Thread: dr watson
Old 07-07-2005, 02:28 AM   #4 (permalink)
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,326
OS: N/A


Possible areas for concern
Panda found some suspicious files here.
Please visit this website - http://virusscan.jotti.org/
Submit the files for a comprehensive scan -
W:\downloads etc\downloads\BIOS_FOLDER\X2.4983.BIOS\BIOS\x2rlschk.exe
W:\downloads etc\downloads\FILE SPLITER JOINER\hjsplit.exe
If the results are positive, you'll have to add these files to KillBox's list for deletion.
W:\downloads etc\downloads\BIOS_FOLDER\X2.4983.BIOS\BIOS\x2rlschk.exe
W:\downloads etc\downloads\BIOS_FOLDER\X2.4983.BIOS.rar
W:\downloads etc\downloads\FILE SPLITER JOINER\hjsplit.exe
W:\downloads etc\downloads\FILE SPLITER JOINER.zip
  1. I have to ask you to disable Spywareguard. It hinders the removal of some entries. You can re-enable it after you're clean.
    • Right click the running icon of Spywareguard located in the system tray
    • Go to Menu > File > Exit and confirm that the program closes.


  2. As you're no longer running Sygate, I'll remove it from the list of running services.
    1. Click Start > Run - type services.msc.
    2. Locate the Sygate Personal Firewall Pro (SmcService) service and double-click on it to open the Properties dialog.
    3. Click the Stop button.
    4. In the Startup type dropdown select Disabled.
    5. Click the Apply button and then the Ok button.
    6. Close the Services window.
    7. Then start HiJackThis & go to Config > Misc.Tools... > Delete an NT service...
      In the popup box that appears, type in SmcService & click the OK button.


  3. Run a scan with HiJackThis & select (tick) the following & click [Fix checked] :

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: UB Class - {00000000-15D9-4736-AB29-131578A45F2B} - C:\WINDOWS\system32\wsrchc3.dll
    O2 - BHO: blank - {3CC12C40-47EB-4705-8140-168ADC713E94} - blank (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - blank (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - blank (file missing)
    O4 - HKLM\..\Run: [iisvers] C:\WINDOWS\iisvers.exe
    O4 - HKLM\..\Run: [bluestart] c:\\rraut.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/07d784d8f6d04c...ip/RdxIE601.cab
    O18 - Filter: text/html - (no CLSID) - (no file)
    O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe



  4. Copy all the items below to the clipboard by highlighting them & pressing [CTRL]+[C] on your keyboard.
    • C:\WINDOWS\system32\wsrchc3.dll
      C:\WINDOWS\iisvers.exe
      c:\rraut.exe
      C:\Documents and Settings\neil\Application Data\Adobe\Acrobat\Whapi\WHA Library.dll
      C:\Documents and Settings\neil\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-5c50b54d.zip (this line should read javainstaller & not jav ainstaller)
      C:\Documents and Settings\neil\Desktop\Antenna Web Design Studio v2.3.91.rar
      C:\WINDOWS\gendel32.exe
      C:\WINDOWS\SYSTEM32\httppost.exe
      C:\WINDOWS\SYSTEM32\ncase.dll
      C:\WINDOWS\SYSTEM32\t0ccy3.exe
      C:\WINDOWS\SYSTEM32\uninst.exe
      C:\WINDOWS\tqp.exe
    Start KillBox.
    1. Go to the [File] menu, and choose [Paste from Clipboard].
      Verify that you've done this properly by clicking the dropdown-arrow next to the [Full Path of File to Delete] field. The filenames you pasted will be found in there.
    2. Select/tick the following:
      • "Delete on Reboot"
      • "End Explorer Shell While Killing File"
      • "Unregister .dll Before Deleting" if it's not grayed out.
    3. Click the RED X button.
    4. Click [Yes] at the 'Delete on Reboot' prompt. Click [Yes] at the Pending Operations prompt.


  5. After rebooting, locate and delete the following folder(s), if present:
    • C:\Documents and Settings\neil\Favorites\Shop


  6. Run CleanUp!
    Set the program up as follows:
    1. Click Options...
    2. Move the arrow down to Custom CleanUp!
    3. Put a check next to the following:
      • Empty Recycle Bins
      • Delete Cookies
      • Delete Prefetch files
      • [X]Scan local drives for temporary files (Please uncheck this option)
      • Cleanup! All Users
    4. Click OK
    5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
    * CleanUp! will delete all the files in your temp folders without making a backup


  7. Post a fresh HJT log & tell us if you have any more problems.
__________________

Question - what have you done for the community today?
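Triage logic of the kind applied to the HJT lines in the post above, as an added example that is not part of sUBs's post or of HijackThis itself: a small Python parser that flags orphaned entries (target file absent), O4 Run items launched straight from the Windows directory or a drive root, and O16 ActiveX downloads from a bare IP host. The sample log is constructed from the lines quoted in the post plus one benign control line (jusched.exe), which is assumed and not from the original log.

```python
import re

# Sample HijackThis log lines. All except the jusched.exe control line are
# copied from the log quoted in the post; the input as a whole is constructed.
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: UB Class - {00000000-15D9-4736-AB29-131578A45F2B} - C:\\WINDOWS\\system32\\wsrchc3.dll
O2 - BHO: blank - {3CC12C40-47EB-4705-8140-168ADC713E94} - blank (file missing)
O4 - HKLM\\..\\Run: [iisvers] C:\\WINDOWS\\iisvers.exe
O4 - HKLM\\..\\Run: [bluestart] c:\\\\rraut.exe
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/07d784d8f6d04c...ip/RdxIE601.cab
O18 - Filter: text/html - (no CLSID) - (no file)
"""

LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")          # "O4 - <body>"
RUN_RE = re.compile(r"\[([^\]]+)\]\s+(.+)$")               # "[name] <target>"
IP_HOST_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)
# Locations where a Run entry's executable normally should not sit on its own.
SHALLOW_DIRS = {"c:", "c:\\windows"}


def _parent_dir(path: str) -> str:
    # Collapse repeated separators (the log shows c:\\rraut.exe) before splitting.
    norm = re.sub(r"\\+", "\\\\", path.strip().strip('"')).lower()
    return norm.rsplit("\\", 1)[0] if "\\" in norm else ""


def triage_hjt(log: str) -> list[tuple[str, str, str]]:
    """Return (section, reason, detail) for each line that deserves a closer look."""
    findings = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if "(no file)" in body or "(file missing)" in body:
            findings.append((section, "orphaned entry, target file absent", body))
        elif section == "O4":
            run = RUN_RE.search(body)
            if run and _parent_dir(run.group(2)) in SHALLOW_DIRS:
                findings.append((section, "autorun from Windows dir or drive root", run.group(2)))
        elif section == "O16" and IP_HOST_RE.search(body):
            findings.append((section, "ActiveX download from bare IP host", body))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage_hjt(SAMPLE_LOG):
        print(f"{section:4} {reason:42} {detail}")
```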