at the task manager and noticed IEXPLORE.EXE was running, but not under my name...it was running under the user "SYSTEM" (it started up with the pc)... I know that's not supposed to happen, but unfortunately that's the limit of my knowledge with PCs...I do not know how to find WHY it got itself there, WHAT it's doing, or HOW to get rid of it. I'm pretty sure there are infections still on my pc...I ran HJT and this is the log for it:

Logfile of HijackThis v1.99.1
Scan saved at 11:36:52 AM, on 9/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Phoenix\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\Program Files\Dragon Systems\NaturallySpeaking\Program\web_ie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/ht...ALStreaming.cab
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://pximg2.photo.epson.com/pixami/PixamiEpson.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://brianodom.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} (Yahoo! Photos Print-at-Home Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/...printathome.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://aolsvc.aol.com/onlinegames/dinerdas...sh.1.0.0.72.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D55115D9-49E1-4974-90F8-3C0D0CC131D7}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



Any help would be GREATLY appreciated!!!

- Richard

P.S. Don't know if this info will be of any help...
This file DID get flagged by housecall as a malware, but I don't remember the type of malware it was flagged as (the PC crashed and restarted when housecall tried to repair/remove it):
"O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll"
I could not manually delete it either.

Edited by Richard1279, 23 September 2006 - 08:09 AM.


BC AdBot (Login to Remove)

 


#2 Richard1279

Richard1279
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 23 September 2006 - 12:00 PM

Hi all, me again!

I tried that combofix (spelling?) program that I saw were being recommened in some of the other posts, and my pc kept restarting on it's own, and not letting the program finish it's scan! Well, while reading some of the other posts here and other websites that were advertising programs to fix my pc, I had a thought "why not use MS DOS to fix my problem", since that pesky artm_new.dll file seems to start when windows starts...even in safe mode!

So, I pulled out an old windows95 start-up disk I had created many many months ago (my bro's pc needed fixing...but that's another story). now because the file itself has that hidden attribute set, I could not delete it. So, instead of trying to attack the file, I attacked the whole directory (since it was the only file in it). Using the 16-bit name format, I used the deltree.exe command to delete the directory that contained the dll file (command: "deltree c:\docume~1\alluse~1\docume~1\settings" deleting the "settings" directory completely).

Then I thought about iexplore, and how it started as a system process. Then it came to me..."windows cannot start a program that does not exist!", SO, I went into IEXPLORE.EXE's directory (c:\progra~1\intern~1) then used the rename command to change the name of the file (I typed in "rename iexplore.exe trythis", effectively renaming iexplore.exe to "trythis" with no 3-character extension).

I then restarted my pc normally and opened up task manager. And, as I had hoped, iexplore did not start as a system process!!! :huh: I also opened up "my computer" and browsed into the folder that contained artm_new.dll to see if it was written back into the folder. SUCCESS!!! :thumbsup: the folder remained non-existent!!! Then I ran HiJackThis and found the entry for the pesky dll file (which now had that "(file missing)" notation added to the end of it), checked it, and had HJT remove it from the registry.

I restarted the pc, then used "my computer" to go to where iexplore was located (program files\internet explorer), found the file "trythis" that I had renamed, and I renamed it back to "iexplore.exe" and restarted the pc. After the restart, iexplore no longer started up as a system process! :flowers:

Now, after 2 hours, and 6 restarts (just to make sure), the problem seems to be fixed! :huh:

I think I will give it a day, and check for problems tomorrow. Hopefully it won't reappear. This is my HJT log, Please someone check to see if there is anything I missed (I know, I'm being overly cautious):

Logfile of HijackThis v1.99.1
Scan saved at 12:27:04 PM, on 9/23/06
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Phoenix\Desktop\Shortcuts\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\Program Files\Dragon Systems\NaturallySpeaking\Program\web_ie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://pximg2.photo.epson.com/pixami/PixamiEpson.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://brianodom.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Thanks,
- Rich :huh:

Edited by Richard1279, 23 September 2006 - 12:09 PM.


#3 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  •  
  • Local time:04:16 AM

Posted 26 September 2006 - 01:23 PM

Welcome Richard1279! :thumbsup:

Sorry about the wait. Since it has been three days can you please post a fresh Hijackthis log and then we can continue.

Thanks
Jamie

Edited by jamielaw, 26 September 2006 - 02:53 PM.

My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.

Posted Image

#4 Richard1279

Richard1279
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 27 September 2006 - 08:38 AM

Hi Jamie,
Thanks for replying! Here's a fresh hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 9:31:13 AM, on 09/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Phoenix\Desktop\Shortcuts\HiJackThis\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\Program Files\Dragon Systems\NaturallySpeaking\Program\web_ie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://pximg2.photo.epson.com/pixami/PixamiEpson.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://brianodom.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D55115D9-49E1-4974-90F8-3C0D0CC131D7}: NameServer = 205.188.146.145
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Thanks!
- Rich :-)

#5 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  •  
  • Local time:04:16 AM

Posted 28 September 2006 - 01:56 PM

Hey Richard1279

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Wareout:

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved. Please post the contents of this text file (C:\fixwareout\report.txt) in your next reply.

Update Java:

Your version of Java is now outdated. Java vulnerabilites are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of java ( Java Runtime Environment (JRE) 5.0 Update 8 ). Please install it and then reboot your computer.

Remove the older versions of Java:
  • Click Start, Control Panel, Add/Remove Programs.
  • Delete all Java updates except J2SE Runtime Environment 5.0 Update 8
Fix the HJT entries:
  • Open hijackthis and select the DO A SYSTEM SCAN ONLY option.
  • Place a check next to the following items:

    O1 - Hosts: localhost 127.0.0.1
  • Close all open browsers and windows, except hijackthis. Then select fix checked . Now close HJT.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Kaspersky Online Scanner
Go to http://www.kaspersky.com/virusscanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post with another HJT log.
I need the following logs:

C:\fixwareout\report.txt
Kaspersky log
A new Hijackthis log


Thanks
Jamie
My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.

Posted Image

#6 Richard1279

Richard1279
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 30 September 2006 - 11:45 AM

Hi Jamie!

Sorry for the delay in my reply. I did what you instructed me to do, but some things were different from your instructions.

First one was the java update...the website had JRE 5.0 Update 9, so I installed that one.

I did the HJT scan, but found that the entry in question (01 - Hosts: localhost 127.0.0.1) was no longer there!

Here's the logs you requested:


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Searching by size/names...


Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
Directory of C:\WINDOWS\system32

Misc files.

Checking for older varients covered by the Rem3 tool.



------------------------------------------------------------------------------


KASPERSKY ONLINE SCANNER REPORT
September 30, 2006 12:31:47 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 30/09/2006
Kaspersky Anti-Virus database records: 227625


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
N:\

Scan Statistics
Total number of scanned objects 143711
Number of viruses found 13
Number of infected objects 20 / 0
Number of suspicious objects 1
Duration of the scan process 00:50:50

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\ldEA48.tmp Infected: Trojan-Downloader.Win32.Zlob.pg skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Debug\oakley.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\Phoenix\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Phoenix\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Phoenix\Local Settings\Temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Phoenix\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Phoenix\Local Settings\Temp\Perflib_Perfdata_43c.dat Object is locked skipped

C:\Documents and Settings\Phoenix\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Phoenix\Local Settings\History\History.IE5\MSHist012006093020061001\index.dat Object is locked skipped

C:\Documents and Settings\Phoenix\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Phoenix\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Phoenix\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Phoenix\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Phoenix\ntuser.dat Object is locked skipped

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll Infected: Trojan-PSW.Win32.Sinowal.aq skipped

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.dll Infected: Trojan-PSW.Win32.Sinowal.ay skipped

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.dll Infected: Trojan-PSW.Win32.Sinowal.k skipped

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00006.dll Infected: Trojan-PSW.Win32.Sinowal.ay skipped

C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped

C:\Program Files\America Online 8.0\idb\sysnews.lst Object is locked skipped

C:\Program Files\America Online 8.0\idb\sap.dat Object is locked skipped

C:\Program Files\America Online 8.0\idb\APP10393.LST Object is locked skipped

C:\Program Files\America Online 8.0\idb\STYLE.LST Object is locked skipped

C:\Program Files\America Online 8.0\idb\Apps.Lst Object is locked skipped

C:\Program Files\America Online 8.0\idb\spool.lst Object is locked skipped

C:\Program Files\America Online 8.0\idb\Toolbar.lst Object is locked skipped

C:\Program Files\America Online 8.0\idb\main.idx Object is locked skipped

C:\Program Files\America Online 8.0\idb\APP10653.LST Object is locked skipped

C:\Program Files\America Online 8.0\idb\Diction.lst Object is locked skipped

C:\Program Files\America Online 8.0\organize\wizard1279 Object is locked skipped

C:\Program Files\America Online 8.0\organize\wizard1279.aby Object is locked skipped

C:\Program Files\America Online 8.0\organize\wizard1279.abi Object is locked skipped

C:\Program Files\America Online 8.0\storage\stdout.txt Object is locked skipped

C:\Program Files\America Online 8.0\storage\stderr.txt Object is locked skipped

C:\Program Files\America Online 8.0\storage\server.lock Object is locked skipped

C:\Program Files\America Online 8.0\storage\cache.db Object is locked skipped

C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\3.tmp Infected: Worm.Win32.VB.an skipped

C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\11.tmp Infected: Exploit.Java.ByteVerify skipped

C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\13.tmp Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\14.tmp Infected: Trojan.Java.ClassLoader.Dummy.d skipped

C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\15.tmp Infected: Exploit.Java.ByteVerify skipped

C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\1C.tmp Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\30.tmp Suspicious: Exploit.Win32.IMG-WMF skipped

C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\4E.tmp Infected: Trojan-Clicker.Win32.Small.kg skipped

C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\19.tmp Infected: Exploit.Win32.IMG-WMF.u skipped

C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\1D.tmp Infected: Exploit.Win32.IMG-WMF.u skipped

C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\1A.tmp/BlackBox.class Infected: Exploit.Java.ByteVerify skipped

C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\1A.tmp/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped

C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\1A.tmp/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped

C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\1A.tmp ZIP: infected - 3 skipped

C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\1A.tmp CryptFF.b: infected - 3 skipped

C:\Program Files\Trend Micro\Internet Security 2005\Quarantine\37.tmp Infected: Trojan-Downloader.Win32.Small.dkt skipped

C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP11\change.log Object is locked skipped

Scan process completed.



--------------------------------------------------------------------



Logfile of HijackThis v1.99.1
Scan saved at 12:40:13 PM, on 09/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFAGENT.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Documents and Settings\Phoenix\Desktop\Shortcuts\MemTurbo\memturbo.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Phoenix\Desktop\Shortcuts\HiJackThis\HJT.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\Program Files\Dragon Systems\NaturallySpeaking\Program\web_ie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://pximg2.photo.epson.com/pixami/PixamiEpson.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://brianodom.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D55115D9-49E1-4974-90F8-3C0D0CC131D7}: NameServer = 205.188.146.145
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Thanks for taking the time to help!
- Richard

Edited by Richard1279, 30 September 2006 - 11:47 AM.


#7 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  •  
  • Local time:04:16 AM

Posted 01 October 2006 - 03:05 AM

Hey Richard1279

First one was the java update...the website had JRE 5.0 Update 9, so I installed that one.


Nice move! Thanks for notifying me of that I wasn't aware they had updated Java :thumbsup:

I did the HJT scan, but found that the entry in question (01 - Hosts: localhost 127.0.0.1) was no longer there!


Don't worry about that its fine.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\ldEA48.tmp
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.dll
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.dll
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00006.dll


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please could you also empty the Trend Micro quarantine.

Are you experiencing any problems?
My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.

Posted Image

#8 Richard1279

Richard1279
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 01 October 2006 - 03:23 PM

Hi Jamie

Killbox worked without any problems, and restarted my pc. I also deleted everything in the Trend Micro quarantine folder.
Yesterday I had noticed it took a while for IE to show webpages when I typed in a new URL in the address bar. After Killbox restarted the pc, I tried IE again, and noticed the delay is no longer there. :thumbsup:

As far as I can tell, I'm not experiencing any problems :flowers:

Edited by Richard1279, 01 October 2006 - 03:23 PM.


#9 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  •  
  • Local time:04:16 AM

Posted 02 October 2006 - 01:17 AM

Hey Richard1279

I just want to see one more log to be double sure your absolutely clean.

SmitFraudFix:

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.

Posted Image

#10 Richard1279

Richard1279
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:16 PM

Posted 02 October 2006 - 01:42 PM

HI Jamie!

Okay, I ran it, and this is the log it showed:


SmitFraudFix v2.104

Scan done at 14:37:30.91, 10/02/2006
Run from C:\Documents and Settings\Phoenix\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\1024\ FOUND !

C:\Documents and Settings\Phoenix


C:\Documents and Settings\Phoenix\Application Data


Start Menu


C:\DOCUME~1\PHOENIX\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Documents and Settings\\Phoenix\\My Documents\\My Pictures\\phoenixoftheflame.gif"
"SubscribedURL"="C:\\Documents and Settings\\Phoenix\\My Documents\\My Pictures\\phoenixoftheflame.gif"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Documents and Settings\\Phoenix\\Desktop\\your name buddy2.bmp"
"SubscribedURL"="C:\\Documents and Settings\\Phoenix\\Desktop\\your name buddy2.bmp"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="C:\\Documents and Settings\\Phoenix\\Desktop\\Copy of your name buddy2.bmp"
"SubscribedURL"="C:\\Documents and Settings\\Phoenix\\Desktop\\Copy of your name buddy2.bmp"
"FriendlyName"=""

Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End



Thanks again for all your time and patience with me and my pc :thumbsup:

- Rich :flowers:

#11 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  •  
  • Local time:04:16 AM

Posted 02 October 2006 - 03:09 PM

Hey Richard1279! :thumbsup:

Please could you delete this folder: C:\WINDOWS\system32\1024

This is my normal post for when you are clear - which you now are - or seem to be. Please advise of any problems you still have :-

Please pay particular attention to Step A & G!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - You should disable and re-enable system restore to make sure there are no infected files found in a restore point. Sometimes viruses can hide in there and if you ever needed to restore your system you would then re-infect your self
    You can find instructions on how to enable and re enable system restore here:Windows XP System Restore Guide

    Or simply follow these instructions:
    • Click Start, run and type SYSDM.CPL
    • Select the System Restore Tab
    • Check the box to Turn off System Restore on all drives
    • Click Apply and then OK to the confirmation window
    • Then uncheck the box, click apply and then OK.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialise and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
    Computer Safety On line - Anti-Virus
  • Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
    Computer Safety On line - Software Firewalls
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line - Anti-Malware
  • Install HostsMan - HostsMan will add a large list of restricted websites to your hosts file. This will prevent you from visiting some bad websites.
    Download Hostsman here!
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Stand up and be Counted.

NOW is the time you can start to hit back at the people who infected you.
Posted Image
Please take the time to go and complain - that forum has a topic for your infection which is ................ please post as a reply, you do not need to register to do so (but you can if you wish). It will also have a list of other places you can go to to register your complaint, depending on the country you are resident in. Please read the topics and complain, it is only with such complaints to goverment or government agances that something will get done.


Happy Surfing!

Jamie
My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.

Posted Image

#12 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Pits Of Hell
  • Local time:05:16 AM

Posted 05 October 2006 - 10:55 AM

as the problem seems resolved...this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

glad we could help :thumbsup:

thank you jamielaw :flowers:
To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users