Logfile of HijackThis v1.99.1
Scan saved at 2:03:26 PM, on 2/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\WINDOWS\TEMP\win3E.tmp.exe <---these little bastards are
C:\WINDOWS\TEMP\win32.tmp.exe ^
C:\WINDOWS\TEMP\win3E.tmp.exe ^
C:\WINDOWS\TEMP\win32.tmp.exe ^
C:\WINDOWS\TEMP\win3E.tmp.exe <---are kicking my ****!!!
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{748881EC-D6C7-4237-90F8-44CA9BFB8C39}: NameServer = 68.109.202.25,68.1.18.25
O20 - Winlogon Notify: wincqt32 - C:\WINDOWS\SYSTEM32\wincqt32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Hey yall...
My problem started with a stupid keygen.exe for a stupid $20 program (insert random insults now).
Here's what I have been fighting over the last few days...
It seems this keygen installed some sort of dialer that takes advantage of IE's ActiveX. When it first started out, I was receiving these popups of an illegal instruction handled by NTVDM (the file it was trying to execute was h91746.exe) over the 16-bit System Prompt. I continued to click close on every one that popped up and began looking for answers. After clicking close enough times, I began getting a popup from Norton about installing "rdgUS2405.exe" and its possibility of being bad (big red warning box). In my research on this EXE I found no references to it specifically, but did find references to other rdg**####.exe files (** seems to be a country code, because I've seen US and FR references, but that's only a guess) that people were fighting. Considering this thing manifests itself with random names, it makes it much harder to pinpoint.
I traced h91746.exe to my windows/temp directory and found over 3000 files there, mostly < 1 byte... So I went to clear them all out, and did so with the exception of a few files that I could not even remove from a safe mode command prompt. I also cleaned out histories, cookies, temp internet files, windows/downloadedwhatever files... Nothing will stop this beast.
So I decided to study the directory and watched it grow again. It appears to be creating randomly named win**.tmp.exe files in my windows/temp directory. To further complicate things, when enough of these files are in place, it begins creating randomly named EXEs in that directory that are then executed. I can see these processes running in my task manager, though Googling the name comes up with nothing.
So here's where I am now. I disabled my IE and checked the ActiveX controls so that I no longer get the h91746.exe popup. I also analyzed a prefetch file for rdgus2405 and was able to clean some stuff out that kept it from reoccurring. My changes to the way ActiveX is handled, although they prevent the 16-bit DOS subsystem error from popping up, have not eliminated the problem. I am still getting these win**.tmp.exe files that are executing, and after enough of them execute, I get a popup regarding my ActiveX settings 'preventing me from viewing the page correctly'. Simply clicking OK makes the message go away.
I am troubled by the fact that this got by Norton and Spybot. I have run Ad-Aware SE and the vxd add-on, as suggested, with nothing showing up. I have run multiple scans with Norton, and made sure all quarantined/backed up items were deleted. My definitions are up to date and my build is tight. I use Firefox and I work in the IT field for 2 of the biggest corps in the world. This is totally embarrassing to be a tech and have these issues I can't resolve. Any help is appreciated...
But if I can't get rid of this nuisance, I'm throwing XP out the window for good this time!
PS - Though I imagine this log should suffice, I do have a screen capture with the specific ActiveX error popup as well as my task manager processes and a major chunk of the HJT log. Email me at bigpapaslim@cox.net to request it...
Slim
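The two indicators in the log above that a responder would triage first are the executables running out of C:\WINDOWS\TEMP (the win**.tmp.exe pattern the post describes) and the O20 Winlogon Notify entry for wincqt32.dll, which is a DLL that winlogon.exe loads at every logon and is not part of a stock XP install. The script below is an added example, not code from the post or from HijackThis: it parses the HijackThis 1.99 log format offline and flags both kinds of entry. The log excerpt embedded in it is a constructed subset of the post's log with the user's annotations removed, and the Winlogon Notify baseline is an assumed list of the subkeys a clean Windows XP SP2 install carries.

```python
"""Offline triage of a HijackThis 1.99 log: flag processes launched from a
Windows temp directory and Winlogon Notify (O20) packages that are not in
a clean XP baseline. Added example; not part of the post or of HijackThis."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed excerpt modelled on the log in the post (user annotations removed).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 2:03:26 PM, on 2/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\TEMP\win3E.tmp.exe
C:\WINDOWS\TEMP\win32.tmp.exe
C:\WINDOWS\TEMP\win3E.tmp.exe
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O20 - Winlogon Notify: wincqt32 - C:\WINDOWS\SYSTEM32\wincqt32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# HijackThis entries look like "O20 - <body>", "R0 - <body>", etc.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Assumed baseline: Winlogon\Notify subkeys present on a clean Windows XP SP2 install.
XP_NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                      "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def parse_hjt(text):
    """Split a HijackThis log into its process list and its coded entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False          # first coded entry ends the process list
            entries.append((m.group(1), m.group(2)))
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def is_temp_path(path):
    """True when any directory component of a Windows path is TEMP or TMP."""
    directories = PureWindowsPath(path).parts[:-1]
    return any(p.lower() in ("temp", "tmp") for p in directories)


def find_suspicious(parsed):
    """Return the findings a responder would want to look at first."""
    findings = []
    # Count repeats: the same temp executable running several times is itself a signal.
    temp_procs = Counter(p for p in parsed["processes"] if is_temp_path(p))
    for path, count in temp_procs.items():
        note = "executable running from a temp directory"
        if PureWindowsPath(path).name.lower().endswith(".tmp.exe"):
            note += " with the .tmp.exe naming pattern"
        findings.append({"kind": "temp_process", "path": path, "count": count, "note": note})
    for code, body in parsed["entries"]:
        if code == "O20" and body.startswith("Winlogon Notify:"):
            # Body layout: "Winlogon Notify: <subkey> - <dll path>"
            subkey, _, dll = body[len("Winlogon Notify:"):].partition(" - ")
            subkey = subkey.strip()
            if subkey.lower() not in XP_NOTIFY_BASELINE:
                findings.append({"kind": "winlogon_notify", "subkey": subkey,
                                 "path": dll.strip(), "count": 1,
                                 "note": "Winlogon Notify package outside the XP baseline; "
                                         "loaded into winlogon.exe at logon"})
    return findings


def triage(text):
    """Parse a log and return its findings in one call."""
    return find_suspicious(parse_hjt(text))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['path']} x{f['count']}: {f['note']}")
```

Run against the constructed excerpt it reports win3E.tmp.exe twice, win32.tmp.exe once, and the wincqt32 Notify package; against the full log in the post the same logic picks out the five TEMP process lines and the single O20 line. The temp-directory test looks at directory components rather than substrings, so a legitimately named folder such as "Template" does not trigger it, and the Notify check is an allowlist comparison, so any name it flags still has to be verified by hand (publisher, on-disk file, load behaviour) before it is treated as malicious.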