Help needed on security2k.net

Post by henkomannen » September 19th, 2005, 4:28 am

Hi, I have read the instructions for this forum regarding hijackthis, and here is my log:


Logfile of HijackThis v1.99.1
Scan saved at 10:08:07, on 2005-09-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\IPSec Client\LucentIKESvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\IPSec Client\LucentIKE.exe
C:\mysql41\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WebDrive\wdservice.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\WebDrive\webdrive.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\mysql40\bin\winmysqladmin.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Total Commander\TOTALCMD.EXE
c:\Program Files\HiJackThis\HijackThis.exe

O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINDOWS\system32\hp6F49.tmp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WebDriveTray] C:\Program Files\WebDrive\webdrive.exe /trayicon
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [floAt's Media Control] C:\Program Files\FMA 2\sframework\helper\floAtMediaCtrl.exe
O4 - Startup: Mozilla Thunderbird.lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql40\bin\winmysqladmin.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = halmstad.infogate.se
O17 - HKLM\Software\..\Telephony: DomainName = halmstad.infogate.se
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = halmstad.infogate.se
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\System32\btxppanel.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown owner - C:\Apache13\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Apache Tomcat 4.1 - Alexandria Software Consulting - C:\Tomcat41\bin\tomcat.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LucentIKE - Unknown owner - C:\Program Files\IPSec Client\LucentIKESvc.exe
O23 - Service: MySql - Unknown owner - C:/mysql41/bin/mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\WebDrive\wdservice.exe


Thanks in advance!!

/Henrik

Post by henkomannen » September 19th, 2005, 6:42 am

The scenario I am having is that every now and then a Security Alert is popped up in the system tray as a balloon telling me that I have got viruses, worms and spyware/adware in my system that need to be removed. I am then directed to either SpyTrooper or PSGuard via IE.

Also, every time I start IE it is directed to this http://www.security2k.net site no matter what homepage I specify. It also redirects to http://www.security2k.net if I specify certain addresses like Windows Update or Panda's online scan. I have got through this by stopping the redirection (Stop button in browser) and by slightly changing the URL and pressing Enter.

I just finished running TrojanHunter with the following result:

Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Found trojan file: C:\smitRem\LTDFix.exe (InfoFtp.100)
Found trojan file: C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP328\A0095168.exe (InfoFtp.100)
Found trojan file: C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP329\A0095234.exe (InfoFtp.100)
Found trojan file: C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP330\A0095278.exe (InfoFtp.100)
Found trojan file: C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP331\A0095322.exe (InfoFtp.100)
Found trojan file: C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP331\A0106648.exe (InfoFtp.100)
6 trojan files found


And I cleaned them all away. Next I ran the HijackThis again that logged the following:


Logfile of HijackThis v1.99.1
Scan saved at 12:32:34, on 2005-09-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\IPSec Client\LucentIKESvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\IPSec Client\LucentIKE.exe
C:\mysql41\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WebDrive\wdservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\WebDrive\webdrive.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\mysql40\bin\winmysqladmin.exe
C:\Program Files\Total Commander\TOTALCMD.EXE
c:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINDOWS\system32\hp6F49.tmp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WebDriveTray] C:\Program Files\WebDrive\webdrive.exe /trayicon
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 4.2\THGuard.exe
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [floAt's Media Control] C:\Program Files\FMA 2\sframework\helper\floAtMediaCtrl.exe
O4 - Startup: Mozilla Thunderbird.lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql40\bin\winmysqladmin.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = halmstad.infogate.se
O17 - HKLM\Software\..\Telephony: DomainName = halmstad.infogate.se
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = halmstad.infogate.se
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\System32\btxppanel.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown owner - C:\Apache13\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Apache Tomcat 4.1 - Unknown owner - C:\Tomcat41\bin\tomcat.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LucentIKE - Unknown owner - C:\Program Files\IPSec Client\LucentIKESvc.exe
O23 - Service: MySql - Unknown owner - C:/mysql41/bin/mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\WebDrive\wdservice.exe


Would appreciate any help! Thanks!

/Henrik

Post by wng_z3r0 » September 19th, 2005, 11:55 am

hi :)

This is a relatively new bundle, so we need to gather some info before cleaning your computer.

Please download SilentRunners from here

double click it and let it run. Your AV may complain, but make sure that silentrunners runs freely.

When it's done, a text window will pop up. Paste the entire contents here.

thanks.
wng

Post by henkomannen » September 19th, 2005, 2:00 pm

Thanks for your reply! :)

Here is the log from the silent runner execution:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"seticlient" = "C:\Program Files\SETI@home\SETI@home.exe -min" ["University of California, Berkeley"]
"Google Desktop Search" = ""C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup" [null data]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"nvctrl.exe" = "nvctrl.exe" [null data]
"kernel32.dll" = "C:\WINDOWS\system32\mssearchnet.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /installquiet" ["NVIDIA Corporation"]
"Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"Dell QuickSet" = "C:\Program Files\Dell\QuickSet\quickset.exe" [empty string]
"DVDSentry" = "C:\WINDOWS\System32\DSentry.exe" ["Dell - Advanced Desktop Engineering"]
"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"Synchronization Manager" = "C:\WINDOWS\system32\mobsync.exe /logon" [MS]
"DAEMON Tools-1033" = ""C:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"WebDriveTray" = "C:\Program Files\WebDrive\webdrive.exe /trayicon" [null data]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}" = "C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe" ["Google Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = "C:\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"THGuard" = ""C:\Program Files\TrojanHunter 4.2\THGuard.exe"" ["Mischel Internet Security"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{893fad3a-931e-4e53-b515-b1426d63799b}\(Default) = "HomepageBHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hpB6E1.tmp" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\btneighborhood.dll" ["WIDCOMM, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1033\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{04466240-beb3-11d1-be1c-00aa006b77f4}" = "WebDrive Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "rfshext.dll" ["South River Technologies, LLC"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WebDrive\(Default) = "{04466240-beb3-11d1-be1c-00aa006b77f4}"
-> {CLSID}\InProcServer32\(Default) = "rfshext.dll" ["South River Technologies, LLC"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WebDrive\(Default) = "{04466240-beb3-11d1-be1c-00aa006b77f4}"
-> {CLSID}\InProcServer32\(Default) = "rfshext.dll" ["South River Technologies, LLC"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\SETIhome.scr" [" "]


DESKTOP.INI DLL launch in local fixed drive directories:
--------------------------------------------------------

C:\Program Files\Dell\Bluetooth Software\My Bluetooth Places\DESKTOP.INI
[.ShellClassInfo]
CLSID={6af09ec9-b429-11d4-a1fb-0090960218cb}
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\btneighborhood.dll" ["WIDCOMM, Inc."]


Startup items in "henrikj" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\henrikj\Start Menu\Programs\Startup
"Mozilla Thunderbird" -> shortcut to: "C:\Program Files\Mozilla Thunderbird\thunderbird.exe" ["Mozilla.org"]
"WinMySQLadmin" -> shortcut to: "C:\mysql40\bin\winmysqladmin.exe" ["MySQL AB"]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"BTTray" -> shortcut to: "C:\Program Files\Dell\Bluetooth Software\BTTray.exe" ["WIDCOMM, Inc."]
"Service Manager" -> shortcut to: "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll [null data], 01 - 02, 08
%SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 09 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Bluetooth Service, btwdins, "C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe" ["WIDCOMM, Inc."]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
Broadcom ASF IP monitoring service v6.0.3, BAsfIpM, "C:\WINDOWS\System32\basfipm.exe" ["Broadcom Corp."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
iPod Service, iPodService, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
LucentIKE, LucentIKE, "C:\Program Files\IPSec Client\LucentIKESvc.exe" [null data]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
MySql, MySql, "C:/mysql41/bin/mysqld-nt.exe" [null data]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
WebDrive Service, WebDriveService, "C:\Program Files\WebDrive\wdservice.exe" [null data]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 946 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 26 seconds.
---------- (total run time: 1014 seconds)

Post by wng_z3r0 » September 19th, 2005, 2:22 pm

Please go to:
start-->run

and type this in:
regedit

Then click on the FILE menu and select export
Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL

Then, go to start-->run

and type this in:
notepad

Paste this into the box:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"SearchSystemDirs"=dword:00000001
"SearchHidden"=dword:00000001
"IncludeSubFolders"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001


Then click on the FILE menu and select save as
Save the file as regfix.reg. Save the file to the desktop.
IMPORTANT: make sure to save the file as "all types" and NOT as a text file


Now double click on regfix.reg and insert it into the registry.



Then, go here:
c:\windows\system32

and look for these files:
nvctrl.exe
mssearchnet.exe

If you find them, please zip them up and send them to me at
wng_z3r0 (at) carmainc (dot) org


Next: are you using your computer as a server of any kind?
wng
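To pick out, from the two logs above, the entries wng_z3r0 is asking about (the HomepageBHO that loads from a .tmp file in system32, and the nvctrl.exe / mssearchnet.exe values under Policies\Explorer\Run), here is an added triage script. It is an editor's example, not a tool from this thread and not part of HijackThis or Silent Runners. The sample log lines embedded in it are constructed copies of lines quoted above, and the heuristics (a BHO served from a .tmp in system32, any value under Policies\Explorer\Run, a Run value named after a core system DLL, a target Silent Runners marks as not found) are assumptions chosen to match what these logs show, not a general malware signature.

```python
"""Triage HijackThis and Silent Runners output for the autostart entries
discussed in this thread. Added example; not a tool used by the forum."""
import re

# Constructed sample: lines in the shape of the HijackThis log above, with
# benign entries included to show that they are not flagged.
SAMPLE_HJT = r"""
O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINDOWS\system32\hp6F49.tmp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

# Constructed sample in the shape of the Silent Runners output above.
SAMPLE_SILENT_RUNNERS = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"nvctrl.exe" = "nvctrl.exe" [null data]
"kernel32.dll" = "C:\WINDOWS\system32\mssearchnet.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{893fad3a-931e-4e53-b515-b1426d63799b}\(Default) = "HomepageBHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hpB6E1.tmp" [null data]
"""

# HijackThis "O2 - BHO: <name> - {CLSID} - <path>" lines.
HJT_BHO = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+?)\s*$')
# Silent Runners registry key header, e.g. "HKLM\...\Run\ {++}".
SR_KEY = re.compile(r'^(?P<key>HK[A-Z]+\\.*?)\\?\s*(?:\{\+\+\})?\s*$')
# Silent Runners value line: "name" = "data" [signer or status].
SR_VALUE = re.compile(r'^"(?P<name>[^"]*)" = "(?P<data>.*)" \[(?P<sig>[^\]]*)\]\s*$')
# Silent Runners COM server resolution line under a CLSID.
SR_INPROC = re.compile(r'^-> \{CLSID\}\\InProcServer32\\\(Default\) = "(?P<path>[^"]*)" \[(?P<sig>[^\]]*)\]')

# Assumption: no legitimate Run value is named after a core system DLL; the log
# above shows "kernel32.dll" used as the value name for mssearchnet.exe.
SYSTEM_DLL_NAMES = {"kernel32.dll", "user32.dll", "ntdll.dll", "advapi32.dll"}


def _is_tmp_in_system32(path):
    """True for a COM server or BHO that lives in system32 as a .tmp file."""
    low = path.lower().replace("/", "\\")
    return low.endswith(".tmp") and "\\system32\\" in low


def triage_hijackthis(text):
    """Return (section, reason, detail) tuples for suspicious HijackThis lines."""
    findings = []
    for line in text.splitlines():
        m = HJT_BHO.match(line)
        if m and _is_tmp_in_system32(m.group("path")):
            findings.append(("O2", "BHO loads from a .tmp file in system32", m.group("path")))
    return findings


def triage_silent_runners(text):
    """Return (registry key, reason, detail) tuples for Silent Runners output."""
    findings = []
    key = ""
    for line in text.splitlines():
        km = SR_KEY.match(line)
        if km:
            key = km.group("key")  # remember which key the following values belong to
            continue
        vm = SR_VALUE.match(line)
        if vm:
            name, data, sig = vm.group("name"), vm.group("data"), vm.group("sig")
            detail = f"{name} = {data}"
            if key.lower().endswith("policies\\explorer\\run"):
                # Assumption: installers almost never write here; the log above
                # shows the hijacker's two values living under this key.
                findings.append((key, "autostart via Policies\\Explorer\\Run", detail))
            if name.lower() in SYSTEM_DLL_NAMES:
                findings.append((key, "Run value named after a system DLL", detail))
            if sig == "file not found":
                findings.append((key, "autostart target missing on disk", detail))
            continue
        im = SR_INPROC.match(line)
        if im and _is_tmp_in_system32(im.group("path")):
            findings.append((key, "COM server (BHO) loads from a .tmp in system32", im.group("path")))
    return findings


if __name__ == "__main__":
    for finding in triage_hijackthis(SAMPLE_HJT) + triage_silent_runners(SAMPLE_SILENT_RUNNERS):
        print(" | ".join(finding))
```

Run it against a saved log by reading the file into the two triage functions; the output for the constructed sample lists only the HomepageBHO .tmp server and the two Policies\Explorer\Run values, while the NVIDIA and avast! entries pass. Treat the hits as things to verify by hand (check the file on disk, its signer, and who wrote the key), not as a verdict: a missing file or an odd value name is a lead, and the thread's own "(file missing)" service lines show that a parser can mislabel a perfectly legitimate entry.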

Post by henkomannen » September 19th, 2005, 3:09 pm

I stepped through the regedit tips of yours. Should it be followed by an instant reboot? (The behavior still exists when opening IE.)

I tried to e-mail you the zipped nvctrl.exe file but with no success, or did you receive it? The mailscanner at srv01.carmains.org detected the virus and returned me an explaining email. Well. Just tell me if I should go for another try and maybe rename the file.

Yes. I use my computer for development purposes and it acts as a server.

Post by wng_z3r0 » September 19th, 2005, 3:12 pm

ok: i got your email with the attachment removed. I emailed the admin of my webaccount, so she should be able to get it back for me.

Alternatively, could you also upload the file here?

http://www.thespykiller.co.uk/forum/index.php?board=1.0

I will be able to access it from there.
Thanks for your cooperation so far.
wng

edit:
Yes. I use my computer in development purpose and it acts as a server.


that would include running Mysql? Just double checking.

Post by henkomannen » September 19th, 2005, 3:18 pm

It is me that should be thankful! :) Thanks a lot for your help and time.

I will give it a go and try to upload the file to the specified location.

Yes, I'm running mysql, among others. Just ask if you need any specific info.

/Henrik
henkomannen
Active Member
Posts: 9
Joined: September 19th, 2005, 4:24 am

Unread postby wng_z3r0 » September 19th, 2005, 3:32 pm

the upload worked :)
I'm looking at the file now.
wng_z3r0
Admin/Teacher Emeritus
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Unread postby henkomannen » September 19th, 2005, 4:41 pm

Hi again,

just FYI: the problem is still there after a registry edit and a reboot. I even removed the file nvctrl.exe from System32 but without success.

Symantec's online virus scan pointed me to the following viruses:

Download.Trojan and
Trojan.Startpage

Maybe this info could be useful to you:

http://securityresponse.symantec.com/avcenter/venc/data/download.trojan.html
http://securityresponse.symantec.com/avcenter/venc/data/trojan.startpage.html

/Henrik
henkomannen
Active Member
Posts: 9
Joined: September 19th, 2005, 4:24 am

Unread postby wng_z3r0 » September 19th, 2005, 4:51 pm

Yes, the problem should still be there. That file is just the tip of the iceberg of this installer.

I guess we might as well go ahead and clean up your computer as I can get the files on my test box now :)

So: here we go

1.
We are going to install Ewido AV. I have included instructions below, but there is also a PDF created by Spydie here if that suits you better.


Please download Ewido Security Suite; it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

2.
Download Ad-aware Second Edition here and install it. If you already have Ad-aware Second Edition skip to the next step.

Open Ad-aware and click the "Check for updates now" line on the main screen. Click the "Connect" button on the webupdate screen.

If an update is available download it and install it. Click the "Finish" button to go back to the main screen.

Click on the "Settings" button (gear symbol in the upper right corner of the main status screen) in the quick launch toolbar to open the General settings screen. Make sure the "Automatically quarantine objects prior to removal" setting is checked green and then click "Proceed" to save your changes.

Click the "Scan now" button in the main menu on the left side of the main status screen or use the "Start" button in the lower right corner. This will open the Preparing System Scan screen. Please deselect "Search for negligible risk entries", as negligible risk entries (MRUs) are not considered to be a threat. Leave the option for low-risk threats unchecked also. Then select "Use custom scanning options" and click "Customize". This will open the "Scan Settings" page. Make sure all of the following are On with a green checkmark:

  • Scan within archives

Then click on the "Tweak" Button to open up the tweak settings.

Open up the Scanning Engine section and make sure all of the following are On with a green checkmark:
  • Scan registry for all users instead of current user only
Make sure the following is unchecked with a red X:
  • Unload recognized processes & modules during scan.
Open up the Cleaning Engine section and make sure all of the following are On with a green checkmark:

  • Always try to unload modules before deletion
  • During Removal, unload Explorer and IE if necessary
  • Let Windows remove files in use at next reboot.

Click the "Proceed" button to save settings. Click next to begin the scan. When the scan is completed, the Performing System Scan screen will change name to "Scan Complete".

Click the "Next" button to get to the Scanning Results screens, where more information about the objects detected during the scan is available. Click the Critical Objects tab. In general all of the items listed will be bad. To fix all the bad critical objects, right click on one of them to open up the selection screen. Click the "Select All" button to select all entries. Once all are selected, click "Next" and then "OK" in the pop-up window to confirm the removal.

3.
Spybot S & D available from here.

1. Download and install Spybot S&D, accepting the default settings

2. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.

3. Close ALL windows except Spybot S&D

4. Click the button to ‘Search for Updates’ then download and install the Updates.

5. Next click the button ‘Check for Problems'

6. When Spybot is complete, it will be showing 'RED' entries, bold 'Black' entries and 'GREEN' entries in the window

7. Make certain there is a check mark beside all of the RED entries ONLY.

8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.

9. REBOOT to complete the scan and clear memory.

4.
Now for the manual cleaning:
Please go to:
start-->run

and type this in:
regedit

Then click on the FILE menu and select export
Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL

Then, go to start-->run

and type this in:
notepad

Paste this into the box:
REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\explorer\paint.exe]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\explorer\notepad2.exe]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Enable Browser Extensions"="no"


Then click on the FILE menu and select save as
Save the file as regfix.reg. Save the file to the desktop.
IMPORTANT: make sure to save the file as "all types" and NOT as a text file


REALLY IMPORTANT: DON'T DOUBLECLICK ON THIS FILE YET. WE WILL DO THIS IN SAFE MODE

5. Then reboot your computer
As soon as it starts to boot, rapidly press the f8 key.
select safe mode from the menu
If you are still unsure, see here
IF you don't end up in safe mode, shut the computer down and try again.

6.
Now double click on HijackThis.
Click "open the misc tools section"
Click "open process manager"
highlight this file by clicking it:
c:\windows\system32\intmonp.exe

Then press and hold the ctrl key on your keyboard. While still holding down the ctrl key, select this file with your mouse:
C:\WINDOWS\System32\hp5066.tmp

Both files should now be highlighted.

While still holding the ctrl key, select these files as well:
c:\windows\system32\intmon.exe
popuper.exe
C:\WINDOWS\System32\msole32.exe

Then release the ctrl key and press the "kill process" button. You should get a warning; click OK. Now exit HijackThis.

7. Restart HijackThis.

Then click on the button that says run a system scan
Then place a check next to the following items and click "fix"

O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINDOWS\system32\hp6F49.tmp




8. We need to do a search. Start | Search | For Files and Folders.
Expand Search Options, check Advanced Options, check Search system folders, Search hidden files and folders, and Search Subfolders.
Paste this into the Search for files and folders named box:

c:\windows\system32\hhk.dll
c:\windows\system32\intmonp.exe
C:\WINDOWS\System32\hp5066.tmp
c:\windows\system32\intmon.exe
sites.ini
popupper.exe
C:\WINDOWS\System32\wtssu.exe
C:\WINDOWS\System32\msole32.exe

If any of these files are found please delete them.


9. Now, please click on that regfix.reg file that you created on your desktop and merge it into the registry.

Now reboot into normal mode.


10. Restoration: You may notice that some of your programs don't work correctly with the internet. This is because an infection has deleted the Browser Helper Objects. Some common BHOs that may have been deleted:
Spybot's resident IE\
Acrobat
super popup blocker
all the different download accelerators
yahoo/google toolbars
ebay toolbar
as well as others. If you suspect a program has been damaged by the trojan, the best thing to do is to uninstall the program and reinstall it.


Lastly, do you recognize this?
halmstad.infogate.se

Please give me an ewido log, and a new HijackThis log, and whether you recognize that domain.

wng
wng_z3r0
Admin/Teacher Emeritus
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Unread postby henkomannen » September 19th, 2005, 7:04 pm

*bow* Thank you so very much! All problems seem to be removed now and my computer also seems much faster and more responsive than before. Great and structured guidance! :)

Here's my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 00:58:11, on 2005-09-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\IPSec Client\LucentIKESvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\IPSec Client\LucentIKE.exe
C:\mysql41\bin\mysqld-nt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\WebDrive\wdservice.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\WebDrive\webdrive.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\jre1.5.0_04\bin\jusched.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\Bluetooth Software\BTTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\mysql40\bin\winmysqladmin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Total Commander\TOTALCMD.EXE
c:\Program Files\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WebDriveTray] C:\Program Files\WebDrive\webdrive.exe /trayicon
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Mozilla Thunderbird.lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql40\bin\winmysqladmin.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = halmstad.infogate.se
O17 - HKLM\Software\..\Telephony: DomainName = halmstad.infogate.se
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = halmstad.infogate.se
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINDOWS\System32\btxppanel.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown owner - C:\Apache13\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Apache Tomcat 4.1 - Unknown owner - C:\Tomcat41\bin\tomcat.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LucentIKE - Unknown owner - C:\Program Files\IPSec Client\LucentIKESvc.exe
O23 - Service: MySql - Unknown owner - C:/mysql41/bin/mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\WebDrive\wdservice.exe

Clean and nice, huh?

The Ewido scan removed all cookies set in my quest for the virus source before, and nothing else.

Yes, halmstad.infogate.se is something i recognize. :) Never mind that.

Again, thank you! We appreciate you!

/Henrik
henkomannen
Active Member
Posts: 9
Joined: September 19th, 2005, 4:24 am
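Added example, not part of the thread and not HijackThis code: a small Python triage helper that reads the O-section lines of a HijackThis v1.99 log like the one above and flags the kinds of entries the helper acted on in this thread (a BHO loaded from a .tmp file, O16 ActiveX download points, O17 DNS suffixes to confirm, O23 services whose binary is missing). The sample lines are constructed from the log above; the severity labels and reasons are my own, not HijackThis output.

```python
import re
from collections import Counter

# Constructed sample in HijackThis v1.99 log format, modelled on the log in
# the thread: the O2 entry is the one the helper asked to fix, the rest are
# benign entries from the same log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINDOWS\system32\hp6F49.tmp
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = halmstad.infogate.se
O23 - Service: Apache Tomcat 4.1 - Unknown owner - C:\Tomcat41\bin\tomcat.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# "O<n> - <body>"; the header and the "Running processes" list never match.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# A drive-letter path ending in a loadable module, optionally in quotes.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|tmp|cpl|ocx))"?', re.IGNORECASE)


def parse_hjt(text):
    """Return the O-section entries of a HijackThis log as dicts."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"section": m.group(1), "body": m.group(2), "raw": line.strip()})
    return entries


def triage(entries):
    """Return (severity, raw line, reason) tuples for entries worth a second look."""
    findings = []
    for e in entries:
        sec, body, raw = e["section"], e["body"], e["raw"]
        if sec in ("O2", "O4"):
            # BHOs and autoruns are where this thread's infection lived; a .tmp
            # file registered as a browser extension is not how software installs.
            for path in PATH_RE.findall(body):
                if path.lower().endswith(".tmp"):
                    findings.append(("suspicious", raw, f"module loaded from a .tmp file: {path}"))
        elif sec == "O16":
            url = body.rsplit(" - ", 1)[-1]
            findings.append(("review", raw, f"ActiveX control fetched from {url}; confirm the host is trusted"))
        elif sec == "O17":
            domain = body.split("=", 1)[-1].strip()
            findings.append(("review", raw, f"DNS suffix set to {domain}; confirm it is your own network"))
        elif sec == "O23" and body.endswith("(file missing)"):
            findings.append(("info", raw, "service points at a missing binary; orphaned or removed"))
    return findings


def summarize(findings):
    """Count findings per severity label."""
    return dict(Counter(f[0] for f in findings))


if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_LOG))
    for sev, raw, why in found:
        print(f"[{sev}] {raw}\n    {why}")
    print(summarize(found))
```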

Unread postby wng_z3r0 » September 19th, 2005, 7:14 pm

Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset System Restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis



We need to re-hide system files. To do so, please follow the steps below:
  1. Double-click My Computer.
  2. Click the Tools menu, and then click Folder Options.
  3. Click the View tab.
  4. Put a check by "Hide file extensions for known file types."
  5. Under the "Hidden files" folder, select "Show hidden files and folders."
  6. Check "Hide protected operating system files."
  7. Click Apply, and then click OK.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.

If the Service Pack 2 download is too large, you can get a FREE copy on CD from Microsoft here

Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
Change the allow paste operations via script to Disable
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • Download Adaware
    Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial
    The program is available for download here
  • Download Spybot
    Spybot is a scanner like Ad-aware. It scans for spyware and other malicious programs. It is important to have both Ad-aware and Spybot on your computer because each program provides unique detection and protection measures. Spybot has preventive tools that stop programs from even installing on your computer.
    To see how to set this up as well as more spybot features, see here
    Spybot can be downloaded at this location
  • Download SpywareBlaster
    Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes "kill bits" in the registry, so that certain activex controls can't install.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster here
  • Download iespyad
    It puts many bad webpages on your restricted zones list. This means that you can still view the "bad" webpages, but the webpages cannot do certain things (such as use javascripts and cookies).
    If you need help understanding how it works, there is a tutorial here
    Download it here
  • hosts file:
    • Every version of Windows has a hosts file as part of it.
    • In a very basic sense, it is used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button (at the lower left hand corner of your screen)
    2. Click run
    3. In the dialog box, type services.msc
    4. hit enter, then locate dns client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok

  • Use Anti-Virus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online and stand-alone anti-virus programs:
    Computer Safety On line - List of free Anti virus programs
  • Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. See here to choose one
  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    See here to choose one



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.




Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
wng 8)

(Parts of all clean speech courtesy of Chris RLG)
wng_z3r0
Admin/Teacher Emeritus
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Unread postby wng_z3r0 » September 19th, 2005, 7:38 pm

oh, and one more thing!

Please go to:
start-->run

and type this in:
regedit

Then click on the FILE menu and select export
Save the file as backup. Save the file somewhere you will remember and not delete.
IMPORTANT: make sure to set the export range to ALL

Then, go to start-->run

and type this in:
notepad

Paste this into the box:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"SearchSystemDirs"=dword:00000000
"SearchHidden"=dword:00000000
"IncludeSubFolders"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"ShowSuperHidden"=dword:00000000


Then click on the FILE menu and select save as
Save the file as regfix.reg. Save the file to the desktop.
IMPORTANT: make sure to save the file as "all types" and NOT as a text file


Now double click on regfix.reg and insert it into the registry.
Then reboot your computer.


This is to rehide the system files that we exposed during cleaning.
wng
wng_z3r0
Admin/Teacher Emeritus
Posts: 4282
Joined: March 6th, 2005, 8:22 pm
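Added example, not from the thread: a Python parser that previews what regedit would do when merging a .reg file like the ones in step 4 of the cleaning post and in the re-hide post above (REGEDIT4 and "Windows Registry Editor Version 5.00" dialects, [-KEY] deletions, dword and string data), plus a review pass for two mistakes worth catching before double-clicking: deleting a near-root key, and a type tag typed inside the quotes of a string value. The sample .reg contents are constructed after the thread's files; the parser and the review rules are my own.

```python
import re

# Constructed .reg content in the two dialects used in the thread.
REGEDIT4_FIX = r"""REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\explorer\paint.exe]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Enable Browser Extensions"="no"
"""

V5_FIX = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"ShowSuperHidden"=dword:00000000
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# [KEY] creates/opens a key; [-KEY] deletes it and everything below it.
KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+(?:\\[^\]]*)?)\]$")
# "name"=data, or @=data for the key's default value.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def decode_data(data):
    """Map the textual data of a .reg value to (registry type, Python value)."""
    data = data.strip()
    if data == "-":                       # "name"=- removes the value
        return "DELETE", None
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", data)
    if m:
        return "REG_DWORD", int(m.group(1), 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return "REG_SZ", data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("hex:"):
        return "REG_BINARY", bytes(int(b, 16) for b in data[4:].split(",") if b)
    raise ValueError(f"unsupported data syntax: {data!r}")


def parse_reg(text):
    """Return (header, ops): what regedit would do, in order, on merging text.

    text is already-decoded str; regedit writes 5.00 exports as UTF-16LE,
    so decode the file before calling this.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing or unrecognised .reg header (file saved as plain text?)")
    ops, current = [], None
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):   # blank lines and comments
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group(2)
            ops.append({"op": "delete_key" if km.group(1) else "create_key", "key": current})
            continue
        vm = VALUE_RE.match(line)
        if vm and current:
            name = vm.group(1) if vm.group(1) is not None else "(Default)"
            typ, val = decode_data(vm.group(2))
            ops.append({"op": "delete_value" if typ == "DELETE" else "set_value",
                        "key": current, "name": name, "type": typ, "value": val})
            continue
        raise ValueError(f"line {n}: cannot parse {line!r}")
    return lines[0].strip(), ops


def review(ops):
    """Flag merges a reviewer should question before double-clicking the file."""
    notes = []
    for o in ops:
        if o["op"] == "delete_key" and o["key"].count("\\") < 2:
            notes.append(f"deletes a near-root key: {o['key']}")
        if o["op"] == "set_value" and o["type"] == "REG_SZ" and re.match(r"^REG_\w+:", o["value"]):
            notes.append(f"{o['name']}: type tag written inside the string data {o['value']!r}")
    return notes


if __name__ == "__main__":
    for sample in (REGEDIT4_FIX, V5_FIX):
        header, ops = parse_reg(sample)
        print(header)
        for o in ops:
            print("  ", o)
        print("  review:", review(ops) or "nothing flagged")
```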

Unread postby henkomannen » September 20th, 2005, 3:53 am

Thanks again,

my system is behaving normally. I have no more problems, as far as I can see. Thanks for all the instructions.

/Henrik
henkomannen
Active Member
Posts: 9
Joined: September 19th, 2005, 4:24 am