
Win32host.exe [RESOLVED]


  • This topic is locked

#1 The Death (Member, 11 posts)
System infected by win32host.exe. Runs programs such as cmd.exe from time to time. Tried software such as Ewido, Regrun and others, but the file still remains in the system. Have even reinstalled the OS, but to no avail.

Logfile of HijackThis v1.99.1
Scan saved at 6:46:26 PM, on 9/5/2006
Platform: Windows 2000 SP4, RC 4.68 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ssmc.exe
C:\Documents and Settings\Nadir\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com.pk/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1157456077174
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O20 - Winlogon Notify: WindowsUpdate - C:\WINNT\system32\pzspl.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Remote Reader Machine - Unknown owner - C:\WINNT\system32\ssmc.exe
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINNT\win32host.exe (file missing)

#2 JSntgRvr (Global Moderator, 11,591 posts)
Hi, The Death :whistling:

Sounds spooky calling you "The Death", but welcome to Geeks to go.

Please download the Service Control (SC.EXE) from here. The download is a .zip file. Extract its contents to the C:\Winnt\System32 folder.

Then go to Start->Run, Type CMD and click OK. The MSDOS window will be displayed. At the prompt type the following and press Enter after each line:

SC Stop Win32Kernel
SC Delete Win32Kernel
Exit


Click here to download WinPFind .
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don't do anything with it yet!
Reboot into Safe Mode

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
  • Double click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete, restart the computer back in Normal Mode.
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next reply!


#3 The Death (Topic Starter, Member, 11 posts)
Thanks for all your help.
I reinstalled Windows but the problem still hasn't gone away. The commands could not be run, as at that time the virus had not been activated. However, processes like cmd.exe are running, so win32host.exe is likely to follow, which always happens after a fresh installation. The log file is below; what do you suggest I do now?

Logfile of HijackThis v1.99.1
Scan saved at 12:29:57 AM, on 11/26/1999
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nadir\Desktop\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com.pk/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1157477642129
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe (file missing)
O23 - Service: Remote Reader Machine - Unknown owner - C:\WINNT\system32\ssmc.exe (file missing)

#4 JSntgRvr (Global Moderator, 11,591 posts)
Hi, The Death :whistling:

There isn't that much we can do with that log. First of all you must install an Antivirus program. Then I need to see a Winpfind log as requested.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

go to Start->Run, Type CMD and click OK. The MSDOS window will be displayed. At the prompt type the following and press Enter after each line:

SC Stop lsass
SC Delete lsass
SC Stop "Remote Reader Machine"
SC Delete "Remote Reader Machine"
Exit


Please post a Winpfind log and install an Antivirus program.
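As an added example (not code from this thread, from HijackThis or from the moderator), the following Python script applies the same triage the moderator did by hand on the O23 service entries above: it parses each O23 line and flags a service when its binary has no company name ("Unknown owner"), when the binary is reported "(file missing)", when the binary sits outside System32 or Program Files, or when it carries a core Windows component name such as lsass.exe but runs from the wrong folder. The sample lines are copied from the logs posted earlier in the thread; the folder and core-binary lists are assumptions for a Windows 2000/XP layout, and the output names are the ones you would hand to sc.exe for stop/delete.

```python
import re
from typing import Optional

# Constructed sample: the O23 lines quoted from the HijackThis logs in this thread.
SAMPLE_LOG = """\
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\\WINNT\\System32\\dmadmin.exe
O23 - Service: Remote Reader Machine - Unknown owner - C:\\WINNT\\system32\\ssmc.exe
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\\WINNT\\win32host.exe (file missing)
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\\WINNT\\lsass.exe (file missing)
"""

# HijackThis O23 layout: "O23 - Service: <display> (<short>) - <owner> - <path> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Assumed lists for a Windows 2000/XP box. Core NT components only ever live in
# %SystemRoot%\System32; a service pointing at one of these names elsewhere is masquerading.
CORE_BINARIES = {"lsass.exe", "services.exe", "svchost.exe", "winlogon.exe",
                 "smss.exe", "csrss.exe"}
SYSTEM32_DIRS = ("c:\\winnt\\system32\\", "c:\\windows\\system32\\")
EXPECTED_PREFIXES = SYSTEM32_DIRS + ("c:\\program files\\",)


def parse_o23(line: str) -> Optional[dict]:
    """Split one HijackThis O23 line into its fields; None if it is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    svc = m.groupdict()
    svc["missing"] = svc["missing"] is not None
    # The short (service) name is what sc.exe expects; fall back to the display name.
    svc["name"] = svc["short"] or svc["display"]
    return svc


def triage_service(svc: dict) -> list:
    """Return the reasons a parsed O23 entry deserves a closer look (empty = looks normal)."""
    reasons = []
    path = svc["path"].lower()
    basename = path.rpartition("\\")[2]
    if svc["owner"] == "Unknown owner":
        reasons.append("no company name in the binary")
    if svc["missing"]:
        reasons.append("service registered but binary absent (orphaned or hidden)")
    if basename in CORE_BINARIES and not path.startswith(SYSTEM32_DIRS):
        reasons.append(f"{basename} outside System32 (masquerading as a core component)")
    elif not path.startswith(EXPECTED_PREFIXES):
        reasons.append("binary outside System32 / Program Files")
    return reasons


def triage_log(log_text: str) -> list:
    """Return [(service name, [reasons]), ...] for every O23 line that raises a flag."""
    flagged = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = triage_service(svc)
        if reasons:
            flagged.append((svc["name"], reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG):
        print(f"{name}: " + "; ".join(reasons))
```

Run against the thread's lines, dmadmin comes out clean while Remote Reader Machine, Win32Kernel and the fake lsass are flagged, the last two for the missing binary and the non-System32 location as well as the absent company name.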

#5 The Death (Topic Starter, Member, 11 posts)
Here's the WinPFind logfile:

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 11/26/1999 12:21:44 AM RHS 39936 C:\WINNT\win32host.exe ()

Checking %System% folder...
WSUD 4/22/2003 2:34:00 AM 1011764 C:\WINNT\SYSTEM32\mfc42u.dll (Microsoft Corporation)
Umonitor 4/22/2003 2:34:00 AM 529168 C:\WINNT\SYSTEM32\RASDLG.DLL (Microsoft Corporation)
PECompact2 8/9/2006 12:03:06 PM 8325544 C:\WINNT\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 8/9/2006 12:03:06 PM 8325544 C:\WINNT\SYSTEM32\MRT.exe (Microsoft Corporation)
winsync 12/7/1999 4:00:00 AM 1309184 C:\WINNT\SYSTEM32\wbdbase.deu ()
PEC2 4/19/2006 10:09:20 PM 619156 C:\WINNT\SYSTEM32\divx.dll (DivX, Inc.)
PECompact2 4/19/2006 10:09:20 PM 619156 C:\WINNT\SYSTEM32\divx.dll (DivX, Inc.)
UPX! 11/26/1999 12:21:44 AM 39936 C:\WINNT\SYSTEM32\eraseme_74226.exe ()

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
12/7/1999 4:00:00 AM HS 24076 C:\WINNT\winnt.bmp ()
12/7/1999 4:00:00 AM HS 48540 C:\WINNT\winnt256.bmp ()
9/5/2006 9:16:46 PM H 21692 C:\WINNT\folder.htt ()
9/5/2006 9:16:46 PM H 271 C:\WINNT\desktop.ini ()
11/26/1999 8:29:42 AM H 1196004 C:\WINNT\ShellIconCache ()
11/26/1999 12:21:44 AM RHS 39936 C:\WINNT\win32host.exe ()
9/5/2006 9:16:46 PM H 21692 C:\WINNT\system32\folder.htt ()
9/5/2006 9:16:46 PM H 271 C:\WINNT\system32\desktop.ini ()
9/5/2006 9:03:18 PM H 1024 C:\WINNT\system32\config\system.LOG ()
11/26/1999 2:53:44 AM H 1024 C:\WINNT\system32\config\software.LOG ()
11/26/1999 12:21:54 AM H 1024 C:\WINNT\system32\config\default.LOG ()
9/5/2006 9:03:18 PM H 1024 C:\WINNT\system32\config\userdiff.LOG ()
9/5/2006 9:03:14 PM H 0 C:\WINNT\system32\config\TempKey.LOG ()
11/26/1999 12:11:38 AM H 1024 C:\WINNT\system32\config\SECURITY.LOG ()
11/26/1999 12:01:52 AM H 1024 C:\WINNT\system32\config\SAM.LOG ()
9/5/2006 10:48:00 PM HS 336 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\be59701c-9316-47d2-9439-2b97ed58dbcb ()
9/5/2006 10:48:00 PM HS 24 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\Preferred ()
9/5/2006 11:12:34 PM H 0 C:\WINNT\inf\oem1.inf ()
9/5/2006 11:06:46 PM H 0 C:\WINNT\inf\oem0.inf ()
12/7/1999 4:00:00 AM H 36672 C:\WINNT\Fonts\app850.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 6352 C:\WINNT\Fonts\cga40850.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 6336 C:\WINNT\Fonts\cga40woa.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 4320 C:\WINNT\Fonts\cga80850.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 4304 C:\WINNT\Fonts\cga80woa.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 23408 C:\WINNT\Fonts\coure.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 31712 C:\WINNT\Fonts\courf.fon (Microsoft Corporation)
9/5/2006 9:17:02 PM HS 67 C:\WINNT\Fonts\desktop.ini ()
12/7/1999 4:00:00 AM H 36656 C:\WINNT\Fonts\dosapp.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 8384 C:\WINNT\Fonts\ega40850.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 8368 C:\WINNT\Fonts\ega40woa.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 5328 C:\WINNT\Fonts\ega80850.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 5312 C:\WINNT\Fonts\ega80woa.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 24480 C:\WINNT\Fonts\marlett.ttf ()
12/7/1999 4:00:00 AM H 57936 C:\WINNT\Fonts\serife.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 81728 C:\WINNT\Fonts\seriff.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 26112 C:\WINNT\Fonts\smalle.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 64656 C:\WINNT\Fonts\sserife.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 89856 C:\WINNT\Fonts\sseriff.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 56336 C:\WINNT\Fonts\symbole.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 5232 C:\WINNT\Fonts\vga850.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 5360 C:\WINNT\Fonts\vgafix.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 5168 C:\WINNT\Fonts\vgaoem.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 7280 C:\WINNT\Fonts\vgasys.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 10976 C:\WINNT\Fonts\8514fix.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 12288 C:\WINNT\Fonts\8514oem.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 9280 C:\WINNT\Fonts\8514sys.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 21504 C:\WINNT\Fonts\smallf.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 5184 C:\WINNT\Fonts\vga860.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 5200 C:\WINNT\Fonts\vga863.fon (Microsoft Corporation)
12/7/1999 4:00:00 AM H 5184 C:\WINNT\Fonts\vga865.fon (Microsoft Corporation)
9/5/2006 9:16:46 PM H 1316 C:\WINNT\Web\webview.css ()
9/5/2006 9:16:46 PM H 4659 C:\WINNT\Web\controlp.htt ()
9/5/2006 9:16:46 PM H 5296 C:\WINNT\Web\default.htt ()
9/5/2006 9:16:46 PM H 3210 C:\WINNT\Web\folder.htt ()
9/5/2006 9:16:46 PM H 13280 C:\WINNT\Web\nethood.htt ()
9/5/2006 9:16:46 PM H 11149 C:\WINNT\Web\recycle.htt ()
9/5/2006 9:16:46 PM H 6489 C:\WINNT\Web\schedule.htt ()
9/5/2006 9:16:46 PM H 8898 C:\WINNT\Web\dialup.htt ()
9/5/2006 9:16:46 PM H 8248 C:\WINNT\Web\wvleft.bmp ()
9/5/2006 9:16:46 PM H 54 C:\WINNT\Web\wvline.gif ()
9/5/2006 9:16:46 PM H 14865 C:\WINNT\Web\wvlogo.gif ()
9/5/2006 9:16:46 PM H 90056 C:\WINNT\Web\classic.bmp ()
9/5/2006 9:16:46 PM H 634 C:\WINNT\Web\classic.htt ()
9/5/2006 9:16:46 PM H 31080 C:\WINNT\Web\folder.bmp ()
9/5/2006 9:16:46 PM H 1024 C:\WINNT\Web\starter.htt ()
9/5/2006 9:16:46 PM H 31080 C:\WINNT\Web\starter.bmp ()
9/5/2006 9:16:46 PM H 31080 C:\WINNT\Web\preview.bmp ()
9/5/2006 9:16:46 PM H 16981 C:\WINNT\Web\imgview.htt ()
9/5/2006 9:16:46 PM H 830 C:\WINNT\Web\deskmovr.htt ()
9/5/2006 9:16:46 PM H 2913 C:\WINNT\Web\safemode.htt ()
9/5/2006 9:16:46 PM H 19355 C:\WINNT\Web\fsresult.htt ()
9/5/2006 9:16:46 PM H 28565 C:\WINNT\Web\standard.htt ()
9/5/2006 9:16:46 PM H 31438 C:\WINNT\Web\webview.js ()
9/5/2006 9:16:46 PM H 12403 C:\WINNT\Web\wvnet.gif ()
9/5/2006 9:16:46 PM H 2642 C:\WINNT\Web\exclam.gif ()
9/5/2006 9:16:46 PM H 842 C:\WINNT\Web\bullet.gif ()
9/5/2006 9:16:46 PM H 80 C:\WINNT\Web\plushot.gif ()
9/5/2006 9:16:46 PM H 59 C:\WINNT\Web\pluscold.gif ()
9/5/2006 9:16:46 PM H 77 C:\WINNT\Web\minhot.gif ()
9/5/2006 9:16:46 PM H 56 C:\WINNT\Web\mincold.gif ()
4/22/2003 2:34:00 AM H 11009 C:\WINNT\Web\ftp.htt ()
8/31/2005 6:44:32 AM H 14053 C:\WINNT\Web\printers.htt ()
12/7/1999 9:00:00 AM RH 65 C:\WINNT\Tasks\desktop.ini ()
11/26/1999 12:01:32 AM H 6 C:\WINNT\Tasks\SA.DAT ()
9/5/2006 10:23:04 PM H 65 C:\WINNT\Downloaded Program Files\desktop.ini ()
9/5/2006 10:23:04 PM H 65 C:\WINNT\Offline Web Pages\desktop.ini ()
11/26/1999 12:01:52 AM S 64 C:\WINNT\CSC\00000001 ()
11/26/1999 12:01:46 AM S 64 C:\WINNT\CSC\csc1.tmp ()
11/26/1999 12:01:52 AM S 64 C:\WINNT\CSC\00000002 ()

Checking for CPL files...
4/22/2003 2:34:00 AM 301328 C:\WINNT\SYSTEM32\appwiz.cpl (Microsoft Corporation)
4/22/2003 2:34:00 AM 237328 C:\WINNT\SYSTEM32\DESK.CPL (Microsoft Corporation)
12/7/1999 4:00:00 AM 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
12/7/1999 4:00:00 AM 118032 C:\WINNT\SYSTEM32\intl.cpl (Microsoft Corporation)
12/7/1999 4:00:00 AM 36112 C:\WINNT\SYSTEM32\irprops.cpl (Microsoft Corporation)
12/7/1999 4:00:00 AM 122128 C:\WINNT\SYSTEM32\main.cpl (Microsoft Corporation)
12/7/1999 4:00:00 AM 303888 C:\WINNT\SYSTEM32\mmsys.cpl (Microsoft Corporation)
12/7/1999 4:00:00 AM 17168 C:\WINNT\SYSTEM32\ncpa.cpl (Microsoft Corporation)
4/22/2003 2:34:00 AM 41232 C:\WINNT\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
12/7/1999 4:00:00 AM 41232 C:\WINNT\SYSTEM32\nwc.cpl (Microsoft Corporation)
4/22/2003 2:34:00 AM 90896 C:\WINNT\SYSTEM32\powercfg.cpl (Microsoft Corporation)
10/30/2001 8:10:00 AM 326144 C:\WINNT\SYSTEM32\joy.cpl (Microsoft Corporation)
4/22/2003 2:34:00 AM 83216 C:\WINNT\SYSTEM32\sticpl.cpl (Microsoft Corporation)
4/22/2003 2:34:00 AM 125712 C:\WINNT\SYSTEM32\SYSDM.CPL (Microsoft Corporation)
12/7/1999 4:00:00 AM 5904 C:\WINNT\SYSTEM32\telephon.cpl (Microsoft Corporation)
12/7/1999 4:00:00 AM 61200 C:\WINNT\SYSTEM32\timedate.cpl (Microsoft Corporation)
12/7/1999 4:00:00 AM 67344 C:\WINNT\SYSTEM32\access.cpl (Microsoft Corporation)
8/29/2002 7:14:40 AM 292352 C:\WINNT\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl (Microsoft Corporation)
12/7/1999 4:00:00 AM 41232 C:\WINNT\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)
8/29/2002 7:14:40 AM 292352 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl (Microsoft Corporation)
9/23/1999 6:44:36 PM 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl (IBM Corporation)

Checking for Downloaded Program Files...
{6414512B-B978-451D-A0D8-FCFDF33E833C} - WUWebControl Class - CodeBase = http://update.micros...b?1157477642129
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://fpdownload.ma...ent/swflash.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINNT\Java\classes\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINNT\Java\classes\xmldso.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
11/26/1999 2:52:04 AM 708 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.microsoft...p...ER}&ar=home
\\Search Page - http://www.microsoft...amp;ar=iesearch
\\Default_Page_URL - http://www.microsoft...p...&ar=msnhome
\\Default_Search_URL - http://www.microsoft...amp;ar=iesearch
\\Local Page - %SystemRoot%\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://google.com.pk/
\\Search Page - http://www.microsoft...amp;ar=iesearch
\\Local Page - C:\WINNT\System32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn...st/srchcust.htm
\\SearchAssistant - http://ie.search.msn...st/srchasst.htm


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{8E718888-423F-11D2-876E-00A0C9082467} - @msdxmLC.dll,-1@1033,&Radio = C:\WINNT\System32\msdxm.ocx ()

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\ShellBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} - 8192 =
\\NEXTID - 8193

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINNT\System32\hticons.dll (Hilgraeve, Inc.)
\\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\Program Files\WinRAR\rarext.dll ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll ()

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager - C:\WINNT\SYSTEM32\mobsync.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\Network.ConnectionTray - {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINNT\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\wzcnotif - wzcdlg.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{9A3B5785-811B-4782-908F-C533A0084126} - (Realtek RTL8139(A) PCI Fast Ethernet Adapter)

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\rnr20.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()
\vnd.ms.radio - C:\WINNT\System32\msdxm.ocx ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Secondly, the commands could only delete the files successfully and failed to stop them. Here is the Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 3:06:49 AM, on 11/26/1999
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\win32host.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Nadir\LOCALS~1\Temp\Rar$EX00.749\WinPFind\winpfind.exe
C:\WINNT\notepad.exe
C:\Documents and Settings\Nadir\Desktop\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com.pk/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1157477642129
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\lsass.exe (file missing)

#6 JSntgRvr (Global Moderator, 11,591 posts)
Hi, The Death :whistling:

Click Here to download AVG Free as an Antivirus program. Install the application and update its definitions.

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.
Modification of the registry can be EXTREMELY dangerous if you do not know exactly what you are doing, so follow the steps listed below EXACTLY. If you cannot perform some of these steps or if you have ANY questions, please ask BEFORE proceeding.

Backing Up Your Registry
  • Go Here and download ERUNT
    (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
  • Install ERUNT by following the prompts
    (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
  • Start ERUNT
    (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
  • Choose a location for the backup
    (the default location is C:\WINDOWS\ERDNT which is acceptable).
  • Make sure that at least the first two check boxes are ticked
  • Press OK
  • Press YES to create the folder.
Registry Modifications

Download the enclosed file: [attachment=10617:attachment]
Save and extract its contents to the desktop. It is a folder containing two (2) files. A Registry Entries file, UserAgent.reg, and a Batch file, DelService.bat . Do nothing with these yet.

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Double click on the UserAgent.reg file and select Yes when prompted to merge it into the registry. Doubleclick on the DelService.bat file. The MSDOS window will flash for a second, that is normal.

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINNT\win32host.exe
C:\WINNT\SYSTEM32\eraseme_74226.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your next reply.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post a fresh Hijackthis log along with the c:\avenger.txt and ActiveScan reports.

#7 The Death (Topic Starter, Member, 11 posts)
Hi JSntgRvr,

AVG healed 13 viruses.

Heres the logfile for Avenger, it could not fix the problem:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Error: selected file does not appear to be a valid script.
Error code: 1813

Heres the logfile for Panda Scan:


Incident Status Location

Virus:W32/Sdbot.ftp.worm Disinfected C:\WINNT\system32\i
Virus:W32/Sdbot.IBR.worm Disinfected C:\WINNT\system32\eraseme_00557.exe
Virus:W32/Sdbot.IBR.worm Disinfected C:\WINNT\system32\eraseme_15548.exe
Adware:Adware/Webdir Not disinfected D:\Softwares\Multimedia\AVICodecPackPlus21.exe[VirtualDNS.dll]
Heres the Hijack This logfile:


Logfile of HijackThis v1.99.1
Scan saved at 5:28:02 PM, on 9/8/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ssmc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\recsl.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\kybrdff_17.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\explorer.exe
c:\drsmartload.exe
c:\ac3_0010.exe
c:\ac3_0010.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\WINNT\TmFkaXI\command.exe
C:\Documents and Settings\Nadir\Desktop\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com.pk/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [mysvcig38] recsl.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_17.exe
O4 - HKLM\..\RunServices: [mysvcig38] recsl.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1157477642129
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TmFkaXI\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Remote Reader Machine - Unknown owner - C:\WINNT\system32\ssmc.exe
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINNT\win32host.exe (file missing)

I'd like to know what is Bundle.zip and what does it do.
Also after completing the Panda scan drsmartload.exe was also seen running. Command prompt also executed some program called dwin.exe. Moreover, Internet connection Wizard, banners and other programs were run from time to time.

What do you suggest?

Thanks for all the help and support.

#8 JSntgRvr (Global Moderator, 11,591 posts)
Hi, The Death :whistling:

I need to know why AVG is not running in the background. Every time you post a Hijackthis log, it seems that you are being reinfected. The bundle.zip contained two (2) files to fix your registry and delete infected services in your computer. Right now, and after seeing your latest log, it will have no effect. You must have AVG running in the background to avoid being reinfected.

1. Download Ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded Ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete, run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close Ewido anti-spyware; do not run a scan just yet.

2. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

4. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

5. IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
  • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your desktop (This is important)
  • Close Ewido and reboot your system back into Normal Mode.
6. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.

#9 The Death (Topic Starter, Member, 11 posts)
Hi JSntgRvr,

Problem is that most of the antiviruses, like AVG, Sophos and others, consume too much memory on my system. So they are usually uninstalled after a scan is done from time to time.

After scanning using Ewidos and rebooting in normal mode there were again instant warnings of the same viruses that had just been fixed. Ewidos would also just terminate during longer scans of the complete system. The log here is what I could get from scanning the drive where applications are and where windows is installed. Also pop ups appeared later just the same as before.

Logfile of Ewidos:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:25:34 AM 11/26/1999

+ Scan result:



C:\WINNT\TmFkaXI\asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\C1QRGT6J\Installer[1].exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\dvserver.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\fp8m03l1e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\ignathlp.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\system32\rsuteext.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
[740] C:\WINNT\system32\ausldpc.dll -> Adware.Look2Me : Error during cleaning.
[848] C:\WINNT\system32\ausldpc.dll -> Adware.Look2Me : Error during cleaning.
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\C1QRGT6J\ucmoreiex[1].exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\C1QRGT6J\ucmoreiex[1].exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\C1QRGT6J\ucmoreiex[1].exe/empty_00000001 -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Start Menu\Programs\UCmore - The Search Accelerator -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Start Menu\Programs\UCmore - The Search Accelerator\How To Uninstall.lnk -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Start Menu\Programs\UCmore - The Search Accelerator\UCmore - The Search Accelerator.lnk -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Start Menu\Programs\UCmore - The Search Accelerator\UCmore Tour.lnk -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\Program Files\TheSearchAccelerator -> Adware.UCmore : Cleaned with backup (quarantined).
C:\Program Files\TheSearchAccelerator\INSTALL.LOG -> Adware.UCmore : Cleaned with backup (quarantined).
C:\Program Files\TheSearchAccelerator\IUCmore.dll -> Adware.UCmore : Cleaned with backup (quarantined).
C:\Program Files\TheSearchAccelerator\TBlogin.users.ucmore.com.4.5.40.0 -> Adware.UCmore : Cleaned with backup (quarantined).
C:\Program Files\TheSearchAccelerator\UNWISE.EXE -> Adware.UCmore : Cleaned with backup (quarantined).
C:\Program Files\TheSearchAccelerator\logo.ico -> Adware.UCmore : Cleaned with backup (quarantined).
C:\Program Files\TheSearchAccelerator\toolbar.cfg -> Adware.UCmore : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UCmore - The Search Accelerator -> Adware.UCmore : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\4T678LAZ\drsmartload195a[1].exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\4T678LAZ\drsmartload46a[1].exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\C1QRGT6J\drsmartload45a[1].exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KXYN0DQF\drsmartload849a[1].exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\CB2P092Z\ac3[1].txt -> Downloader.Agent.awb : Cleaned with backup (quarantined).
C:\WINNT\system32\aaa00000.dll -> Downloader.Agent.awb : Cleaned with backup (quarantined).
C:\WINNT\system32\wfa308b6.dll -> Downloader.Agent.awb : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\C1QRGT6J\ac3_0010[1].exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\C1QRGT6J\al3[1].txt -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINNT\system32\w0094be8.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINNT\system32\w009700d.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\CB2P092Z\MTE3NDI6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KXYN0DQF\loader[1].exe -> Downloader.VB.agk : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\C1QRGT6J\kybrdff_17[1].exe -> Downloader.VB.alg : Cleaned with backup (quarantined).
C:\Documents and Settings\Nadir\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end



Logfile of Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 5:09:56 AM, on 11/26/1999
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spreadno.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Nadir\Desktop\hjt.exe.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com.pk/
R3 - Default URLSearchHook is missing
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [winystems25] spreadno.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [winystems25] spreadno.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1157477642129
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: Explorer - C:\WINNT\system32\i4lo0e33eh.dll
O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\mrapsspc.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Remote Reader Machine - Unknown owner - C:\WINNT\system32\ssmc.exe (file missing)
O23 - Service: Win32 Kernel Update (Win32Kernel) - Unknown owner - C:\WINNT\win32host.exe (file missing)

#10 JSntgRvr (Global Moderator, 11,591 posts)
Hi, The Death :whistling:

Problem is that most of the antiviruses, like AVG, Sophos and others, consume too much memory on my system.


Nope. That is a bad idea. The fact is that you must always have an Antivirus program and a Firewall present. Click Here to Download and install Zone Alarm as a firewall. None of these programs should deplete your resources. Please keep these programs active at all times.

Click here to download Look2Me-Destroyer.exe and save it to your desktop.

Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from here and place it in your C:\Windows\System32 Folder.
#11 The Death (Topic Starter, Member, 11 posts)
Hi JSntgRvr,

I have just reinstalled windows as there was too much adware on my system all of a sudden, even though the system had been scanned with Ewidos. I'm posting a Hijack This logfile of the system right after a fresh installation of windows:

Logfile of HijackThis v1.99.1
Scan saved at 6:20:28 PM, on 9/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\msdtc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\svchost.exe
D:\Softwares\Security\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

#12 JSntgRvr (Global Moderator, 11,591 posts)
Hi, The Death :whistling:

The log looks clear but, unless you install an Antivirus program along with a Firewall, you will be reinfected in no time.

I will leave this topic open for a few days. Feel free to contact me in the event of an infection.

Best wishes!

#13 The Death (Topic Starter, Member, 11 posts)
Hello JSntgRvr,

This is the first problem I run into just after the installation. The first 2 processes I get running are cmd.exe and ftp.exe. From here, all the problems start. Why is it that, even after these files are cleaned and after a new installation, they are running again?

Logfile of HijackThis v1.99.1
Scan saved at 4:22:45 PM, on 11/26/1999
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\msdtc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\ftp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
D:\Softwares\Security\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

#14 JSntgRvr (Global Moderator, 11,591 posts)
Hi, The Death :whistling:

You have some interesting files running in the background that I have only seen in a Server. In addition I do not see any protection whatsoever. Without protecting your computer we are wasting our time.

You may be dealing with a Peer to Peer Network, and that could be the source of your problems. In a P2P Network your computer becomes a decentralized server and files will be shared without being filtered.

I can't continue to help you if you keep your Antivirus and Firewall inactive.

#15 The Death (Topic Starter, Member, 11 posts)
Hi JSntgRvr,
I will get back to you after installing some protection. Thanks for all the advice up till now.