Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

I can't open programs due to virus attack!!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

I can't open programs due to virus attack!!

Unread postby Tommie » January 2nd, 2006, 11:58 am

Logfile of HijackThis v1.99.1
Scan saved at 11:55:48 PM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\system32\sndvol32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chan Liwei\Desktop\Programs For Virus\hijackthis_sfx\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: PC-cillin 2002.lnk = ?
O4 - Global Startup: Volume Control.lnk = C:\WINDOWS\system32\sndvol32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2210670561
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7350786827
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashcasino.ladbrokes.com/insta ... lashAX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe


can someone pls help me?I tried all ways already.I can't even use Trend Micro or open Ewido Suite because of the virus attack!!Thank You.
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am
Advertisement
Register to Remove

Unread postby VopThis » January 2nd, 2006, 3:01 pm

The following HJT line item indicates the presence of rootkit infection RootKit/KllExp.A:

O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll



Let us analyse the nature of what may be present on your PC:

(BETA Rootkit Elimination Technology):
Note: The F-Secure BlackLight Beta only works on 32-bit Windows 2000, Windows XP and Windows 2003 Server. The current F-Secure BlackLight beta does not work on Windows NT, 95, 98, ME, or 64-bit Windows.



Please print out these instructions as you should have all open windows and programs closed when running the scan.

Step 1.
==========

- Please download F-Secure's trial Blacklight from here
- Print out the help page for guidance. It will be found here
- Click the "I Accept" button at the license agreement
- Click the "Download" button to start the download
- Save it to your Desktop

Step 2.
==========

- Double-click the blbeta.exe file on your Desktop and select ‘Run’.
- Select the "I Accept the agreement" at the license agreement, then click "Next"
- Make sure "Scan through Windows Explorer (Recommended)" is selected\checked (if asked)
- Make sure all open programs and windows are closed (including this IE window) before clicking the "Scan" button
- Click "Scan


- When the animated graphics, in the bottom right-hand corner disappears, click "Close" – VERY IMPORTANT: Do not proceed beyond this point on the initial first assessment – this is BETA software – need to proceed carefully


- A text log file will appear on your Desktop when the scan is complete. It will start with fsbl-xxxxxx.txt (i.e.: fsbl-20051017165931.log)
- Paste the contents of that log back here.
User avatar
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

Can't.

Unread postby Tommie » January 3rd, 2006, 8:19 am

What happen is when I click RUN..nothing happened..That's why there are some installation files i can't run like Ewido. What should I do next? Thanks.
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Unread postby VopThis » January 3rd, 2006, 8:42 am

What non-AV scans have you been able to run? Have you even been able to run SpyBot or Ad-Aware?




Lets try some initial cleaning:

Download Clean.bat to your desktop: for later use to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat



We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.

SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll

Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.



HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).



Delete TEMPORARY FILES: Now, hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):

Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
  • Temporary Internet Files
  • Downloaded Program Files
  • Recycle Bin
  • Temporary Files

Click OK or Enter

For additional, more thorough cleaning and for multi-profile user configurations:
(*) Run Clean.bat to clean up your TEMPorary files.

***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.




Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):


DELETE FILES:
c:\secure32.html
C:\WINDOWS\SYSTEM32\avpe32.dll



POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.


Retry running Blacklight.


Otherwise, and/or in addition:

Please download this file:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to its own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete click on File, Save, and save the log file. Copy and paste the log file here.
User avatar
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

Unread postby Tommie » January 3rd, 2006, 11:40 am

HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40 1/3/2006 10:49 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Chan Liwei\Local Settings\Temp\~DF78C8.tmp 1/3/2006 10:54 PM 32.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 1/3/2006 10:51 PM 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\system32\avpe32.dll 1/2/2006 1:48 PM 39.08 KB Hidden from Windows API.
C:\WINDOWS\system32\avpe64.sys 1/2/2006 1:48 PM 21.30 KB Hidden from Windows API.
C:\WINDOWS\system32\klgcptini.dat 1/2/2006 1:48 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\qz.dll 1/2/2006 1:48 PM 39.08 KB Hidden from Windows API.
C:\WINDOWS\system32\qz.sys 1/2/2006 1:48 PM 21.30 KB Hidden from Windows API.
C:\WINDOWS\system32\stt82.ini 1/3/2006 10:47 PM 320 bytes Hidden from Windows API.
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Unread postby Tommie » January 3rd, 2006, 11:40 am

Logfile of HijackThis v1.99.1
Scan saved at 10:52:14 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\sndvol32.exe
C:\Documents and Settings\Chan Liwei\Desktop\Programs For Virus\hijackthis_sfx\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: PC-cillin 2002.lnk = ?
O4 - Global Startup: Volume Control.lnk = C:\WINDOWS\system32\sndvol32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2210670561
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7350786827
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://flashcasino.ladbrokes.com/insta ... lashAX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Unread postby Tommie » January 3rd, 2006, 11:41 am

I still can't. The 2 virus that u ask me to clean using hijackthis will alawys be there. So what should I do? Shall I restart the whole procedure again? It's so frustrating.Can you help me again? Thanks.
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Unread postby VopThis » January 3rd, 2006, 1:22 pm

Please clean out your Temporary files.

C:\Documents and Settings\Chan Liwei\Local Settings\Temp\~DF78C8.tmp 1/3/2006 10:54 PM 32.00 KB Visible in Windows API, but not in MFT or directory index.


Analysis of hidden files:

C:\WINDOWS\system32\avpe32.dll 1/2/2006 1:48 PM 39.08 KB Hidden from Windows API.

http://www.sophos.com/virusinfo/analyse ... oorap.html
When Troj/Haxdoor-AP is installed the following files are created:
<System>\avpe32.dll
<System>\avpe64.sys
<System>\klgcptini.dat
<System>\qz.dll
<System>\qz.sys
<System>\stt82.ini


C:\WINDOWS\system32\avpe64.sys 1/2/2006 1:48 PM 21.30 KB Hidden from Windows API.
C:\WINDOWS\system32\klgcptini.dat 1/2/2006 1:48 PM 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\qz.dll 1/2/2006 1:48 PM 39.08 KB Hidden from Windows API.
C:\WINDOWS\system32\qz.sys 1/2/2006 1:48 PM 21.30 KB Hidden from Windows API.
C:\WINDOWS\system32\stt82.ini 1/3/2006 10:47 PM 320 bytes Hidden from Windows API.



Options (review all available options first before proceeding):
  • In SAFE MODE, you could try to unhide all the above hidden files and delete them.

    HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

    Right click on each found file – click on properties and select delete and/or unselect ‘hidden’, if necessary.

  • http://www.scienceforums.net/forums/sho ... 116&page=2
    Review the process conducted to date in this work-in-progress fix and as yet incomplete thread. There may be some fine tuning tips to be determined here.

  • SpySweeper http://www.webroot.com/consumer/products/ appears to be able to deal with this one. However, their ‘free trial’ link (normally 30 days) appears to be constantly on the move seemingly in the hopes that frustrated users will forego the trial and just buy the tool. If you do find a link it will likely be the ‘scan only’ version. Weird business practices, although I do swear by this tool’s effectiveness for my own personal use:

    http://forums.spywareinfo.com/lofiversi ... 61699.html
    19:16: | Start of Session, 22 November 2005 |

    19:26: Found System Monitor: potentially rootkit-masked files
    19:26: qz.dll (ID = 0)
    19:26: qz.sys (ID = 0)
    19:26: avpe64.sys (ID = 0)
    19:26: avpe32.dll (ID = 0)
    19:26: stt82.ini (ID = 0)
    19:26: klgcptini.dat (ID = 0)
    19:26: File Sweep Complete, Elapsed Time: 00:06:39
    19:26: Full Sweep has completed. Elapsed time 00:10:41
    19:26: Traces Found: 27
    19:38: Removal process initiated
    19:38: Quarantining All Traces: potentially rootkit-masked files
    19:38: potentially rootkit-masked files is in use. It will be removed on reboot.
    19:38: avpe32.dll is in use. It will be removed on reboot.



Re-fix the two (2) returning HJT fix lines that still remain:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll



Tell us what you did choose to do and post a revised HJT log.
User avatar
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

BackLight Beta Scan Results

Unread postby Tommie » January 4th, 2006, 11:48 am

01/04/06 23:46:15 [Info]: BlackLight Engine 1.0.30 initialized
01/04/06 23:46:15 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/04/06 23:46:15 [Note]: 7019 4
01/04/06 23:46:15 [Note]: 7005 0
01/04/06 23:46:35 [Note]: 7006 0
01/04/06 23:46:35 [Note]: 7011 176
01/04/06 23:46:35 [Note]: FSRAW library version 1.7.1014
01/04/06 23:47:35 [Note]: 7007 0
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Unread postby VopThis » January 4th, 2006, 12:21 pm

Sounds like you may be a lot cleaner by virtue of even being able to run Blacklight (showing a favorable clean scan as well). Does 'rootkitrevealer' also scan clean, as well?


Please post a revised HJT log.



Please summarize what you did for the benefit of others - did you just delete the bad files? Do you have any remaining issues?
User avatar
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

Unread postby Tommie » January 4th, 2006, 1:09 pm

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 1/5/2006 12:27 AM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory 1/5/2006 12:21 AM 186 bytes Windows API length not consistent with raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath 1/5/2006 12:21 AM 200 bytes Windows API length not consistent with raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath 1/5/2006 12:21 AM 200 bytes Windows API length not consistent with raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath 1/5/2006 12:21 AM 200 bytes Windows API length not consistent with raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath 1/5/2006 12:21 AM 200 bytes Windows API length not consistent with raw hive data.
HKLM\SYSTEM\ControlSet001\Services\d347prt\Cfg\0Jf40 1/5/2006 12:19 AM 0 bytes Hidden from Windows API.


I rename the file using Microsoft Word and I delete it contents then I save it under the same file name. Then Reboot it. After that, go back to the location and u can delete it already. That's my method.

After scanning using RootkitRevealer, there is still problems. What should I do next?
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

New HJT log

Unread postby Tommie » January 4th, 2006, 1:10 pm

Logfile of HijackThis v1.99.1
Scan saved at 12:25:33 AM, on 1/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\WINDOWS\system32\sndvol32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Chan Liwei\Desktop\hijackthis_sfx\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: PC-cillin 2002.lnk = ?
O4 - Global Startup: Volume Control.lnk = C:\WINDOWS\system32\sndvol32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2210670561
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7350786827
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} - https://flashcasino.ladbrokes.com/insta ... lashAX.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Unread postby VopThis » January 4th, 2006, 1:41 pm

After scanning using RootkitRevealer, there is still problems. What should I do next?

Inconsistency (Directory Path - Internet CACHE) - I am not sure that you have an operational problem there - lets keep it mind, though. They are perhaps orphaned registry entries or a 'false positive' observation.

Additionally, I would not suggest running two (2) real-time malware scanners at the same time (MS Antispyware and SpySweeper) and running neither while trying to do any fixes.


Fix the following HJT item and delete the file again:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html



Let us know if you experience any continuing operational issues or cannot remove the above remaining item.
Last edited by VopThis on January 4th, 2006, 1:57 pm, edited 1 time in total.
User avatar
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

Unread postby Tommie » January 4th, 2006, 1:51 pm

So is the results from the scan still virus or an error??
I have scanned and removed the c:/secure32 thing. but after i reboot. I scan again and the thing is still there. I tried it both in safe mode and in normal mode already.
Tommie
Regular Member
 
Posts: 116
Joined: September 22nd, 2005, 6:37 am

Unread postby VopThis » January 4th, 2006, 2:22 pm

PLEASE NOTE:I would not suggest running two (2) real-time malware scanners at the same time (MS Antispyware and SpySweeper) and running neither while trying to do any fixes.


Try doing as was done here:
http://www.delphifaq.com/faq/windows_user/f850.shtml
I had the paytime.exe file in my windows system32 directory. Everytime i deleted the c:\secure32.html in my reg and immeditaly did another search it was back again. After shutting down the paytime file in my task manager, I was able to remove it from my reg [or HJT line item]and then delete the file. seems to have cleaned it up. One thing to think about is that after you get a virus, doing a search by date on the system32 directory allows you to see file dates that were modified on the date of infection. It can help you find newly added files, which very well may be the virus files. It's how I found the Paytime file.


HIDDEN FILES: To make sure you can see any and all hidden files, please follow the directions here

Scan unknown files for viruses/malware
Please go to this website and submit any suspect files (copy and paste each full file PATH) for possible Viruses/Trojans detection analysis and immediate feedback:
http://virusscan.jotti.org/
User avatar
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 69 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware