
HJT log - Help needed please

3K views, 21 replies, 4 participants; last post by CTSNKY
#1 ·
I have a number of problems with a machine which I installed Broadband on at the weekend. I have run AVG and currently there are 10 viruses that are in the virus vault.

Each time I try to connect to the internet the browser goes to the home page and then diverts to another site which isn't very nice!

I've run HijackThis and the log is below. Not sure if I also need to post details of the viruses in the vault as I think some of these are occurring each time the machine connects to the internet. There are actually 17 entries in the vault but some are the same virus where I have had to run AVG several times to remove them.

I'd really appreciate any help you can offer with this.

Thanks in advance

Logfile of HijackThis v1.97.7
Scan saved at 10:28:36, on 30/11/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\sfmprint.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\WINNT\System32\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\f0mered.exe
C:\WINNT\System32\msass43.exe
c:\winnt\system32\ccdew\beird.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
c:\winnt\system32\ccdew\wshield.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\Grisoft\AVG6\avgw.exe
C:\Program Files\Grisoft\AVG6\Avgvv.exe
C:\WINNT\System32\mdm.exe
C:\Elveys\Software Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Start aThx Roll] f0mered.exe
O4 - HKLM\..\Run: [ALTER DATA] c:\winnt\system32\ccdew\repcale.exe c:\winnt\system32\ccdew\beird.exe
O4 - HKLM\..\Run: [Windows Media Player] msass43.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunServices: [Start aThx Roll] f0mered.exe
O4 - HKLM\..\RunServices: [ALTER DATA] c:\winnt\system32\ccdew\repcale.exe c:\winnt\system32\ccdew\beird.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msass43.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Start aThx Roll] f0mered.exe
O4 - HKCU\..\Run: [ALTER DATA] c:\winnt\system32\ccdew\repcale.exe c:\winnt\system32\ccdew\beird.exe
O4 - HKCU\..\Run: [Windows Media Player] msass43.exe
O4 - HKCU\..\RunServices: [ALTER DATA] c:\winnt\system32\ccdew\repcale.exe c:\winnt\system32\ccdew\beird.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...2575462963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A9DCBE9-A197-40DD-B03F-7E74774B753D}: NameServer = 192.168.1.1
 
#2 ·
Lotsa nasties!!

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

You have an outdated version of HijackThis. Click here to get the latest version of HijackThis.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Make sure to select the Autoclean option. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Go to this site to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINNT\System32\f0mered.exe
C:\WINNT\System32\msass43.exe
c:\winnt\system32\ccdew\beird.exe
c:\winnt\system32\ccdew\wshield.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [Start aThx Roll] f0mered.exe
O4 - HKLM\..\Run: [ALTER DATA] c:\winnt\system32\ccdew\repcale.exe c:\winnt\system32\ccdew\beird.exe
O4 - HKLM\..\Run: [Windows Media Player] msass43.exe
O4 - HKLM\..\RunServices: [Start aThx Roll] f0mered.exe
O4 - HKLM\..\RunServices: [ALTER DATA] c:\winnt\system32\ccdew\repcale.exe c:\winnt\system32\ccdew\beird.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msass43.exe
O4 - HKCU\..\Run: [Start aThx Roll] f0mered.exe
O4 - HKCU\..\Run: [ALTER DATA] c:\winnt\system32\ccdew\repcale.exe c:\winnt\system32\ccdew\beird.exe
O4 - HKCU\..\Run: [Windows Media Player] msass43.exe
O4 - HKCU\..\RunServices: [ALTER DATA] c:\winnt\system32\ccdew\repcale.exe c:\winnt\system32\ccdew\beird.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINNT\System32\f0mered.exe
C:\WINNT\System32\msass43.exe
c:\winnt\system32\ccdew\

Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.
 
#3 ·
Thanks so much

Thank you very much for your time and help with this.

I followed your instructions and things look like they are back to normal. My latest HJT log is below and I'd be grateful if you could check it now to make sure it's ok.

The only query I have now is whether it is ok to leave the viruses that AVG has placed in the vault. Please see the attached which shows what's in the vault. I've also noticed a couple of things in the Administrator folder in Documents and Settings which may relate to what's in the vault.

Thanks again

Logfile of HijackThis v1.98.2
Scan saved at 23:24:22, on 02/12/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\sfmprint.exe
C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\devldr32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\WINNT\System32\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\WINNT\System32\mdm.exe
C:\Elveys\Software Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeserve.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe" /waitservice
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A9DCBE9-A197-40DD-B03F-7E74774B753D}: NameServer = 192.168.1.1
 

Attachments

#4 ·
You can delete all those files in the Vault whenever you like.

Your log is clean. If you disabled System Restore, make sure to enable it now.

To help prevent future spyware installations/infections, please read the Anti-Spyware Section (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided.

Are there any problems now? If not, you should be set to go.

:wave:
 
#5 ·
Still having problems

Thank you for looking at the log, sorry for the delay in replying, I thought I was ok but still seem to be getting problems when I connect, although not quite the same symptoms.

I went through the list of measures in the anti-spyware link.

At the moment I still have problems once I have connected, up until then the machine seems fine. Once connected the machine goes very slow and AVG detects viruses. The viruses in the vault this time are in the attachment.

I've posted my current HJT log below in case there is anything obvious.

Thanks in advance (again!)

Logfile of HijackThis v1.98.2
Scan saved at 20:14:07, on 06/12/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\sfmprint.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\WINNT\System32\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINNT\System32\windev32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Grisoft\AVG6\avgw.exe
C:\Program Files\Grisoft\AVG6\Avgvv.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINNT\System32\mdm.exe
C:\Elveys\Software Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Device Service] windev32.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\RunServices: [Microsoft Device Service] windev32.exe
O4 - HKCU\..\Run: [Microsoft Device Service] windev32.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A9DCBE9-A197-40DD-B03F-7E74774B753D}: NameServer = 192.168.1.1
 

Attachments

#6 ·
Take your virus list, go to each of those folders, and see if the file is actually there. If the bad file is there, delete it. Try to find them all, and delete them.

Something is very whacky, and I am not sure what it is.

Don't bother with more logs at this point...tell us the result of your own search and destroy mission.
 
#7 ·
I still think I've got some problems

Sorry for the delay since the last post. I had got so frustrated with the machine that I'd left it until after New Year before having another crack at it. I thought that, having run a couple of online scans (Panda & HouseCall) and running Spybot, Ad-aware and AVG, I'd got things under control, although I also started using Firefox which may have made anything left less evident. I had also installed the ZoneAlarm free edition which may also have helped, although I had to remove this recently as it seemed to be blocking the other machines I have from accessing the internet using the broadband connection of the machine I have had the problems with.

Anyway, I still think there are some unresolved issues with the machine. I've been getting some Messenger boxes appearing on the screen which I thought were suspicious and have closed these, but this then seems to be followed by the following symptoms:

1) Unable to move desktop items around
2) Error messages with Outlook Express that there is not enough memory
3) Unable to see the contents of the WINNT folder

I've included the current HJT log as it's been a while since the last post and there may be something here which is causing the problem.

Logfile of HijackThis v1.98.2
Scan saved at 20:01:38, on 16/01/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\sfmprint.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\WINNT\System32\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINNT\System32\realone.exe
C:\WINNT\System32\devsrv.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Elveys\Software Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Debug Service] debug32.exe
O4 - HKLM\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] ntsf.exe
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [Microsoft Excel] msexcel.exe
O4 - HKLM\..\Run: [Device Microsoft System] devsrv.exe
O4 - HKLM\..\RunServices: [Microsoft Debug Service] debug32.exe
O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] ntsf.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [Microsoft Excel] msexcel.exe
O4 - HKLM\..\RunServices: [Device Microsoft System] devsrv.exe
O4 - HKCU\..\Run: [Microsoft Debug Service] debug32.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] ntsf.exe
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - HKCU\..\Run: [Microsoft Excel] msexcel.exe
O4 - HKCU\..\Run: [Device Microsoft System] devsrv.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3800D619-E545-4757-9DD2-46272BAEF1DE}: NameServer = 194.74.65.69 194.72.9.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A9DCBE9-A197-40DD-B03F-7E74774B753D}: NameServer = 192.168.1.6
 
#8 ·
Hi there.......lots of info to share and things to do here. Take your time, but stay on the path. Make sure you get the exact file names listed for action, as some of them have similar names to important Windows files. Also, don't be fooled by what some of these files "appear" to be.....that's part of the hook.

===========

To disable the Windows Messenger service pop-ups:

Click Start-> Settings-> Control Panel-> Administrative Tools->Services
Scroll down and highlight "Messenger"
Right-click the highlighted line and choose Properties.
Click the STOP button.
Select Disable or Manual in the Startup Type scroll bar
Click OK

-------------

Log analysis:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

You have an outdated version of HijackThis. Click here to get the latest version of HijackThis and run it.

Before you give us a new log here, if we gave you instructions for a fix, please do the fixes first and then post the new log with this updated version.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it in the forum. We do not need the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [Microsoft Debug Service] debug32.exe
O4 - HKLM\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] ntsf.exe
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [Microsoft Excel] msexcel.exe
O4 - HKLM\..\Run: [Device Microsoft System] devsrv.exe
O4 - HKLM\..\RunServices: [Microsoft Debug Service] debug32.exe
O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] ntsf.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsysmgr.exe
O4 - HKLM\..\RunServices: [Microsoft Excel] msexcel.exe
O4 - HKLM\..\RunServices: [Device Microsoft System] devsrv.exe
O4 - HKCU\..\Run: [Microsoft Debug Service] debug32.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] ntsf.exe
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - HKCU\..\Run: [Microsoft Excel] msexcel.exe
O4 - HKCU\..\Run: [Device Microsoft System] devsrv.exe

Delete all of the above files according to their directory (if none, just do a search for them) and delete them. You will probably find most/all of them in the C:\Windows or C:\Windows\System32 folder.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
 
#9 ·
A way to go yet I think!

Hi there,

Thanks for picking this up so quickly and for your time.

I followed the instructions, except that I couldn't see a System Restore option in My Computer, so I didn't think it applied to my OS.

The results file is below.

I couldn't find all the files (debug32, libsysmgr and syslog32), so I was unable to delete these.

After I'd run the KRC results I opened the browser and again found I got problems after a little while, with the system slowing right down. I also think that the HJT scan results are different once I've opened the browser and include items I'd deleted (msexcel, realone.exe) that appeared to be clear in HJT prior to opening the browser. There are also some other items that I have had before, such as defragfatx. I have therefore posted another HJT scan which was taken once I'd opened the browser.

It's been quite difficult getting online long enough to post this, and I noticed that when trying to connect to the forum the bottom left of the panel shows it waiting for a response from te.burst.net and ad.doubleclick.net. Not sure if this is linked to the problem with the browser freezing after a while?

A couple of other things that may be significant. I have had AVG reporting the IRC/Backdoor sdbot trojan, but it doesn't remove this, nor do the online scans. After posting the recent HJT log I had also run a programme called Stinger which was supposed to remove this particular virus, but although it did identify and remove some infected files, the problem still exists and I'm looking at an AVG Resident Shield alert for this as I'm typing now. Sdbot is usually followed by some characters or numerics, but these seem to vary. The files they are found in also vary.

Lastly, on a number of occasions, usually when running scans, I get a blue screen which says something along the lines of physical memory dump. The system then shuts down and reboots. I mention this as I'd noticed something in the My Computer Startup and Recovery tab (while looking for System Restore) which is set to Complete Memory Dump in the system failure section.

Anyway I'll post this before I freeze up again. Thanks again for your help.


====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/16/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 07:21:24, on 18/01/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\sfmprint.exe
C:\WINNT\System32\rsvp.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\locator.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINNT\System32\winsystem32.exe
C:\WINNT\System32\updsrv.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [Update Microsoft System] updsrv.exe
O4 - HKLM\..\Run: [Windows_Protect] winsystem32.exe
O4 - HKLM\..\RunServices: [Update Microsoft System] updsrv.exe
O4 - HKLM\..\RunServices: [Windows_Protect] winsystem32.exe
O4 - HKCU\..\Run: [Update Microsoft System] updsrv.exe
O4 - HKCU\..\Run: [Windows_Protect] winsystem32.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3800D619-E545-4757-9DD2-46272BAEF1DE}: NameServer = 194.74.65.69 194.72.9.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A9DCBE9-A197-40DD-B03F-7E74774B753D}: NameServer = 192.168.1.6
O23 - Service: License Logging Service - Unknown - C:\WINNT\System32\llssrv.exe (file missing)
O23 - Service: NT login service - Unknown - C:\WINNT\System32\libsysmgr.exe (file missing)


End of KRC HijackThis Analyzer Log.
====================================================================




Logfile of HijackThis v1.99.0
Scan saved at 15:35:53, on 18/01/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\sfmprint.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\WINNT\System32\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINNT\system32\defragfatx.exe
C:\WINNT\System32\realone.exe
C:\WINNT\System32\winproxy.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Grisoft\AVG6\avgw.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SpywareGuard\sgbhp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [Update Microsoft System] updsrv.exe
O4 - HKLM\..\Run: [Windows_Protect] winsystem32.exe
O4 - HKLM\..\Run: [Microsoft Excel] msexcel.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINNT\system32\defragfatx.exe
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\Run: [Windows Compliant] winole.exe
O4 - HKLM\..\RunServices: [Update Microsoft System] updsrv.exe
O4 - HKLM\..\RunServices: [Windows_Protect] winsystem32.exe
O4 - HKLM\..\RunServices: [Microsoft Excel] msexcel.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\RunServices: [Windows Compliant] winole.exe
O4 - HKCU\..\Run: [Update Microsoft System] updsrv.exe
O4 - HKCU\..\Run: [Windows_Protect] winsystem32.exe
O4 - HKCU\..\Run: [Microsoft Excel] msexcel.exe
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - HKCU\..\Run: [Winproxy Personal] winproxy.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3800D619-E545-4757-9DD2-46272BAEF1DE}: NameServer = 194.74.65.69 194.72.9.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A9DCBE9-A197-40DD-B03F-7E74774B753D}: NameServer = 192.168.1.6
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: License Logging Service - Unknown - C:\WINNT\System32\llssrv.exe (file missing)
O23 - Service: NT login service - Unknown - C:\WINNT\System32\libsysmgr.exe (file missing)
 
#10 ·
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you have installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINNT\system32\defragfatx.exe
C:\WINNT\System32\realone.exe
C:\WINNT\System32\winproxy.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [Update Microsoft System] updsrv.exe
O4 - HKLM\..\Run: [Windows_Protect] winsystem32.exe
O4 - HKLM\..\Run: [Microsoft Excel] msexcel.exe
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINNT\system32\defragfatx.exe
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\Run: [Windows Compliant] winole.exe
O4 - HKLM\..\RunServices: [Update Microsoft System] updsrv.exe
O4 - HKLM\..\RunServices: [Windows_Protect] winsystem32.exe
O4 - HKLM\..\RunServices: [Microsoft Excel] msexcel.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\RunServices: [Windows Compliant] winole.exe
O4 - HKCU\..\Run: [Update Microsoft System] updsrv.exe
O4 - HKCU\..\Run: [Windows_Protect] winsystem32.exe
O4 - HKCU\..\Run: [Microsoft Excel] msexcel.exe
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - HKCU\..\Run: [Winproxy Personal] winproxy.exe
O23 - Service: NT login service - Unknown - C:\WINNT\System32\libsysmgr.exe (file missing)

Delete the following files/folders (delete folders if no filename is specified) according to their directory (if none is shown, just do a search for them), if they exist:

C:\WINNT\system32\defragfatx.exe
C:\WINNT\System32\realone.exe
C:\WINNT\System32\winproxy.exe
C:\WINNT\System32\libsysmgr.exe
winole.exe
updsrv.exe
msexcel.exe
winsystem32.exe

Reboot into Normal Mode and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools/programs provided.
 
#11 ·
They just won't go!

Hi there, thank you for picking this up.

I've done my best to follow the instructions as closely as I could, but the problems with the machine have made some of this very difficult.

Online scan attempts resulted in the machine slowing down to a halt without being able to complete a full scan. The same was the case with TDS-3, and I was unable to complete the full scan without the machine grinding to a halt.

I therefore ran HJT in Safe Mode and followed the instructions, although winole.exe wasn't present in the scan results. I was able to find and delete all files except winsystem32.exe. After rebooting in normal mode the HJT log did not show these entries.

I managed to go online and run Trend Micro HouseCall, which detected 7 infected files, 6 with worm peybot.a and 1 with worm rbot.afk. HouseCall could not clean these.

I also then managed a Panda ActiveScan which detected 18 infected files and removed 16 of them. These were the results:

Virus:W32/Sdbot.BLY.worm Disinfected Operating system
Virus:W32/Sdbot.BNX.worm Disinfected C:\WINNT\system32\OfficeGUI32cb.exe
Virus:W32/Sdbot.BLY.worm Renamed C:\WINNT\system32\realone.exe
Virus:W32/Gaobot.CGL.worm Disinfected C:\WINNT\system32\taskmngr.exe
Virus:W32/Sdbot.BLY.worm Disinfected C:\WINNT\system32\TFTP1480
Virus:W32/Sdbot.BLY.worm Disinfected C:\WINNT\system32\TFTP2516
Virus:W32/Sdbot.BLY.worm Disinfected C:\WINNT\system32\TFTP3600
Virus:W32/Sdbot.BLY.worm Disinfected C:\WINNT\system32\TFTP4364
Virus:W32/Sdbot.BLY.worm Disinfected C:\WINNT\system32\TFTP4616
Virus:W32/Sdbot.BLY.worm Disinfected C:\WINNT\system32\TFTP4768
Virus:W32/Sdbot.BLY.worm Disinfected C:\WINNT\system32\TFTP4872
Virus:W32/Sdbot.BLY.worm Disinfected C:\WINNT\system32\TFTP5076
Virus:W32/Gaobot.CJX.worm Disinfected C:\WINNT\system32\TFTP5132
Virus:W32/Sdbot.BLY.worm Disinfected C:\WINNT\system32\TFTP5184
Virus:W32/Sdbot.BLY.worm Disinfected C:\WINNT\system32\TFTP5228
Virus:W32/Sdbot.BLY.worm Disinfected C:\WINNT\system32\TFTP6068
Virus:Worm Generic.GA Disinfected C:\WINNT\system32\TFTP6432
Virus:Worm Generic.GA Disinfected C:\WINNT\system32\TFTP6772
Virus:Worm Generic.GA Renamed C:\WINNT\system32\winproxy.exe

Once I'd gone online to post this I started to get problems again, and the usual suspects are back again and appearing in the HJT scan. I was able to run a TDS quick scan and the results are below. The machine actually ground to a halt while I was posting this and I hadn't copied the top part of the TDS window at that stage. When I rebooted and ran TDS again there was a line I'd noticed in the first scan that was not now appearing: this was a warning that registry autostart settings had been changed, and when I viewed this it was realone.exe, winproxy.exe, defragfat.exe, msexcel.exe.



TDS quick scan results

Scan Control Dumped @ 21:29:06 19-01-05
RegVal Trace: RAT.Domwis please submit: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Windows DLL Loader=C:\WINNT\system32\defragfatx.exe]

File Trace: Default trojan filename: DDoS.RAT.rBot
File: C:\WINNT\System32\host32.exe

Positive identification: DDoS.RAT.SpyBot 1.2ga
File: c:\winnt\system32\tftp7164

Positive identification: DDoS.RAT.SpyBot 1.2ga
File: c:\winnt\system32\tftp7228

Positive identification: DDoS.RAT.rBot.acp
File: c:\winnt\system32\winexec32.exe

Positive identification: Trojan.Win32.LowZones.p5
File: c:\winnt\tempfiles\folder\folder\internet.exe

Positive identification: Adware.WinAD.b1
File: c:\winnt\tempfiles\folder\folder\xp.exe





Here are the results of the KRC Analyzer against the current HJT log.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/16/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 22:25:03, on 19/01/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\sfmprint.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\locator.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINNT\system32\defragfatx.exe
C:\WINNT\System32\msexcel.exe
C:\WINNT\System32\realone.exe
C:\WINNT\System32\updsrv.exe
C:\WINNT\System32\winproxy.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\TDS3\tds-3.exe
C:\WINNT\msagent\AgentSvr.exe
C:\WINNT\regedit.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINNT\system32\defragfatx.exe
O4 - HKLM\..\Run: [Microsoft Excel] msexcel.exe
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [Update Microsoft System] updsrv.exe
O4 - HKLM\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\RunServices: [Microsoft Excel] msexcel.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [Update Microsoft System] updsrv.exe
O4 - HKLM\..\RunServices: [Winproxy Personal] winproxy.exe
O4 - HKCU\..\Run: [Microsoft Excel] msexcel.exe
O4 - HKCU\..\Run: [Update Microsoft System] updsrv.exe
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - HKCU\..\Run: [Winproxy Personal] winproxy.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A9DCBE9-A197-40DD-B03F-7E74774B753D}: NameServer = 192.168.1.6
O23 - Service: License Logging Service - Unknown - C:\WINNT\System32\llssrv.exe (file missing)


End of KRC HijackThis Analyzer Log.
====================================================================

Thanks again for the help and your time.
 
#12 ·
Try to run that TDS3 scan again, when able. Also, please do not use Word for copying/pasting, it adds double-spaced entries, which are a pain to read. Use Notepad. Thanks.....

===========

Download Hoster (http://www.greyknight17.com/spy/Hoster.exe) and run it. Choose the 'Restore Original Hosts' button and press OK.

Unless there's something you need in there (and move it out, if you do), you should delete this entire folder:

c:\winnt\tempfiles\

The Temp folders should be cleaned out periodically, as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link doesn't work) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.

Download KillBox (http://www.greyknight17.com/spy/KillBox.exe). Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Replace on Reboot' and check the box underneath that. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into the top line (hitting the X button for each file - choose NO when it asks if you want to reboot until you get to the last file to delete):

C:\WINNT\System32\msexcel.exe
C:\WINNT\System32\realone.exe
C:\WINNT\System32\updsrv.exe
C:\WINNT\System32\winproxy.exe


Reboot and post a new HJT log.
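What the helper does by eye in posts #10 and #12 is a triage of the HijackThis log: O4 autostart entries that name a bare filename, repeat the same binary under HKLM Run, HKLM RunServices and HKCU Run, and borrow a system-sounding display name; an O1 Hosts line that pins a hostname to a non-loopback address; and an O23 service whose binary is already gone. The Python script below applies those same rules over a small sample in HijackThis log format. It is an added example, not code from this thread, from HijackThis or from the KRC Analyzer; the sample lines are constructed (modelled on the entries quoted above) and the rule names and thresholds are my own choices.

```python
"""Rule-based triage of HijackThis-style log lines (added example, not HijackThis code)."""
import re
from collections import defaultdict

# Constructed sample in HijackThis log format, modelled on entries quoted in the thread.
SAMPLE_LOG = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Excel] msexcel.exe
O4 - HKLM\..\RunServices: [Microsoft Excel] msexcel.exe
O4 - HKCU\..\Run: [Microsoft Excel] msexcel.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINNT\system32\defragfatx.exe
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: NT login service - Unknown - C:\WINNT\System32\libsysmgr.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
# Display names that borrow a vendor/system word (weak signal on its own, hence its own reason text).
SYSTEM_WORDS = re.compile(r"\b(microsoft|windows|nt|system)\b", re.I)
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def exe_name(cmd):
    """Return (basename lower-cased, whether the command carried a directory) for an O4 command."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly with spaces
        end = cmd.find('"', 1)
        token = cmd[1:end] if end > 0 else cmd[1:]
    else:
        token = cmd.split()[0] if cmd.split() else ""
    return token.rsplit("\\", 1)[-1].lower(), "\\" in token


def triage(log_text):
    """Map each suspicious log line to the list of rules it tripped."""
    findings = defaultdict(list)
    seen = defaultdict(list)                     # exe basename -> [(hive, key, line)]
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe, has_path = exe_name(m["cmd"])
            seen[exe].append((m["hive"], m["key"], line))
            if not has_path:
                findings[line].append("bare filename (resolved by path search, no install directory)")
            if m["key"] == "RunServices":
                findings[line].append("RunServices key (Windows 9x-era key; Windows 2000 software seldom uses it)")
            if SYSTEM_WORDS.search(m["name"]):
                findings[line].append("system-sounding display name (weak signal, verify the binary)")
            continue
        m = O1_RE.match(line)
        if m and m["ip"] not in LOOPBACK:
            findings[line].append(f"Hosts redirect: {m['host']} pinned to {m['ip']}")
            continue
        m = O23_RE.match(line)
        if m and m["path"].endswith("(file missing)"):
            findings[line].append("service points at a missing binary (orphaned autostart entry)")
    # The same binary registered under several autostart keys is the pattern every fix list above targets.
    for exe, entries in seen.items():
        locations = {(hive, key) for hive, key, _ in entries}
        if len(locations) >= 2:
            for _, _, line in entries:
                findings[line].append(f"{exe} registered in {len(locations)} autostart locations")
    return dict(findings)


def flagged_executables(log_text):
    """Basenames of autostart binaries that tripped a rule: the list to hunt for on disk afterwards."""
    names = set()
    for line in triage(log_text):
        m = O4_RE.match(line)
        if m:
            names.add(exe_name(m["cmd"])[0])
    return sorted(names)


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
    print("binaries to locate on disk:", flagged_executables(SAMPLE_LOG))
```

Run against the sample, the AVG, Nero and Acrobat-style entries with full paths and one registration produce no finding, while the three msexcel.exe entries, the Hosts redirect and the orphaned "NT login service" are each reported with the reason that applies; the RunServices line collects four reasons. The "system-sounding name" rule is deliberately weak and is there to be read alongside the others, not acted on alone.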
 
#13 ·
next installment please

Hi there, thanks for your response.

I managed to complete TDS full scan, results are below along with details copied from the panel of TDS screen.

I was able to follow each instruction and I have included the new HJT log which is still showing entries for the 4 files.

Scan Control Dumped @ 19:07:29 20-01-05
Live trojan found (in process memory): DCOM RPC Exploit
File: C:\WINNT\system32\defragfatx.exe

Live trojan found: DCOM RPC Exploit
File: C:\WINNT\System32\msexcel.exe

Live trojan found: DCOM RPC Exploit
File: C:\WINNT\System32\realone.exe

Live trojan found: DCOM RPC Exploit
File: C:\WINNT\System32\winproxy.exe

Live trojan found: DCOM RPC Exploit
File: C:\WINNT\System32\updsrv.exe

RegVal Trace: RAT.Domwis please submit: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [Windows DLL
Loader=C:\WINNT\system32\defragfatx.exe]

File Trace: Default trojan filename: DDoS.RAT.rBot
File: C:\WINNT\System32\host32.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\administrator\my documents\karen work\lisa gajjudhur one to one 23.8.04..doc

Suspicious Filename: Dual extensions
File: c:\elveys\software downloads\setupdvddecrypter_3.2.0.0.exe

Suspicious Filename: Dual extensions
File: c:\elveys\software downloads\setupdvddecrypter_3.2.2.0.exe

Suspicious Filename: Dual extensions
File: c:\elveys\software downloads\setupdvddecrypter_3.5.1.0.exe

Positive identification: DDoS.RAT.SpyBot 1.2ga
File: c:\winnt\system32\tftp7164

Positive identification: DDoS.RAT.SpyBot 1.2ga
File: c:\winnt\system32\tftp7228

Positive identification: DDoS.RAT.rBot.acp
File: c:\winnt\system32\winexec32.exe

Positive identification: Trojan.Win32.LowZones.p5
File: c:\winnt\tempfiles\folder\folder\internet.exe

Positive identification: Adware.WinAD.b1
File: c:\winnt\tempfiles\folder\folder\xp.exe



07:38:32 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
07:38:32 [Init] Started 20-01-05 07:38:32 GMT Standard Time (UTC: 0), Internet Time @360.09
07:38:32 [Init] Loading TDS-3 Systems ...
07:38:32 [Init] Token successfully adjusted.
07:38:32 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
07:38:32 [Init] • Plugins : OK. Loaded 13
07:38:32 [Init] • Exec Protection : Not Installed
07:38:32 [Init] WARNING: Your Radius.TD3 database needs to be updated!
07:38:32 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
07:38:32 [Init] Licensed users can use the Update facility from the TDS menu
07:38:33 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
07:38:42 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
07:38:42 [Init] • Systems Initialised [44547 references - 20677 primaries/11735 traces/12135 variants/other]
07:38:42 [Init] Radius Systems loaded. <Databases updated 18-01-2005>
07:38:42 [Init] TDS-3 Ready. <Administrator@192.168.1.6, 127.0.0.1 - United Kingdom>
07:38:42 [Tip Of The Day] Ever wanted to know what your IRC client and IRC server were saying to each other? You can view, analyse, and even inject data into almost any TCP Client/Server combination using the Traffic Bridge utility.
07:38:42 [TDS] ****-A-DOODLE-DO! Good morning Administrator
07:38:50 [Mutex Memory Scan] Started...
07:38:51 [Mutex Memory Scan] Finished (no trojan mutexes found).
07:38:51 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
07:38:56 [CRC32] Started - verifying 29 files ...
07:38:57 [CRC32] File doesn't exist: C:\autoexec.bat
07:39:05 [CRC32] Test finished.
07:43:19 [Memory Scan] Memory scan started, please wait a moment ...
07:43:20 [Memory Scan] Memory scan complete.
07:43:20 [Mutex Memory Scan] Started...
07:43:22 [Mutex Memory Scan] Finished (no trojan mutexes found).
07:43:22 [Trace Scan] Started...
07:43:36 [Trace Scan] Finished.
07:43:36 [ServiceScan] Scanning for services and drivers ...
07:43:43 [ServiceScan] Scanned 294 services and drivers.
07:43:43 [File Scan] Scanning in A:\ ...
07:43:44 [File Scan] Scanned 0 files: 7 alarms in 1.021484 seconds (Avg 1. files/sec)
07:43:44 [File Scan] Scanning in C:\ ...
08:29:00 [Locked File] Couldn't open c:\winnt\system32\popupblocker.exe for read access, file is locked
08:29:29 [Locked File] Couldn't open c:\winnt\system32\syslocal32.exe for read access, file is locked
08:35:02 [File Scan] Scanned 35738 files: 16 alarms in 3077.916 seconds (Avg 12.61 files/sec)
08:35:02 [File Scan] Scanning in D:\ ...
08:35:02 [File Scan] Scanned 0 files: 16 alarms in 6.054688E-02 seconds (Avg 1. files/sec)
08:35:02 [File Scan] Scanning in E:\ ...
08:35:02 [File Scan] Scanned 0 files: 16 alarms in 0 seconds (Avg -1.#IND files/sec)
08:35:02 [Scan] Finished.
19:06:52 [Screen Text] Saved to C:\Program Files\TDS3\scr1.txt
19:07:29 [Text Dump] Saved to C:\Program Files\TDS3\scandump.txt

Logfile of HijackThis v1.99.0
Scan saved at 20:30:01, on 20/01/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\sfmprint.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\rsvp.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\WINNT\System32\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINNT\system32\defragfatx.exe
O4 - HKLM\..\Run: [Microsoft Excel] msexcel.exe
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [Update Microsoft System] updsrv.exe
O4 - HKLM\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\RunServices: [Microsoft Excel] msexcel.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [Update Microsoft System] updsrv.exe
O4 - HKLM\..\RunServices: [Winproxy Personal] winproxy.exe
O4 - HKCU\..\Run: [Microsoft Excel] msexcel.exe
O4 - HKCU\..\Run: [Update Microsoft System] updsrv.exe
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - HKCU\..\Run: [Winproxy Personal] winproxy.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A9DCBE9-A197-40DD-B03F-7E74774B753D}: NameServer = 192.168.1.6
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: License Logging Service - Unknown - C:\WINNT\System32\llssrv.exe (file missing)
 
#14 ·
I think we're closing in on them.....

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and uncheck the box labeled 'Hide protected operating system files'.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINNT\system32\defragfatx.exe
O4 - HKLM\..\Run: [Microsoft Excel] msexcel.exe
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [Update Microsoft System] updsrv.exe
O4 - HKLM\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\RunServices: [Microsoft Excel] msexcel.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [Update Microsoft System] updsrv.exe
O4 - HKLM\..\RunServices: [Winproxy Personal] winproxy.exe
O4 - HKCU\..\Run: [Microsoft Excel] msexcel.exe
O4 - HKCU\..\Run: [Update Microsoft System] updsrv.exe
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - HKCU\..\Run: [Winproxy Personal] winproxy.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINNT\system32\defragfatx.exe
C:\WINNT\System32\msexcel.exe
C:\WINNT\System32\realone.exe
C:\WINNT\System32\winproxy.exe
C:\WINNT\System32\updsrv.exe
C:\WINNT\System32\host32.exe
c:\winnt\system32\tftp7164
c:\winnt\system32\tftp7228
c:\winnt\system32\winexec32.exe

c:\winnt\tempfiles\ (Get rid of this folder!)

Reboot into Normal Mode and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in Normal Mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
 
#15 · (Edited)
New entries in HJT log

Hi there, thanks for responding so quickly.

I followed the instructions up to the point of deleting files, when I couldn't find the following files in the system32 folder or by doing a search.

msexcel
realone
winproxy
updsrv

I had already removed the tempfiles folder from previous instructions.

I rebooted and the new HJT log was clean. When I connected to Broadband I checked again and realone was showing as a running process. I rebooted again into Safe Mode and removed the HJT entries again, and this time the file was in the system32 folder so I deleted it.

I rebooted again and ran the log, which looked clean. Once again, when I connected to broadband I started having problems with AVG detecting the SDbot virus. After this had happened I ran the HJT scan and below are the results. I didn't run KRC in case you wanted to view the full log, as some of the previous entries are no longer showing but there are some new ones.

The broadband connection was happening automatically after reboot, but I've removed the 'connect automatically' tick as I seem to always get the problems once I've actually connected, even before I have necessarily opened any browsers.

I have just edited this post as I have another item now showing in the HJT log. The KRC results of this latest HJT log are below; the previous full HJT log is below that.

Thanks

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/16/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 00:04:46, on 21/01/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\sfmprint.exe
C:\WINNT\System32\rsvp.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\locator.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINNT\System32\realone.exe
C:\WINNT\System32\wincalc.exe
C:\WINNT\System32\winproxy.exe
C:\WINNT\System32\dllman.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [Calc Microsoft Windows] wincalc.exe
O4 - HKLM\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [Calc Microsoft Windows] wincalc.exe
O4 - HKLM\..\RunServices: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - HKCU\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKCU\..\Run: [Calc Microsoft Windows] wincalc.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A9DCBE9-A197-40DD-B03F-7E74774B753D}: NameServer = 192.168.1.6
O23 - Service: License Logging Service - Unknown - C:\WINNT\System32\llssrv.exe (file missing)


End of KRC HijackThis Analyzer Log.
====================================================================

Logfile of HijackThis v1.99.0
Scan saved at 23:26:13, on 20/01/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\sfmprint.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
C:\WINNT\System32\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINNT\System32\realone.exe
C:\WINNT\System32\wincalc.exe
C:\WINNT\System32\winproxy.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
C:\WINNT\System32\mdm.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [Calc Microsoft Windows] wincalc.exe
O4 - HKLM\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [Calc Microsoft Windows] wincalc.exe
O4 - HKLM\..\RunServices: [Winproxy Personal] winproxy.exe
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - HKCU\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKCU\..\Run: [Calc Microsoft Windows] wincalc.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A9DCBE9-A197-40DD-B03F-7E74774B753D}: NameServer = 192.168.1.6
O23 - Service: Ati HotKey Poller - Unknown - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: License Logging Service - Unknown - C:\WINNT\System32\llssrv.exe (file missing)
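The pattern in the two logs above (the same bare filename registered under HKLM Run, HKLM RunServices and HKCU Run, then a fresh set of names each time the machine reconnects) can be picked out mechanically rather than by eye. The following Python is an added example for this thread, not code from the forum, from HijackThis or from KRC HijackThis Analyzer: it parses the registry O4 lines of a HijackThis log, flags bare-filename autoruns that are registered under more than one key (or under RunServices at all), and diffs two scans so that the entries which came back after reconnecting stand out. The sample logs are constructed from the entries pasted in this thread; the function names and the heuristic are my own.

```python
"""Triage helpers for HijackThis O4 (autorun) entries.

Added example for this thread; not code from the forum, HijackThis or
KRC HijackThis Analyzer. Function names and the heuristic are my own.
"""
import re
from collections import defaultdict

# Registry-backed O4 lines look like:
#   O4 - HKLM\..\RunServices: [Real One Player] realone.exe
# (Startup-folder O4 lines use a different shape and are left alone here.)
O4_REG = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$')


def exe_name(cmd):
    """Lower-cased basename of the program in an autorun command, arguments dropped."""
    parts = cmd.rsplit("\\", 1)[-1].split()
    return parts[0].lower() if parts else ""


def parse_o4(log_text):
    """Return one dict per registry O4 line found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_REG.match(line.strip())
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        entries.append({
            "hive": hive, "key": key, "name": name, "command": cmd,
            "exe": exe_name(cmd),
            # No drive letter and no directory: the loader finds the file via
            # the search path, which is how every bot entry in the thread was written.
            "bare": ":" not in cmd and "\\" not in cmd,
        })
    return entries


def suspect_autoruns(entries):
    """Bare-filename programs registered under several keys, or under RunServices.

    Legitimate software normally registers once, with a full path. The bot
    entries in the thread register the same bare name under HKLM Run, HKLM
    RunServices and HKCU Run. RunServices is only honoured by Windows 9x/Me,
    so on Windows 2000 anything living there was planted by code that did not
    know or care which Windows it landed on.
    """
    keys_by_exe = defaultdict(set)
    for e in entries:
        if e["bare"]:
            keys_by_exe[e["exe"]].add((e["hive"], e["key"]))
    return sorted(exe for exe, keys in keys_by_exe.items()
                  if len(keys) > 1 or ("HKLM", "RunServices") in keys)


def diff_scans(old_text, new_text):
    """(appeared, disappeared) registry autoruns between two HijackThis logs."""
    old = {(e["hive"], e["key"], e["exe"]) for e in parse_o4(old_text)}
    new = {(e["hive"], e["key"], e["exe"]) for e in parse_o4(new_text)}
    return sorted(new - old), sorted(old - new)


# Constructed samples modelled on the O4 lines pasted in this thread: one
# scan from before the clean-up and one from after reconnecting to broadband.
SCAN_BEFORE = r"""
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINNT\system32\defragfatx.exe
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [Update Microsoft System] updsrv.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [Update Microsoft System] updsrv.exe
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

SCAN_AFTER = r"""
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [Calc Microsoft Windows] wincalc.exe
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - HKCU\..\Run: [Calc Microsoft Windows] wincalc.exe
"""

if __name__ == "__main__":
    for label, text in (("before", SCAN_BEFORE), ("after", SCAN_AFTER)):
        print(f"{label}: suspect autoruns -> {suspect_autoruns(parse_o4(text))}")
    appeared, gone = diff_scans(SCAN_BEFORE, SCAN_AFTER)
    print("appeared since last scan:", appeared)
    print("gone since last scan:", gone)
```

The heuristic is deliberately narrow: atiptaxx.exe is also a bare name, but it is registered once under HKLM Run only, so it is not reported, while defragfatx.exe was registered with a full path and is not caught by this rule at all; in the thread that file was identified from the TDS-3 trace (RAT.Domwis) rather than from the shape of its autorun entry. The diff is the part a helper actually wants between two posts: it answers "what came back, and what is new" without rereading the whole log.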
 
#16 ·
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Get the updated AVG program at Grisoft. Install it and make sure to check for updates. Run a scan.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINNT\System32\realone.exe
C:\WINNT\System32\wincalc.exe
C:\WINNT\System32\winproxy.exe
C:\WINNT\System32\dllman.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [Calc Microsoft Windows] wincalc.exe
O4 - HKLM\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [Calc Microsoft Windows] wincalc.exe
O4 - HKLM\..\RunServices: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - HKCU\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKCU\..\Run: [Calc Microsoft Windows] wincalc.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINNT\System32\realone.exe
C:\WINNT\System32\wincalc.exe
C:\WINNT\System32\winproxy.exe
C:\WINNT\System32\dllman.exe

Reboot into Normal Mode and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in Normal Mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

Run the TDS-3 scan again and post a new log.
 
#17 ·
still there

Here's the KRC results and TDS results, both run straight after reboot from Safe Mode. As with previous attempts, the log usually looks OK directly after reboot.

Regarding the AVG update, I had previously tried to install the new version but it won't run on this machine as it's Windows Server.

I've also posted the KRC results following connection to Broadband, which show realone and dllman back again plus a new entry.

I also got an AVG alert about the SdBot virus reported previously.

Thanks for your response.



====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/16/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 09:49:59, on 22/01/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\sfmprint.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\locator.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A9DCBE9-A197-40DD-B03F-7E74774B753D}: NameServer = 192.168.1.6
O23 - Service: License Logging Service - Unknown - C:\WINNT\System32\llssrv.exe (file missing)


End of KRC HijackThis Analyzer Log.
====================================================================


TDS 3 screen and log

09:50:17 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
09:50:17 [Init] Started 22-01-05 09:50:17 GMT Standard Time (UTC: 0), Internet Time @451.59
09:50:17 [Init] Loading TDS-3 Systems ...
09:50:17 [Init] Token successfully adjusted.
09:50:17 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
09:50:18 [Init] • Plugins : OK. Loaded 13
09:50:18 [Init] • Exec Protection : Not Installed
09:50:18 [Init] WARNING: Your Radius.TD3 database needs to be updated!
09:50:18 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
09:50:18 [Init] Licensed users can use the Update facility from the TDS menu
09:50:18 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
09:50:26 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
09:50:26 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
09:50:26 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
09:50:26 [Init] TDS-3 Ready. <Administrator@192.168.1.6, 127.0.0.1 - United Kingdom>
09:50:26 [Tip Of The Day] Ever wanted to know what your IRC client and IRC server were saying to each other? You can view, analyse, and even inject data into almost any TCP Client/Server combination using the Traffic Bridge utility.
09:50:26 [TDS] Good morning Administrator.
09:50:31 [Mutex Memory Scan] Started...
09:50:32 [Mutex Memory Scan] Finished (no trojan mutexes found).
09:50:32 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
09:50:39 [CRC32] Started - verifying 29 files ...
09:50:40 [CRC32] File doesn't exist: C:\autoexec.bat
09:50:46 [CRC32] Test finished.
09:53:41 [Memory Scan] Memory scan started, please wait a moment ...
09:53:42 [Memory Scan] Memory scan complete.
09:53:42 [Mutex Memory Scan] Started...
09:53:44 [Mutex Memory Scan] Finished (no trojan mutexes found).
09:53:44 [Trace Scan] Started...
09:53:57 [Trace Scan] Finished.
09:53:57 [ServiceScan] Scanning for services and drivers ...
09:54:02 [ServiceScan] Scanned 294 services and drivers.
09:54:02 [File Scan] Scanning in A:\ ...
09:54:03 [File Scan] Scanned 0 files: 0 alarms in 1.019531 seconds (Avg 1. files/sec)
09:54:04 [File Scan] Scanning in C:\ ...
10:40:29 [File Scan] Scanned 34851 files: 4 alarms in 2785.758 seconds (Avg 13.51 files/sec)
10:40:29 [File Scan] Scanning in D:\ ...
10:40:29 [File Scan] Scanned 0 files: 4 alarms in 0.0625 seconds (Avg 1. files/sec)
10:40:29 [File Scan] Scanning in E:\ ...
10:40:29 [File Scan] Scanned 0 files: 4 alarms in 0 seconds (Avg -1.#IND files/sec)
10:40:29 [Scan] Finished.
10:47:59 [Text Dump] Saved to C:\Program Files\TDS3\scandump.txt


Scan Control Dumped @ 10:47:59 22-01-05
Suspicious Filename: Dual extensions
File: c:\documents and settings\administrator\my documents\karen work\lisa gajjudhur one to one 23.8.04..doc

Suspicious Filename: Dual extensions
File: c:\elveys\software downloads\setupdvddecrypter_3.2.0.0.exe

Suspicious Filename: Dual extensions
File: c:\elveys\software downloads\setupdvddecrypter_3.2.2.0.exe

Suspicious Filename: Dual extensions
File: c:\elveys\software downloads\setupdvddecrypter_3.5.1.0.exe


KRC results after connection to broadband

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/16/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 11:29:30, on 22/01/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\sfmprint.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\locator.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\WINNT\System32\mswinsck32.exe
C:\WINNT\System32\realone.exe
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\WINNT\System32\dllman.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [Winsock32] mswinsck32.exe
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\RunServices: [Winsock32] mswinsck32.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3800D619-E545-4757-9DD2-46272BAEF1DE}: NameServer = 194.74.65.69 194.72.9.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A9DCBE9-A197-40DD-B03F-7E74774B753D}: NameServer = 192.168.1.6
O23 - Service: License Logging Service - Unknown - C:\WINNT\System32\llssrv.exe (file missing)


End of KRC HijackThis Analyzer Log.
====================================================================
 
#18 ·
Disable/close SpywareGuard now.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Download KillBox (http://www.greyknight17.com/spy/KillBox.exe). Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Replace on Reboot' and check the box underneath that. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into the top line (hitting the X button for each file - choose NO when it asks if you want to reboot until you get to the last file to delete):

C:\WINNT\System32\mswinsck32.exe
C:\WINNT\System32\realone.exe
C:\WINNT\System32\dllman.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [Winsock32] mswinsck32.exe
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\RunServices: [Winsock32] mswinsck32.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O4 - HKCU\..\Run: [Real One Player] realone.exe

Restart and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
 
#19 · (Edited)
Progress????

Hi there, thanks for the last post, hopefully things may be on the up!

Followed the last set of instructions. This time on reboot things seem better and I've been online without the usual suspects reappearing. Any idea why it might be different this time? The only thing I've done differently to previous attempts was remove Spyware Guard.

The latest KRC results are below. sqlserver.exe seems to have appeared, so I'm not sure if this should be removed as well? In terms of the machine, speed seems like it's back to normal; previously the CPU usage was showing as 100% a lot of the time when it was freezing.

I still have some strange things going on with the view of the WINNT folder showing as empty although settings are set to show hidden files etc., also the previous message (not enough memory) when trying to send mail. Also unable to disconnect the dial-up connection or open any desktop icons that are for dial-ups opened via Start/Settings/Network and Dial-up Connections. Are these likely to be related to the other problems?

Thanks again for your continuing help.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/16/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 20:54:09, on 23/01/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\sfmprint.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\locator.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] sqlserver.exe
O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] sqlserver.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3800D619-E545-4757-9DD2-46272BAEF1DE}: NameServer = 194.74.65.69 194.72.9.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A9DCBE9-A197-40DD-B03F-7E74774B753D}: NameServer = 192.168.1.6
O23 - Service: License Logging Service - Unknown - C:\WINNT\System32\llssrv.exe (file missing)


End of KRC HijackThis Analyzer Log.
==================================================================

I rebooted again after the last post to check if there were any further problems. I connected to broadband and then checked if I could disconnect, which it did, although I got a message that Windows couldn't dial up the server and an IP address.

I checked the processes running and realone was back in the list. Ran HJT and it's also back there as well. Machine also slow opening applications and AVG SDBot virus alerts appearing.
 
#20 ·
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Download Hoster (http://www.greyknight17.com/spy/Hoster.exe) and run it. Choose the 'Restore Original Hosts' button and press OK.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] sqlserver.exe
O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] sqlserver.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

sqlserver.exe

Reboot into Normal Mode and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
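The two fix lists in this thread (the bare-filename Run/RunServices values in post #18 and the hosts-file override plus sqlserver.exe in post #20) are patterns a script can pull out of a HijackThis log before anyone reads it by hand. The following is an added example, not code from HijackThis, the KRC Analyzer or anyone in the thread. It parses O1 and O4 lines (the sample log is constructed from the entries quoted above, with the legitimate full-path AVG entry kept for contrast) and flags three things: an autorun value whose command is a bare filename with no directory, the same value planted under both Run and RunServices, and a hosts entry that points a hostname somewhere other than loopback. The function and class names (`triage`, `Finding`, `executable_of`) are the example's own.

```python
"""Triage of HijackThis O1/O4 log lines for the persistence patterns in this thread.

Added example, not code from HijackThis, the KRC Analyzer or the thread's
participants. Rules implemented:
  bare-filename        an autorun value whose command has no directory, so
                       Windows resolves it through its search path
  run-and-runservices  the same value planted under both Run and RunServices
  hosts-override       a hosts entry pointing a hostname away from loopback
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: entries copied from the logs quoted in the thread, plus
# the legitimate full-path AVG entry for contrast.
SAMPLE_LOG = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Winsock32] mswinsck32.exe
O4 - HKLM\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [Windows Online Updater] dllman.exe
O4 - HKLM\..\RunServices: [Winsock32] mswinsck32.exe
O4 - HKLM\..\RunServices: [Real One Player] realone.exe
O4 - HKLM\..\RunServices: [Windows Online Updater] dllman.exe
O4 - HKCU\..\Run: [Real One Player] realone.exe
O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] sqlserver.exe
O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] sqlserver.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
"""

# "O4 - HKLM\..\Run: [Value Name] command line"; Global Startup and other
# non-registry O4 forms do not match and are skipped.
O4_REG = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run[A-Za-z]*): \[([^\]]*)\] (.*)$")
# "O1 - Hosts: <address> <hostname>"
O1_HOSTS = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")

LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class Finding:
    rule: str      # which of the three rules fired
    subject: str   # executable name or hostname the rule is about
    line: str      # the log line that triggered it


def executable_of(command: str) -> str:
    """First token of an autorun command: the quoted path if quoted, else up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_bare_filename(exe: str) -> bool:
    """True when no directory or drive is given, so the loader searches for the file."""
    return "\\" not in exe and "/" not in exe and ":" not in exe


def triage(log_text: str) -> list:
    """Return one Finding per rule hit over the O1/O4 lines of a HijackThis log."""
    findings = []
    keys_by_value = defaultdict(set)   # (value name, exe) -> {"Run", "RunServices", ...}
    first_line = {}                    # (value name, exe) -> first log line seen
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O1_HOSTS.match(line)
        if m:
            ip, host = m.groups()
            if ip not in LOOPBACK and host.lower() != "localhost":
                findings.append(Finding("hosts-override", host, line))
            continue
        m = O4_REG.match(line)
        if not m:
            continue
        _hive, key, name, command = m.groups()
        exe = executable_of(command)
        if is_bare_filename(exe):
            findings.append(Finding("bare-filename", exe, line))
        ident = (name, exe)
        keys_by_value[ident].add(key)
        first_line.setdefault(ident, line)
    # Second pass: a value registered under both Run and RunServices (any hive).
    for (name, exe), keys in keys_by_value.items():
        if "Run" in keys and "RunServices" in keys:
            findings.append(Finding("run-and-runservices", exe, first_line[(name, exe)]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:22} {f.subject:24} {f.line}")
```

Run against the constructed sample, every one of mswinsck32.exe, realone.exe, dllman.exe and sqlserver.exe trips both autorun rules and the AVG entry trips neither; the www.dcsresearch.com line is the only hosts hit. A bare filename on its own is a lead rather than proof (some legitimate installers also register bare names), so the next step is the one the thread takes: locate the file on disk and check what it is, not just what the value says.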
 
#21 ·
Could this be it?

Hi there, thanks for the reply.

I've done as suggested, but since the previous post I had also had several of the others show up again. I got rid of them following the previous instructions, but I also re-installed Zone Alarms, which I had removed last week as it was blocking my other machines from accessing the internet. The combination seems to be working and the firewall is blocking access to and from the IP addresses used by realone and sqlserver. I also did an online scan at Panda which disinfected 28 files.

Here's the KRC results and this also after I have been connected and browsing without any apparent problems:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/16/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 23:53:45, on 23/01/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\sfmprint.exe
C:\WINNT\System32\rsvp.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\wins.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\locator.exe
C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\Citrix\ICA Client\pnagent.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Program Neighborhood Agent.lnk = C:\Program Files\Citrix\ICA Client\pnagent.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3800D619-E545-4757-9DD2-46272BAEF1DE}: NameServer = 194.74.65.69 194.72.9.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{9A9DCBE9-A197-40DD-B03F-7E74774B753D}: NameServer = 192.168.1.6
O23 - Service: License Logging Service - Unknown - C:\WINNT\System32\llssrv.exe (file missing)


End of KRC HijackThis Analyzer Log.
=====================================================
 