Can anyone help??

Unread postby goldfish » February 24th, 2006, 8:46 pm

Logfile of HijackThis v1.99.1
Scan saved at 01:32:00, on 25.02.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Programfiler\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programfiler\Java\j2re1.4.2_10\bin\jusched.exe
C:\WINDOWS\System32\spoolsvv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\WINDOWS\System32\shell386.exe
C:\Documents and Settings\Administrator\Lokale innstillinger\Temp\Midlertidig mappe 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=382
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=382
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: (no name) - {1e1b2879-88ff-11d3-8d96-d7acac95951a} - (no file)
O2 - BHO: (no name) - {2bc43670-c0bd-4794-bb11-f60f3e001dc5} - (no file)
O2 - BHO: winapi32.MyBHO - {86A0607D-6126-45AE-8A29-46C181AFF4D6} - C:\WINDOWS\System32\winapi32.dll
O2 - BHO: (no name) - {8702d9e1-890b-4bf2-a233-fa44e582b2de} - (no file)
O2 - BHO: (no name) - {9819c369-5f62-4d37-9a42-44043a742c1e} - (no file)
O2 - BHO: (no name) - {9EAC0102-5E61-2312-BC2D-000000000000} - (no file)
O2 - BHO: (no name) - {9EAC0102-5E61-2312-BC2D-4D54434D5443} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-716d74632608} - (no file)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D8274} - C:\WINDOWS\System32\spm8274.dll (file missing)
O2 - BHO: (no name) - {d53b810f-6219-11d4-95b6-0040950375e7} - (no file)
O2 - BHO: (no name) - {dd6f50c0-9f8f-a41c-291e-7b3fb818ef18} - (no file)
O2 - BHO: (no name) - {f21bd77e-0cce-c6cd-4f85-aa3b7895988e} - (no file)
O2 - BHO: (no name) - {ff731508-cd28-e0b0-3e85-0cf55fde9fba} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Programfiler\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKLM\..\Run: [SHDOC] C:\WINDOWS\system32\shdocapi.exe home
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [cme] #WINSYS#\cme.exe
O4 - HKLM\..\Run: [cmesys] #WINSYS#\cmesys.exe
O4 - HKLM\..\Run: [cmeupd] #WINSYS#\cmeupd.exe
O4 - HKLM\..\Run: [gator] #WINSYS#\gator.exe
O4 - HKLM\..\Run: [gmt] #WINSYS#\gmt.exe
O4 - HKLM\..\Run: [Cydoor] #WINSYS#\cd_load.exe
O4 - HKLM\..\Run: [Dynamic Desktop Media] #WINSYS#\sysu.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: wupdmgr.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/au ... s-i586.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
goldfish
Active Member
 
Posts: 5
Joined: February 24th, 2006, 8:44 pm

Unread postby Susan528 » February 25th, 2006, 10:32 pm

Hello and Welcome to Malware Removal,

You have many malware items. I would like to warn you about this item:
C:\WINDOWS\wupdmgr.exe

Your computer is unsafe to contain any confidential data.
  • Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

and whatever else seems appropriate.
http://www.trendmicro.com/vinfo/virusen ... .B&VSect=T
Backdoor Capability
Once active, this malware attempts to connect to an Internet Relay Chat (IRC) server where it joins a channel. Via IRC, it is able to receive commands from remote users, who in turn may perform any of the following:
• Steal Windows cached passwords
• Activate a keylogger remotely
• Act as Hyper Text Transfer Protocol (HTTP) Web page server
• Open and close CD-ROM tray
• Scan ports
• Download file(s)
• Perform Denial of Service (DoS) attack against other systems
• List and terminate running processes
• List system information
• Browse files on the compromised system
• Execute a file remotely
It may also allow remote users to issue a command that installs a copy of this malware on another host.

================================

You are running HijackThis from its zipped archive; please create a new folder for it and unzip the program into it. It is very important you do this since HijackThis in the zipped folder will not make back-ups.

STEP 1.
======
Ewido Trojan Scanner
Please download, install, and update the NEW free version of Ewido trojan scanner:
  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  3. From the main ewido screen, click on update in the left menu, then click the Start update button.
  4. After the update finishes (the status bar at the bottom will display "Update successful")
  5. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  6. If ewido finds anything, it will pop up a notification. Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  7. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.


STEP 2.
======
A2 Free

You will have to register name and email address but this is free too.
Download A2
and run. Post the results please.

Please post results from ewido and A2.
Post back a fresh HijackThis log and we will take another look.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby goldfish » February 26th, 2006, 12:39 pm

Thanks a lot for your reply. This computer belongs to a friend of mine, and as you can see he has not had any antivirus program installed. SP2 is not installed either.

After the last HijackThis log I posted, I have installed Norton Antivirus 2006, run Spybot and Ad-Aware in addition to Ewido and a2 as you told me to do.
The logs of Ewido, a2 and HijackThis are posted below. Is it safe to install SP2 and other Windows updates now?

Again, thank you for helping me out on this case.


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 13:36:02, 26.02.2006
+ Report-Checksum: 3C87450C

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{dd6f50c0-9f8f-a41c-291e-7b3fb818ef18} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f21bd77e-0cce-c6cd-4f85-aa3b7895988e} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ff731508-cd28-e0b0-3e85-0cf55fde9fba} -> Adware.CoolWebSearch : Cleaned with backup
[1692] C:\WINDOWS\wupdmgr.exe -> Downloader.Small.ckc : Cleaned with backup
[1700] C:\WINDOWS\osaupd.exe -> Downloader.Small.ckc : Cleaned with backup
C:\WINDOWS\osaupd.exe -> Downloader.Small.ckc : Cleaned with backup
C:\WINDOWS\system32\birdasfihuy32.dll -> Proxy.Small.ct : Cleaned with backup
C:\WINDOWS\wupdmgr.exe -> Downloader.Small.ckc : Cleaned with backup


::Report End


a-squared Report
Scan started: 26.02.2006 17:17:12
Scan finished: 26.02.2006 17:30:34
Scan duration: 0h 13min 21sec
Scanned files: 87630
Infected files: 24

Object Diagnosis
C:\WINDOWS\system32\wstart.dll Trace.File.Agent
C:\WINDOWS\system32\cd_load.exe Trace.File.Cydoor
C:\WINDOWS\system32\ddmp.dll Trace.File.DynamicDesktopMedia
C:\WINDOWS\system32\redirect.dll Trace.File.DynamicDesktopMedia
C:\WINDOWS\system32\cd_clint.dll Trace.File.KaZaA
C:\WINDOWS\system32\bpkwb.dll Trace.File.PersonalAntispy
C:\WINDOWS\system32\systemwb.dll Trace.File.PersonalAntispy
C:\WINDOWS\system32\wstart.dll Trace.File.Agent
C:\WINDOWS\system32\cd_load.exe Trace.File.Cydoor
C:\WINDOWS\system32\ddmp.dll Trace.File.DynamicDesktopMedia
C:\WINDOWS\system32\redirect.dll Trace.File.DynamicDesktopMedia
C:\WINDOWS\system32\cd_clint.dll Trace.File.KaZaA
C:\WINDOWS\system32\bpkwb.dll Trace.File.PersonalAntispy
C:\WINDOWS\system32\systemwb.dll Trace.File.PersonalAntispy
C:\WINDOWS\system32\wstart.dll Trace.File.Agent
C:\WINDOWS\system32\cd_load.exe Trace.File.Cydoor
C:\WINDOWS\system32\ddmp.dll Trace.File.DynamicDesktopMedia
C:\WINDOWS\system32\redirect.dll Trace.File.DynamicDesktopMedia
C:\WINDOWS\system32\cd_clint.dll Trace.File.KaZaA
C:\WINDOWS\system32\bpkwb.dll Trace.File.PersonalAntispy
C:\WINDOWS\system32\systemwb.dll Trace.File.PersonalAntispy
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[2].txt Trace.TrackingCookie
C:\Documents and Settings\Administrator\Cookies\administrator@tradedoubler[1].txt Trace.TrackingCookie
C:\Documents and Settings\Administrator\Skrivebord\smitRem\Process.exe Riskware.RiskTool.Win32.Processor.20


Logfile of HijackThis v1.99.1
Scan saved at 17:34:26, on 26.02.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\Programfiler\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programfiler\Java\j2re1.4.2_10\bin\jusched.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Symantec Shared\DJSNETCN.exe
C:\Programfiler\ewido anti-malware\ewidoctrl.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\Programfiler\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Programfiler\a-squared\a2start.exe
C:\Programmer\hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {8702d9e1-890b-4bf2-a233-fa44e582b2de} - (no file)
O2 - BHO: (no name) - {9EAC0102-5E61-2312-BC2D-000000000000} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-716d74632608} - (no file)
O2 - BHO: (no name) - {d53b810f-6219-11d4-95b6-0040950375e7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Programfiler\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKLM\..\Run: [SHDOC] C:\WINDOWS\system32\shdocapi.exe home
O4 - HKLM\..\Run: [cme] #WINSYS#\cme.exe
O4 - HKLM\..\Run: [cmeupd] #WINSYS#\cmeupd.exe
O4 - HKLM\..\Run: [gmt] #WINSYS#\gmt.exe
O4 - HKLM\..\Run: [Dynamic Desktop Media] #WINSYS#\sysu.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Programfiler\Fellesfiler\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/au ... s-i586.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{981C7B34-FFD9-49CD-BD5F-9B050E7B6BAC}: NameServer = 195.159.0.100 195.159.0.200
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\DJSNETCN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
goldfish
Active Member
 
Posts: 5
Joined: February 24th, 2006, 8:44 pm

Unread postby Susan528 » February 26th, 2006, 2:33 pm

Hello goldfish,

It is good that you installed an antivirus. But we need to make sure the computer is clean before installing SP2. Also, did A2 Free clean all those 24 infected files?

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
O2 - BHO: (no name) - {8702d9e1-890b-4bf2-a233-fa44e582b2de} - (no file)
O2 - BHO: (no name) - {9EAC0102-5E61-2312-BC2D-000000000000} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-716d74632608} - (no file)
O2 - BHO: (no name) - {d53b810f-6219-11d4-95b6-0040950375e7} - (no file)
O4 - HKLM\..\Run: [SHDOC] C:\WINDOWS\system32\shdocapi.exe home
O4 - HKLM\..\Run: [cme] #WINSYS#\cme.exe
O4 - HKLM\..\Run: [cmeupd] #WINSYS#\cmeupd.exe
O4 - HKLM\..\Run: [gmt] #WINSYS#\gmt.exe
O4 - HKLM\..\Run: [Dynamic Desktop Media] #WINSYS#\sysu.exe

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\WINDOWS\system32\shdocapi.exe
#WINSYS#\cme.exe
#WINSYS#\cmeupd.exe
#WINSYS#\gmt.exe
#WINSYS#\sysu.exe

Exit Explorer

Blacklight

Download Blacklight Beta from here:
http://www.f-secure.com/blacklight/try.shtml
  • Hit I accept. It will take you to download page.
  • Download blbeta.exe and save it to the Desktop.
  • Once saved... double click blbeta.exe to install the program.
  • Click accept agreement and Click scan
    This app too may fire off a warning from antivirus. Let the driver load.
    Wait for it to finish.
  • If it displays any items...don't do anything with them yet. Just hit exit (close)
  • It will drop a log on Desktop that starts with fsbl....big number

Please post contents of log.
Please post a new hijackthis log also.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA
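The entries Susan picks out of the HijackThis logs above (BHOs with "(no file)", Run keys pointing at `#WINSYS#`, a start page redirected to an affiliate URL, wupdmgr.exe running from the Windows directory, HijackThis itself running from a Temp folder, and the look-alike spoolsvv.exe next to spoolsv.exe) follow patterns a script can pre-flag for review. The Python below is an added example, not code from the forum or from HijackThis; the core-process list and trusted-folder prefixes are assumptions, and the log excerpt is constructed from the opening post.

```python
"""HijackThis v1.99 log triage heuristics (added example; lists below are assumptions)."""
import re
from typing import List, Tuple

# Core Windows XP processes whose names malware imitates (assumed list).
CORE_PROCESSES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost",
                  "spoolsv", "explorer", "ctfmon"}
# Lower-case folders legitimate autostarts usually run from (assumed; "Programfiler"
# is the Norwegian "Program Files" seen in this thread's logs).
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\programfiler", r"c:\program files")

# Excerpt constructed from the opening post's log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spoolsvv.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\osaupd.exe
C:\Documents and Settings\Administrator\Lokale innstillinger\Temp\Midlertidig mappe 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=382
O2 - BHO: (no name) - {1e1b2879-88ff-11d3-8d96-d7acac95951a} - (no file)
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D8274} - C:\WINDOWS\System32\spm8274.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gator] #WINSYS#\gator.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - Global Startup: wupdmgr.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_path(path: str) -> Tuple[str, str]:
    """Return (lower-case parent directory, lower-case file stem) of a Windows path."""
    path = path.strip().strip('"').lower()
    parent, _, name = path.rpartition("\\")
    stem = name.rsplit(".", 1)[0] if "." in name else name
    return parent, stem


def path_findings(path: str, autostart: bool = False) -> List[str]:
    """Heuristics for one executable path; autostart adds the trusted-folder check."""
    parent, stem = split_path(path)
    why = []
    if stem not in CORE_PROCESSES:
        for core in CORE_PROCESSES:
            if edit_distance(stem, core) == 1:
                why.append(f"name resembles core process {core}.exe")
        if parent == r"c:\windows":  # Explorer.EXE lives here legitimately, hence the guard above
            why.append("runs directly from the Windows directory")
    if r"\temp" in parent:
        why.append("runs from a temporary folder")
    if autostart and not parent.startswith(TRUSTED_PREFIXES):
        why.append("autostart path outside trusted folders")
    return why


def command_path(cmd: str) -> str:
    """Pull the executable path out of an autostart command (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs that deserve a helper's attention."""
    out: List[Tuple[str, str]] = []
    in_procs = False
    for line in log.splitlines():
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:  # the process list ends at the first blank line
                in_procs = False
                continue
            out += [(why, line) for why in path_findings(line)]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        if kind in ("R0", "R1") and "Start Page" in body and "?" in body.split("=", 1)[-1]:
            out.append(("start page carries a query string (affiliate-style redirect)", line))
        elif kind in ("O2", "O3", "O9", "O18") and ("(no file)" in body or "(file missing)" in body):
            out.append(("orphaned entry: registered component has no file on disk", line))
        elif kind == "O4":  # "[name] command" for Run keys, "Global Startup: file" otherwise
            cmd = body.split("]", 1)[1] if "]" in body else body.split(":", 1)[-1]
            out += [(why, line) for why in path_findings(command_path(cmd), autostart=True)]
    return out


if __name__ == "__main__":
    print(*(f"[{why}] {line}" for why, line in triage(SAMPLE_LOG)), sep="\n")
```

A hit is a prompt to look closer, not a verdict: shdocapi.exe in System32 passes every check here and was still removed in this thread on the helper's knowledge of the name.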

Unread postby goldfish » February 27th, 2006, 3:23 pm

As far as I could see A2 cleaned those files, yes.
I could not find "C:\WINDOWS\system32\shdocapi.exe" when I searched for it in safe mode, but I found the others and deleted them.

Blacklight log is posted below along with a new hijackthis log.

02/27/06 20:10:42 [Info]: BlackLight Engine 1.0.32 initialized
02/27/06 20:10:42 [Info]: OS: 5.1 build 2600 ()
02/27/06 20:10:43 [Note]: 7019 4
02/27/06 20:10:43 [Note]: 7005 0
02/27/06 20:10:47 [Note]: 7006 0
02/27/06 20:10:47 [Note]: 7011 1392
02/27/06 20:10:48 [Note]: FSRAW library version 1.7.1015
02/27/06 20:15:03 [Note]: 7007 0


Logfile of HijackThis v1.99.1
Scan saved at 20:21:57, on 27.02.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\Programfiler\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programfiler\Java\j2re1.4.2_10\bin\jusched.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\MSN Messenger\MsnMsgr.Exe
C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Symantec Shared\DJSNETCN.exe
C:\Programfiler\ewido anti-malware\ewidoctrl.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\Programfiler\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programmer\Spyware og malwareprogrammer\hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsiden.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programfiler\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Programfiler\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\j2re1.4.2_10\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Programfiler\Fellesfiler\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programfiler\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Hurtigstart for Adobe Reader.lnk = C:\Programfiler\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_10\bin\npjpi142_10.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - https://java.sun.com/products/plugin/au ... s-i586.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\DJSNETCN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programfiler\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Best regards, goldfish!
goldfish
Active Member
 
Posts: 5
Joined: February 24th, 2006, 8:44 pm

Unread postby Susan528 » February 27th, 2006, 3:59 pm

Hi goldfish,

Your log appears to be clean and I am thankful there were no rootkits. :)
Good work! You need to install Windows Updates now.
Please do the following:

STEP 1.
======
Cleanmgr
To clean temporary files:
  1. Go > start > run and type cleanmgr and click OK
  2. Scan your system for files to remove.
  3. Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
  4. Click OK to remove those files.
  5. Click Yes to confirm deletion.

STEP 2.( Windows XP only)
======
Prefetch Folder
Open C:\Windows\Prefetch\
Delete All files in this folder but not the Prefetch folder

STEP 3.
======
System Restore for Windows XP
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
    Turn off System Restore.
  1. On the Desktop, right-click My Computer.
  2. Click Properties.
  3. Click the System Restore tab.
  4. Check Turn off System Restore.
  5. Click Apply, and then click OK.
Reboot.

Turn ON System Restore.
  1. On the Desktop, right-click My Computer.
  2. Click Properties.
  3. Click the System Restore tab.
  4. UN-Check *Turn off System Restore*.
  5. Click Apply, and then click OK.

Update your Java to the latest version. Uninstall any and all versions you have listed in add/remove programs and install the latest version from here: http://www.java.com/en/


STEP 4.
======
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:


  1. Visit Microsoft's Update Site Frequently - It is important that you visit Windows Updates regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  2. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  3. Test your Firewall - Please test your firewall and make sure it is working properly.
    Test Firewall

  4. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software, in conjunction with Spybot.
    A tutorial on installing & using this product can be found here:
    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  5. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware

  6. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  7. You can also find more info on how to prevent malware here (by Tony Klein)
    and here: http://wiki.castlecops.com/Malware_Prev ... -infection


Follow this list and your potential for being infected again will reduce dramatically.

Thank you for allowing me to assist you.

Susan
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby goldfish » February 27th, 2006, 6:47 pm

Hello Susan,

the pleasure is on my side.
I have now completely updated the computer and everything seems ok.
Thanks again for helping me out with these problems. Keep up the positive work :-)

goldfish
goldfish
Active Member
 
Posts: 5
Joined: February 24th, 2006, 8:44 pm

Unread postby NonSuch » March 7th, 2006, 4:31 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 27229
Joined: February 23rd, 2005, 7:08 am
Location: California