#1
Registered User
Join Date: Apr 2005
Posts: 22
OS: XP Pro
Besides these two, I also seem to have Elite toolbar and Sasser last night as well....
I have done Spybot and Adaware. Adaware is coming up clean; Spybot cannot seem to finish quarantining the files found above. I am on a different machine currently as my IE cannot work. I'm not even running IE and I'm getting popups; sounds like Elite is back ARRRRGHHHH. Please review the HJT log and give me some help pleeeeaaase. I'm in China on business and the laptop is my only link to work etc....

Logfile of HijackThis v1.99.1
Scan saved at 4:03:31 AM, on 4/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\userinit32.exe
C:\WINNT\system32\Atiptaxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINNT\explorer.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINNT\system32\cmd.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/mor...on/search.html
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://partminer.webex.com/client/v...ex/ieatgpc.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: CWShredder Service - Unknown owner - D:\CWShredder.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
#2
Analyst, Security Team
Welcome to TSF.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro-europe.com/ente...all_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them on that site. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Reboot into Safe Mode (hit the F8 key until the menu shows up). Make sure to close any open browsers.

Go to Start->Run, type in services.msc and hit OK. Then look for Remote Administrator Service (r_server) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINNT\system32\userinit32.exe

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINNT\system32\userinit32.exe - delete the file exactly as shown here
C:\WINNT\system32\r_server.exe

Reboot into Normal Mode and run a new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
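An added example (not code from the forum, from HijackThis or from the analyst) that applies the checks made in the reply above to the flat "Rn - / F2 - / O23 -" line format of an HJT log: the F2 UserInit chain, the R0/R1 search and start pages, and O23 services with no publisher or a missing binary. The EXPECTED_HOSTS allowlist is an assumption standing in for the hosts the machine's owner would confirm as their own; the sample log is constructed from entries posted in this thread.

```python
"""Triage a HijackThis v1.99 log for the entry types handled in this thread."""
import ntpath
import re
from urllib.parse import urlparse

# Constructed sample: a handful of entries copied from the log in post #1.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: CWShredder Service - Unknown owner - D:\CWShredder.exe (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
"""

# Assumption: hosts the machine's owner confirmed as their own home/search pages.
EXPECTED_HOSTS = {"start.earthlink.net", "www.earthlink.net", "www.yahoo.com"}

# Every HJT entry line starts with a section tag such as R1, F2, O4, O23.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def parse_entries(log: str):
    """Yield (section, body) for each entry line; the header and process list are skipped."""
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def check_userinit(body: str):
    """F2 UserInit: winlogon should start userinit.exe and nothing else; return the extras."""
    m = re.search(r"UserInit=(.*)", body, re.IGNORECASE)
    if not m:
        return []
    programs = [p.strip() for p in m.group(1).split(",") if p.strip()]
    # ntpath handles the Windows path form even when this runs on a non-Windows host.
    return [p for p in programs if ntpath.basename(p).lower() != "userinit.exe"]


def check_browser_setting(body: str):
    """R0/R1: return the host when the configured URL is not one the user expects."""
    if " = " not in body:
        return None
    _, url = body.split(" = ", 1)
    host = urlparse(url.strip()).hostname
    if host and host.lower() not in EXPECTED_HOSTS:
        return host
    return None


def check_service(body: str):
    """O23: flag services with no publisher or whose binary is gone."""
    if not body.startswith("Service: "):
        return None
    fields = body[len("Service: "):].split(" - ", 2)
    if len(fields) < 3:
        return None
    name, owner, image = fields
    reasons = []
    if owner.strip().lower() == "unknown owner":
        reasons.append("no publisher")
    if "(file missing)" in image:
        # A dead entry is worth removing but is not by itself proof of infection.
        reasons.append("binary missing")
    return (name, reasons) if reasons else None


def triage(log: str):
    """Return a list of (section, description) findings for the whole log."""
    findings = []
    for section, body in parse_entries(log):
        if section == "F2":
            for extra in check_userinit(body):
                findings.append((section, f"UserInit chains extra program {extra}"))
        elif section in ("R0", "R1"):
            host = check_browser_setting(body)
            if host:
                findings.append((section, f"browser setting points at unexpected host {host}"))
        elif section == "O23":
            hit = check_service(body)
            if hit:
                findings.append((section, f"service '{hit[0]}': " + ", ".join(hit[1])))
    return findings


if __name__ == "__main__":
    for section, msg in triage(SAMPLE_LOG):
        print(section, msg)
```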
#3
Registered User
Join Date: Apr 2005
Posts: 22
OS: XP Pro
Thank you for the welcome... and your time.
I have followed the instructions as best I could. Note that I could not get to UK.Trendmicro, as my IE was not working at all; it stalls out when I make a connection. I did run the virus scan, which was updated last Monday... In Safe Mode I disabled r_server. In Safe Mode I ran the HJT tool and killed userinit32.exe. I could not scan after this step, so I closed and reopened, and rechecked that the killed file was not present. I then reopened again to perform the scan and I deleted the one O23 - Service line that was present on the list below. I restarted in normal mode. I had a folder under My Docs that was not showing a name; I deleted it, but it was my Palm install folder, ???? FYI, no big deal... I rescanned and found many of the searchmiracle files (3) and marked them to be deleted.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:04:49 PM, on 4/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/mor...on/search.html
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://partminer.webex.com/client/v...ex/ieatgpc.cab
O23 - Service: CWShredder Service - Unknown owner - D:\CWShredder.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

End of KRC HijackThis Analyzer Log.
====================================================================

I hope to hear from you soon... I am on our LAN, so as to not infect it with my laptop.
#4
Registered User
Join Date: Apr 2005
Posts: 22
OS: XP Pro
Machine is still possessed....
Running explorer, an IExplorer message comes up; then I hit cancel and the machine clears the screen and my applications disappear except for explorer. I go to the task menu and kill them, and I can restart. Seems to repeat when I run the KRC analyzer program???
#6
Registered User
Join Date: Apr 2005
Posts: 22
OS: XP Pro
I have uninstalled Earthlink software....
Funny, I uninstalled in safe mode and it was still there in normal; uninstalled again, then manually restarted instead of autorestart, and now it's gone. I open explorer and I still get error messages. Ran Spybot again; it found them but cannot remove them.
#7
Analyst, Security Team
Give us these two logs:

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip. Unzip it to its own folder and start the program:
Press 'Config'
Press 'mark all'
Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'
Press 'Save' and select the location to save the log file (default is the same folder as the application)
Post the log in this thread.

Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you install it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies.
#9
Registered User
Join Date: Apr 2005
Posts: 22
OS: XP Pro
HELLO AGAIN, GOOD TOOL, IT ACTUALLY RAN UNINTERRUPTED. I WAS CONNECTED TO MY SERVER AND IT BEGAN SEARCHING THE LAN.... LOOKS LIKE I MAY NEED TO CLEAN SOME ISSUES THERE AS WELL.

22:07:25 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
22:07:25 [Init] Started 17-04-05 22:07:25 Central Standard Time (UTC: 6), Internet Time @1171.82
22:07:25 [Init] Loading TDS-3 Systems ...
22:07:25 [Init] Token successfully adjusted.
22:07:25 [Init] ?TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
22:07:26 [Init] ?Plugins : OK. Loaded 13
22:07:26 [Init] ?Exec Protection : Not Installed
22:07:26 [Init] WARNING: Your Radius.TD3 database needs to be updated!
22:07:26 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
22:07:26 [Init] Licensed users can use the Update facility from the TDS menu
22:07:27 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
22:07:49 [Init] ?Radius Advanced Specialist Extensions on standby for 13 trojan families
22:07:50 [Init] ?Systems Initialised [52414 references - 26651 primaries/13539 traces/12224 variants/other]
22:07:50 [Init] Radius Systems loaded. <Databases updated 17-04-2005>
22:07:50 [Init] TDS-3 Ready. <Rodney_miller@10.0.1.102, 127.0.0.1 - United States>
22:07:50 [Tip Of The Day] If you use mIRC, never install it into C:\mirc - always use a different name, and if possible, a different drive, as the path " & Chr$(34) & "C:\mirc" & Chr$(34) & " is hard-coded into several worms as a place to attack.
22:07:50 [TDS] Good evening Rodney_miller.
22:08:00 [Mutex Memory Scan] Started...
22:08:02 [Mutex Memory Scan] Finished (no trojan mutexes found).
22:08:02 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
22:09:43 [CRC32] Started - verifying 29 files ...
22:09:44 [CRC32] File doesn't exist: C:\autoexec.bat
22:10:00 [CRC32] Test finished.
22:12:24 [Memory Scan] Memory scan started, please wait a moment ...
22:12:25 [Memory Scan] Memory scan complete.
22:12:25 [Mutex Memory Scan] Started...
22:12:27 [Mutex Memory Scan] Finished (no trojan mutexes found).
22:12:27 [Trace Scan] Started...
22:12:53 [Trace Scan] Finished.
22:12:53 [ServiceScan] Scanning for services and drivers ...
22:13:03 [ServiceScan] Scanned 242 services and drivers.
22:13:04 [File Scan] Scanning in A:\ ...
22:13:18 [File Scan] Scanned 2 files: 2 alarms in 14.01563 seconds (Avg 1.14 files/sec)
22:13:18 [File Scan] Scanning in C:\ ...
22:56:20 [File Scan] Scanned 16825 files: 12 alarms in 2582.031 seconds (Avg 7.52 files/sec)
22:56:20 [File Scan] Scanning in D:\ ...
22:56:27 [File Scan] Scanned 3 files: 12 alarms in 6.53125 seconds (Avg 1.46 files/sec)
22:56:27 [File Scan] Scanning in E:\ ...
00:02:51 [File Scan] Scanned 652 files: 12 alarms in -82416.09 seconds (Avg .99 files/sec)
00:02:51 [File Scan] Scanning in M:\ ...
00:05:18 [File Scan] Scanned 1 files: 12 alarms in 146.571 seconds (Avg 1.01 files/sec)
00:05:18 [File Scan] Scanning in P:\ ...
00:05:18 [File Scan] Scanned 0 files: 12 alarms in 0 seconds (Avg -1.#IND files/sec)
00:05:18 [Scan] Finished.
00:07:23 [Screen Text] Saved to C:\Program Files\TDS3\scr0.txt

SCAN RESULTS
Scan Control Dumped @ 00:15:36 18-04-05
File Trace: Default trojan filename: Worm.Funner please submit
File: C:\WINNT\System32\userinit32.exe
File Trace: Default trojan filename: Suspicious please submit
File: C:\WINNT\1.exe
Positive identification: Adware.ToolBar.EliteBar.z2
File: c:\documents and settings\rodney_miller\local settings\temp\tmp384883.tmp
Trojan Client\EditServer found: RemoteAdmin.RAdmin 2.2 (Client)
File: c:\program files\radmin\radmin.exe
Positive identification: RemoteAdmin.RAdmin 2.2
File: c:\program files\radmin\r_server.exe
Positive identification: DDoS.RAT.rBot.bhe
File: c:\recycler\s-1-5-21-2000478354-2111687655-842925246-500\dc1.exe
Positive identification: Trojan.Win32.StartPage.nk8
File: c:\recycler\s-1-5-21-2000478354-2111687655-842925246-500\dc8.exe
Positive identification: RemoteAdmin.RAdmin 2.2
File: c:\recycler\s-1-5-21-2000478354-2111687655-842925246-500\dc9.exe
Positive identification (DLL): Adware.ToolBar.EliteBar.z1 (dll)
File: c:\recycler\s-1-5-21-2000478354-2111687655-842925246-500\dc6\elitesidebar 08.dll
Positive identification (DLL): Adware.WebEx (dll)
File: c:\winnt\downloaded program files\ieatgpc.dll
Positive identification: RAT.Agent.bg Dropper.a
File: c:\winnt\system32\lol.exe
Positive identification: DDoS.RAT.rBot.btm
File: c:\winnt\system32\userinit32.exe
#10
Analyst, Security Team
Uninstall RAdmin if it's in the Add/Remove Panel.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINNT\1.exe
c:\program files\radmin\
c:\recycler\s-1-5-21-2000478354-2111687655-842925246-500\dc1.exe
c:\recycler\s-1-5-21-2000478354-2111687655-842925246-500\dc8.exe
c:\recycler\s-1-5-21-2000478354-2111687655-842925246-500\dc9.exe
c:\recycler\s-1-5-21-2000478354-2111687655-842925246-500\dc6\elitesidebar 08.dll
c:\winnt\downloaded program files\ieatgpc.dll
c:\winnt\system32\lol.exe
c:\winnt\system32\userinit32.exe

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link doesn't work) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.

Restart. Any problems now? Where is the StartDreck log?
#11
Registered User
Join Date: Apr 2005
Posts: 22
OS: XP Pro
SORRY FOR DELAY, BETWEEN WINEXPLORER CRASHES I FORGOT THIS ONE....
DISREGARD MANDARIN CHARACTERS, I'M ON MY PRC LAN FOR ISP ACCESS

StartDreck (build 2.1.7 public stable) - 2005-04-17 @ 22:04:55 (GMT -05:00)
Platform: Windows 2000 (Win NT 5.0.2195 Service Pack 4)
Internet Explorer: 5.50.4807.2300
Logged in as rodney_miller at WIN2K-WKSTN-10

»Registry
»Run Keys
»Current User
»Run
*ctfmon.exe=ctfmon.exe
»RunOnce
»Default User
»Run
*kimochiz.exe=C:\WINNT\kimochiz.exe
»RunOnce
*^SetupICWDesktop=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
»Local Machine
»Run
*Synchronization Manager=mobsync.exe /logon
*AtiPTA=Atiptaxx.exe
*vptray=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINNT\system32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=C:\WINNT\System32\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINNT\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINNT\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINNT\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINNT\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINNT\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer Access/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath="C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express Access/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath="C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigOE
+Microsoft Windows Media Player 6.4/{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\mplayer2.inf,PerUserStub.NT
+Microsoft Outlook Express 5/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+EnableRevocation/{6A5110B5-E14B-4268-A065-EF89FF33C325}
*StubPath=regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll
+Address Book 5/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 5/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
»Browser Helper Objects (LM)
»Internet Explorer
»Current User
*Local Page=C:\WINNT\system32\blank.htm
*Start Page=http://www.yahoo.com/
+SearchUrl
*provider=
»Default User
»Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=%SystemRoot%\system32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
»ShellServiceObjectDelayLoad (LM)
*Network.ConnectionTray={7007ACCF-3202-11D1-AAD2-00805FC1270E}
`InprocServer32=C:\WINNT\system32\NETSHELL.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\system32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINNT\SYSTEM32\Userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\rodney_miller\Start Menu\Programs\Startup\HotSync Manager.lnk
»Default User
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Dataviz Messenger.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless-B Notebook Adapter Utility.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
*C:\msdos.sys
*C:\config.sys
*C:\WINNT\system32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
`DEVICE=C:\PVSW\bin\btrdrvr.sys
*C:\autoexec.bat
*C:\WINNT\system32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
*C:\WINNT\wininit.ini
`[rename]
`NUL=C:\DOCUME~1\RODNEY~1\LOCALS~1\Temp\ginstall.dll
*C:\WINNT\system32\drivers\etc\hosts
`127.0.0.1 localhost
`64.91.255.87 www.dcsresearch.com
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINNT\system32\win.com
*C:\WINNT\explorer.exe
»%PATH% Companion Files
+C:\WINNT\system32\notepad.exe
*C:\WINNT\NOTEPAD.EXE
+C:\WINNT\system32\REGSVR32.EXE
*C:\PVSW\bin\regsvr32.exe
+C:\WINNT\system32\taskman.exe
*C:\WINNT\TASKMAN.EXE
+C:\WINNT\system32\winhlp32.exe
*C:\WINNT\winhlp32.exe
+C:\PVSW\bin\manifest.bat
*C:\PVSW\bin\manifest.vbs
»System/Drivers
»Running Processes
+0=<idle>
+8=<system>
+148=\SystemRoot\System32\smss.exe
+172=\??\C:\WINNT\system32\csrss.exe
+168=\??\C:\WINNT\system32\winlogon.exe
+220=C:\WINNT\system32\services.exe
+232=C:\WINNT\system32\lsass.exe
+408=C:\WINNT\system32\svchost.exe
+436=C:\WINNT\system32\spoolsv.exe
+516=C:\WINNT\System32\Ati2evxx.exe
+532=C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
+548=C:\WINNT\System32\svchost.exe
+572=C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
+668=C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
+692=C:\WINNT\system32\regsvc.exe
+708=C:\WINNT\system32\MSTask.exe
+788=C:\WINNT\System32\WBEM\WinMgmt.exe
+800=C:\WINNT\system32\svchost.exe
+1188=C:\WINNT\system32\Atiptaxx.exe
+1156=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
+1200=C:\WINNT\system32\ctfmon.exe
+1204=C:\WINNT\DvzCommon\DvzMsgr.exe
+1224=C:\Program Files\WinZip\WZQKPICK.EXE
+1232=C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
+1240=C:\Program Files\Palm\HOTSYNC.EXE
+1028=C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
+1172=C:\WINNT\explorer.exe
+1160=C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
+1212=C:\Program Files\Hijackthis\Startdreck scanner\StartDreck.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User
#12
Registered User
Join Date: Apr 2005
Posts: 22
OS: XP Pro
CLEANUP APPLICATION IS GETTING HUNG UP, STARTS DELETING FILES AND THEN STOPS????
I GET AN Explorer Error window as well, with a cancel button; it says it is going to close Windows and is generating an error report, but it never does. I hit cancel and the explorer application dies.... Happens often, but it does it during cleanup: I hear the flush, and the error window pops up???
#14
Analyst, Security Team
That CleanUp program should have cleaned out the temp folders once you hear the flush. Try running it again in Safe Mode.

Boot into Safe Mode. Run StartDreck with the same options checked as before. Click on each of the following and hit the Delete button in the program:

*kimochiz.exe=

Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\WINNT\kimochiz.exe

Go to C:\WINNT\ and double click on wininit.ini to open it. Delete this line:

`NUL=C:\DOCUME~1\RODNEY~1\LOCALS~1\Temp\ginstall.dll

Save the file and close it. Run the CleanUp program.

Your log is clean. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided. Are there any problems now? If not, you should be set to go.
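An added example, not code from the forum or from StartDreck, showing how to read the wininit.ini line the reply above has the user delete. The [rename] section holds "destination=source" pairs in which a destination of NUL means "delete source"; Windows 9x processes the file at boot, NT-family systems use the PendingFileRenameOperations registry value instead, but installers and droppers still write wininit.ini there, which is why StartDreck lists it. The temp-folder and system-directory markers are assumptions, and the second sample line is a constructed installer-style move added to show the non-delete case.

```python
"""Audit the [rename] section of a wininit.ini for pending deletes and moves."""

# Constructed sample: the NUL line is the one StartDreck reported in this thread;
# the second line is an invented installer-style move, added for the non-delete case.
SAMPLE_WININIT = r"""
[rename]
NUL=C:\DOCUME~1\RODNEY~1\LOCALS~1\Temp\ginstall.dll
C:\WINNT\system32\example.dll=C:\WINNT\Temp\example.new
"""

# Assumptions: path fragments that make a boot-time rename worth a second look.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")
SYSTEM_DIRS = ("c:\\winnt\\system32", "c:\\windows\\system32")


def parse_rename_section(text: str):
    """Return (destination, source) pairs from the [rename] section, in file order."""
    pairs, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip().lstrip("`")  # StartDreck prefixes quoted file lines with a backtick
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs


def audit_wininit(text: str):
    """Describe each pending operation and why it may matter to the person cleaning the box."""
    findings = []
    for dest, src in parse_rename_section(text):
        src_l, dest_l = src.lower(), dest.lower()
        if dest_l == "nul":
            action = f"delete {src} at next boot"
            if any(marker in src_l for marker in TEMP_MARKERS):
                note = "source sits in a temp folder (typical dropper self-cleanup)"
            else:
                note = "ordinary cleanup"
        else:
            action = f"move {src} over {dest} at next boot"
            if dest_l.startswith(SYSTEM_DIRS):
                note = "destination is a system directory (file replaced before Windows loads it)"
            else:
                note = "ordinary installer move"
        findings.append({"action": action, "note": note, "source": src, "destination": dest})
    return findings


if __name__ == "__main__":
    for f in audit_wininit(SAMPLE_WININIT):
        print(f["action"], "->", f["note"])
```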
#15
Registered User
Join Date: Apr 2005
Posts: 22
OS: XP Pro
Oh yeah, big kudos....
Little story: I'm in China, and the whole city of SH has a Government ISP that they call 16300, with the password the same. All hotels use this if they don't have ADSL service. 20 million people, one dialup ISP, go figure. The IT engineer at the hotel says, "Best way to fix your problem is to reinstall Windows....." Spoken like a true Windows Engineer LOL. You know the joke: when the car breaks down, Chemical Engineer: gas, Mechanical: carburetor, Electrical Engineer: wiring, Windows Engineer: "Close all the windows and reopen them...." Thank you so much, I'll be checking out your Security Thread and making a donation... The laptop is my only solace here at times, and without it... I cannot function at work nor at night when my family is asleep; I write them and they return. I appreciate your time, and your patience.