My log

Discussion in 'adware, spyware & hijack cleaning' started by kloshar, Apr 2, 2004.

Thread Status:
Not open for further replies.
  1. kloshar

    kloshar Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    279
    Location:
    Europe, Slovenia, Bre?ice
    Here is my log:
    Logfile of HijackThis v1.97.7
    Scan saved at 15:18:22, on 2.4.2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINNT\system32\wsz32.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINNT\system32\svchost.exe
    C:\Program Files\eMule\emule.exe
    C:\ircxmatrix\mirc32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\DOCUME~1\pzorko\LOCALS~1\Temp\Rar$EX00.982\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mobisux.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {2D5210D6-4268-FB45-4CF0-701759E0921A} - (no file)
    O3 - Toolbar: FlagAbout - {7BC80E58-4F71-55A2-E434-7C6AFA310C69} - (no file)
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [Windows Services] wsz32.exe
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\RunServices: [Windows Services] wsz32.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [Windows Services] wsz32.exe
    O4 - HKLM\..\RunOnce: [Windows Services] wsz32.exe
    O4 - Startup: eMule.lnk = C:\Program Files\eMule\emule.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.drsc.si/cgi-bin/AxisCamControl.ocx
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
    kloshar, Apr 2, 2004
    #1
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchexe.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchexe.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {2D5210D6-4268-FB45-4CF0-701759E0921A} - (no file)
    O3 - Toolbar: FlagAbout - {7BC80E58-4F71-55A2-E434-7C6AFA310C69} - (no file)
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [Windows Services] wsz32.exe
    O4 - HKLM\..\RunServices: [Windows Services] wsz32.exe
    O4 - HKCU\..\Run: [Windows Services] wsz32.exe
    O4 - HKLM\..\RunOnce: [Windows Services] wsz32.exe
    O4 - Startup: eMule.lnk = C:\Program Files\eMule\emule.exe

    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files

    C:\WINNT\system32\wsz32.exe


    then
    Reboot normally &

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download

    Run Sybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R279 31.03.2004 or a higher number/later date

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it´s just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again

    then post a new hijackthis log to check what is left
     
    dvk01, Apr 2, 2004
    #2
  3. kloshar

    kloshar Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    279
    Location:
    Europe, Slovenia, Bre?ice
    Thanx for your post! I'll do all what you say and I hope it will be good for my computer!
     
    kloshar, Apr 2, 2004
    #3
  4. kloshar

    kloshar Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    279
    Location:
    Europe, Slovenia, Bre?ice
    OK, here is my new log:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:24:15, on 3.4.2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\r_server.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\WINNT\system32\mspmv.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\eMule\emule.exe
    C:\DOCUME~1\pzorko\LOCALS~1\Temp\Rar$EX00.493\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mobisux.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [Configuration Loader] mspmv.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] mspmv.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Startup: eMule.lnk = C:\Program Files\eMule\emule.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.drsc.si/cgi-bin/AxisCamControl.ocx
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
    kloshar, Apr 3, 2004
    #4
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    boot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    O4 - HKLM\..\Run: [Configuration Loader] mspmv.exe
    O4 - HKLM\..\RunServices: [Configuration Loader] mspmv.exe

    Delete these files

    C:\WINNT\system32\mspmv.exe

    then
    Reboot normally & post a new log to see if it's gone
     
    dvk01, Apr 3, 2004
    #5
  6. kloshar

    kloshar Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    279
    Location:
    Europe, Slovenia, Bre?ice
    Actually, I can't get into safe mode. It says that svchost.exe has an error. So I'll do all in normal mode.
     
    kloshar, Apr 3, 2004
    #6
  7. kloshar

    kloshar Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    279
    Location:
    Europe, Slovenia, Bre?ice
    Log:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:29:37, on 3.4.2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\r_server.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\eMule\emule.exe
    C:\DOCUME~1\pzorko\LOCALS~1\Temp\Rar$EX00.072\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mobisux.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - Startup: eMule.lnk = C:\Program Files\eMule\emule.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.drsc.si/cgi-bin/AxisCamControl.ocx
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
    kloshar, Apr 3, 2004
    #7
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    if you are going to use normal mode I'm almost certain thge files will come back again so please do this

    downlaod & install regprot from http://www.diamondcs.com.au/index.php?page=regprot

    then when it pops up the message box saying xxxxx wants to write to the registry say no to any starnge or random file names especialy this one mspmv.exe, but let regprot write it's start up entry to the registry, otherwise it cannot protect you

    then if it isn't being installed in the registry it might go
    then press ctrl+ ALT+DEL once to bring up task manager and stop any running processes by the same name, then it might let you delete it.

    if any problems, come back

    please post a new log after doing it


    Edit:

    I posted while you were posting your new log, but I've just noticed something I missed before

    This C:\WINNT\system32\r_server.exe
    in your running processes looks like a remote access trojan that can install anything on the computer

    I would strongly recommend downloading and running a specialised anti trojan

    the best antitrojan that I use for dealing with them is

    TDS3 from http://tds.diamondcs.com.au/

    download & install the 30 day free trial, update it manually as described here http://tds.diamondcs.com.au/index.php?page=update as the trial version doesn't have auto update enabled

    then press scan control & tick all the little boxes in the bottom part of that window, press save configuration and then close that window by pressing the red X in top right corner, then select system testing and select full system scan

    sit back with a cup of coffee and watch what it finds

    NOTE:

    Unlike set and forget av's TDS works with you, it doesn't auto delete anything but puts a list of found suspect files in the bottom window

    right click any file it finds and it gives you options on dealing with it, the normal selection would be delete , but first select "save as text", that will create a logfile of all the found suspect files and put it in the TDS directory called scandump.txt.

    post back with the tds log after running please, just copy & paste the entries from the scandump.txt
     
    dvk01, Apr 3, 2004
    #8
  9. slammer_JvA

    slammer_JvA Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    1,588
    Location:
    Below sea-level. Safe and sound behind our dikes:
    Just want to say a big "Thankyou dvk01!" for that brief tutorial on the settings of Adaware!

    Cookie for you! :D

    Grtz,
    Slammer
     
    slammer_JvA, Apr 3, 2004
    #9
  10. kloshar

    kloshar Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    279
    Location:
    Europe, Slovenia, Bre?ice
    09:47:38 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
    09:47:38 [Init] Started 03-04-04 09:47:38 Central Europe Standard Time (UTC: -1), Internet Time @366,41
    09:47:38 [Init] Loading TDS-3 Systems ...
    09:47:38 [Init] Token successfully adjusted.
    09:47:38 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
    09:47:38 [Init] • Plugins : OK. Loaded 13
    09:47:38 [Init] • Exec Protection : Not Installed
    09:47:38 [Init] WARNING: Your Radius.TD3 database needs to be updated!
    09:47:38 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
    09:47:38 [Init] Licensed users can use the Update facility from the TDS menu
    09:47:38 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
    09:47:41 [Init] Unloading ...
    11:54:48 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
    11:54:48 [Init] Started 03-04-04 11:54:48 Central Europe Standard Time (UTC: -1), Internet Time @454,72
    11:54:48 [Init] Loading TDS-3 Systems ...
    11:54:48 [Init] Token successfully adjusted.
    11:54:48 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
    11:54:48 [Init] • Plugins : OK. Loaded 13
    11:54:48 [Init] • Exec Protection : Not Installed
    11:54:48 [Init] WARNING: Your Radius.TD3 database needs to be updated!
    11:54:48 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
    11:54:48 [Init] Licensed users can use the Update facility from the TDS menu
    11:54:48 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
    11:54:51 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
    11:54:51 [Init] • Systems Initialised [31397 references - 11211 primaries/8986 traces/11200 variants/other]
    11:54:51 [Init] Radius Systems loaded. <Databases updated 27-01-2004>
    11:54:51 [Init] TDS-3 Ready. <Pzorko@192.168.1.2, 127.0.0.1 - Slovenia>
    11:54:51 [Tip Of The Day] Did you know? - TDS-3 is the only anti-trojan system that can detect trojans by scanning inside the memory space of processes
    11:54:51 [Init] NOTICE A change has been detected in the autostart registry. Press Ctrl+A to view the autostart registry
    11:54:51 [TDS] Good morning Pzorko.
    11:54:53 [Mutex Memory Scan] Started...
    11:54:55 [Mutex Memory Scan] Finished (no trojan mutexes found).
    11:54:55 [Trace Scan] Started...
    11:55:10 [CRC32] Started - verifying 29 files ...
    11:55:11 [CRC32] File doesn't exist: C:\autoexec.bat
    11:55:13 [CRC32] Test finished.
    11:56:04 [Memory Scan] Memory scan started, please wait a moment ...
    11:56:06 [Memory Scan] Memory scan complete.
    11:56:06 [Mutex Memory Scan] Started...
    11:56:07 [Mutex Memory Scan] Finished (no trojan mutexes found).
    11:56:07 [Trace Scan] Started...
    11:56:15 [Trace Scan] Finished.
    11:56:15 [Service\Driver Scan] Scanning for services and drivers ...
    11:56:16 [Service\Driver Scan] Scanned 232 services and drivers.
    11:56:16 [File Scan] Scanning in A:\ ...
    11:56:17 [File Scan] Scanned 0 files: 3 alarms in 1,058594 seconds (Avg 1, files/sec)
    11:56:17 [File Scan] Scanning in C:\ ...
    12:07:39 [File Scan] Scanned 47189 files: 8 alarms in 681,5508 seconds (Avg 70,24 files/sec)
    12:07:39 [File Scan] Scanning in D:\ ...
    12:07:46 [File Scan] Scanned 291 files: 8 alarms in 7,148438 seconds (Avg 41,71 files/sec)
    12:07:46 [File Scan] Scanning in E:\ ...
    12:07:46 [File Scan] Scanned 0 files: 8 alarms in 0 seconds (Avg -1,#IND files/sec)
    12:07:46 [File Scan] Scanning in F:\ ...
    12:07:46 [File Scan] Scanned 0 files: 8 alarms in 1,953125E-02 seconds (Avg 1, files/sec)
    12:07:46 [Scan] Finished.
    11:55:08 [Trace Scan] Finished.
    12:07:46 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.

    Is my computer still infected?
     
    kloshar, Apr 3, 2004
    #10
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    yes TDS has found 8 alarms

    right click any entry in the bottom window

    and select "save as text", that will create a logfile of all the found suspect files and put it in the TDS directory called scandump.txt.

    then go to the tds directory, double click on the scandump.txt, it will open in notepad and paste the results here so swe can see what it found
     
    dvk01, Apr 3, 2004
    #11
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Please get the latest radius [33206 references - 12307 primaries/9417 traces/11482 variants/other]
    from the update address above, copy that file into the TDS directory and reload TDS, do a new scan.
    Like described:
    after scanning in the bottom window are some alerts, you saw 8 but with the new update might be more.
    If the file Scandump.txt would not exist in your TDS directory create one there with notepad by that name, just an empty txt file. Then rightclick on one of the alerts from the TDS bottom window and choose "save as text" after which it will ask if you want to see the scandump.txt file now, yes do so, select all and copy and post inhere as Derek asked!
    Looking forward to the results.
     
    Jooske, Apr 3, 2004
    #12
  13. kloshar

    kloshar Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    279
    Location:
    Europe, Slovenia, Bre?ice
    Scan Control Dumped @ 13:11:51 03-04-04
    Positive identification: RAT.Remote Administrator 2.1
    File: c:\winnt\system32\r_server.exe

    Positive identification: DDoS.RAT.GT Bot Spam
    File: c:\program files\mirc-gold\mirc-gold.exe

    Live trojan found (in process memory): RAT.Remote Administrator
    File: C:\WINNT\system32\r_server.exe

    Positive identification: RAT.Remote Administrator 2.1
    File: c:\winnt\system32\r_server.exe

    Positive identification (DLL): RAT.Remote Administrator 2.0 (dll)
    File: c:\winnt\system32\admdll.dll

    Positive identification (DLL): RAT.Remote Administrator 2.0 (dll)
    File: c:\program files\radmin\admdll.dll

    Positive identification: RAT.Remote Administrator 2.1
    File: c:\program files\radmin\r_server.exe

    Positive identification: DDoS.RAT.GT Bot Spam
    File: c:\program files\mirc-gold\mirc-gold.exe

    Remote Administrator is a program I need it.
     
    kloshar, Apr 3, 2004
    #13
  14. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    if te remote administrator files are the one you have installed and want and know about then ignore them

    I would fix the 2 mirc entries as they definitely look dodgy

    right click each of them in turn and select delete

    That is why we always say post the log to check, because in trojan work many otherwise legitimate applications can and often are usewd for bad purposes
     
    dvk01, Apr 3, 2004
    #14
  15. kloshar

    kloshar Registered Member

    Joined:
    Oct 12, 2003
    Posts:
    279
    Location:
    Europe, Slovenia, Bre?ice
    And what now?
     
    kloshar, Apr 3, 2004
    #15
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Are you sure in your TDS window the current 33206 references were shown whne you did this last scan?
    Radmin is a known program, you might like to check the files mentioned if those were recently modified, guess not, but best check their properties to be sure.
    Mirc file deleted,
    You're not on XP so a reboot will not bring back all the nasties just deleted fortunately.
    I leave you in Dereks hands for the next steps to follow.
    I wonder if this is the moment to try if safe mode is not possible and look if there were still files from the former list to be deleted or you might like to post first a fresh HJT log.
     
    Jooske, Apr 3, 2004
    #16
  17. shebala

    shebala Guest

    wsz32.exe virus? :rolleyes: EVERYONE on IRC had that recently!

    Remover: http://www.infestednexus.co.nr/ircbottrojanremover.exe
     
    shebala, Apr 6, 2004
    #17
  18. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Thanks for the suggestion Shabala, but we already have removed it manually and TDS would have got rid of it and any other ones found as well
     
    dvk01, Apr 6, 2004
    #18
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...