Not sure what this is!

Discussion in 'other anti-trojan software' started by tragic001, Jul 10, 2003.

Thread Status:
Not open for further replies.
  1. StAnger

    StAnger Registered Member

    Joined:
    Jun 8, 2003
    Posts:
    84
    I apologize for interfering, but shouldn't that be e2give?
    And I think it would be smarter to search for the CLSID.
     
  2. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    You are right ;), please search for both.

    Been busy with this issue for the last couple of hours.

    thanks,
    Martin
     
  3. tragic001

    tragic001 Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    35
    LOL, either way that came up zilch. I mean I did as you instructed, but nothing was shown after the search for e2safe and e2give o_O How do I search for the CLSID or whatever?

    I do appreciate your help guys. I mean this is beyond the call of duty.

    Thanks
     
  4. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    And the CLSID?
     
  5. tragic001

    tragic001 Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    35
    See above. Where or what is CLSID?

    I have to take my wife out to dinner now, please bear with me and I shall take this up when I get back.

    Many thanks guys :)
     
  6. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    Please download this program.
    It shows which programs will start up when you start or reboot your PC.

    http://www.wilders.org/HTMLobj-1576/startuplist.zip

    Would like to take a look at that..

    rgds,
    Martin

    (this issue is a tough one, I hate it when I can't solve it)
     
  7. tragic001

    tragic001 Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    35
    As requested:

    StartupList report, 11/07/2003, 20:14:16
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Nick\Desktop\StartupList.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\ESET\nod32kui.exe
    C:\Program Files\NSClean\BOClean\BOClean.EXE
    C:\PROGRA~1\NSClean\BOClean\BOCSEC.EXE
    C:\Program Files\Motherboard Monitor 5\MBM5.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Nick\Desktop\StartupList.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    IMJPMIG8.1 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    PHIME2002ASync = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    PHIME2002A = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    SpeedTouch USB Diagnostics = "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    CTDVDDet = C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    nod32kui = C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    BOCleanautostart = BOClean.exe
    MBM 5 = "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - (no file) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll - {724d43a9-0d85-11d4-9908-00400523e39a}
    (no name) - c:\windows\googletoolbar.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    Protocol #1: imon.dll (file MISSING)
    Protocol #2: imon.dll (file MISSING)
    Protocol #3: imon.dll (file MISSING)
    Protocol #4: imon.dll (file MISSING)
    Protocol #5: imon.dll (file MISSING)
    Protocol #6: imon.dll (file MISSING)
    Protocol #7: imon.dll (file MISSING)
    Protocol #8: imon.dll (file MISSING)
    Protocol #9: imon.dll (file MISSING)
    Protocol #10: imon.dll (file MISSING)
    Protocol #11: imon.dll (file MISSING)
    Protocol #12: imon.dll (file MISSING)
    Protocol #13: imon.dll (file MISSING)
    Protocol #14: imon.dll (file MISSING)
    Protocol #15: imon.dll (file MISSING)
    Protocol #16: imon.dll (file MISSING)
    Protocol #17: imon.dll (file MISSING)
    Protocol #35: imon.dll (file MISSING)

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 5,869 bytes
    Report generated in 0.047 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
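    A way to triage a StartupList report like the one above mechanically, as an added example that is not code from this thread or from StartupList itself: it parses the Browser Helper Objects and Winsock LSP sections and returns the CLSIDs of BHOs registered with no backing file and the DLLs whose LSP entries point at missing files. The sample report is a constructed excerpt of the posted one.

```python
import re

# Constructed excerpt in the format of the StartupList 1.52 report posted
# above (two sections only, entries copied from that report).
SAMPLE_REPORT = """\
Enumerating Browser Helper Objects:

(no name) - (no file) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - c:\\windows\\googletoolbar.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: imon.dll (file MISSING)
Protocol #2: imon.dll (file MISSING)
Protocol #35: imon.dll (file MISSING)
"""
BHO_LINE = re.compile(r"^(?P<name>.+?) - (?P<path>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\}$")
LSP_LINE = re.compile(r"^Protocol #(?P<num>\d+): (?P<dll>\S+)(?P<missing> \(file MISSING\))?$")

def split_sections(report):
    """Map each 'Enumerating ...:' heading to the non-empty lines under it."""
    sections, current = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        if line.endswith(":"):                 # section heading
            current = line[:-1]
            sections[current] = []
        elif line and not line.startswith("----") and current is not None:
            sections[current].append(line)
    return sections

def suspect_bhos(report):
    """CLSIDs of BHOs registered with no backing DLL: the leftover of a
    half-removed add-on, and the value to search the registry for."""
    lines = split_sections(report).get("Enumerating Browser Helper Objects", [])
    return [m.group("clsid") for m in map(BHO_LINE.match, lines)
            if m and m.group("path") == "(no file)"]

def missing_lsps(report):
    """DLL -> protocol numbers whose Winsock LSP entry points at a missing file.
    Confirm the file is really absent before touching the chain; a broken
    LSP chain disables networking (imon.dll is ESET NOD32's IMON module)."""
    found = {}
    for line in split_sections(report).get("Enumerating Winsock LSP files", []):
        m = LSP_LINE.match(line)
        if m and m.group("missing"):
            found.setdefault(m.group("dll"), []).append(int(m.group("num")))
    return found
```

Run it on a full report saved from StartupList and the returned CLSID list is what to search for under HKEY_CLASSES_ROOT\CLSID.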
     
  8. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    Just enter: IeBHOs.dll
    and the same for: 3643ABC2-21BF-46B9-B230-F247DB0C6FD6

    rgds,
    Martin
     
  9. StAnger

    StAnger Registered Member

    Joined:
    Jun 8, 2003
    Posts:
    84
    CLSID is {E9041F85-3C18-4A7E-A29D-E24F84B79BF1}
    You can search the same way you did for e2give.
     
  10. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    Damn, can't seem to find any malware here, except:

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe

    Don't know what this file is; can you check the properties of this file to see what it belongs to?

    rgds,
    Martin
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,467
    Location:
    Netherlands
    ctfmon.exe:
    CTFMon is involved with the language/alternative input services in Office XP. CTFMON.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled. Not required if you don't need these features. For more info on ctfmon see here. CTFMON can be disabled from Control Panel, Text & Speech Services.

    Source: http://www.pacs-portal.co.uk/startup_pages/startup_full.htm
     
  12. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    Anybody else have a clue? Running out of options here and out of forums concerning this issue o_O

    rgds,
    Martin
     
  13. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    Did you find anything suspicious in his startup list, Pieter?

    rgds,
    Martin
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,467
    Location:
    Netherlands
    No Martin, I didn't.

    Regards,

    Pieter
     
  15. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,360
    Location:
    The Netherlands

    Now where did I read that before... :rolleyes:

    Aaah, I just remembered, here it is:

    http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?s=5909b5673aa69205dfd89bdc10883bbe;act=ST;f=38;t=3051
     
  16. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    Correct, Tony.

    rgds,
    Martin
     
  17. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,360
    Location:
    The Netherlands
    No prob, Martin. ;)
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,467
    Location:
    Netherlands
    Hi tragic001,

    Here's something that is worth a try:
    DRDelete

    Regards,

    Pieter
     
  19. tragic001

    tragic001 Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    35
    Hi Guys,

    I do appreciate the effort you have put in here, certainly Martin. Thanks buddy.
    For all the CLSID searches etc., the result is negative. o_O

    TonyKlein, that's a name I have met often on my travels, but I can assure you that I am well covered in that respect. I mean, I run SpywareBlaster, Spybot, Ad-aware, BOClean, TH and now TDS. Plus Norton firewall.

    I can still call upon this file somewhere on my computer to download it again. That to me is not normal. It's beyond me as to why, and your efforts in this make me want to find out why before I use Ghost :) I mean, there has to be a reason.

    Anyone got a link for the DrDelete proggy? I cannot find it.

    Again guys thanks. :)
     
  20. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,335
    Location:
    North Carolina, USA
  21. tragic001

    tragic001 Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    35
    Well, I do believe that DrDelete did the job :) Dr Delete said the file was deleted without a reboot. So I went back to Windows Explorer and tried to download the ugo.exe as before, but this time I just get the following page showing. No download dialogue box as before. I do believe the pest has gone. Can you guys confirm that for me?

    In any event, what can I say, you all have been outstanding in helping me. For that I sincerely thank you all. :) Will run TH to see if it shows again.

    http://www.imagestation.com/picture/sraid69/pff0b44419c28cffa72a11821f8420b0c/fbb20bea.jpg

    Again, sorry for the attachment, Paul, but it's impossible to upload from here.
     
  22. tragic001

    tragic001 Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    35
    It's gone :D TH comes up clean now... once again, many many thanks guys. Really top notch. :)
     
  23. martindijk

    martindijk Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    537
    Location:
    Gorredijk - the Netherlands
    Hi Tragic,

    Glad to hear this poltergeist has left the building :D

    rgds,
    Martin
     
  24. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Nice common effort, all :cool:. It's a pleasure to see community members helping one another out, and being successful!

    Love it when all works out :) :) :)

    Regards,

    Paul
     