IE Hijack - precautionary post to avoid re-infection

Raeral · 04-17-2006, 04:12 AM

Hi

I joined this forum to get assistance to remove a stealthy address-bar redirection hack. I tried to read all the posting rules and made an introductory post in the introduction forum first. I then read the 5 steps before posting post and carried them all out religously. The problem seems to have gone. I wish to make this post anyway in-case you find something that allows the infection to return.

The problem.
1. On 10/4/06 (dd/mm/yy) I went to a porn site - www.bestpornhost.com/vintage - and a lot of disc activity occured. Following this visit, subsequent searches using the IE browser address bar were redirected. I found that I could circumvent the redirection by clicking three times but this of course is inconvenient.

I have CA antivirus installed, Ad-Aware 6.0 and Spybot S&D. I used all these and some viruses were found but the infection remained.

2. 0n 15/4/06 I joined this site. During 15/4 and 16/4 I followed all the pre submitting steps, including installing ad-aware SE. The docvumented results are:

3. Ad-Aware SE results:
MRU list (43 objects
CnsMin (7 objects)
Tracking cookie (83 objects)
133 objects removed
4. Spybot S&D results
Pipas.A - removed
5. Housecall results
adware.loctr.a
2xjava.trojan.femad.a
1xtrojan.small.ej
1xjava.trojan.femad.b
all removed
6. Bitdefender results
js.trojan.winbomb.f
7. CA etrust - nothing

ALL THE ABOVE WERE RUN IN SAFE MODE OR SAFE MODE WITH NETWORKING

Please note that I have probably done more damage since 10/4/06 (dd/mm/yy) as I have tried all kinds of things. I have removed some programs from ad-remove-programs during this event and have not documented everything I have done. Examples I can remember are a filelister. One virus sanner run during the week also removed (but I was not in safe mode at the time) easytool.adtrojan; findspy.a; marketengines and pipas.a.

-------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:16:37, on 17/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSI\BToes Bluetooth Software\BTTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Tablane\Tablane.exe
C:\PROGRA~1\Tablane\TBLSER~1.EXE
C:\Program Files\Tablane\TBLBookmk.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [UniUploader] C:\Program Files\UniUploader\UniUploader.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [dmakl.exe] C:\WINDOWS\system32\dmakl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Add to Restricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.std.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120738251782
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1120738438070
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadba...ivePreQual.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...39/mcfscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\MSI\BToes Bluetooth Software\bin\btwdins.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Ndlmsb0cfs - Unknown owner - C:\WINDOWS\system32\FileOps.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)

nuttyape · 04-17-2006, 05:44 AM

erm most porn sites we cant trust there softwear try not instaling them or at least make a restoree point before you do

Raeral · 04-17-2006, 05:50 AM

Quote:

Originally Posted by Nuttyape

erm most porn sites we cant trust there softwear try not instaling them or at least make a restoree point before you do

I understand that and I am normally far more circumspect. Incidentally, I did not overtly install any software from the site - it was all done stealthily by the site.

I posted the link as, hopefully, a helpful warning to other users. I had considered leaving out the reference to pr0n and the associated link. I considered the benefit to others far outweighed my own embarrassment at publicly declaring what I had done.

Raeral · 04-18-2006, 03:57 AM

Im considering submitting a bump as its nearly 24 hours since my original post. I am concious that it was a holiday yesterday so I'm tempted to just be patient.

However, I noticed that my original post has been modified by by tetonbob : Today at 05:18 AM (Times may be my local UK time). Is modification by others normal? What did I say that caused offence or otherwise? Just currious you understand.

Raeral · 04-18-2006, 05:18 AM

Having re-read the rules, I guess I fell foul of rule 4. I assure you this was not intentional. I thought I was being *good* by pointing out to others the error of my ways. I guess you removed the auto-link.

I am so sorry :(

Just to be clear, I still want some help on the original reason for posting this thread :)

Ried · 04-18-2006, 07:08 AM

Hello Raeral,

Please copy this page to Notepad since you will not have any browsers open while you are carrying out these instructions. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Download Ewido Security Suite

Install Ewido Security Suite
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

*******************************

Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

*******************************

Click Start->Run - type SERVICES.MSC & then click on the OK button
*Locate the service - Ndlmsb0cfs
*Double-click on it to open the Properties dialog.
*Under the General tab: <--Take note and write down the *Service name given as we will need it shortly.
*Stop the service by using the Stop button.
*Change the Startup type to Disabled & then click on the OK button

Next, start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
*In the popup box that appears, type in the *Service Name you found in the General Tab for Ndlmsb0cfs. Click OK to allow reboot.

---------------------------

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

---------------------------

Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any):

O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [dmakl.exe] C:\WINDOWS\system32\dmakl.exe
O23 - Service: Ndlmsb0cfs - Unknown owner - C:\WINDOWS\system32\FileOps.exe

Click 'Fix Checked' and close HijackThis.

---------------------------

Delete the following Files if they still exist.

C:\WINDOWS\system32\ dmakl.exe
C:\WINDOWS\system32\ FileOps.exe

---------------------------

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility

---------------------------

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

"Perform action on all infections"
Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. Ewido is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

---------------------------

Reboot into Normal Mode.

---------------------------

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
Click on see report. Then click Save report

In your next reply, I will need the following:

Ewido results
Panda results
New HijackThis log taken from Normal Mode

Raeral · 04-18-2006, 02:46 PM

I have carried out all your required tasks The results are as follows.

Download Ewido Security Suite. - Done
You will need to update Ewido to the latest definition files. - Done

Download CleanUp! (Alternate Link if main link doesn't work) and install it. - Done

Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.. - Done

Click Start->Run - type SERVICES.MSC ... Ndlmsb0cfs...then click on the OK button. - Done. Note that the service was set to manual and was already stopped. Note also that the service name was the same as Ndlmsb0cfs.

Next, start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
*In the popup box that appears, type in the *Service Name you found in the General Tab for Ndlmsb0cfs. Click OK to allow reboot.. - Done

Next, please reboot your computer in Safe Mode . - Done

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.. - Done - well, actually, all already set as directed

Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any):

O1 - Hosts: localhost 127.0.0.1 - Done
O4 - HKLM\..\Run: [dmakl.exe] C:\WINDOWS\system32\dmakl.exe - Not present
O23 - Service: Ndlmsb0cfs - Unknown owner - C:\WINDOWS\system32\FileOps.exe - Not present

Click 'Fix Checked' and close HijackThis. - Done

Delete the following Files if they still exist.

C:\WINDOWS\system32\ dmakl.exe - Not present anywhere on C: or D:
C:\WINDOWS\system32\ FileOps.exe - Done

Open Cleanup...Scan local drives for temporary files - Done

Run Ewido with it's updated definitions...Once finished, click the Save report button & save the report to your desktop - Done

Reboot into Normal Mode. - Done

Perform an online scan using Internet Explorer with Panda ActiveScan - Done

Ewido results
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 20:30:09, 18/04/2006
+ Report-Checksum: 35D43657

+ Scan result:

[204] VM_00D80000 -> Downloader.Agent.uj : Error during cleaning
[228] VM_00C00000 -> Downloader.Agent.uj : Error during cleaning
[860] VM_009E0000 -> Downloader.Agent.uj : Error during cleaning
[1148] VM_003F0000 -> Downloader.Agent.uj : Error during cleaning
:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ads20.bpath[1].txt -> TrackingCookie.Bpath : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ads20.bpath[2].txt -> TrackingCookie.Bpath : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@com[3].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@cz7.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@image.masterstats[2].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@image.masterstats[3].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ivwbox[2].txt -> TrackingCookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@orf.oewabox[1].txt -> TrackingCookie.Oewabox : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Program Files\TightVNC-unstable\VNCHooks.dll -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.1370 : Cleaned with backup
C:\Program Files\TightVNC-unstable\WinVNC.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.1370 : Cleaned with backup

::Report End

Panda results

Incident Status Location

Adware:adware/sbsoft Not disinfected C:\WINDOWS\rdt.ini
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt[]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@atwola[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ccbill[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ccbill[3].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ccbill[4].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@go[2].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@kinghost[1].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@kinghost[2].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@kinghost[3].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@kinghost[4].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@tucows[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@xiti[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@xiti[2].txt
Virus:W32/Netsky.AE.worm Disinfected Archive 2005\Personal Folders\Awaiting Archive\Undeliverable:Re: document_all\Re: document_all\document_hengul.zip.zip[data.rtf .scr]

New HijackThis log taken from Normal Mode
Logfile of HijackThis v1.99.1
Scan saved at 22:13:26, on 18/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSI\BToes Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSI\BToes Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [UniUploader] C:\Program Files\UniUploader\UniUploader.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Add to Restricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.allakhazam.com
O15 - Trusted Zone: *.bbc.co.uk
O15 - Trusted Zone: *.google.co.uk
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: http://www.std.com
O15 - Trusted Zone: *.wikipedia.org
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120738251782
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1120738438070
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadba...ivePreQual.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...39/mcfscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\MSI\BToes Bluetooth Software\bin\btwdins.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)

Ried · 04-18-2006, 05:39 PM

Hi Raeral,

Delete the following file:

C:\WINDOWS\ rdt.ini

If the above resists deletion, carry out the next set of instructions first, then boot into Safe Mode and delete the file.

*********************************

You may want to print out these instructions for reference, since you will have to restart your computer during the fix. Please make sure you have an ACTIVE internet connection as the tool will need to download additional files and a program.

Please download FixWareout from one of these sites:
http://forums.subratam.org/index.php...=post&id=43811
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is NORMAL.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch, Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:fixwareoutreport.txt, along with a new HijackThis log.

Raeral · 04-19-2006, 02:47 AM

Hi Ried,

Quote:

Originally Posted by Ried

Delete the following file:

C:\WINDOWS\ rdt.ini

- Done - The file did not resist deletion. As a precaution, I deleted the file; emptied the recycle bin; rebooted back into normal mode and checked to see if the file was still there. It was not (although the boot process took a while)

The latest HJT file...

Logfile of HijackThis v1.99.1
Scan saved at 10:37:34, on 19/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSI\BToes Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\MSI\BToes Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [UniUploader] C:\Program Files\UniUploader\UniUploader.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Add to Restricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.allakhazam.com
O15 - Trusted Zone: *.bbc.co.uk
O15 - Trusted Zone: *.google.co.uk
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: http://www.std.com
O15 - Trusted Zone: *.wikipedia.org
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120738251782
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1120738438070
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadba...ivePreQual.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...39/mcfscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\MSI\BToes Bluetooth Software\bin\btwdins.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)

Ried · 04-19-2006, 07:33 AM

Hi Raeral,

It's important that I see the log from the FixWareout tool. Please post the fixwareoutreport.txt here, it will be located directly on C:

Raeral · 04-19-2006, 01:30 PM

Perhaps I misunderstood you. I thought you wished me to delete the file. If the file resists deletion, then use the fix tool. Please confirm my understanding is incorrect. You want me to delete the file AND use the fix tool. If I cant delete the file, use the tool first then delete the file.

Sorry if I misundertsood you.

Please confirm your intructions.

(Sorry if Im being stupid here)

Ried · 04-19-2006, 02:08 PM

Hi,

I'll be more clear. I was trying to save you a reboot.

That was a 2-step process. I wanted you to delete that file first as I suspected it would delete quietly in Normal Mode, then you could move along smoothly to the FixWareOut instructions.

The WareOut infection needs a specialty tool to clean it properly. So, you were correct in deleting that file, now we need to run the FixWareout tool. Post that log when you get it.

Raeral · 04-19-2006, 04:52 PM

Hi Ried,

:) No problem - my fault. I carried out your instructions as directed

Delete ...rdt.ini and
Run ...fixwareout.exe

with the following results. Note that fixwareout did not run HJT as you suggest. That might be because I put hjt in c:\hjt, I dont know. Anyways, I ran an HJT as requested too.

Fixwareout ver 1.003
Last edited 2/15/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dmakl.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
* csr.exe C:\WINDOWS\System32\CSNIL.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool
Logfile of HijackThis v1.99.1
Scan saved at 00:43:53, on 20/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MSI\BToes Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\MSI\BToes Bluetooth Software\BTTray.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Add to Restricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.allakhazam.com
O15 - Trusted Zone: *.bbc.co.uk
O15 - Trusted Zone: *.google.co.uk
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.redfig.com
O15 - Trusted Zone: *.std.com
O15 - Trusted Zone: *.techsupportforum.com
O15 - Trusted Zone: *.wikipedia.org
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120738251782
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1120738438070
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadba...ivePreQual.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...39/mcfscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\MSI\BToes Bluetooth Software\bin\btwdins.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)

Ried · 04-19-2006, 05:38 PM

Hi Raeral,

Please copy these instructions to Notepad and save to your desktop for reference.

--------------------------------

Reboot into Safe Mode.

--------------------------------

Delete the following file:

C:\WINDOWS\System32\ CSNIL.EXE

--------------------------------

Run Cleanup! again using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:

Delete Newsgroup cache
Delete Newsgroup Subscriptions
Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.
* CleanUp! will not create any backups!!
--------------------------------

Run Ewido again with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

"Perform action on all infections"
Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop.

--------------------------------

Reboot into Normal Mode.

--------------------------------

Run another online scan at Panda and post the results here along with the Ewido results and a new HijackThis log.

How is your system behaving now?

Raeral · 04-20-2006, 02:04 PM

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 20:11:17, 20/04/2006
+ Report-Checksum: B8DE1713

+ Scan result:

C:\System Volume Information\_restore{35F78DBC-9A37-4259-9CD3-A67E8C5427CE}\RP29\A0006279.dll -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.1370 : Cleaned with backup
C:\System Volume Information\_restore{35F78DBC-9A37-4259-9CD3-A67E8C5427CE}\RP29\A0006280.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.1370 : Cleaned with backup

::Report End

Incident Status Location

Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\John\Cookies\john@apmebf[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\John\Cookies\john@qksrv[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\John\Cookies\john@questionmarket[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\John\Cookies\john@tribalfusion[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt[]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\John\Cookies\john@apmebf[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\John\Cookies\john@qksrv[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\John\Cookies\john@questionmarket[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\John\Cookies\john@tribalfusion[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@atwola[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ccbill[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ccbill[3].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ccbill[4].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@go[2].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@kinghost[1].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@kinghost[2].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@kinghost[3].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@kinghost[4].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@tucows[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@xiti[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@xiti[2].txt

Logfile of HijackThis v1.99.1
Scan saved at 21:50:27, on 20/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\MSI\BToes Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSI\BToes Bluetooth Software\BTTray.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Add to Restricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.allakhazam.com
O15 - Trusted Zone: *.bbc.co.uk
O15 - Trusted Zone: *.google.co.uk
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.redfig.com
O15 - Trusted Zone: *.std.com
O15 - Trusted Zone: *.techsupportforum.com
O15 - Trusted Zone: *.wikipedia.org
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120738251782
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1120738438070
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadba...ivePreQual.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...39/mcfscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\MSI\BToes Bluetooth Software\bin\btwdins.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)

Quote:

Originally Posted by Ried

How is your system behaving now?

Before we started this process, I had stopped the IE search redirections which was the original reason for asking you for help. It seems that you have found and removed even more infections.

Additionally, after the previous set of instructions (before this set) I noticed that local explorer windows didnt flash each time a new directory was selected. Also, it may be that I expect a speed improvement, but I do believe that disc searches are faster.

Ried · 04-20-2006, 03:03 PM

Hi Raeral,

You most likely are experiencing quicker response from your computer. CleanUp is a great tool for cleaning out the junk that accumulates over time.

Clear Internet Explorer Cookies:
Launch Internet Explorer>Tools>Internet Options>Delete Cookies

**********************************

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links.

Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Enable Windows Auto Update
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Keep my computer up to date"
*Under Settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

More information and free downloads are available at the following links:

Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items .

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. This is a self-extracting .ZIP file, and save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list, by typing 2
Then return to the main menu.
Select option #4 - Add the old porn sites domain, by typing 4

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Raeral · 04-20-2006, 05:26 PM

Thank you - you have been so helpful. I will do this stuff tomorrow - Im tired and must get to bed. I have a few small questions which I will post after carrying out the above final taks. Thanks for your help so far.

Raeral · 04-20-2006, 10:11 PM

Hi Ried,

I am very impressed with the support you have given me recently. If I was working, I would certainly provide a donation immediately. When I get a job, I will donate first thing I am able. In the meantime I have a further set of concerns/questions if you dont mind. Before posing these questions, I have carried out your recommended actions in your most recent post and have read all links (except the firewall one which I will read asap). One of your links recommended zone-alarm which I have downloaded and installed in place of the windows XP firewall. Anyway, here are my few questions:

Prior to the infection, I had
XP SP2

windows update set to auto-update

Microsoft Firewall enable

Current licenced & updated copy of CA Anti-trust anti-virus

updated and regularly used Spybot S&D 1.4

Ad-Aware 6 (Since updated to Ad-Aware SE)

Am NAT protected on my local home network

I change my passwords regularly

I use complex passwords and never re-use an admin password for a website

I would like to have thought that I was well aware of the dangers etc

yet I was still badly infected. Am I alone in my frustration that such malware is causing the community?
Can I be reasonably sure there are no latent malware/viruses attached to trusted programs on my machine?
Some of the programs that you have asked me to run retain parts of themselves on my machine. I dont know if such parts are active or not. For example, bitdefender v8. Is this normal? Should I leave these things still installed? Do they need to be maintained/updated?
What other programs may still be running (other than ones you have recommended I instal such as those in your latest reply above)
As stated earlier, I am very impressed with your service. I WILL be recommending you to my friends. Some of my friends will be able to donate for certain. Can I help my friends by contacting you on their behalf or must you deal with one person / one computer?
I recently (after I partialy cleaned my system but before you thoroughly cleaned it) changed my local passwords. Should I change them again?
Prior to the infection, I had got into the habit of using a local admin password as a standard account. I hope you agree that I should go back to using a non admin password for normal activities (its just that I hate the runas command but hey)?

Ried · 04-21-2006, 03:34 PM

Hi Raeral,

In today's 'world of the internet', Anti-Virus and Firewall protection are no longer enough. A multi-layered approach of protection is best as there is no one tool, or even combination of tools that can combat and protect against all malware, Bear in mind, it's always a game of playing 'catch up'. They write the malware, the tool makers come up with how to detect and remove them. 'Cat and Mouse' as it were.

The programs you now have installed will go a long way in keeping you protected. You also need to be careful of the sites you go to and what you click on within those sites.

Quote:

Can I be reasonably sure there are no latent malware/viruses attached to trusted programs on my machine?

Yes, that was the purpose of my asking you to do online scans.

Quote:

Some of the programs that you have asked me to run retain parts of themselves on my machine. I dont know if such parts are active or not. For example, bitdefender v8. Is this normal? Should I leave these things still installed? Do they need to be maintained/updated?

I highly suggest leaving the following programs:

Spybot
AdAware SE
Ewido

Those programs need to be updated by you and scan with them weekly. Launch any of those given programs, and you will find an 'Update' button on their Main Menu.

Regarding BitDefender, it does place an extra button in your right click drop down menu for convenience if you want to link to them for an online scan. You do not need to keep those, but they don’t put any strain on your system or resources. If you want to get rid of it, you can run a scan with HijackThis, close any other open programs. Place a ‘check’ and then click ‘Fix Checked’ for the following entries:

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

Quote:

What other programs may still be running (other than ones you have recommended I instal such as those in your latest reply above)

I’m not quite sure what you mean by that. Programs can be installed, but not running until invoked by you. Can you please clarify that for me?

Quote:

Can I help my friends by contacting you on their behalf or must you deal with one person / one computer?

Yes, you may ask for help on their behalf, but it is easier to work with the individual who owns the computer as their questions, or understanding of the instructions may be different than yours.

Quote:

I recently (after I partialy cleaned my system but before you thoroughly cleaned it) changed my local passwords. Should I change them again?

Due to the number of trojans you had, I think it would be prudent to change your passwords again.

Quote:

Prior to the infection, I had got into the habit of using a local admin password as a standard account. I hope you agree that I should go back to using a non admin password for normal activities (its just that I hate the runas command but hey)?

There is no need for such drastic action. Continue to log on as you have been. I do nothing 'special' when I log onto my system. I use AVG Free AV, ZoneAlarm Free firewall, Spybot, AdAware SE, Ewido, SpywareGuard, Spyware Blaster and IE SpyAD and have had no infections since using that setup. (over 1 year now

)

Something I'd like to bring to your attention. It is almost universally agreed that the Trusted Zone was the worst idea that MS ever had. If someone is able to corrupt just one of those entries, it is a direct line to the kernal of the operating system, and no security program would be able to do anything about it. The repairs are also very difficult i not nearly impossible. You currently have the following listed in your 'Trusted Zone':

O15 - Trusted Zone: *.allakhazam.com
O15 - Trusted Zone: *.bbc.co.uk
O15 - Trusted Zone: *.google.co.uk
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.redfig.com
O15 - Trusted Zone: *.std.com
O15 - Trusted Zone: *.techsupportforum.com
O15 - Trusted Zone: *.wikipedia.org

If your Firewall will allow you to access these sites without actually having to place them in your Trusted Zone, I suggest removing them from that particular area.

Raeral · 04-21-2006, 04:13 PM

Hi Ried,

Your detailed reply is very useful. Thank you so much. Keep up the good work. Im am very very happy for you to put this thread in the resolved section. I assume I can reference it in the future if I need to.

Ignore my question 4. I was simply trying to establish if there were any other latent programs (other than the BitDefender we discussed) that may be left after the clean.

As I said, I read the links you asked me to read on 20/4/06 at 11:03 pm. As a result, I enabled the Spybot S&D 1.4 teatimer. On my system, it is eratic. For example, the dialogue box that results from a planned registry change does not allow me to allow the change - the dialogue box appears corrupt. I have therefore disabled teatimer. All other aspects of Spybot S&D 1.4 seem fine. There is no need to reply to this as I am perfectly happy. Im just pointing this out to you.

I removed all entries from trusted sites according to your reommendations above. Thank you.

Thank you once again. Please keep up the excellent work.

04-17-2006, 04:12 AM	#1 (permalink)
Raeral Registered User Join Date: Apr 2006 Location: Cambridge, UK Posts: 15 OS: XP Pro SP2 My System	IE Hijack - precautionary post to avoid re-infection Hi I joined this forum to get assistance to remove a stealthy address-bar redirection hack. I tried to read all the posting rules and made an introductory post in the introduction forum first. I then read the 5 steps before posting post and carried them all out religously. The problem seems to have gone. I wish to make this post anyway in-case you find something that allows the infection to return. The problem. 1. On 10/4/06 (dd/mm/yy) I went to a porn site - www.bestpornhost.com/vintage - and a lot of disc activity occured. Following this visit, subsequent searches using the IE browser address bar were redirected. I found that I could circumvent the redirection by clicking three times but this of course is inconvenient. I have CA antivirus installed, Ad-Aware 6.0 and Spybot S&D. I used all these and some viruses were found but the infection remained. 2. 0n 15/4/06 I joined this site. During 15/4 and 16/4 I followed all the pre submitting steps, including installing ad-aware SE. The docvumented results are: 3. Ad-Aware SE results: MRU list (43 objects CnsMin (7 objects) Tracking cookie (83 objects) 133 objects removed 4. Spybot S&D results Pipas.A - removed 5. Housecall results adware.loctr.a 2xjava.trojan.femad.a 1xtrojan.small.ej 1xjava.trojan.femad.b all removed 6. Bitdefender results js.trojan.winbomb.f 7. CA etrust - nothing ALL THE ABOVE WERE RUN IN SAFE MODE OR SAFE MODE WITH NETWORKING Please note that I have probably done more damage since 10/4/06 (dd/mm/yy) as I have tried all kinds of things. I have removed some programs from ad-remove-programs during this event and have not documented everything I have done. Examples I can remember are a filelister. One virus sanner run during the week also removed (but I was not in safe mode at the time) easytool.adtrojan; findspy.a; marketengines and pipas.a. ------------------------------------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 12:16:37, on 17/04/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\Explorer.EXE C:\PROGRA~1\CA\ETRUST~1\realmon.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MSI\BToes Bluetooth Software\BTTray.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Tablane\Tablane.exe C:\PROGRA~1\Tablane\TBLSER~1.EXE C:\Program Files\Tablane\TBLBookmk.exe C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O1 - Hosts: localhost 127.0.0.1 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [UniUploader] C:\Program Files\UniUploader\UniUploader.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [dmakl.exe] C:\WINDOWS\system32\dmakl.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: BTTray.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Add to Restricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://www.std.com O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120738251782 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1120738438070 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadba...ivePreQual.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...39/mcfscan.cab O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\MSI\BToes Bluetooth Software\bin\btwdins.exe O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe O23 - Service: Ndlmsb0cfs - Unknown owner - C:\WINDOWS\system32\FileOps.exe O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing) O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing) __________________ Raeral Stay cool, stay connected Last edited by tetonbob; 04-17-2006 at 09:18 PM.

04-18-2006, 03:57 AM	#4 (permalink)
Raeral Registered User Join Date: Apr 2006 Location: Cambridge, UK Posts: 15 OS: XP Pro SP2 My System	Im considering submitting a bump as its nearly 24 hours since my original post. I am concious that it was a holiday yesterday so I'm tempted to just be patient. However, I noticed that my original post has been modified by by tetonbob : Today at 05:18 AM (Times may be my local UK time). Is modification by others normal? What did I say that caused offence or otherwise? Just currious you understand. __________________ Raeral Stay cool, stay connected

04-18-2006, 05:18 AM	#5 (permalink)
Raeral Registered User Join Date: Apr 2006 Location: Cambridge, UK Posts: 15 OS: XP Pro SP2 My System	Having re-read the rules, I guess I fell foul of rule 4. I assure you this was not intentional. I thought I was being good by pointing out to others the error of my ways. I guess you removed the auto-link. I am so sorry :( Just to be clear, I still want some help on the original reason for posting this thread :) __________________ Raeral Stay cool, stay connected

04-18-2006, 07:08 AM	#6 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	Hello Raeral, Please copy this page to Notepad since you will not have any browsers open while you are carrying out these instructions. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Download Ewido Security Suite Install Ewido Security Suite When installing, under "Additional Options" uncheck.. Install background guard Install scan via context menu Double-click the icon on Desktop to launch Ewido You will need to update Ewido to the latest definition files. On the left hand side of the main screen click update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. If you are having problems with the updater, you can use this link to manually update Ewido When you have finished updating, EXIT Ewido. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet. ***************************** Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries. Open Windows Defender. Click on Tools, General Settings. Scroll down and uncheck Turn on real-time protection (recommended). After you uncheck this, click on the Save button and close Windows Defender. *************************** Click Start->Run - type SERVICES.MSC** & then click on the OK button Locate the service - Ndlmsb0cfs* Double-click on it to open the Properties dialog. Under the General tab: *<--Take note and write down the Service name given as we will need it shortly.** Stop the service by using the Stop* button. Change the Startup type to Disabled* & then click on the OK button Next, start HiJackThis & go to Config>Misc.Tools...> Delete an NT service... In the popup box that appears, type in the Service Name you found in the General Tab for Ndlmsb0cfs. Click OK to allow reboot. --------------------------- Next, please reboot your computer in Safe Mode by doing the following: 1) Restart your computer 2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3) Instead of Windows loading as normal, a menu should appear 4) Use the up arrow key to highlight Safe Mode and press Enter. Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading: * select Show hidden files and folders. * Uncheck Hide protected operating system files (recommended) option. Also, make sure there is no checkmark beside Hide file extensions for known file types. Click OK. --------------------------- Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any): O1 - Hosts: localhost 127.0.0.1 O4 - HKLM\..\Run: [dmakl.exe] C:\WINDOWS\system32\dmakl.exe O23 - Service: Ndlmsb0cfs - Unknown owner - C:\WINDOWS\system32\FileOps.exe Click 'Fix Checked' and close HijackThis. --------------------------- Delete the following Files if they still exist. C:\WINDOWS\system32\ dmakl.exe C:\WINDOWS\system32\ FileOps.exe --------------------------- Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Standard CleanUp!" *Uncheck the following: -Delete Newsgroup cache -Delete Newsgroup Subscriptions -Scan local drives for temporary files Click OK Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted. Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility --------------------------- Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click Complete System Scan to begin scanning. Click OK when prompted to clean files With the first file it prompts to clean, select the option: "Perform action on all infections" Choose clean and click OK. Once finished, click the Save report button & save the report to your desktop Ewido scan would require at least an hour. Ewido is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner. --------------------------- Reboot into Normal Mode. --------------------------- Perform an online scan using Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Check Now & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Enter your e-mail address, country, and state & click Scan Now* ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and wants you to buy the program for removal as we will address this later. Click on see report. Then click Save report In your next reply, I will need the following: Ewido results Panda results New HijackThis log taken from Normal Mode __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-18-2006, 02:46 PM	#7 (permalink)
Raeral Registered User Join Date: Apr 2006 Location: Cambridge, UK Posts: 15 OS: XP Pro SP2 My System	I have carried out all your required tasks The results are as follows. Download Ewido Security Suite. - Done You will need to update Ewido to the latest definition files. - Done Download CleanUp! (Alternate Link if main link doesn't work) and install it. - Done Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.. - Done Click Start->Run - type SERVICES.MSC ... Ndlmsb0cfs...then click on the OK button. - Done. Note that the service was set to manual and was already stopped. Note also that the service name was the same as Ndlmsb0cfs. Next, start HiJackThis & go to Config>Misc.Tools...> Delete an NT service... In the popup box that appears, type in the Service Name you found in the General Tab for Ndlmsb0cfs. Click OK to allow reboot.. - Done Next, please reboot your computer in Safe Mode . - Done Go to My Computer->Tools->Folder Options->View tab: * Under the Hidden files and folders heading: * select Show hidden files and folders. * Uncheck Hide protected operating system files (recommended) option. Also, make sure there is no checkmark beside Hide file extensions for known file types. Click OK.. - Done - well, actually, all already set as directed Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any): O1 - Hosts: localhost 127.0.0.1 - Done O4 - HKLM\..\Run: [dmakl.exe] C:\WINDOWS\system32\dmakl.exe - Not present O23 - Service: Ndlmsb0cfs - Unknown owner - C:\WINDOWS\system32\FileOps.exe - Not present Click 'Fix Checked' and close HijackThis. - Done Delete the following Files if they still exist. C:\WINDOWS\system32\ dmakl.exe - Not present anywhere on C: or D: C:\WINDOWS\system32\ FileOps.exe - Done Open Cleanup...Scan local drives for temporary files - Done Run Ewido with it's updated definitions...Once finished, click the Save report button & save the report to your desktop - Done Reboot into Normal Mode. - Done Perform an online scan using Internet Explorer with Panda ActiveScan - Done Ewido results --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 20:30:09, 18/04/2006 + Report-Checksum: 35D43657 + Scan result: [204] VM_00D80000 -> Downloader.Agent.uj : Error during cleaning [228] VM_00C00000 -> Downloader.Agent.uj : Error during cleaning [860] VM_009E0000 -> Downloader.Agent.uj : Error during cleaning [1148] VM_003F0000 -> Downloader.Agent.uj : Error during cleaning :mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup :mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup :mozilla.16:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup :mozilla.17:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup :mozilla.22:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup :mozilla.30:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup :mozilla.37:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup :mozilla.38:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ads20.bpath[1].txt -> TrackingCookie.Bpath : Cleaned with backup C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ads20.bpath[2].txt -> TrackingCookie.Bpath : Cleaned with backup C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@com[1].txt -> TrackingCookie.Com : Cleaned with backup C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@com[3].txt -> TrackingCookie.Com : Cleaned with backup C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@cz7.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@image.masterstats[2].txt -> TrackingCookie.Masterstats : Cleaned with backup C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@image.masterstats[3].txt -> TrackingCookie.Masterstats : Cleaned with backup C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned with backup C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ivwbox[2].txt -> TrackingCookie.Ivwbox : Cleaned with backup C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@orf.oewabox[1].txt -> TrackingCookie.Oewabox : Cleaned with backup C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup C:\Program Files\TightVNC-unstable\VNCHooks.dll -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.1370 : Cleaned with backup C:\Program Files\TightVNC-unstable\WinVNC.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.1370 : Cleaned with backup ::Report End Panda results Incident Status Location Adware:adware/sbsoft Not disinfected C:\WINDOWS\rdt.ini Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2tr4u4k4.default\cookies.txt[] Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@atwola[1].txt Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ccbill[2].txt Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ccbill[3].txt Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@ccbill[4].txt Spyware:Cookie/go Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@go[2].txt Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@kinghost[1].txt Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@kinghost[2].txt Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@kinghost[3].txt Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@kinghost[4].txt Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@tucows[1].txt Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@xiti[1].txt Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\John\My Documents\profile\Cookies\jmccullough@xiti[2].txt Virus:W32/Netsky.AE.worm Disinfected Archive 2005\Personal Folders\Awaiting Archive\Undeliverable:Re: document_all\Re: document_all\document_hengul.zip.zip[data.rtf .scr] New HijackThis log taken from Normal Mode Logfile of HijackThis v1.99.1 Scan saved at 22:13:26, on 18/04/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\MSI\BToes Bluetooth Software\bin\btwdins.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\CA\eTrust Antivirus\InoRpc.exe C:\Program Files\CA\eTrust Antivirus\InoRT.exe C:\Program Files\CA\eTrust Antivirus\InoTask.exe C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\CA\ETRUST~1\realmon.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\MSI\BToes Bluetooth Software\BTTray.exe C:\WINDOWS\System32\svchost.exe C:\HJT\HijackThis.exe C:\WINDOWS\System32\wbem\wmiprvse.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [UniUploader] C:\Program Files\UniUploader\UniUploader.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: BTTray.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Add to Restricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: .allakhazam.com O15 - Trusted Zone: .bbc.co.uk O15 - Trusted Zone: .google.co.uk O15 - Trusted Zone: .msn.com O15 - Trusted Zone: http://www.std.com O15 - Trusted Zone: .wikipedia.org O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120738251782 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1120738438070 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadba...ivePreQual.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...39/mcfscan.cab O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\MSI\BToes Bluetooth Software\bin\btwdins.exe O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing) O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing) __________________ Raeral Stay cool, stay connected* Last edited by Raeral; 04-18-2006 at 02:49 PM.

04-17-2006, 05:44 AM	#2 (permalink)
nuttyape Registered User Join Date: Apr 2006 Location: london england Posts: 65 OS: windows xp proffesional	erm most porn sites we cant trust there softwear try not instaling them or at least make a restoree point before you do

04-18-2006, 05:39 PM	#8 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	Hi Raeral, Delete the following file: C:\WINDOWS\ rdt.ini If the above resists deletion, carry out the next set of instructions first, then boot into Safe Mode and delete the file. ******************************* You may want to print out these instructions for reference, since you will have to restart your computer during the fix. Please make sure you have an ACTIVE internet connection as the tool will need to download additional files and a program. Please download FixWareout from one of these sites: http://forums.subratam.org/index.php...=post&id=43811 http://swandog46.geekstogo.com/Fixwareout.exe Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is NORMAL. When your system reboots, follow the prompts. Afterwards, HijackThis will launch, Close HijackThis, and click OK to proceed. At the end of the fix, you may need to restart your computer again. Finally, please post the contents of the logfile C:fixwareoutreport.txt, along with a new HijackThis** log. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-19-2006, 07:33 AM	#10 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	Hi Raeral, It's important that I see the log from the FixWareout tool. Please post the fixwareoutreport.txt here, it will be located directly on C: __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-19-2006, 01:30 PM	#11 (permalink)
Raeral Registered User Join Date: Apr 2006 Location: Cambridge, UK Posts: 15 OS: XP Pro SP2 My System	Perhaps I misunderstood you. I thought you wished me to delete the file. If the file resists deletion, then use the fix tool. Please confirm my understanding is incorrect. You want me to delete the file AND use the fix tool. If I cant delete the file, use the tool first then delete the file. Sorry if I misundertsood you. Please confirm your intructions. (Sorry if Im being stupid here) __________________ Raeral Stay cool, stay connected

04-19-2006, 02:08 PM	#12 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	Hi, I'll be more clear. I was trying to save you a reboot. That was a 2-step process. I wanted you to delete that file first as I suspected it would delete quietly in Normal Mode, then you could move along smoothly to the FixWareOut instructions. The WareOut infection needs a specialty tool to clean it properly. So, you were correct in deleting that file, now we need to run the FixWareout tool. Post that log when you get it. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-19-2006, 04:52 PM	#13 (permalink)
Raeral Registered User Join Date: Apr 2006 Location: Cambridge, UK Posts: 15 OS: XP Pro SP2 My System	Hi Ried, :) No problem - my fault. I carried out your instructions as directed Delete ...rdt.ini and Run ...fixwareout.exe with the following results. Note that fixwareout did not run HJT as you suggest. That might be because I put hjt in c:\hjt, I dont know. Anyways, I ran an HJT as requested too. Fixwareout ver 1.003 Last edited 2/15/2006 Post this report in the forums please Reg Entries that were deleted HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif ... Microsoft (R) Windows Script Host Version 5.6 Random Runs removed from HKLM REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "dmakl.exe"=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS] ... PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. »»»»» Search by size and names... * csr.exe C:\WINDOWS\System32\CSNIL.EXE »»»»» Misc files »»»»» Checking for older varients covered by the Rem3 tool Logfile of HijackThis v1.99.1 Scan saved at 00:43:53, on 20/04/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\MSI\BToes Bluetooth Software\bin\btwdins.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\Program Files\CA\eTrust Antivirus\InoRpc.exe C:\Program Files\CA\eTrust Antivirus\InoRT.exe C:\Program Files\CA\eTrust Antivirus\InoTask.exe C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe C:\PROGRA~1\CA\ETRUST~1\realmon.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\MSI\BToes Bluetooth Software\BTTray.exe C:\HJT\HijackThis.exe C:\WINDOWS\system32\wuauclt.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: BTTray.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Add to Restricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll O9 - Extra button: Add to Trusted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\system32\webzone.dll O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\MSI\BToes Bluetooth Software\btsendto_ie.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: .allakhazam.com O15 - Trusted Zone: .bbc.co.uk O15 - Trusted Zone: .google.co.uk O15 - Trusted Zone: .msn.com O15 - Trusted Zone: .redfig.com O15 - Trusted Zone: .std.com O15 - Trusted Zone: .techsupportforum.com O15 - Trusted Zone: .wikipedia.org O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120738251782 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1120738438070 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadba...ivePreQual.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...39/mcfscan.cab O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\MSI\BToes Bluetooth Software\bin\btwdins.exe O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing) O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing) __________________ Raeral Stay cool, stay connected

04-19-2006, 05:38 PM	#14 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	Hi Raeral, Please copy these instructions to Notepad and save to your desktop for reference. -------------------------------- Reboot into Safe Mode. -------------------------------- Delete the following file: C:\WINDOWS\System32\ CSNIL.EXE -------------------------------- Run Cleanup! again using the following configuration: 1. Click Options... 2. Set the slider to Standard CleanUp! 3. Uncheck the following: Delete Newsgroup cache Delete Newsgroup Subscriptions Scan local drives for temporary files 4. Click OK 5. Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted. * CleanUp! will not create any backups!! -------------------------------- Run Ewido again with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click Complete System Scan to begin scanning. Click OK when prompted to clean files With the first file it prompts to clean, select the option: "Perform action on all infections" Choose clean and click OK. Once finished, click the Save report button & save the report to your desktop. -------------------------------- Reboot into Normal Mode. -------------------------------- Run another online scan at Panda and post the results here along with the Ewido results and a new HijackThis log. How is your system behaving now? __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-20-2006, 03:03 PM	#16 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 23,958 OS: WinXP and Vista	Hi Raeral, You most likely are experiencing quicker response from your computer. CleanUp is a great tool for cleaning out the junk that accumulates over time. Clear Internet Explorer Cookies: Launch Internet Explorer>Tools>Internet Options>Delete Cookies ******************************** Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links. Reset hidden/system files and folders Windows XP =============== Click Start*. Open My Computer. * Select the Tools menu and click Folder Options. * Select the View tab. * Deselect the Show hidden files and folders option. * Select the Hide file extensions for known types option. * Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Enable Windows Auto Update Go to Start>Run* - type wuaucpl.cpl Tick on the checkbox - "Keep my computer up to date" Under *Settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Create a new System Restore point* Click Start >> Run - type SYSDM.CPL & press Enter * Select the System Restore Tab * Tick on the checkbox - "Turn off System Restore on all drives" Click Apply * Then untick the same checkbox & click OK This will prevent any reinfection from previous restore points. In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles: HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER Understanding and Using Firewalls Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. More information and free downloads are available at the following links: Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items . Download Spyware Guard to catch and block spyware before it can execute. Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. This is a self-extracting .ZIP file, and save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD) From within the folder, double-click install.bat Select Option #2 - Install the new IE-SPYAD list, by typing 2 Then return to the main menu. Select option #4 - Add the old porn sites domain, by typing 4 Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

04-20-2006, 05:26 PM	#17 (permalink)
Raeral Registered User Join Date: Apr 2006 Location: Cambridge, UK Posts: 15 OS: XP Pro SP2 My System	Thank you - you have been so helpful. I will do this stuff tomorrow - Im tired and must get to bed. I have a few small questions which I will post after carrying out the above final taks. Thanks for your help so far. __________________ Raeral Stay cool, stay connected

04-20-2006, 10:11 PM	#18 (permalink)
Raeral Registered User Join Date: Apr 2006 Location: Cambridge, UK Posts: 15 OS: XP Pro SP2 My System	Hi Ried, I am very impressed with the support you have given me recently. If I was working, I would certainly provide a donation immediately. When I get a job, I will donate first thing I am able. In the meantime I have a further set of concerns/questions if you dont mind. Before posing these questions, I have carried out your recommended actions in your most recent post and have read all links (except the firewall one which I will read asap). One of your links recommended zone-alarm which I have downloaded and installed in place of the windows XP firewall. Anyway, here are my few questions: Prior to the infection, I had XP SP2 windows update set to auto-update Microsoft Firewall enable Current licenced & updated copy of CA Anti-trust anti-virus updated and regularly used Spybot S&D 1.4 Ad-Aware 6 (Since updated to Ad-Aware SE) Am NAT protected on my local home network I change my passwords regularly I use complex passwords and never re-use an admin password for a website I would like to have thought that I was well aware of the dangers etc yet I was still badly infected. Am I alone in my frustration that such malware is causing the community? Can I be reasonably sure there are no latent malware/viruses attached to trusted programs on my machine? Some of the programs that you have asked me to run retain parts of themselves on my machine. I dont know if such parts are active or not. For example, bitdefender v8. Is this normal? Should I leave these things still installed? Do they need to be maintained/updated? What other programs may still be running (other than ones you have recommended I instal such as those in your latest reply above) As stated earlier, I am very impressed with your service. I WILL be recommending you to my friends. Some of my friends will be able to donate for certain. Can I help my friends by contacting you on their behalf or must you deal with one person / one computer? I recently (after I partialy cleaned my system but before you thoroughly cleaned it) changed my local passwords. Should I change them again? Prior to the infection, I had got into the habit of using a local admin password as a standard account. I hope you agree that I should go back to using a non admin password for normal activities (its just that I hate the runas command but hey)? __________________ Raeral Stay cool, stay connected Last edited by Raeral; 04-20-2006 at 10:23 PM.

04-21-2006, 04:13 PM	#20 (permalink)
Raeral Registered User Join Date: Apr 2006 Location: Cambridge, UK Posts: 15 OS: XP Pro SP2 My System	Hi Ried, Your detailed reply is very useful. Thank you so much. Keep up the good work. Im am very very happy for you to put this thread in the resolved section. I assume I can reference it in the future if I need to. Ignore my question 4. I was simply trying to establish if there were any other latent programs (other than the BitDefender we discussed) that may be left after the clean. As I said, I read the links you asked me to read on 20/4/06 at 11:03 pm. As a result, I enabled the Spybot S&D 1.4 teatimer. On my system, it is eratic. For example, the dialogue box that results from a planned registry change does not allow me to allow the change - the dialogue box appears corrupt. I have therefore disabled teatimer. All other aspects of Spybot S&D 1.4 seem fine. There is no need to reply to this as I am perfectly happy. Im just pointing this out to you. I removed all entries from trusted sites according to your reommendations above. Thank you. Thank you once again. Please keep up the excellent work. __________________ Raeral Stay cool, stay connected