tykra

Computer Attacked


Not sure if this is some sort of 6.6.06 attack, but the timing sure is weird - when I booted my computer this morning and signed onto the internet I discovered several things.

 

I keep getting fake security warnings popup in the bottom right of my screen.

 

Examples:

 

"Your computer is working slowly!"

"Alert! You are receiving spam!"

"Warning! Your security and privacy are at risk!"

"You computer is not protected against spyware!"

"Danger! Spyware activity detected on your computer!"

"Alert! A minimum of 7 spyware items found!"

 

Explorer opens to about:blank and displays a Windows Security Center (remove spyware alert) and the link directs to xxxhttp://www.antispywarebox.com/index2.php?aff=0&wd=C:/WINDOWS

 

Task Manager is Disabled.

Regedit is Disabled.

Msconfig is Disabled.

 

Running Ad-Aware finds numerous files to fix - I fix them, then immediately the files are all reinstalled.

 

On startup I see runsrv32.exe running, so maybe that is reinstalling something?

 

Examples of files that are being auto-installed:

 

ABetterInternet

Admess

Alexa

Avenue A, Inc

Blazefind.Bridge

CoolWWWSearch.SmartSearch

DailyToolbar

SpywareSheriff.FakeAlert

Statblaster.All files7

VX2.b.BDS

VX2.c

VX2.g.SiteHlpr

 

===========

HJT LOG

===========

 

Logfile of HijackThis v1.99.1

Scan saved at 3:31:09 PM, on 6/6/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\M-Audio Fast Track\GBInst.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

c:\progra~1\mcafee\mcafee antispyware\massrv.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

c:\PROGRA~1\mcafee.com\vso\OasClnt.exe

C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

C:\WINDOWS\System32\CTHELPER.EXE

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\McAfee.com\VSO\mcvsshld.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\progra~1\mcafee\MCAFEE~1\masalert.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\users32.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Documents and Settings\brian\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:81

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)

O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)

O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)

O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\System32\adobepnl.dll

O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)

O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)

O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)

O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\Toolbar.dll

O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

O4 - HKLM\..\Run: [sNPSTD2] C:\WINDOWS\vsnpstd2.exe

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [susse] "C:\WINDOWS\System32\hpsw.exe"

O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\System32\susp.exe

O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\System32\runsrv32.exe

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Nero\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [owfw] C:\PROGRA~1\COMMON~1\owfw\owfwm.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...tm=0&expId=5067

O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLHelper/ve...n7/DLHelper.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...774/mcfscan.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\k0440ahqed4e0.dll (file missing)

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: Fast Track Installer (FastTrackInstallerService) - Nemesis - C:\Program Files\M-Audio Fast Track\GBInst.exe

O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\xampp\FileZillaFTP\FileZillaServer.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

 

===========

END LOG

===========

 

I have never had this much trouble getting rid of something before - normally it's a quick search on Google and it's gone within minutes - today I have been searching all day long without success. I imagine this is a new strain of a virus, but McAfee isn't picking it up!

 

Please help, I've lost an entire day trying to resolve this issue.


You have got a bad one that downloads additional malware to your system. (It's not new)

 

I'm going to tackle the worst first. The fake alerts you are getting are a Smitfraud hijacker, but I'll come back to that after you do this step.

 

Please download Brute Force Uninstaller to your desktop.

  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.

Save it in the same folder you made earlier (c:\BFU).

 

Then, please go to Start > My Computer and navigate to the C:\BFU folder.

  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the "scriptline to execute" field click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the "complete script execution" box to pop up and press OK.
  • Click "Save"
    In "Filename" enter log.txt
  • Click Exit to exit the BFU program.

Please copy the contents of the log.txt back here in your next reply. The log.txt will be in the C:\BFU\ folder

 

Also post a fresh HijackThis log. There will be more to do.


Smitfraud Fix

 

I see you already have Ewido installed (good!). Just skip the steps that refer to downloading Ewido.

 

1. Print out or save to notepad these instructions as we will need to do most steps offline and in SAFE MODE (so you won't have this window open to see the instruction from)

 

2. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

 

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

 

 

 

3. Download, install, and update Ewido AntiMalware (get the free trial version)

http://www.ewido.net/en/download/

 

a. Install Ewido AntiMalware

 

b. Launch Ewido; there should be a big yellow E icon on your desktop, double-click it.

 

c. The program will prompt you to update; click the OK button.

 

d. The program will now go to the main screen

 

e. On the left hand side of the main screen click on Update

 

f. Click on Start. The update will start and a progress bar will show the updates being installed.

 

g. Do not scan yet. We'll do that later in SAFE MODE. After updating close Ewido and any open programs.

 

*Note: Ewido is a free trial product for 14 days. After that you can purchase it for full features OR you can also keep the free version to use as an on-demand scanner (recommended).

You will still be able to manually update Ewido using the *update* button :D

 

4. Reboot into Safe Mode

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

 

5. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

 

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

 

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically please do it yourself manually.

 

6. Next, start Ewido AntiMalware

 

a. Click on scanner

 

b. Click on *complete system scan*

 

c. Let the program scan the machine.

 

d. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose Remove, then put a check next to Perform action on all infections in the left corner of the box so you don't have to sit and watch Ewido the whole time.

Checkmark the box: *Create encrypted backup in the quarantine* (recommended)

 

Click OK.

 

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

 

........................

 

8. Get a free online AV scan at eTrust Antivirus Web Scanner

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

(if prompted, please *allow* Active X and the install of software - this is needed to scan your system)

It will take a while to download the updates needed, and then you'll be presented with a screen to scan your system. SAVE the report at the end to copy back here please.

 

(This scan to make sure your Wininet.dll is fixed if infected)

 

(Don't forget to *save report* at the end. We need you to post a copy with your topic reply)

 

9. Now please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

 

Logs needed in your next post are:

 

rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed

 

Ewido Scan report

 

eTrust online AV report

 

Fresh HijackThis log

Please copy the contents of the log.txt back here in your next reply. The log.txt will be in the C:\BFU\ folder

 

======

BFU LOG

======

 

BFU v1.00.9

Windows XP SP1 (WinNT 5.01.2600 SP1)

Script started at 8:28:31 PM, on 6/6/2006

 

Option Unload Explorer: Yes

Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)

Failed: ServiceStop Network Monitor (service not found)

Failed: ServiceStop cmdService (service not found)

Failed: ServiceDisable Network Monitor (service not found)

Failed: ServiceDisable cmdService (service not found)

Failed: ServiceDelete Network Monitor (service not found)

Failed: ServiceDelete cmdService (service not found)

Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|p2pnetwork (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\OLE|winlog (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)

Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)

Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)

Option pause between commands: 300 ms

Option pause between commands: 50 ms

Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)

Failed: FolderDelete C:\Program Files\winupdates (folder not found)

Failed: FolderDelete C:\Program Files\winupdate (folder not found)

Failed: FolderDelete C:\Program Files\winsupdater (folder not found)

Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)

Failed: FolderDelete C:\Program Files\MsMovies (folder not found)

Failed: FolderDelete C:\Program Files\wmplayer (folder not found)

Failed: FolderDelete C:\Program Files\outlook (folder not found)

Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)

Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)

Failed: FileDelete C:\DOCUME~1\brian\LOCALS~1\Temp\~DF2A58.tmp (operation failed)

Failed: FileDelete C:\DOCUME~1\brian\LOCALS~1\Temp\~DF6A9F.tmp (operation failed)

Failed: FileDelete C:\WINDOWS\Temp\sqlite_eSVptoIlOAeFykh (operation failed)

Failed: FileDelete C:\WINDOWS\Temp\sqlite_t8ABRz2ue4O4Q63 (operation failed)

Failed: FileDelete C:\WINDOWS\Temp\sqlite_tuDwgd2sbHFke3m (operation failed)

Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)

Failed: FolderDelete C:\Program Files\DNS (folder not found)

Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)

Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\svchostsys (folder not found)

Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)

Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)

Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)

Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)

Failed: FolderDelete C:\Program Files\Update06 (folder not found)

Failed: FolderDelete C:\Program Files\Update03 (folder not found)

Failed: FolderDelete C:\Program Files\Update04 (folder not found)

Failed: FolderDelete C:\Program Files\Update08 (folder not found)

Failed: FolderDelete C:\Program Files\W-Update (folder not found)

Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)

Failed: FolderDelete C:\Program Files\Cas (folder not found)

Failed: FolderDelete C:\Program Files\CasStub (folder not found)

Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)

Failed: FolderDelete C:\Program Files\ipwins (folder not found)

Failed: FolderDelete C:\temp (folder not found)

Failed: FolderDelete C:\WINDOWS\mdrive (folder not found)

Failed: FolderCreate C:\bintheredunthat (folder already exists)

Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)

Script completed.

 

======

END LOG

======

 

proceeding onto your second post procedures ....


Great! (Don't worry about the "file not found" messages... this is what I am looking for: "Script completed.") So that went well really :D

 

That BFU looks for a plethora of nasties, the log only lists the ones not found on your computer. "Script completed" is what I needed to see :)


Ok, finally completed the next steps - 30m+ each for a couple of the scans :D - looks like I might have gotten rid of some of the stuff with my previous S&D work.

 

==================

BEGIN RAPPORT.TXT

==================

SmitFraudFix v2.55

 

Scan done at 20:42:48.85, Tue 06/06/2006

Run from C:\Documents and Settings\brian\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix ran in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\WINDOWS\alexaie.dll Deleted

C:\WINDOWS\alxie328.dll Deleted

C:\WINDOWS\alxtb1.dll Deleted

C:\WINDOWS\bg.gif Deleted

C:\WINDOWS\BTGrab.dll Deleted

C:\WINDOWS\close-bar.gif Deleted

C:\WINDOWS\dlmax.dll Deleted

C:\WINDOWS\infected.gif Deleted

C:\WINDOWS\Pynix.dll Deleted

C:\WINDOWS\star.gif Deleted

C:\WINDOWS\susp.exe Deleted

C:\WINDOWS\warning-bar-ico.gif Deleted

C:\WINDOWS\ZServ.dll Deleted

C:\WINDOWS\system32\a.exe Deleted

C:\WINDOWS\system32\alxres.dll Deleted

C:\WINDOWS\system32\bridge.dll Deleted

C:\WINDOWS\system32\dailytoolbar.dll Deleted

C:\WINDOWS\system32\jao.dll Deleted

C:\WINDOWS\system32\questmod.dll Deleted

C:\WINDOWS\system32\runsrv32.dll Deleted

C:\WINDOWS\system32\runsrv32.exe Deleted

C:\WINDOWS\system32\tcpservice2.exe Deleted

C:\WINDOWS\system32\txfdb32.dll Deleted

C:\WINDOWS\system32\udpmod.dll Deleted

C:\WINDOWS\system32\wstart.dll Deleted

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

==================

END RAPPORT.TXT

==================

 

 

==================

BEGIN EWIDO LOG

==================

---------------------------------------------------------

ewido anti-malware - Scan report

---------------------------------------------------------

 

+ Created on: 9:43:14 PM, 6/6/2006

+ Report-Checksum: 60641495

 

+ Scan result:

 

No infected objects found.

 

 

::Report End

==================

END EWIDO LOG

==================

 

 

==================

BEGIN AV REPORT

==================

Scan Results: Scan Completed. 105491 files scanned. No viruses found.

 

File Infection Status Path

- No Infections

 

==================

END AV REPORT

==================

 

==================

BEGIN HJT LOG

==================

 

Logfile of HijackThis v1.99.1

Scan saved at 10:40:49 PM, on 6/6/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\brian\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:81

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\System32\adobepnl.dll

O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\Toolbar.dll

O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [sNPSTD2] C:\WINDOWS\vsnpstd2.exe

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [susse] "C:\WINDOWS\System32\hpsw.exe"

O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Nero\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [owfw] C:\PROGRA~1\COMMON~1\owfw\owfwm.exe

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...tm=0&expId=5067

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLHelper/ve...n7/DLHelper.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...774/mcfscan.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\k0440ahqed4e0.dll (file missing)

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: Fast Track Installer (FastTrackInstallerService) - Nemesis - C:\Program Files\M-Audio Fast Track\GBInst.exe

O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\xampp\FileZillaFTP\FileZillaServer.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe


==================

END HJT LOG

==================


Well, everything looked good in safe mode. Now that I rebooted I am once again getting the spyware popups; Task Manager, regedit etc. are all disabled by this virus (whatever it is).


Sounds as if it's gotten reinfected again?

 

Keep the affected PC offline and use another clean PC to access these instructions

 

Open HijackThis and do a *scan only*

When it finishes, checkmark these entries and press the *fix checked* button

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:81

 

R3 - Default URLSearchHook is missing

 

O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)

 

O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)

 

O4 - HKLM\..\Run: [susse] "C:\WINDOWS\System32\hpsw.exe"

 

O4 - HKCU\..\Run: [owfw] C:\PROGRA~1\COMMON~1\owfw\owfwm.exe

 

O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\k0440ahqed4e0.dll (file missing)

 

Delete this file:

C:\WINDOWS\System32\hpsw.exe

 

Delete this folder:

C:\PROGRA~1\COMMON~1\owfw

 

Repeat the steps for:

 

SmitfraudFix

Ewido Scan

BFU for Alcra

 

You should already have Adaware installed...do a full system scan with it as well.

 

We may need to look for a hidden rootkit. Download these two tools on a clean PC onto a CD and take it to the affected computer, copy them to the hard drive of the infected computer, and run them to produce logs to post back here:

 

Download the free beta trial of this tool from F-Secure, called Blacklight:

F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml

Double-click on bibeta.exe to run it.

Click the *I accept* button near the bottom of that page.

Download and run Blacklight: click Scan, then Next, Next again, then Exit.

There will be a new text file next to Blacklight. Please post it. The text file is named:

fsbl.xxxxxxx.log (the xxxxxxx stands for numbers)

!!Do not rename any files yet

 

............................................

Please download Rootkit Revealer

http://www.sysinternals.com/utilities/rootkitrevealer.html

(download link is at the very bottom of the page)

 

Unzip/extract it to your desktop.

Open the rootkitrevealer folder and double-click rootkitrevealer.exe

Click the Scan button (bottom right)

It may take a while to scan (don't do anything while it's running - leave the PC idle during the scan)

When it's done, go up to File > Save. Choose to save it to your desktop.

Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here


Ok I have repeated those steps ...

 

[safe mode]

- SmitfraudFix deleted all of the same files it had the first time ...

- Ewido found nothing just as first time ...

- Ran BFU - All was good again ...

 

I then attempted to run Blacklight without success.

------------------------

F-Secure Blacklight could not acquire necessary privileges (SeDebugPrivilege)

-Your computer settings may prevent acquiring these privileges.

-A malicious program might have disabled these privileges.

------------------------

 

I was able to run RootkitRevealer ...

 

============

BEGIN RR LOG

============

 

HKLM\S-1-5-21-3438958190-1758548669-4134804467-1007\RemoveAccess\InternetProfile 4/13/2004 10:25 AM 15 bytes Data mismatch between Windows API and raw hive data.

 

C:\WINDOWS\softwareDistribution\DataStore\Logs\tmp.edb 6/7/2006 12:02 PM 64 KB Visible in Windows API, but not in MFT or directory index.

 

============

END RR LOG

============

 

Whatever this is, it sure is hiding itself well and disabling everything that tries to find/delete it! Very nasty indeed!!!


This must be a result of fixing those items in HJT, but my infected PC is now slower than a 7777 year itch.

I think I might need to make myself a stiff drink; either that or this computer and/or I are going out the window.


The SeDebugPrivilege was reset by the Look2Me pest. This tool will fix that and look for any remnants of Look2Me.

 

Please download Look2Me-Destroyer.exe to your desktop.

  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to "Run this program as a task".
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK.
  • When Look2Me-Destroyer re-opens, click the "Scan for L2M" button; your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the "Remove L2M" button.
  • You will receive a "Done Scanning" message; click OK.
  • When completed, you will receive this message: "Done removing infected files! Look2Me-Destroyer will now shutdown your computer". Click OK.
  • Your computer will then shut down.
  • Turn your computer back on.
  • Please post the contents of Look2Me-Destroyer.txt (it can be found wherever you saved Look2Me-Destroyer.exe) and a new HijackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

 

Since Ewido isn't finding anything, go ahead and turn off its realtime protection (it might be adding to the slowness).

Ewido is a free-trial anti-trojan product for 14 days. After that you can purchase it for the full features, OR you can keep the free version after the trial is over to use as an on-demand scanner (recommended).

You will still be able to manually update Ewido using the *update* button :D

During the trial period, if you want to turn off the realtime protection, select *Status* from the main screen and, next to "Realtime Protection", click on the green letters "active"; it should turn to red "inactive". You may do the same with automatic updates and update manually before scanning. Those two features will disappear anyway after the trial is over.


==============

BEGIN L2D LOG

==============

 

Look2Me-Destroyer V1.0.12

 

Scanning for infected files.....

Scan started at 6/7/2006 3:24:06 PM

 

Attempting to delete infected files...

 

Making registry repairs.

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{267980D6-E4F9-4EEB-82A7-E3DD8F6358FB}"

HKCR\Clsid\{267980D6-E4F9-4EEB-82A7-E3DD8F6358FB}

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6FCC351D-3335-4396-A2A7-B11ADF054705}"

HKCR\Clsid\{6FCC351D-3335-4396-A2A7-B11ADF054705}

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8DC8FAF1-D08E-4D0B-A5C6-B654BAD3A5CF}"

HKCR\Clsid\{8DC8FAF1-D08E-4D0B-A5C6-B654BAD3A5CF}

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{600E2E42-288E-416A-8CD4-3BE2EB9C6891}"

HKCR\Clsid\{600E2E42-288E-416A-8CD4-3BE2EB9C6891}

 

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{2DADE561-D5C4-46E2-9615-5B6C1ED43C23}"

HKCR\Clsid\{2DADE561-D5C4-46E2-9615-5B6C1ED43C23}

 

Restoring Windows certificates.

 

Replaced hosts file with default windows hosts file

 

Restoring SeDebugPrivilege for Administrators - Succeeded

 

==============

END L2D LOG

==============

 

Ok looks as if I was infected by that too - D*mn this thing is nasty!

 

==============

BEGIN HJT LOG

==============

 

Logfile of HijackThis v1.99.1

Scan saved at 3:31:19 PM, on 6/7/2006

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\CTsvcCDA.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

C:\Program Files\M-Audio Fast Track\GBInst.exe

C:\WINDOWS\System32\CTHELPER.EXE

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\Program Files\McAfee.com\VSO\mcvsshld.exe

C:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe

C:\WINDOWS\vsnpstd2.exe

c:\progra~1\mcafee\mcafee antispyware\massrv.exe

c:\program files\mcafee.com\agent\mcdetect.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

c:\PROGRA~1\mcafee.com\vso\OasClnt.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\progra~1\mcafee\MCAFEE~1\masalert.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\brian\Desktop\HijackThis.exe

 

O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\System32\adobepnl.dll

O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll

O3 - Toolbar: JunoBar - {5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} - C:\Program Files\Juno\Toolbar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe

O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe

O4 - HKLM\..\Run: [sNPSTD2] C:\WINDOWS\vsnpstd2.exe

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\System32\susp.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Nero\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...tm=0&expId=5067

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLHelper/ve...n7/DLHelper.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...774/mcfscan.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: A - Sysinternals - www.sysinternals.com - C:\DOCUME~1\brian\LOCALS~1\Temp\A.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: Fast Track Installer (FastTrackInstallerService) - Nemesis - C:\Program Files\M-Audio Fast Track\GBInst.exe

O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\xampp\FileZillaFTP\FileZillaServer.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe

O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe

O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe

O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

 

==============

END HJT LOG

==============

 

awaiting further instruction ...


I went back and ran Blacklight RootKit Eliminator as I anticipated that might be something I needed to go back and do now ...

 

It stated that "No hidden items found."

 

... am I getting any closer to having a clean machine yet?

 

From the last HJT log I am curious what some of these items are ...

 

O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)

 

O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)

 

O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)

 

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

 

O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\System32\susp.exe

 

O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\juspc.exe" -w

 

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

 

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)

 

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)

 

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)


Scan with HijackThis and checkmark these items in the list, then press the *fix checked* button

 

O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)

 

O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)

 

O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)

 

O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\System32\susp.exe

 

Delete this file (if found)

C:\WINDOWS\System32\susp.exe

 

Reboot your PC and scan once more with HijackThis and post a fresh log please. Let me know if any problems remain that you see on your end.

 

The other items you see are legit, and they may NOT be missing in those sections.

(file missing in HJT only rings true in the O3 and O2 sections)

 

See Section IV here for an explanation:

http://www.dslreports.com/faq/13622

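The two helper posts above (the fix list covering the R1, O2, O3, O4 and O20 entries, and the later note on which "(file missing)" entries actually matter) apply a handful of recurring rules of thumb to a HijackThis log. As an added example, not code from this thread, from the forum helpers or from HijackThis itself, here is a small Python triage script that parses lines in HijackThis v1.99 format and flags those same patterns. The sample lines are copied from the logs posted in this thread; the heuristics, the regular expressions and the System32 allowlist are this example's own assumptions and will need tuning against real logs.

```python
"""Triage a HijackThis v1.99 log: parse each entry and flag the patterns
the forum helpers acted on.  Added example; the heuristics below are this
script's own assumptions, not anything HijackThis itself does."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:81
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\System32\hpsw.exe"
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\System32\susp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\k0440ahqed4e0.dll (file missing)
O23 - Service: A - Sysinternals - www.sysinternals.com - C:\DOCUME~1\brian\LOCALS~1\Temp\A.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O4 bodies look like:  HKLM\..\Run: [name] command line
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] ?(.*)$")
# Windows binaries that legitimately start from System32 via a Run key.
# Assumption: this list is a starting point, extend it as you verify entries.
SYSTEM32_RUN_ALLOWLIST = {"rundll32.exe", "ctfmon.exe"}
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def first_executable(command: str) -> str:
    """Return the program a Run-key command launches (handles quoted paths)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage_line(line: str) -> Optional[Finding]:
    """Apply the thread's rules of thumb to one HijackThis entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.groups()
    low = body.lower()

    # R1: IE proxy redirected to a listener on the box itself (traffic interception).
    if sec == "R1" and "proxyserver" in low and re.search(r"=\s*(localhost|127\.0\.0\.1)", low):
        return Finding(sec, "IE proxy points at a local listener; browser traffic is being intercepted", line)

    # O2/O3: registration left behind after the DLL was removed; safe to fix.
    if sec in ("O2", "O3") and low.endswith("(no file)"):
        return Finding(sec, "orphaned BHO/toolbar CLSID with no backing file", line)

    # O20: Winlogon Notify DLLs load at every logon.  A random-looking name
    # (letters, digits, letters) or a missing file is the Look2Me pattern.
    if sec == "O20" and low.startswith("winlogon notify:"):
        target = body.split(" - ", 1)[1] if " - " in body else ""
        stem = target.split("\\")[-1].split(" ")[0].rsplit(".", 1)[0].lower()
        if "(file missing)" in low or re.search(r"[a-z]\d+[a-z]", stem):
            return Finding(sec, "Winlogon Notify DLL with a random-looking name or no backing file", line)

    # O4: a bare, non-Windows executable in System32 started at logon.
    if sec == "O4":
        m4 = O4_RE.match(body)
        if m4:
            exe = first_executable(m4.group(4)).lower()
            if exe.startswith(SYSTEM32) and exe.rsplit("\\", 1)[-1] not in SYSTEM32_RUN_ALLOWLIST:
                return Finding(sec, "Run entry launching a non-standard executable out of System32", line)

    # O23: a service whose binary lives in a Temp directory.
    if sec == "O23" and "\\temp\\" in low:
        return Finding(sec, "service binary located in a Temp directory", line)

    # Everything else, including O9/O18 "(file missing)" entries, is left alone:
    # as the helper notes, that marker only matters in the O2/O3 sections.
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep the hits, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run against the sample, the script flags the proxy entry, the orphaned BHO, the two System32 Run entries the helper had fixed, the random-named Winlogon Notify DLL and the Temp-resident service, and leaves the Google Toolbar, NVIDIA and Messenger "(file missing)" lines alone. A hit is a prompt to look something up, not a verdict: the "A - Sysinternals" service running out of Temp is consistent with RootkitRevealer running from a randomly named copy of itself during the scan posted just before, so the line is worth a glance but is explained by the user's own actions.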

Ok, just got back from dinner 1.5 hr drive from my home - wanted to get as far away from this mess as possible - LOL.

 

Anyway when I booted up and did a HJT scan it found none of the previous items.

 

Let me know if any problems remain that you see on your end.

 

Well, for starters the PC is very slow. I click on Windows Explorer and nothing happens. I do Ctrl-Alt-Del and about a minute later it finally pops up; under the Performance tab it states CPU usage is 100%. Something decided to take a chunk out of my memory or something. Wait, 10 minutes later my Windows Explorer is creeping its way onto the screen ...

When I go to restart it shows CtHelper is not responding [end now], Explorer is not responding [end now], Imgicon.exe not responding [end now], AXTimer, PC Camera, etc. etc. I imagine all those apps are the reason my system resources are all gone.

Now what's going on? Was one of those HJT fixes a driver that shouldn't have been removed?


... I really appreciated your efforts. I wish we could have gotten this thing figured out, but I can't lose another day of work. I figure I will be up all night reloading Windows and enough software to get me going for work tomorrow.

 

thanks.

 

I sure wish I could come face to face with the piece of scum that was responsible for screwing up my PC!


I seem to have the same symptoms as tykra on my machine. I've read the thread and it doesn't seem that a solution was reached? At the beginning of the thread Calimity Jane indicates that this is not a new attack?

 

Should I start a new thread or try the same fixes that tykra tried?

 

I too would like to string up the fellows who created this attack.

 

Rob.


Woah! I was attacked last night as well! 6/6/6? Hadn't thought of that. Yeah, I tried to google "TitanShield", which keeps popping up on my browser, and NOTHING is found. My computer is screwed up major. I downloaded from McAfee a virus scanner that is free through Comcast, and it found files that were bad, but it still did nothing for my situation. I've got the perfect solution that I am carrying out right now! NUKE IT! NUKE IT! NUKE IT!!!!

 

good luck


Good luck guys, this thing was a mess those who created/injected this deserve a major ###### kicking ...

 

Anyway, I just started reinstalling xp - I have lost a ###### load of stuff that can never be replaced thanks to some idiot(s)

 

Best of luck to you ...


I've been working on this same issue this evening on one of my clients' PCs and noticed the file users32.exe in the c:\windows\system32 folder kept running itself. Obviously it's being called by a service somewhere in the registry, but I haven't found it yet.

I did do the SmitfraudFix clean and have used just about every antispyware program under the sun to try and remove this darned thing. It's also affected LiveUpdate for his Symantec Corporate Antivirus program, but I haven't even worried about that yet.

What I ended up doing just recently was delete the users32.exe file in Safe Mode and then create a directory of the same name. I then attrib'd the directory read-only, system and hidden, and it seems to have done the trick ... for now. I'm sure the originating service is still running, so my next step is to find out what that bad boy is.

Good luck to those of you fighting this thing right now. Luckily I'm making money whilst learning how to deal with this issue or I'd be upset right now!!!!!


Found it!

 

Look in the registry under HKLM\software\microsoft\shared tools\msconfig\startupreg.

 

Remove the unwanted crap and you're done.

 

:angry:


Hey, I have the same issues, but I don't have a msconfig key in HKLM. I did try to delete the users32 file, and that did allow me to get into the registry upon reboot.

Hey, I have the same issues, but I don't have a msconfig key in HKLM. I did try to delete the users32 file, and that did allow me to get into the registry upon reboot.

 

I did not have that key as well - but am having the exact same issue. I am dreading formatting.

 

I hope someone has a fix for this soon!

 

Did deleting the users32 file have any bad effects?

 

Tolan
