Help Please: Infection


Post by Bob4 » November 8th, 2006, 1:28 pm

If you haven't started what I have removed from here, let's hold off for a while. I will be back as soon as I can.
Bob4
MRU Master
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Post by srs » November 8th, 2006, 5:08 pm

Bob4

The last message I got from you was to use the Rustockb Removal tool. I did that last night, and posted the results. I have not done anything else since. I don't know what you removed. I didn't get any message about it.

Thanks
srs
srs
Regular Member
Posts: 82
Joined: December 21st, 2005, 10:21 pm

Post by Bob4 » November 8th, 2006, 7:35 pm

OK SRS. Here's the poop on this.
It is a very nasty infection. Not only that, it is written very badly. This means it may not do what it is supposed to, may take up all sorts of CPU usage, and may crash your entire system at any time.


This is a quote from a very well respected expert that has worked with this infection on a machine of their own.

When lauder.c infects the files...the infection is "buggy" and the infected files can't run. They are "running" but they can't do their job. They just run the cpu @ 100% and freeze up the system. Each reboot runs wservice again and infects more files.
Of course any copies in dllcache, i386 folder are infected too. So trying to replace ones in system32 from dllcache not possible.
Pretty much all exes and scr files infected.


So if certain files (mandatory to Windows) get infected you will find you cannot boot the system. This infection, as you described, makes new files at each reboot.


I strongly encourage you to back up anything important to a cdrom or USB stick.
Do NOT backup any exe files or scr files.
Do NOT back up any entire folder that has any file in it that you do not know exactly what it is.




I will begin to work on a fix for us to try and clear this machine. But I can not in all reality make any promises. A reformat may be the easiest way out of this.
If you would like to try and clear this machine I will do my best to help you. Could be interesting... Could be extremely frustrating...
I will leave that to your call.


If you decide to fight this monster I ask that you take it off the net for the duration of the fix and download any files, programs, anything at all we need from another machine and transfer them via USB stick or CD-ROM or floppy.
Just let me know what you decide to do.

Post by srs » November 8th, 2006, 7:43 pm

Bob4

Thanks for that. I understand the situation. I have already made copies of my important files (word documents).

If you are willing, let's try and see if we can remove the infection. We can reassess if we don't make any progress.

Thanks again
srs

Post by Bob4 » November 8th, 2006, 8:37 pm

1. Please download The Avenger by Swandog46 to your Desktop.

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text in bold contained in the code box below to your Clipboard by highlighting it and right clicking and then copy:


Files to delete:

C:\Documents and Settings\Suresh Senathirajah\mpajee4.exe
C:\WINDOWS\SYSTEM32\ApI4Lj7.exe
C:\WINDOWS\SYSTEM32\wservice.exe
C:\Documents and Settings\Suresh Senathirajah\x7e42bK.exe
C:\WINDOWS\SYSTEM32\cANncA3.exe
C:\Documents and Settings\Suresh Senathirajah\j4UAtiv.exe
C:\Documents and Settings\Suresh Senathirajah\xE5Rd5V.exe
C:\Documents and Settings\Suresh Senathirajah\wVBaF1V.exe
C:\Documents and Settings\Suresh Senathirajah\p821SnA.exe
C:\WINDOWS\SYSTEM32\l10Ji50.exe
C:\WINDOWS\SYSTEM32\enTe075.exe
C:\WINDOWS\SYSTEM32\x0Ebuh7.exe
C:\WINDOWS\SYSTEM32\tuo2jxP.exe
C:\WINDOWS\SYSTEM32\s0p3bJ2.exe
C:\Documents and Settings\Suresh Senathirajah\o2fT.exe
C:\WINDOWS\SYSTEM32\mI63sFj.exe
C:\WINDOWS\SYSTEM32\pk@4e68.exe
C:\Documents and Settings\Suresh Senathirajah\wlxM8g5.exe
C:\Documents and Settings\Suresh Senathirajah\MJ2ux0a.exe
C:\Documents and Settings\Suresh Senathirajah\FNKGgr8.exe
C:\Documents and Settings\Suresh Senathirajah\DOFo356.exe
C:\Documents and Settings\Suresh Senathirajah\dHQ5ud3.exe
C:\Documents and Settings\Suresh Senathirajah\AO6657j.exe
C:\Documents and Settings\Suresh Senathirajah\v460Pb6.exe
C:\WINDOWS\SYSTEM32\RfK3666.exe
C:\Documents and Settings\Suresh Senathirajah\eI07684.exe
C:\Documents and Settings\Suresh Senathirajah\kCehMIy.exe
C:\WINDOWS\SYSTEM32\WtPSfW4.exe
C:\Documents and Settings\Suresh Senathirajah\X1c4JV0.exe
C:\Documents and Settings\Suresh Senathirajah\u5X06rm.exe
C:\Documents and Settings\Suresh Senathirajah\r6Tix88.exe
C:\Documents and Settings\Suresh Senathirajah\aUDevp7.exe
C:\Documents and Settings\Suresh Senathirajah\bR2tPrp.exe
C:\WINDOWS\SYSTEM32\OtPt3F0.exe
C:\WINDOWS\SYSTEM32\DvppDbw.exe
C:\Documents and Settings\Suresh Senathirajah\nKuH8a2.exe
C:\WINDOWS\SYSTEM32\qSki12i.exe
C:\WINDOWS\SYSTEM32\tmp.reg
C:\WINDOWS\SYSTEM32\nAk41wF.exe
C:\WINDOWS\SYSTEM32\Jif567n.exe
C:\WINDOWS\SYSTEM32\u2EEBii.exe
C:\WINDOWS\soso333.exe
C:\Documents and Settings\Suresh Senathirajah\KAUm4f7.exe
C:\WINDOWS\SYSTEM32\win_3.exe
C:\Documents and Settings\Suresh Senathirajah\oodfoDe.exe
C:\Documents and Settings\Suresh Senathirajah\u4tMtvp.exe
C:\Documents and Settings\Suresh Senathirajah\RkFoEF6.exe
C:\Documents and Settings\Suresh Senathirajah\mbgEr52.exe
C:\Documents and Settings\Suresh Senathirajah\HgE8Wa8.exe
C:\Documents and Settings\Suresh Senathirajah\fD5QPru.exe
C:\WINDOWS\SYSTEM32\jN3JR3C.exe
C:\WINDOWS\SYSTEM32\win_4el.exe
C:\Documents and Settings\Suresh Senathirajah\rl7a6G7.exe
C:\WINDOWS\SYSTEM32\xuw122U.exe
C:\WINDOWS\SYSTEM32\suchost.exe
C:\WINDOWS\SYSTEM32\pneuxdn.dll
C:\WINDOWS\SYSTEM32\qizmquf.dll
C:\WINDOWS\SYSTEM32\aspi6611.exe
C:\WINDOWS\SYSTEM32\adirss.exe
C:\WINDOWS\SYSTEM32\se.exe.exe
C:\WINDOWS\SYSTEM32\emO81d5.exe
C:\WINDOWS\SYSTEM32\w.exe.exe
C:\WINDOWS\SYSTEM32\tmp_tg.exe
C:\tmmjcov.exe
C:\knrw.exe
C:\usddru.exe
C:\gseudw.exe
C:\hdeybmen.exe
C:\oxta.exe
C:\jtwcyl.exe
C:\bleobw.exe
C:\WINDOWS\SYSTEM32\ipv6monl.dll
C:\WINDOWS\SYSTEM32\syst7s8.exe
C:\explorer1.exe
C:\WINDOWS\\System32\taskdir.exe


Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop; this is normal.
- After the restart, it will create a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of avenger.txt into your reply along with a fresh HJT log by using Add/Reply

____________________________________
Download this scanner: Dr.Web CureIT!
To Desktop
http://download.drweb.com/drweb+antivirus+free+services
Save the report and post it ...


______________

Run an online scan here. Accept the ActiveX and select 'clean':
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
Save any report provided, and post it back here.

Post by srs » November 9th, 2006, 3:03 am

Bob4

Avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\dgwjpemg

*******************

Script file located at: \??\C:\Documents and Settings\dkjnpymi.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\Documents and Settings\Suresh Senathirajah\mpajee4.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\ApI4Lj7.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\wservice.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\x7e42bK.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\cANncA3.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\j4UAtiv.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\xE5Rd5V.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\wVBaF1V.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\p821SnA.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\l10Ji50.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\enTe075.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\x0Ebuh7.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\tuo2jxP.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\s0p3bJ2.exe deleted successfully.


File C:\Documents and Settings\Suresh Senathirajah\o2fT.exe not found!
Deletion of file C:\Documents and Settings\Suresh Senathirajah\o2fT.exe failed!

Could not process line:
C:\Documents and Settings\Suresh Senathirajah\o2fT.exe
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\mI63sFj.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\pk@4e68.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\wlxM8g5.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\MJ2ux0a.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\FNKGgr8.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\DOFo356.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\dHQ5ud3.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\AO6657j.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\v460Pb6.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\RfK3666.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\eI07684.exe deleted successfully.


File C:\Documents and Settings\Suresh Senathirajah\kCehMIy.exe not found!
Deletion of file C:\Documents and Settings\Suresh Senathirajah\kCehMIy.exe failed!

Could not process line:
C:\Documents and Settings\Suresh Senathirajah\kCehMIy.exe
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\WtPSfW4.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\X1c4JV0.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\u5X06rm.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\r6Tix88.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\aUDevp7.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\bR2tPrp.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\OtPt3F0.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\DvppDbw.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\nKuH8a2.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\qSki12i.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\tmp.reg deleted successfully.
File C:\WINDOWS\SYSTEM32\nAk41wF.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\Jif567n.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\u2EEBii.exe deleted successfully.
File C:\WINDOWS\soso333.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\KAUm4f7.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\win_3.exe deleted successfully.


File C:\Documents and Settings\Suresh Senathirajah\oodfoDe.exe not found!
Deletion of file C:\Documents and Settings\Suresh Senathirajah\oodfoDe.exe failed!

Could not process line:
C:\Documents and Settings\Suresh Senathirajah\oodfoDe.exe
Status: 0xc0000034

File C:\Documents and Settings\Suresh Senathirajah\u4tMtvp.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\RkFoEF6.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\mbgEr52.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\HgE8Wa8.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\fD5QPru.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\jN3JR3C.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\win_4el.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\rl7a6G7.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\xuw122U.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\suchost.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\pneuxdn.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\qizmquf.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\aspi6611.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\adirss.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\se.exe.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\emO81d5.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\w.exe.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\tmp_tg.exe deleted successfully.
File C:\tmmjcov.exe deleted successfully.
File C:\knrw.exe deleted successfully.
File C:\usddru.exe deleted successfully.
File C:\gseudw.exe deleted successfully.
File C:\hdeybmen.exe deleted successfully.
File C:\oxta.exe deleted successfully.
File C:\jtwcyl.exe deleted successfully.
File C:\bleobw.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\ipv6monl.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\syst7s8.exe deleted successfully.
File C:\explorer1.exe deleted successfully.


File C:\WINDOWS\\System32\taskdir.exe not found!
Deletion of file C:\WINDOWS\\System32\taskdir.exe failed!

Could not process line:
C:\WINDOWS\\System32\taskdir.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
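Added example, not code from this thread, from Bob4, or from The Avenger's author: a small Python script that reads an Avenger script like the one posted above and the avenger.txt log that came back, and matches each "Files to delete" entry to its outcome. Avenger reports each deletion either as "deleted successfully" or as a "Deletion of file ... failed!" block followed by an NTSTATUS code; 0xc0000034 is STATUS_OBJECT_NAME_NOT_FOUND, i.e. the file was no longer there when the script ran, which is useful to know when an infection creates and removes files on every reboot. The embedded script and log are shortened copies of the ones in this thread. The doubled-backslash check in lint_script is my own pre-flight heuristic for catching a typo before a script is run, not an Avenger feature; the thread does not say whether that path failed for that reason, and the function names are my own.

```python
"""Reconcile an Avenger "Files to delete" script with the avenger.txt log it produced."""
import re

# Shortened copy of the Avenger script posted in this thread (the full one lists
# about 80 files; these four entries cover every outcome that appears in the log).
AVENGER_SCRIPT = r"""
Files to delete:
C:\WINDOWS\SYSTEM32\wservice.exe
C:\Documents and Settings\Suresh Senathirajah\o2fT.exe
C:\WINDOWS\SYSTEM32\tmp.reg
C:\WINDOWS\\System32\taskdir.exe

Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
"""

# Shortened copy of the avenger.txt log posted back for that script.
AVENGER_LOG = r"""
File C:\WINDOWS\SYSTEM32\wservice.exe deleted successfully.
File C:\Documents and Settings\Suresh Senathirajah\o2fT.exe not found!
Deletion of file C:\Documents and Settings\Suresh Senathirajah\o2fT.exe failed!
Could not process line:
C:\Documents and Settings\Suresh Senathirajah\o2fT.exe
Status: 0xc0000034
File C:\WINDOWS\SYSTEM32\tmp.reg deleted successfully.
File C:\WINDOWS\\System32\taskdir.exe not found!
Deletion of file C:\WINDOWS\\System32\taskdir.exe failed!
Could not process line:
C:\WINDOWS\\System32\taskdir.exe
Status: 0xc0000034
"""

# NTSTATUS names for codes Avenger reports; only the one seen in this thread is listed.
NTSTATUS_NAMES = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}

DELETED_RE = re.compile(r"^File (.+) deleted successfully\.$")
FAILED_RE = re.compile(r"^Deletion of file (.+) failed!$")
STATUS_RE = re.compile(r"^Status: 0x([0-9a-fA-F]{8})$")


def parse_script(text):
    """Group the non-blank lines of an Avenger script under their section headers."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.endswith(":"):          # section header such as "Files to delete:"
            current = line[:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def lint_script(sections):
    """Pre-flight checks of my own (not Avenger's): paths that look like typos."""
    problems = []
    for path in sections.get("Files to delete", []):
        if "\\\\" in path:
            problems.append((path, "doubled backslash in path"))
        if not re.match(r"^[A-Za-z]:\\", path):
            problems.append((path, "not an absolute drive path"))
    return problems


def parse_log(text):
    """Map each file path in the log to ("deleted", None) or ("failed", ntstatus)."""
    results, pending = {}, None     # pending = failed path awaiting its Status line
    for line in (l.strip() for l in text.splitlines()):
        if m := DELETED_RE.match(line):
            results[m.group(1)] = ("deleted", None)
        elif m := FAILED_RE.match(line):
            pending = m.group(1)
            results[pending] = ("failed", None)
        elif (m := STATUS_RE.match(line)) and pending is not None:
            results[pending] = ("failed", int(m.group(1), 16))
            pending = None
    return results


def reconcile(script_text, log_text):
    """Match every 'Files to delete' entry to its logged outcome."""
    outcomes = parse_log(log_text)
    report = {"deleted": [], "failed": [], "unreported": []}
    for path in parse_script(script_text).get("Files to delete", []):
        state, status = outcomes.get(path, (None, None))
        if state == "deleted":
            report["deleted"].append(path)
        elif state == "failed":
            code = f"0x{status:08x}" if status is not None else "no status"
            report["failed"].append((path, code, NTSTATUS_NAMES.get(status, "unknown status")))
        else:                           # listed in the script but never mentioned in the log
            report["unreported"].append(path)
    return report


if __name__ == "__main__":
    for path, why in lint_script(parse_script(AVENGER_SCRIPT)):
        print(f"LINT {why}: {path}")
    for kind, items in reconcile(AVENGER_SCRIPT, AVENGER_LOG).items():
        print(f"{kind.upper()} ({len(items)}):", *items, sep="\n  ")
```

Run it with the full script and log pasted into the two strings and the "failed" list tells you at a glance which entries were already gone, which is the list worth re-checking in the next HJT log.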

Post by srs » November 9th, 2006, 3:06 am

Bob4

Dr Web report:

xh4l7df.exe;c:\documents and settings\suresh senathirajah;Trojan.Galapoper;Will be cured after reboot.;
hppautoindexer.exe;c:\program files\hewlett-packard\laserjet 33xx;Win32.Dref;Cured.;
hppdirector.exe;c:\program files\hewlett-packard\laserjet 33xx;Win32.Dref;Cured.;
ipodservice.exe;c:\program files\ipod\bin;Win32.Dref;Cured.;
sqladhlp.exe;c:\program files\microsoft sql server\80\tools\binn;Win32.Dref;Cured.;
sqlagent.exe;c:\program files\microsoft sql server\mssql$microsoftbcm\binn;Win32.Dref;Cured.;
wservice.exe;c:\windows\system32;Win32.Dref;Deleted.;

Post by srs » November 9th, 2006, 3:28 am

Bob4

Latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:23:03 PM, on 9/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\program files\u-storage tools2.65\ustorage.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\uWDF.exe
C:\Documents and Settings\Suresh Senathirajah\My Documents\Down Loaded\High Jack\nofun.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tools2.65\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools2.65
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsup ... mAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{69767973-9E92-4618-8894-F732ED49292F}: NameServer = 10.205.0.111,10.205.0.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFB1D823-A012-467A-9D9A-1E19EFA0BC57}: NameServer = 85.255.116.30 85.255.112.144
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Post by srs » November 9th, 2006, 3:46 am

Bob4

I cannot get the CA online scanner to run. I am now at home, and the access on the infected computer is via dialup. Could this be causing the problem?

Also, the infection is still present. I am wondering whether the infection is somehow loading up from Ewido. I noticed that the file replication, i.e. infection, seems to start whenever I run Ewido (or when I try and uninstall it). You will recall that I am unable to uninstall Ewido.

Thanks
srs

Post by srs » November 9th, 2006, 3:54 am

Bob4,

Latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:51:41 PM, on 9/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\program files\u-storage tools2.65\ustorage.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\uWDF.exe
C:\Documents and Settings\Suresh Senathirajah\My Documents\Down Loaded\High Jack\nofun.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UStorag] c:\program files\u-storage tools2.65\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools2.65
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\System32\wservice.exe
O4 - Startup: Dragon NaturallySpeaking.lnk = C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsup ... mAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{69767973-9E92-4618-8894-F732ED49292F}: NameServer = 10.205.0.111,10.205.0.112
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
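Added example, not part of the thread and not a HijackThis feature: a Python helper that diffs two HJT logs and applies two checks a helper would otherwise make by eye. Comparing the 6:23 PM and 6:51 PM logs above, the O17 entry whose NameServer is 85.255.116.30 85.255.112.144 appears only in the first, and the O4 HKCU Run entry [UpdateService] C:\WINDOWS\System32\wservice.exe appears only in the second, even though Avenger reported deleting that file half an hour earlier, which is the re-creation on reboot Bob4 described. The embedded log excerpts are shortened copies of those two logs. The known-deleted set, the RFC 1918 heuristic for nameservers and the function names are my own assumptions; a public nameserver on a client is not evidence of anything by itself, the check only surfaces it for review.

```python
"""Diff two HijackThis logs and flag two things a helper checks by eye."""
import ipaddress
import re

# Shortened copies of the two HJT logs posted at 6:23 PM and 6:51 PM; lines
# identical in both logs are mostly left out to keep the sample short.
HJT_BEFORE = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{69767973-9E92-4618-8894-F732ED49292F}: NameServer = 10.205.0.111,10.205.0.112
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFB1D823-A012-467A-9D9A-1E19EFA0BC57}: NameServer = 85.255.116.30 85.255.112.144
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""
HJT_AFTER = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\System32\wservice.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{69767973-9E92-4618-8894-F732ED49292F}: NameServer = 10.205.0.111,10.205.0.112
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

# Files the Avenger log earlier in the thread reported deleting (one shown);
# a Run entry pointing at one of them again means it has been re-created.
AVENGER_DELETED = {r"C:\WINDOWS\SYSTEM32\wservice.exe"}

ENTRY_RE = re.compile(r"^O\d+ - ")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")


def entries(log):
    """The O-numbered lines of an HJT log, stripped, in file order."""
    return [l.strip() for l in log.splitlines() if ENTRY_RE.match(l.strip())]


def diff_logs(before, after):
    """Entries present in only one of the two logs."""
    b, a = set(entries(before)), set(entries(after))
    return {"removed": sorted(b - a), "added": sorted(a - b)}


def run_target(cmd):
    """Executable path from an O4 command line: quoted, or bare up to .exe/.dll."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(?i)^(.*?\.(?:exe|dll))(?:[\s,]|$)", cmd)
    return m.group(1) if m else cmd


def flag_recreated(log, deleted_paths):
    """O4 entries whose target is a path already deleted (compared case-insensitively)."""
    deleted = {p.lower() for p in deleted_paths}
    hits = []
    for line in entries(log):
        m = O4_RE.match(line)
        if m:
            target = run_target(m.group("cmd"))
            if target.lower() in deleted:
                hits.append((m.group("hive"), m.group("name"), target))
    return hits


def flag_public_nameservers(log):
    """O17 entries whose nameservers fall outside private (RFC 1918) space."""
    hits = []
    for line in entries(log):
        m = O17_RE.match(line)
        if not m:
            continue
        servers = re.split(r"[,\s]+", m.group("servers").strip())
        public = [s for s in servers if not ipaddress.ip_address(s).is_private]
        if public:
            hits.append(public)
    return hits


if __name__ == "__main__":
    for kind, lines in diff_logs(HJT_BEFORE, HJT_AFTER).items():
        for line in lines:
            print(f"{kind:8s} {line}")
    print("re-created:", flag_recreated(HJT_AFTER, AVENGER_DELETED))
    print("public DNS before:", flag_public_nameservers(HJT_BEFORE))
    print("public DNS after: ", flag_public_nameservers(HJT_AFTER))
```

Paste two complete logs into the strings and the "added" list is the set of new startup items and services to look at first; feeding it the paths Avenger reported deleting turns "this file is back" into a mechanical check rather than a memory exercise.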

Post by Bob4 » November 9th, 2006, 5:26 pm

Panda
Run Panda's ActiveScan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your Valid Email
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
- Post Panda scan results in your next reply

Post by srs » November 9th, 2006, 7:20 pm

Bob4

There appears to be something wrong. Again I can't get the online scan to activate. When I click on the "scan pc" icon nothing happens. Is there some setting I should check or change?

srs
srs
Regular Member
 
Posts: 82
Joined: December 21st, 2005, 10:21 pm

Post by Bob4 » November 9th, 2006, 7:57 pm

Try this but this infection may be stopping it. :x


1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click on the Security tab
3. Click the Internet icon so it becomes highlighted.
4. Click on Default Level and click Ok
5. Click on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt

Post by srs » November 9th, 2006, 8:14 pm

Bob4

No luck. I changed the security settings as you asked.

In fact when I right-click on the "scan pc" icon, the options to open link etc. are greyed out (i.e. not available).

srs
srs
Regular Member
 
Posts: 82
Joined: December 21st, 2005, 10:21 pm

Post by Bob4 » November 9th, 2006, 8:27 pm

HMMM. This probably won't work either. There are 2 icons, one is at the bottom. Try right-clicking it and choose open in new window.