Malware Removal Instructions

funbangladesh


Post by ommi » November 23rd, 2005, 9:34 am

VoG here is the log from HJT:
Logfile of HijackThis v1.99.1
Scan saved at 13:43:35, on 23/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\mplayer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Joe\Local Settings\Temp\HijackThis.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\tftp.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Ocx Service] winocx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft sdDDE Control] mdl.exe
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [sqlREG] C:\mplayer.exe
O4 - HKLM\..\Run: [WinSecure] C:\621.exe
O4 - HKLM\..\Run: [System Service] real.exe
O4 - HKLM\..\RunServices: [Windows Ocx Service] winocx.exe
O4 - HKLM\..\RunServices: [Microsoft sdDDE Control] mdl.exe
O4 - HKLM\..\RunServices: [WinSecure] C:\621.exe
O4 - HKLM\..\RunServices: [System Service] real.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Ocx Service] winocx.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\RunServices: [Windows Ocx Service] winocx.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.c ... ctivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BB94FA1-F80F-412A-A7B9-B8EBA9C37E3D}: NameServer = 217.145.4.33 217.145.4.34
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BB94FA1-F80F-412A-A7B9-B8EBA9C37E3D}: NameServer = 217.145.4.33 217.145.4.34
O17 - HKLM\System\CS2\Services\Tcpip\..\{0BB94FA1-F80F-412A-A7B9-B8EBA9C37E3D}: NameServer = 217.145.4.33 217.145.4.34
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
ommi
Regular Member
 
Posts: 36
Joined: November 23rd, 2005, 9:25 am

Post by VopThis » November 24th, 2005, 10:13 am

Remove 'Spyware Cleaner'. First try Add/Remove option (Control Panel).

It is a "Spyware remover" of dubious repute:
http://castlecops.com/s11563-SpywareCleaner_Exe.html

Run the following malware scanning tools - retain any available results for feedback posting. Fix anything found:

Symantec Security Check
http://security.symantec.com/default.asp
REBOOT.

eTrust AntiVirus Web Scanner
http://www3.ca.com/virusinfo/virusscan.aspx
REBOOT

There are no obvious or clearly definitive Google references for the following file(s) unless you know specifically what they are:

Accordingly, recommend that you paste the complete file PATH or locate (Start>Search) and submit, as needed, the following FILES to http://virusscan.jotti.org/ for possible viruses/Trojans detection analysis and immediate feedback:

HIDDEN FILES: To make sure you can see any and all hidden files, please follow the directions here

mdl.exe
C:\mplayer.exe
real.exe
(all instances)

Let us know what the results/details were for the file(s) in question.

Post any available feedback (such as logs) and a new HJT log
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

Post by ommi » November 24th, 2005, 3:32 pm

Thanks Vop This.
Browsing thru' the mail in the forum I found a mention of Ewido prog. I gave it a try and left it to do its job. It found 60 threats which it removed. And the blasted bangladesh with them. Hope it will not return!!

As a side issue Ewido found some threats which cannot be removed cos they were in winsos.exe! What on earth is this and can I remove them too cos my permission was asked for.
ommi
Regular Member
 
Posts: 36
Joined: November 23rd, 2005, 9:25 am

Post by ommi » November 24th, 2005, 3:34 pm

BTW forgot to tell I removed Spyware Cleaner!
ommi
Regular Member
 
Posts: 36
Joined: November 23rd, 2005, 9:25 am

Post by VopThis » November 24th, 2005, 4:09 pm

As a side issue Ewido found some threats which cannot be removed cos they were in winsos.exe! What on earth is this and can I remove them too cos my permission was asked for.

Some files come inside a packaging file such as a zip or compressed file. Generally at least one or more bad files is sufficient to condemn the containing file. If in doubt, send the file off to JOTTI for another opinion (15MB limit per file).

No one scan can guarantee that all malware has been identified and removed. Even the absence of any obvious problems is not necessarily an all clear sign either.

Recommend that you post your latest HJT log.
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

Post by ommi » November 25th, 2005, 9:13 am

OK Vop This. Here we go with the HJT logfile:
Logfile of HijackThis v1.99.1
Scan saved at 14:11:56, on 25/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\System32\msni.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\621.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Ocx Service] winocx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft sdDDE Control] mdl.exe
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [WinSecure] C:\621.exe
O4 - HKLM\..\Run: [System Service] real.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [AdobeReader] msni.exe
O4 - HKLM\..\RunServices: [Windows Ocx Service] winocx.exe
O4 - HKLM\..\RunServices: [Microsoft sdDDE Control] mdl.exe
O4 - HKLM\..\RunServices: [WinSecure] C:\621.exe
O4 - HKLM\..\RunServices: [System Service] real.exe
O4 - HKLM\..\RunServices: [AdobeReader] msni.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Ocx Service] winocx.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\RunServices: [Windows Ocx Service] winocx.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.c ... hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BB94FA1-F80F-412A-A7B9-B8EBA9C37E3D}: NameServer = 217.145.4.33 217.145.4.34
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BB94FA1-F80F-412A-A7B9-B8EBA9C37E3D}: NameServer = 217.145.4.33 217.145.4.34
O17 - HKLM\System\CS2\Services\Tcpip\..\{0BB94FA1-F80F-412A-A7B9-B8EBA9C37E3D}: NameServer = 217.145.4.33 217.145.4.34
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

;)
ommi
Regular Member
 
Posts: 36
Joined: November 23rd, 2005, 9:25 am

Post by ommi » November 25th, 2005, 9:27 am

Symantec scan result (all Greek to me :lol: )

More about your Hacker Exposure Check results

The Hacker Exposure Check tests whether ports commonly used by Internet applications are open, closed, or stealth
Understanding your results: An open port responds to port probes and acknowledges the port's availability. Open ports are dangerous because they're an easy and attractive means of entry for hackers.

A closed port is visible but not open to attack. Although this is a safe state, a hacker can use closed ports to detect the existence of your computer and potentially target it for attack.

A stealth port is safest of all. Stealth means your computer doesn't respond to port probes and you are virtually invisible to hackers scanning the Internet for potential targets. Although this is a very safe result, a stealth port may cause performance problems for some Internet applications.


Your Results:
Port Description Status

ICMP Ping Ping. Ping is a network troubleshooting utility. It asks your computer to acknowledge its existence. If your computer responds positively to a ping, hackers are more likely to target your computer.


21 FTP (File Transfer Protocol). FTP is used to transfer files between your computer and other computers. Port 21 should be open only if you're running an FTP server.


22 SSH. TCP connections to this port might indicate a search for SSH, which has a few exploitable features. SSH is a secure replacement for Telnet. The most common uses of SSH are to securely login and copy files from a server.


23 Telnet. Telnet can be used to log into your computer from a terminal anywhere in the world. This port should be open only if you're running a Telnet server.


25 SMTP (Simple Mail Transfer Protocol). A protocol for host-to-host mail transport. This port should be open only if you're running a mail server.


79 Finger. Finger is an Internet utility that allows someone to obtain information about you, including your full name, logon status, and other profile information.


80 HTTP (Hypertext Transfer Protocol). HTTP is used to transfer Web pages over the Internet. Port 80 should be open only if you're running a Web server.


110 POP3 (Post Office Protocol). Internet mail servers and mail filter applications use this port. This port should be open only if you're running a mail server.


113 Ident / Authentication. This service is required by some mail, news, or relay chat servers to allow access. A stealth result on this port could cause performance problems.


119 NNTP (Network News Transfer Protocol). A service used by News servers to distribute Usenet articles to newsreader applications and between other servers.


135 Location service (loc-srv). This port is used to direct RPC (Remote Procedure Calls) services to the appropriate dynamically mapped ports. Hackers can use this to determine which port is used by several Windows services. This port should not be visible from the Internet.


139 NetBIOS. NetBIOS is used for Windows File & Print sharing. If port 139 is open, your computer is open to sharing files over the Internet. Other components of NetBIOS can expose your computer name, workgroup, user name, and other information. To learn more about preventing connections to your NetBIOS ports, see: NetBIOS Information and Configuration Instructions


143 IMAP (Internet Message Access Protocol). IMAP is a sophisticated protocol for electronic mail delivery. This port should be open only if you're running an IMAP server.


443 HTTP over TLS/SSL. A protocol for providing secure HTTP communication. It should be open only if you're running a Web server.


445 Windows NT / 2000 SMB. A standard used to exchange Server Message Blocks, and can be exploited in multiple ways, including gaining your passwords.


1080 SOCKS. This protocol allows computers access to the Internet through a firewall. It is used when one IP address is shared among several computers. Generally this protocol only allows access out to the Internet. However, it is frequently configured incorrectly to allow hackers to pass traffic inwards through the firewall.


1723 PPTP (Point-to-Point Tunneling Protocol). This service is used for virtual private networking connections.


5000 UPnP (Universal Plug and Play). This service is used to communicate with any UPnP devices attached to your network.


5631 pcAnywhere. This port is used by Symantec pcAnywhere when in host mode.





ommi
Regular Member
 
Posts: 36
Joined: November 23rd, 2005, 9:25 am

Post by VopThis » November 25th, 2005, 10:32 am

The Hacker Exposure Check tests whether ports commonly used by Internet applications are open, closed, or stealth

Any port numbers found to be needlessly showing as open or closed can draw the attention of hackers or exploitation attempts on your PC.

Please complete the previously requested procedures found below:

There are no obvious or clearly definitive Google references for the following file(s) unless you know specifically what they are:

Accordingly, recommend that you paste the complete file PATH or locate (Start>Search) and submit, as needed, the following FILES to http://virusscan.jotti.org/ for possible viruses/Trojans detection analysis and immediate feedback:

HIDDEN FILES: To make sure you can see any and all hidden files, please follow the directions here

mdl.exe
C:\mplayer.exe
real.exe (all instances)

Let us know what the results/details were for the file(s) in question.

You have several likely and apparent malware items currently listed in your HJT log, including one still for 'Spyware Cleaner':

Locate and submit the following files to JOTTI, as well:
winocx.exe
C:\621.exe

Once you provide any malware details, we will be able to provide comprehensive fix instructions as needed.
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada
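The triage the helper is doing on the O4 lines above (a value with no directory at all, a file dropped in the root of C:\, a label that borrows a Windows or Adobe name for an unrelated file, the same value repeated under Run and RunServices) can be written down as a small scoring script. This is an added example of mine, not a MalwareRemoval.com or HijackThis tool; the heuristics, the bait-word list and the score threshold are my own assumptions, and the sample lines are copied from the 25/11/2005 log in this thread.

```python
import os
import re
from collections import defaultdict

# One HijackThis 1.99 O4 line, e.g.  O4 - HKLM\..\Run: [Windows Ocx Service] winocx.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<label>[^\]]*)\] (?P<cmd>.*)$"
)

# Launchers whose real payload is their first non-switch argument (assumption).
LAUNCHERS = {"regsvr32", "rundll32"}

# Words a malware author borrows so the label looks like an OS or vendor component (assumption).
LABEL_BAIT = ("windows", "microsoft", "system", "service", "adobe", "secure")

# Constructed sample: O4 lines copied from the 25/11/2005 log posted in this thread.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [Windows Ocx Service] winocx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft sdDDE Control] mdl.exe
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [WinSecure] C:\621.exe
O4 - HKLM\..\Run: [System Service] real.exe
O4 - HKLM\..\Run: [AdobeReader] msni.exe
O4 - HKLM\..\RunServices: [Windows Ocx Service] winocx.exe
O4 - HKLM\..\RunServices: [Microsoft sdDDE Control] mdl.exe
O4 - HKLM\..\RunServices: [WinSecure] C:\621.exe
O4 - HKLM\..\RunServices: [System Service] real.exe
O4 - HKLM\..\RunServices: [AdobeReader] msni.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Ocx Service] winocx.exe
"""


def parse_o4(line):
    """Return {hive, key, label, cmd} for an O4 line, or None for anything else."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def target_of(cmd):
    """Program file a Run value points at, with quotes and arguments stripped.
    For regsvr32/rundll32 the payload is the first argument that is not a switch."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        prog = cmd[1:end] if end > 0 else cmd[1:]
        rest = cmd[end + 1:] if end > 0 else ""
    else:
        prog, _, rest = cmd.partition(" ")
    if os.path.splitext(basename(prog))[0].lower() in LAUNCHERS:
        args = [a for a in rest.split() if not a.startswith("/")]
        if args:
            return args[0].strip('"')
    return prog


def assess(entries):
    """Score every autostart target; one point per independent red flag."""
    keys_seen = defaultdict(set)
    report = {}
    for e in entries:
        tgt = target_of(e["cmd"])
        name = basename(tgt).lower()
        keys_seen[name].add((e["hive"], e["key"]))
        rec = report.setdefault(name, {"score": 0, "reasons": set(), "keys": []})
        rec["keys"].append(f"{e['hive']}\\..\\{e['key']}")
        if "\\" not in tgt:
            # No directory: Windows resolves it via the search path, so the file
            # can sit anywhere and the log does not tell you where.
            rec["reasons"].add("bare filename with no directory")
        elif re.fullmatch(r"[A-Za-z]:\\[^\\]+", tgt):
            rec["reasons"].add("executable dropped in the root of a drive")
        label = e["label"].lower()
        stem = os.path.splitext(name)[0]
        if any(w in label for w in LABEL_BAIT) and stem not in label.replace(" ", ""):
            rec["reasons"].add("label borrows an OS/vendor name unrelated to the file")
    for name, rec in report.items():
        if len(keys_seen[name]) > 1:
            # RunServices is a Windows 9x/ME key that XP never reads; a value
            # planted in Run and RunServices alike is installer shotgun behaviour.
            rec["reasons"].add("same value repeated under several Run keys")
        rec["reasons"] = sorted(rec["reasons"])
        rec["score"] = len(rec["reasons"])
    return report


def suspicious(log_text, min_score=2):
    """Targets scoring at least min_score, highest score first, then by name."""
    entries = [e for e in (parse_o4(l) for l in log_text.splitlines()) if e]
    hits = [(n, r) for n, r in assess(entries).items() if r["score"] >= min_score]
    hits.sort(key=lambda nr: (-nr[1]["score"], nr[0]))
    return [n for n, _ in hits]


if __name__ == "__main__":
    entries = [e for e in (parse_o4(l) for l in SAMPLE_O4.splitlines()) if e]
    for name in suspicious(SAMPLE_O4):
        rec = assess(entries)[name]
        print(f"{name}: score {rec['score']} ({'; '.join(rec['reasons'])}) in {', '.join(rec['keys'])}")
```

On the sample the five names the helper asked to have checked (winocx.exe, mdl.exe, 621.exe, real.exe, msni.exe) come out on top, while regsvr32 /s mqrt.dll scores one point only and stays below the threshold.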

Post by ommi » November 27th, 2005, 9:34 am

OK here we go:
I made sure (as per instructions) that ALL hidden files and extensions are shown and the result was: (If I remember correctly I removed real.exe)

mdl.exe could not be found.
real.exe could not be found

mplayer.exe C:\Prog files\Windows Media Player
wmplayer.exe-18DDEF9C.pf C:\Windows\Prefetch
wmplayer.exe C:\Windows\system 32\dllcache
ommi
Regular Member
 
Posts: 36
Joined: November 23rd, 2005, 9:25 am

Post by ommi » November 27th, 2005, 10:25 am

As regards the other files here are:

winocx.exe cannot be found

621.exe C:\ (that's all) and
621.exe-363F69E1.pf C:\Windows\Prefetch

Now that you mention it, when Windows is started a box comes up saying that an error has occurred in 621.exe and it has to close down. This happens every time W is started.
ommi
Regular Member
 
Posts: 36
Joined: November 23rd, 2005, 9:25 am

Post by VopThis » November 27th, 2005, 12:11 pm

Read over the following directions. Ask if anything appears unclear to you.


Download Clean.bat to your desktop: for later use to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat



We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.

SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

O4 - HKLM\..\Run: [WINDOWS OCX SERVICE] winocx.exe
O4 - HKLM\..\Run: [MICROSOFT SDDDE CONTROL] mdl.exe
O4 - HKLM\..\Run: [WINSECURE] C:\621.exe
O4 - HKLM\..\Run: [SYSTEM SERVICE] real.exe
O4 - HKLM\..\RunServices: [WINDOWS OCX SERVICE] winocx.exe
O4 - HKLM\..\RunServices: [MICROSOFT SDDDE CONTROL] mdl.exe
O4 - HKLM\..\RunServices: [WINSECURE] C:\621.exe
O4 - HKLM\..\RunServices: [SYSTEM SERVICE] real.exe
O4 - HKCU\..\Run: [WINDOWS OCX SERVICE] winocx.exe
O4 - HKCU\..\Run: [SPYWARE CLEANER] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\RunServices: [WINDOWS OCX SERVICE] winocx.exe


Make sure that all browser windows and internet links are closed, even this one!
CLICK 'FIX CHECKED' with HijackThis.



HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).



Delete TEMPORARY FILES: Now, hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):

Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
  • Temporary Internet Files
  • Downloaded Program Files
  • Recycle Bin
  • Temporary Files
Click OK or Enter

For additional, more thorough cleaning and for multi-profile user configurations:
(*) Run Clean.bat to clean up your TEMPorary files.

***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.




Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):


DELETE FILES:
C:\621.exe



DELETE APPLICATION FOLDERS
  1. Go to Add/Remove Programs
    In Control Panel>Add/Remove Programs look for any related entries for unwanted items listed below (or anything else you need to investigate or did not put in there).

  2. UNINSTALLER Alternate SEARCH: Otherwise, it is advisable to locate and try right-clicking on any of the given SEARCH FOLDER items below and further search (tick include subdirectories) for the following exact text:

    UN*.EXE, *UN*.EXE

    This may reveal an uninstaller with label terms such as '...uninstall...EXE', ‘unins000’, or 'unwise.EXE'. Double-click that EXE, if one is found. Thereafter, check to ensure that the folder is completely gone. Otherwise, consider deleting the folder in question.


-----> C:\Program Files\Spyware Cleaner




POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada
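An added triage helper, not from this thread or from HijackThis itself, that applies the pattern behind the fix list above: each O4 autostart line is parsed and flagged when the executable it launches is a bare filename with no directory (winocx.exe, mdl.exe, real.exe) or sits at the root of a drive (C:\621.exe). The sample lines are copied from the logs posted in this thread; the function names are my own.

```python
import re

# Constructed sample: O4 autostart lines copied from the HijackThis logs posted
# in this thread (the fix list above plus two lines from the later log).
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [WINDOWS OCX SERVICE] winocx.exe
O4 - HKLM\..\Run: [WINSECURE] C:\621.exe
O4 - HKLM\..\RunServices: [SYSTEM SERVICE] real.exe
O4 - HKCU\..\Run: [SPYWARE CLEANER] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AdobeReader] msni.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse_o4(line):
    """Split one O4 line into hive, key, display name and the executable it launches."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    # Quoted command line: the target runs up to the closing quote;
    # otherwise the first whitespace-delimited token is the target.
    target = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(None, 1)[0]
    return {"hive": m.group("hive"), "key": m.group("key"),
            "name": m.group("name"), "target": target}

def suspicious_reasons(entry):
    """Path heuristics that match the entries marked for removal in this thread."""
    reasons = []
    target = entry["target"]
    if "\\" not in target:
        # Bare filename: Windows resolves it through the search path at logon,
        # so the real file may sit in System32, the user profile or anywhere on PATH.
        reasons.append("no path, bare filename")
    elif re.fullmatch(r"[A-Za-z]:\\[^\\]+", target):
        # Installers put binaries under Program Files or Windows, not directly at C:\.
        reasons.append("executable at drive root")
    return reasons

def triage(log_text):
    """Return (name, target, reasons) for every O4 entry that trips a heuristic."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry and (reasons := suspicious_reasons(entry)):
            hits.append((entry["name"], entry["target"], reasons))
    return hits

if __name__ == "__main__":
    for name, target, reasons in triage(SAMPLE_O4_LINES):
        print(f"[{name}] {target}: {', '.join(reasons)}")
```

Note that the rogue "Spyware Cleaner" entry has a normal-looking Program Files path and is not flagged; path heuristics narrow the list, but the product itself still has to be recognised, as VopThis did.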

Unread postby ommi » November 28th, 2005, 8:58 am

Thanks a million Vop This. You've sent in quite a mouthful he he! But I'll oblige and do as you told me. Hope I succeed. Wish me luck!! :?
ommi
Regular Member
 
Posts: 36
Joined: November 23rd, 2005, 9:25 am

Unread postby ommi » November 29th, 2005, 8:43 am

Mission completed (I think!!). Here are the results:
Logfile of HijackThis v1.99.1
Scan saved at 13:18:57, on 29/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
D:\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [AdobeReader] msni.exe
O4 - HKLM\..\RunServices: [AdobeReader] msni.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.c ... hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0BB94FA1-F80F-412A-A7B9-B8EBA9C37E3D}: NameServer = 217.145.4.33 217.145.4.34
O17 - HKLM\System\CS1\Services\Tcpip\..\{0BB94FA1-F80F-412A-A7B9-B8EBA9C37E3D}: NameServer = 217.145.4.33 217.145.4.34
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

Now re the UN*.exe etc the search found these which some of them at least seem to be valid. What shall I do with them??

uninstal coder.exe C:\abisoft\coder
uninst.exe C:\Prog files\ABC Chaos
unins000.exe C:\Prog files\Spybot
unlodctr.exe C:\Win\sys32
Unwise.exe C:\Prog files\AsmwSoft
Uninstall.exe C:\Prog files\ewido security
unwise.exe C:\Prog files\Jasc Software
unregaaw.exe C:\Prog files\Lavasoft\Ad-aware
unwise.exe C:\Prog files\Lavasoft\Ad-aware
unsecapp.exe C:\Win\sys32\wbem
unpack200.exe C:\Prog files\Java\jre1.5.0_05\bin
Unpack.exe C:\Prog files\Microsoft Office\Office11\...
unpack200.exe bin
ommi
Regular Member
 
Posts: 36
Joined: November 23rd, 2005, 9:25 am

Unread postby VopThis » November 29th, 2005, 5:59 pm

Now that you are reasonably clean, you need to address the fact that 'critical security updates' for XP are not evident on your PC. XP and Internet Explorer need to be updated to SP1 at least (can leave SP2 till later if you want):

http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us
http://www.microsoft.com/windows/ie/default.asp




Now re the UN*.exe etc the search found these which some of them at least seem to be valid. What shall I do with them??

Yes many of them are CLEARLY or LIKELY valid.
unins000.exe C:\Prog files\Spybot
Uninstall.exe C:\Prog files\ewido security
unregaaw.exe C:\Prog files\Lavasoft\Ad-aware
unwise.exe C:\Prog files\Lavasoft\Ad-aware
unpack200.exe C:\Prog files\Java\jre1.5.0_05\bin
Unpack.exe C:\Prog files\Microsoft Office\Office11\...

unlodctr.exe C:\Win\sys32
--> check this link and JOTTI below --> http://www.processlist.com/info/unlodctr.html

Submit any possible suspect file to JOTTI for evaluation:
http://virusscan.jotti.org/

unsecapp.exe C:\Win\sys32\wbem
--> http://www.processlibrary.com/directory/files/unsecapp/


You want to focus your investigation on those that you did not knowingly download or are unsure as to their purpose/validity. Which do you recognize as legitimate or necessary and which do you not?

uninstal coder.exe C:\abisoft\coder
uninst.exe C:\Prog files\ABC Chaos
Unwise.exe C:\Prog files\AsmwSoft
unwise.exe C:\Prog files\Jasc Software
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

Unread postby ommi » November 30th, 2005, 10:13 am

Thanks a lot for your valuable help. On my own I wouldn't have ever got up to here!

Now re the uninstall group I removed the first two and left the last two viz.
asmw, which is the internet eraser (cookies, temp files, etc. Is there a better freeware one, if poss!!)

unwise Jasc software which is a photo manipulation prog.

RE the windows updates I will install them as soon as possible (both of them)

Re the JOTTI link how do I post a file cos I tried a lot and never succeeded.

As a point of information: This Paintshop Pro (Jasc prog) runs extremely well if the PC is free of every hitch. But as soon as a virus or whatever crops in it freezes. Has this got anything to do with the present situation? Usually I run AVAST twice or thrice until it finds something, it is removed and then it runs perfectly. In fact it froze again while doing some work before I received this last post.
ommi
Regular Member
 
Posts: 36
Joined: November 23rd, 2005, 9:25 am