- let it reboot after the last one. If you get a message about an External Process then repeat the killbox stuff once you get into Safe Mode.)
Reboot into Safe Mode by tapping the F8 key when you see the PC maker's logo. Keep tapping until it tells you it is going to Safe Mode or you see the Safe Mode menu. Select the top option. Log in with your usual login.
Run HijackThis and just do a Scan only. Check then Fix Checked the following:
Logfile of HijackThis v1.99.1 Scan saved at 5:58:38 PM, on 10/12/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
We didn't make any progress that time. Did you have any problem going into safe mode?
Might be that ewido can help us:
This is ALgal's procedure which I am borrowing:
"When running an Ewido scan no windows or programs should be open!. Do not use the Computer while the Ewido scan is running!
Please download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/ When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu." Launch ewido, there should be a big "E" icon on your desktop, double-click it. The program will prompt you to update; click the "OK" button The program will now go to the main screen Update ewido: You will need to update ewido to the latest definition files. On the left hand side of the main screen click update Click on Start The update will start and a progress bar will show the updates being installed. After the updates are installed, exit ewido. Do NOT run a scan yet.
Next, please reboot your computer in Safe Mode by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Select the first option, to run Windows in Safe Mode.
* Now open Ewido Security Suite Click on scanner
* Click Complete System Scan and the scan will begin. * During the scan it will prompt you to clean files, click OK * When the scan is finished, look at the bottom of the screen and click the Save report button. * Save the report to your desktop
Close Ewido"
Run a new Hijackthis scan and check any of the se that still remain:
Thanks for your help. Does it matter what windows user account I use to run a hijackthis? Or would everything show up no matter what account I'm under? Anyway here is my log:
Logfile of HijackThis v1.99.1 Scan saved at 4:36:08 PM, on 10/13/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Yes it makes a difference. Even if both accounts have admin powers the O4 HKCU entries are specific to a particular user. It might be necessary to boot into Safe Mode as administrator, then as User 1 then as User 2. Each time removing the HKCU entries with Hijackthis.
It looks like we are making progress. Probably it changes names each time you reboot so you don't get them all. This time we are looking at:
I think there is a bat file somewhere involved since I see cmd.exe running. Start, Run, cmd, OK to bring up the cmd screen and then type:
cd \
(cd SPACE \)
dir /s *.bat
(dir SPACE /s SPACE *.bat)
When it finishes see if you have any bat files with recent dates. Say you find malware.bat in C:\windows\System32 then you can look at it with:
notepad \Windows\System32\malware.bat or you can use Explorer:
Right click on Start and select Explore. Then in the new window find the Views icon (bottom right of the two toolbars at the top. Looks like a little window with a down arrow. Press it and select Details. Then select Tools, Folder Options, check Use Windows Classic Folders, Apply then View, check Show Hidden Files and Folders, and uncheck the two that start with Hide. (ignore the warning) then say Apply. Then press Like Current Folder. OK.
Now locate the Windows folder (My Computer=> Local Disk C: => Windows and click once on it. In the right pane will be an alphabetical list of folders and files. Scroll down in the right pane until you find System32 and double click on it. Windows may tell you don't need to see the files but click on the link they offer you to see the files. Find the .bat file and right click on it and select EDIT (not open as that will run it). This should open the file in notepad. Do a File, SaveAs to your desktop as "malware.txt" then you can open it and post it in your next reply. Probably would not hurt to rightclick on the .bat file and rename it to .txt too.
RKinner
2 Intern
•
5.9K Posts
0
October 11th, 2005 23:00
Download the Hoster from:
www.funkytoad.com/
Unpack to your desktop and run it. Select Restore Original Hosts.
Get DelDomain.inf from:
http://www.mvps.org/winhelp2002/DelDomains.inf and then right click on it and Install.
Also download and install ccleaner.exe from http://www.ccleaner.com. Don't let
it clean anything yet.
download Killbox http://www.greyknight17.com/spy/KillBox.exe and save to your desktop. Run it and where it says Full Path of File to Delete put in:
C:\WINDOWS\system32\uerjgeh
Select Delete on Reboot and DELTREE options then the red button. Agree you want to delete the file and but do not let it reboot.
Repeat for:
C:\Program Files\DNS
C:\WINDOWS\system32\wrre
C:\Program Files\ISTsvc
C:\Program Files\winsupdater
Repeat for (Delete on Reboot only):
C:\WINDOWS\system32\winlog.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Common Files\Windows\services32.exe
- let it reboot after the last one. If you get a message about an External Process then repeat the killbox stuff once you get into Safe Mode.)
Reboot into Safe Mode by tapping the F8 key when you see the PC
maker's logo.
Keep tapping until it tells you it is going to Safe Mode or you see the Safe
Mode menu. Select the top option. Log in with your usual login.
Run HijackThis and just do a Scan only. Check then Fix
Checked the following:
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [duap] C:\WINDOWS\system32\uerjgeh\duap.exe
O4 - HKLM\..\Run: [thxhto] C:\WINDOWS\system32\wrre\thxhto.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [] winlog.exe
(Also check anything that was not in your last scan. These things tend to change names every reboot.)
Now run ccleaner.exe. On the first page, uncheck everything but the two lines
that have the word Temporary in them then Run Cleaner.
Reboot into normal mode and run another HijackThis log and post it as a reply. Let's
see how we did.
Ron
John_Doe
313 Posts
0
October 13th, 2005 13:00
Logfile of HijackThis v1.99.1
Scan saved at 5:58:38 PM, on 10/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\winsupdater\winsupdater.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wrre\thxhto.exe
C:\WINDOWS\system32\oypjkob\rciq.exe
C:\WINDOWS\system32\odssw\hmroq.exe
C:\WINDOWS\system32\qmgeww\ekpd.exe
C:\WINDOWS\system32\uerjgeh\duap.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\HJT\HijackThis.exe
C:\Documents and Settings\Admin\Desktop\spyaudit1_1822729185.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.latino.msn.com/0SEESUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [winsupdater] C:\Program Files\winsupdater\winsupdater.exe /auto
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BdxSmbcc] C:\WINDOWS\henes.exe
O4 - HKLM\..\Run: [] winlog.exe
O4 - HKLM\..\Run: [xqmdqsn] C:\WINDOWS\system32\hrep\xqmdqsn.exe
O4 - HKLM\..\Run: [wpovxg] C:\WINDOWS\system32\pnlvqpev\wpovxg.exe
O4 - HKLM\..\Run: [vfenvpd] C:\WINDOWS\system32\mnssngg\vfenvpd.exe
O4 - HKLM\..\Run: [thxhto] C:\WINDOWS\system32\wrre\thxhto.exe
O4 - HKLM\..\Run: [rciq] C:\WINDOWS\system32\oypjkob\rciq.exe
O4 - HKLM\..\Run: [hmroq] C:\WINDOWS\system32\odssw\hmroq.exe
O4 - HKLM\..\Run: [ekpd] C:\WINDOWS\system32\qmgeww\ekpd.exe
O4 - HKLM\..\Run: [duap] C:\WINDOWS\system32\uerjgeh\duap.exe
O4 - HKLM\..\RunServices: [] winlog.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000140.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124744569203
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
RKinner
2 Intern
•
5.9K Posts
0
October 13th, 2005 17:00
We didn't make any progress that time. Did you have any problem going into safe mode?
Might be that ewido can help us:
This is ALgal's procedure which I am borrowing:
"When running an Ewido scan no windows or programs should be open!. Do not use the Computer while the Ewido scan is running!
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu."
Launch ewido, there should be a big "E" icon on your desktop, double-click it.
The program will prompt you to update; click the "OK" button
The program will now go to the main screen
Update ewido:
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Click on Start
The update will start and a progress bar will show the updates being installed. After the updates are installed, exit ewido.
Do NOT run a scan yet.
Please be sure you can see hidden files in windows.
How to see hidden files in Windows.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
* Now open Ewido Security Suite
Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop
Close Ewido"
Run a new Hijackthis scan and check any of the se that still remain:
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\Run: [winsupdater] C:\Program Files\winsupdater\winsupdater.exe /auto
O4 - HKLM\..\Run: [BdxSmbcc] C:\WINDOWS\henes.exe
O4 - HKLM\..\Run: [] winlog.exe
O4 - HKLM\..\Run: [xqmdqsn] C:\WINDOWS\system32\hrep\xqmdqsn.exe
O4 - HKLM\..\Run: [wpovxg] C:\WINDOWS\system32\pnlvqpev\wpovxg.exe
O4 - HKLM\..\Run: [vfenvpd] C:\WINDOWS\system32\mnssngg\vfenvpd.exe
O4 - HKLM\..\Run: [thxhto] C:\WINDOWS\system32\wrre\thxhto.exe
O4 - HKLM\..\Run: [rciq] C:\WINDOWS\system32\oypjkob\rciq.exe
O4 - HKLM\..\Run: [hmroq] C:\WINDOWS\system32\odssw\hmroq.exe
O4 - HKLM\..\Run: [ekpd] C:\WINDOWS\system32\qmgeww\ekpd.exe
O4 - HKLM\..\Run: [duap] C:\WINDOWS\system32\uerjgeh\duap.exe
O4 - HKLM\..\RunServices: [] winlog.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000140.exe
Reboot into regular mode and run a new Hijackthis log and post it as a reply.
Ron
John_Doe
313 Posts
0
October 13th, 2005 19:00
Thanks for your help. Does it matter what windows user account I use to run a hijackthis? Or would everything show up no matter what account I'm under? Anyway here is my log:
Logfile of HijackThis v1.99.1
Scan saved at 4:36:08 PM, on 10/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MsMovies\MsMovies.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\mc-58-12-0000140.exe
C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\services.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.latino.msn.com/0SEESUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000140.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Icatch(VI) SnapDetect.lnk = C:\WINDOWS\twain_32\ca561a\SnapDetect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124744569203
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Message Edited by John_Doe on 10-13-2005 04:37 PM
RKinner
2 Intern
•
5.9K Posts
0
October 13th, 2005 20:00
Yes it makes a difference. Even if both accounts have admin powers the O4 HKCU entries are specific to a particular user. It might be necessary to boot into Safe Mode as administrator, then as User 1 then as User 2. Each time removing the HKCU entries with Hijackthis.
It looks like we are making progress. Probably it changes names each time you reboot so you don't get them all. This time we are looking at:
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe
Boot into Safe Mode and check Fix Checked them then use Killbox to Delete on Reboot:
C:\Program Files\Common Files\services.exe
C:\Program Files\Common Files\Windows\mc-58-12-0000140.exe
C:\Program Files\Common Files\mc-58-12-0000140.exe
C:\Program Files\MsMovies (DELTREE)
I think there is a bat file somewhere involved since I see cmd.exe running. Start, Run, cmd, OK to bring up the cmd screen and then type:
cd \
(cd SPACE \)
dir /s *.bat
(dir SPACE /s SPACE *.bat)
When it finishes see if you have any bat files with recent dates. Say you find malware.bat in C:\windows\System32 then you can look at it with:
notepad \Windows\System32\malware.bat or you can use Explorer:
Right click on Start and select Explore. Then in the new window find the Views icon (bottom right of the two toolbars at the top. Looks like a little window with a down arrow. Press it and select Details. Then select Tools, Folder Options, check Use Windows Classic Folders, Apply then View, check Show Hidden Files and Folders, and uncheck the two that start with Hide. (ignore the warning) then say Apply. Then press Like Current Folder. OK.
Now locate the Windows folder (My Computer=> Local Disk C: => Windows and click once on it. In the right pane will be an alphabetical list of folders and files. Scroll down in the right pane until you find System32 and double click on it. Windows may tell you don't need to see the files but click on the link they offer you to see the files. Find the .bat file and right click on it and select EDIT (not open as that will run it). This should open the file in notepad. Do a File, SaveAs to your desktop as "malware.txt" then you can open it and post it in your next reply. Probably would not hurt to rightclick on the .bat file and rename it to .txt too.
Ron