Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
02-22-2005, 12:27 PM   #1
AJJ (Registered User)

Few problems with my PC?

Just a few probs, wonder whether anyone can help?

1. On start-up the computer says it is locked (classic logon prompt) and asks for a username and password. No password is needed for any of the users, and the usernames are the same as they were in the friendlier format (welcome screen). When going into the Control Panel it shows that I'm using the welcome screen, when it appears not so.

2. Log on to any user and an error message shows, along with that infamous sound.

It says:

“Ctfmon.exe” - bad image

The application or Dll C:\windows\system32\oleacc.dll is not a valid windows image please check this against your installation diskette

(?)

3. Another very suspicious symptom: in the Control Panel, clicking on Add or Remove Programs does nothing. Something isn't right.

I have also been having some problems with the dial-up Internet connection and can only access it from one user; when tried from another user an error message shows (error 619).

Can anyone help?

Thanks, AJ
02-22-2005, 02:33 PM   #2
Fxcapt (Takin' It All In At TSF!)
Check here. I think you may have the worm version, definitely corrupted ctfmon. http://www.neuber.com/taskmanager/pr...tfmon.exe.html
02-22-2005, 02:34 PM   #3
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
Can you pinpoint an event just prior to these problems occurring? Any new programs or hardware installed, something downloaded, perhaps?

Let's see what is running on your computer. Please download HijackThis - this program will help us determine if there is any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it in the forum. We do not need the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis, since the entries may be harmless.

Please post your log in a new thread in the HijackThis Log Help forum. This is our dedicated spyware/virus forum. One of the expert analysts there will look over your log and assist you. Please include a brief description of the problem you are having and what you have done to fix it so far.

This may not solve all the issues, but will help to eliminate some if present.
02-23-2005, 12:43 AM   #4
AJJ (Registered User)
Thanks, I'll post it on that forum as soon as I can.

AJ
02-24-2005, 12:51 AM   #5
AJJ (Registered User)
Posted it under HJT logfile.

Thanks again guys.
02-24-2005, 12:57 AM   #6
AJJ (Registered User)
HJT logfile

Read "few probs with my pc?" to get the full story.


====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 2/10/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 07:45:32, on 24/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\symcapp.exe
C:\WINDOWS\System32\bpk.exe
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\XTNDConnect Blue Manager\XCBluMgr.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\SUSHIM~1.EXE
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\btprot.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\BTUI_M~1.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O4 - HKLM\..\Run: [Services] C:\WINDOWS\symcapp.exe
O4 - Global Startup: Startup.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29aec71f...p/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {C9147000-17E4-41E8-9089-A2A67DBCA22D} (IEUpdateOSR2 Control with Key) - https://client.virgin.net/assets/update.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97A1D1EF-187B-4BCE-9A2B-2F4D5CDB2B07}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe


End of KRC HijackThis Analyzer Log.
====================================================================
02-24-2005, 01:31 AM   #7
Pancake (Security Team (ret.))
Hi and Welcome
It may help you if you print out or copy this page for easy reference. Make sure to work through the fixes in the exact order they are listed. If you don't understand, please ask before proceeding with the fixes.

Please keep your browser and all open programs closed (except firewalls and antivirus) when you are carrying out the fixes.

Turn off System Restore instructions (WinXP)
Rightclick My Computer | Properties | System Restore | check “Turn off System Restore”, <Apply>, <OK>. Reboot. When we have confirmed that your log file is clean, you may re-enable System Restore and create a new restore point.

SHOW HIDDEN FILES AND FOLDERS.
To show hidden files instructions (WinXP)
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
------------------------------------------------------------------

Download and run Ad-Aware and Spybot (check for updates) for a preliminary cleanup first. Some files below may not be present after running the above programs. Full instructions below.


How to setup Ad-Aware
Download Ad-Aware SE build 1.05

If you have a previous version of AdAware installed, you will be prompted to uninstall or keep the older version during installation. Be sure to choose Uninstall The Previous Version. Save aawsepersonal.exe into its own directory, NOT in a TEMPorary folder or on the Desktop. I recommend c:/program files/Adaware/
Doubleclick aawsepersonal.exe. Make sure to direct the program to install in the c:/program files/adaware/ directory, NOT the default directory.
Open AdAware from Start | Programs | Lavasoft | AdAware.
Select <Check for updates now>, <Proceed>
After installation, run the program and click the Start button. Then click the Next button. This lets Ad-Aware scan your computer.
After Ad-Aware is done running, hit the Next button. Then right click the area with the listed spyware objects. Choose the "Select all objects" option.
At this point all the boxes next to the items should be checked. Then hit the Next button.
It will ask if you want to delete the selected objects. Hit the OK button.
Now most of the spyware should have been deleted from your hard drive.

----------------------------------------------------------------------

How to setup Spybot Search & Destroy
Download Spybot

Save spybotsd13.exe into its own directory, NOT in a TEMPorary folder or on the Desktop.
I recommend c:/program files/spybot/
Doubleclick spybotsd13.exe. Make sure to direct the program to install in the c:/program files/spybot/ directory, NOT the default directory.
Open Spybot from Start | Programs | Spybot | Spybot S&D
Select <Search for Updates>. Let it install all updates. This is very important!
Select <Immunize>
Select <Check for Problems>
Check all entries that are in RED. Only RED, NOTHING ELSE. For your records, write/print out each item that you have fixed. Date it.
Select <Fix Selected Problems>
Close Spybot

------------------------------------------------------

Files highlighted in BLACK will need to be removed from your hard drive.

------------------------------------------------------------------

Please start by putting HJT in SAFE MODE. During reboot, tap the F8 key. Select Safe Mode
------------------------------------------------------------------

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed.

bpk.exe
symcapp.exe

-------------------------------------------------------------------
Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [Services] C:\WINDOWS\symcapp.exe
O4 - Global Startup: Startup.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_44.cab
O16 - DPF: {C9147000-17E4-41E8-9089-A2A67DBCA22D} (IEUpdateOSR2 Control with Key) - https://client.virgin.net/assets/update.cab

------------------------------------------------------------------

Open Windows Explorer and delete the following highlighted file/s (or delete the whole (Red) folder if listed).

C:\WINDOWS\System32\bpk.exe
C:\WINDOWS\symcapp.exe


-------------------------------------------------------------------
Check that you have carried out all the above steps/fixes and then reboot into Normal Mode and download Cleanup. This will clean out your temporary files.

When finished, please post a new log.
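The log reading that tetonbob asks for and the fix list Pancake builds from it are mechanical enough to script. The block below is an added example (my code, not from the thread or from HijackThis): it parses the thread's own "before" and "after" HJT excerpts, buckets the entry shapes an analyst looks at first (orphaned targets, Run entries launching straight from the Windows root, startup items with no path, the configured DNS servers), and checks which items actually disappeared between the two scans. The buckets are review prompts, not verdicts; a real run would replace the embedded strings with the two log files.

```python
"""Triage helpers for HijackThis v1.99 logs (added example, not thread/HJT code).
The log excerpts are copied from the thread's "before" and "after" scans."""
import re
from typing import Dict, List, Set, Tuple

# A finding line: "O4 - HKLM\..\Run: [Services] C:\WINDOWS\symcapp.exe"
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# An executable placed directly in the Windows root (no subfolder), quoted or not
WINROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\WINDOWS\\[^\\"\s]+\.exe', re.IGNORECASE)

BEFORE = r"""Running processes:
C:\WINDOWS\symcapp.exe
C:\WINDOWS\System32\bpk.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Services] C:\WINDOWS\symcapp.exe
O4 - Global Startup: Startup.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O16 - DPF: {C9147000-17E4-41E8-9089-A2A67DBCA22D} (IEUpdateOSR2 Control with Key) - https://client.virgin.net/assets/update.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97A1D1EF-187B-4BCE-9A2B-2F4D5CDB2B07}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

AFTER = r"""Running processes:
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
O17 - HKLM\System\CCS\Services\Tcpip\..\{97A1D1EF-187B-4BCE-9A2B-2F4D5CDB2B07}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

def parse_log(text: str) -> Tuple[List[str], Dict[str, str]]:
    """Split a log into running-process paths and {entry line: HJT code}."""
    processes: List[str] = []
    entries: Dict[str, str] = {}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # first Rn/Fn/Nn/On line ends the process list
            entries[line] = m.group("code")
        elif in_procs:
            processes.append(line)
    return processes, entries

def autostart_command(body: str) -> str:
    r"""Command launched by an O4 body: 'HKLM\..\Run: [Name] cmd' or 'Global Startup: file'."""
    if "] " in body:
        return body.split("] ", 1)[1]
    return body.split(": ", 1)[1] if ": " in body else body

def triage(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket entries by the heuristics an analyst applies before deciding what to fix."""
    found: Dict[str, List[str]] = {
        "orphaned": [],               # target file gone: stale or half-removed item
        "winroot_autostart": [],      # Run entry launching an exe straight from C:\WINDOWS
        "unqualified_autostart": [],  # startup item carrying no path at all
        "nameservers": [],            # DNS servers to compare with the ISP's known resolvers
    }
    for line, code in entries.items():
        body = line.split(" - ", 1)[1]
        if "(no file)" in body or "(file missing)" in body:
            found["orphaned"].append(line)
        if code == "O4":
            cmd = autostart_command(body)
            if WINROOT_EXE_RE.match(cmd):
                found["winroot_autostart"].append(line)
            elif "\\" not in cmd:
                found["unqualified_autostart"].append(line)
        elif code == "O17" and "NameServer = " in body:
            found["nameservers"].extend(body.split("NameServer = ", 1)[1].split())
    return found

def compare_logs(before: str, after: str) -> Tuple[Set[str], Set[str]]:
    """(removed, added) processes and entries between two scans: every item on the
    fix list must show up in 'removed' before the second log is called clean."""
    pb, eb = parse_log(before)
    pa, ea = parse_log(after)
    old, new = set(pb) | set(eb), set(pa) | set(ea)
    return old - new, new - old

if __name__ == "__main__":
    _, before_entries = parse_log(BEFORE)
    for bucket, lines in triage(before_entries).items():
        print(bucket, lines)
    gone, new = compare_logs(BEFORE, AFTER)
    print("removed:", sorted(gone), "\nadded:", sorted(new))
```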
02-24-2005, 05:30 AM   #8
AJJ (Registered User)
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 2/10/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 11:40:44, on 24/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/29aec71f...p/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97A1D1EF-187B-4BCE-9A2B-2F4D5CDB2B07}: NameServer = 194.168.4.100 194.168.8.100
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe


End of KRC HijackThis Analyzer Log.
====================================================================

I did it but nothing's changed. That error warning still comes up when I start Windows, and my Add and Remove icon has disappeared completely. I also still have trouble with my internet connection and have to connect on one user and swap back to mine with it still active.
02-24-2005, 06:33 AM   #9
greyknight17 (Analyst, Security Team)
Do the following now:

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.
02-24-2005, 09:07 AM   #10
AJJ (Registered User)
Here it is


StartDreck (build 2.1.7 public stable) - 2005-02-24 @ 16:05:27 (GMT +00:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as AJ at AJ-7XIGP68ONHZM

»Registry
»Run Keys
»Current User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\ctfmon.exe
*NvMediaCenter=RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
»RunOnce
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
»RunOnce
»Local Machine
»Run
*UpdReg=C:\WINDOWS\UpdReg.EXE
*SCANINICIO="C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
*APVXDWIN="C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
*NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
*nwiz=nwiz.exe /install
*NvMediaCenter=RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
*BTUSRBDG=BtUsrBdg.exe
*BTSETBOOTKEY=BTSetBootKey.exe
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile="C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"
+.jse
*JSEFile=C:\PROGRA~1\PANDAS~1\PANDAA~1\pavscrip.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\PROGRA~1\PANDAS~1\PANDAA~1\pavscrip.exe "%1" %*
+.vbe
*VBEFile=C:\PROGRA~1\PANDAS~1\PANDAA~1\pavscrip.exe "%1" %*
+.wsh
*WSHFile=C:\PROGRA~1\PANDAS~1\PANDAA~1\pavscrip.exe "%1" %*
+.wsf
*WSFFile=C:\PROGRA~1\PANDAS~1\PANDAA~1\pavscrip.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Microsoft Windows Media Player 6.4/{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mswmp.inf,PerUserStub
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Windows Messenger/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
+Microsoft Windows Media Player 8/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
»Browser Helper Objects (LM)
*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
`InprocServer32=c:\program files\google\googletoolbar2.dll
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\System32\blank.htm
*Search Bar=http://g.msn.com/0SEENUS/SAOS01
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.google.com/
+SearchUrl
*provider=MSN
*=http://home.microsoft.com/access/autosearch.asp?p=%s
»Default User
»Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=%SystemRoot%\system32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
*CustomizeSearch=http://ie.search.msn.com/en-us/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/en-us/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\AJ\Start Menu\Programs\Startup\desktop.ini
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
`multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*C:\WINDOWS\System32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
*C:\WINDOWS\System32\drivers\etc\hosts
`127.0.0.1 localhost
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\System32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\WINDOWS\System32\notepad.exe
*C:\WINDOWS\NOTEPAD.EXE
+C:\WINDOWS\System32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\System32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
»System/Drivers
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User
02-25-2005, 05:51 AM   #11
CTSNKY (Knower of all that is MS)
Download WinsockFix and unzip it. Then double-click on it to run it.

Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies.
02-25-2005, 10:42 AM   #12
AJJ (Registered User)
Here's the log


16:40:57 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
16:40:57 [Init] Started 25-02-05 16:40:57 GMT Standard Time (UTC: 0), Internet Time @736.77
16:40:57 [Init] Loading TDS-3 Systems ...
16:40:57 [Init] Token successfully adjusted.
16:40:57 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
16:40:57 [Init] • Plugins : OK. Loaded 13
16:40:57 [Init] • Exec Protection : Not Installed
16:40:57 [Init] WARNING: Your Radius.TD3 database needs to be updated!
16:40:57 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
16:40:57 [Init] Licensed users can use the Update facility from the TDS menu
16:40:57 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
16:41:02 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
16:41:03 [Init] • Systems Initialised [39471 references - 16560 primaries/10873 traces/12038 variants/other]
16:41:03 [Init] Radius Systems loaded. <Databases updated 14-10-2004>
16:41:03 [Init] TDS-3 Ready. <Aj@82.2.64.1, 127.0.0.1 - United Kingdom>
16:41:03 [Tip Of The Day] If you regularly query certain computers, add them to the default Target Host list by clicking System Analysis | View File | Default Target Host List
16:41:03 [TDS] Good afternoon Aj.
16:41:05 [Mutex Memory Scan] Started...
16:41:07 [Mutex Memory Scan] Finished (no trojan mutexes found).
16:41:07 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
16:54:01 [Quit] Unloading ...
16:54:08 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
16:54:08 [Init] Started 25-02-05 16:54:08 GMT Standard Time (UTC: 0), Internet Time @745.93
16:54:08 [Init] Loading TDS-3 Systems ...
16:54:08 [Init] Token successfully adjusted.
16:54:08 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
16:54:08 [Init] • Plugins : OK. Loaded 13
16:54:08 [Init] • Exec Protection : Not Installed
16:54:08 [Init] WARNING: Your Radius.TD3 database needs to be updated!
16:54:08 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
16:54:08 [Init] Licensed users can use the Update facility from the TDS menu
16:54:09 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
16:54:14 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
16:54:14 [Init] • Systems Initialised [48064 references - 23734 primaries/12168 traces/12162 variants/other]
16:54:14 [Init] Radius Systems loaded. <Databases updated 25-02-2005>
16:54:14 [Init] TDS-3 Ready. <Aj@82.2.64.1, 127.0.0.1 - United Kingdom>
16:54:14 [Tip Of The Day] Can't remember the port that a particular service uses? Or perhaps you can't remember the service that a particular port uses? Try the Port Reference and Reverse Port Reference utilities - available in the Utilities menu!
16:54:14 [TDS] Good afternoon Aj.
16:54:17 [Mutex Memory Scan] Started...
16:54:19 [Mutex Memory Scan] Finished (no trojan mutexes found).
16:54:19 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
16:54:48 [CRC32] Started - verifying 29 files ...
16:54:52 [CRC32] Test finished.
16:55:38 [Memory Scan] Memory scan started, please wait a moment ...
16:55:38 [Memory Scan] Memory scan complete.
16:55:38 [Mutex Memory Scan] Started...
16:55:40 [Mutex Memory Scan] Finished (no trojan mutexes found).
16:55:40 [Trace Scan] Started...
16:55:46 [Trace Scan] Finished.
16:55:46 [Service\Driver Scan] Scanning for services and drivers ...
16:55:49 [Service\Driver Scan] Scanned 290 services and drivers.
16:55:49 [File Scan] Scanning in A:\ ...
16:55:50 [File Scan] Scanned 0 files: 0 alarms in 1.0625 seconds (Avg 1. files/sec)
16:55:50 [File Scan] Scanning in C:\ ...
17:35:11 [File Scan] Scanned 63894 files: 8 alarms in 2360.734 seconds (Avg 28.07 files/sec)
17:35:11 [File Scan] Scanning in D:\ ...
17:35:11 [File Scan] Scanned 0 files: 8 alarms in 0 seconds (Avg -1.#IND files/sec)
17:35:11 [Scan] Finished.


And here's the alarm section
Scan Control Dumped @ 17:40:26 25-02-05
Suspicious Filename: Dual extensions
File: c:\documents and settings\aj\desktop\battlefield_1942_incremental_patch_v1.6_to_v1.61b.exe

Positive identification: Adware.Winad.a
File: c:\program files\winad client\winclt.exe

Positive identification: Adware.Apropos.b1
File: c:\windows\cxtpls_loader.exe

Positive identification (DLL): Keylog.Perfect 1.5.3.6 (dll)
File: c:\windows\system32\bpkhk.dll

Positive identification: TrojanDownloader.Win32.Agent.fz1
File: c:\windows\system32\bpkr.exe

Positive identification: TrojanDownloader.Win32.Agent.fz1
File: c:\windows\system32\rinst.exe
Old 02-25-2005, 11:29 AM   #13 (permalink)
greyknight17
Analyst, Security Team
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro


Is that all the alarms found? There should be 8 there.

Uninstall WinAd Client via the Add/Remove Panel

Download KillBox (http://www.greyknight17.com/spy/KillBox.exe). Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

c:\program files\winad client\
c:\windows\cxtpls_loader.exe
c:\windows\system32\bpkhk.dll
c:\windows\system32\bpkr.exe
c:\windows\system32\rinst.exe

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link doesn't work) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.

Restart. Any problems now?
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

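The alarm dump AJJ pasted uses a simple two-line record format (a verdict line, then a `File:` line), and greyknight17's count check (8 alarms reported by the scan, 6 listed in the dump) can be done mechanically. This is an added example, not code from the thread or from TDS-3 itself; the sample input below is constructed from the lines posted above.

```python
import re
# Constructed sample input in the shape the thread shows: TDS-3 [File Scan]
# summary lines, then the "Scan Control" alarm dump with the paths it lists.
SCAN_LOG = (
    "17:35:11 [File Scan] Scanned 63894 files: 8 alarms in 2360.734 seconds (Avg 28.07 files/sec)\n"
    "17:35:11 [File Scan] Scanned 0 files: 8 alarms in 0 seconds (Avg -1.#IND files/sec)\n"
)
ALARM_DUMP = r"""Scan Control Dumped @ 17:40:26 25-02-05
Suspicious Filename: Dual extensions
File: c:\documents and settings\aj\desktop\battlefield_1942_incremental_patch_v1.6_to_v1.61b.exe
Positive identification: Adware.Winad.a
File: c:\program files\winad client\winclt.exe
Positive identification: Adware.Apropos.b1
File: c:\windows\cxtpls_loader.exe
Positive identification (DLL): Keylog.Perfect 1.5.3.6 (dll)
File: c:\windows\system32\bpkhk.dll
Positive identification: TrojanDownloader.Win32.Agent.fz1
File: c:\windows\system32\bpkr.exe
Positive identification: TrojanDownloader.Win32.Agent.fz1
File: c:\windows\system32\rinst.exe
"""

# A dump record is a verdict line ("Positive identification" = signature hit,
# "Suspicious Filename" = heuristic) followed by a "File:" line.
_VERDICT = re.compile(r"^(Positive identification|Suspicious Filename)(?: \(DLL\))?: (.+)$")

def parse_alarm_dump(text: str) -> list[tuple[str, str, str]]:
    """Return (kind, detail, path) triples, paths lower-cased for comparison."""
    alarms, pending = [], None
    for line in text.splitlines():
        m = _VERDICT.match(line.strip())
        if m:
            pending = (m.group(1), m.group(2))
        elif line.startswith("File:") and pending:
            alarms.append((pending[0], pending[1], line[5:].strip().lower()))
            pending = None
    return alarms

def reported_alarm_count(scan_log: str) -> int:
    """The alarm counter is cumulative across drives, so the last figure is the total."""
    counts = re.findall(r"Scanned \d+ files: (\d+) alarms", scan_log)
    return int(counts[-1]) if counts else 0

def reconcile(scan_log: str, dump: str) -> dict:
    """Check the pasted dump against the alarm count the scan summary claimed."""
    alarms = parse_alarm_dump(dump)
    reported = reported_alarm_count(scan_log)
    return {"reported": reported, "listed": len(alarms), "unaccounted": reported - len(alarms),
            "signature_hits": sorted(p for k, _, p in alarms if k == "Positive identification")}
```

On the thread's input this reports 8 alarms claimed against 6 listed, i.e. 2 unaccounted for, which is the discrepancy greyknight17 asks about.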
Old 02-26-2005, 05:02 AM   #14 (permalink)
AJJ
Registered User
 
Join Date: Feb 2005
Posts: 9
OS: XP


No, nothing has changed yet. I still get that error message, and I couldn't uninstall the WinAd program because I don't have Add or Remove Programs anymore, and when I did it still wouldn't go through to it. Might the ctfmon.exe have anything to do with it?

Someone said it might have been the worm version?

Thanks

AJ

Last edited by AJJ; 02-26-2005 at 05:11 AM.
Old 02-26-2005, 03:35 PM   #15 (permalink)
CTSNKY
Knower of all that is MS
 
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro


You should be able to get to Add/Remove Programs by typing this command into Start/Run: appwiz.cpl

Quote:
ctfmon.exe is a part of the Microsoft Office suite. It activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office XP Language Bar. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.
You can fix that entry in HJT, but I would not delete the file just yet.
__________________


GO BIG BLUE!!
Old 03-06-2005, 12:12 AM   #16 (permalink)
AJJ
Registered User
 
Join Date: Feb 2005
Posts: 9
OS: XP


Sorry for not responding, updating to broadband (finally).
When I type appwiz.cpl into the Run bar nothing happens, and it still isn't in my Control Panel?
Old 03-06-2005, 10:13 AM   #17 (permalink)
greyknight17
Analyst, Security Team
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro


That file is probably ok to keep since none of the virus/trojan scanners are picking it up.

Go to Start->Run and type in sfc /scannow and hit OK. Let it run and see if it finds any missing/corrupted files.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
