Under Safe Mode and with System Restore disabled, I scanned my PC with the following (all with the latest updates): AVG Free Edition v7.1.375; eWido v3.5; Spybot Search & Destroy v1.4; Ad-Aware SE Personal; Microsoft AntiSpyware Beta 1; CWShredder v2.19; Symantec W32.Blackmal.E Remover 1.0.1; Symantec W32.Blaster.Worm Fix Tool 1.0.6.1; Microsoft Windows Malicious Software Removal Tool vFeb 2006, and found nothing. I also scanned with Rootkit Revealer from Sysinternals and found nothing. SpywareBlaster v3.5.1 is also installed.
Logfile of HijackThis v1.99.1
Scan saved at 3:34:37 PM, on 3/17/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\carpserv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\InfoProcess\AntiHook\2.5\AntiHook.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator.NIATSCI-LYFFT7E\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Microsoft Configure 32] msgconfigre.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O5 "LPT1:" /M "Stylus C41"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!!!AntiHook] "C:\Program Files\InfoProcess\AntiHook\2.5\AntiHook.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S4C.tmp"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2005\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2005\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2005\\Parser.html
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8D910B0-E2B7-4815-8134-D083467AF167}: NameServer = 203.172.25.21 202.163.239.2
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CUG - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1.NIA\LOCALS~1\Temp\CUG.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: ITRB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1.NIA\LOCALS~1\Temp\ITRB.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: PPSPXEIOFKI - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1.NIA\LOCALS~1\Temp\PPSPXEIOFKI.exe
O23 - Service: SFUBOSPODBOQ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1.NIA\LOCALS~1\Temp\SFUBOSPODBOQ.exe
O23 - Service: V - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1.NIA\LOCALS~1\Temp\V.exe
O23 - Service: WNEOWU - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1.NIA\LOCALS~1\Temp\WNEOWU.exe
PLEASE ANALYZE MY HJT LOG FILE!
Started by allyssajoy3, Mar 17 2006 07:39 AM
5 replies to this topic
#1 OFFLINE
Posted 17 March 2006 - 07:39 AM
#2 OFFLINE
Posted 17 March 2006 - 09:51 AM
Hi allyssajoy3
You have signs of the RBot virus showing, but it may just be the startup entry that remains if you have run so many different protection programs.
I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
- Run Spybot-S&D
- Go to the Mode menu, and make sure "Advanced Mode" is selected
- On the left hand side, choose Tools -> Resident
- Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.
- Right-click on the Microsoft Anti-Spyware tray icon by your clock (it's the one with the red and yellow bullseye).
- Click on "Security Agents Status".
- Click on "Disable real-time protection".
You can re-enable Microsoft Anti-Spyware once the system is clean.
O4 - HKLM\..\Run: [Microsoft Configure 32] msgconfigre.exe
Close all open browser and other windows except for HijackThis and press the Fix Checked button.
Next, search for this file.
Go to Start Menu > Search > click All Files and Folders, scroll down to More Advanced Options (the last option), click that, and then make sure there is a check next to Search System Folders, Search Hidden Files and Folders, and Search Subfolders.
Once they are enabled, scroll back up to the "All or part of the file name:" box and enter this:
msgconfigre.exe
Press Search and delete any that are found by right-clicking the file in the results pane on the right and choosing Delete.
Can you also confirm that your Internet Service Provider is based in the Philippines?
You really need to update your system, as it's wide open to attacks in its current state. Please visit http://windowsupdate.microsoft.com. Download all the critical updates for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. This may require you to reboot and revisit Windows Update again to get the remaining updates. Please follow the prompts on the Windows Update site and keep revisiting until there are no more updates available.
Your current versions are outdated. I cannot stress enough how important this is.
Do not get Service Pack 2 at this stage, until we are sure the system is clean, but do get Service Pack 1 and all the security updates.
Rootkit Revealer should run and then remove its own service, but if it has any problems and hangs then the services can get left on the system. You have a few of these services, so we can remove them now.
Open Notepad (Start menu > Run > type notepad and press OK), then copy and paste the contents of the code box below into Notepad:
sc stop CUG
sc delete CUG
sc stop ITRB
sc delete ITRB
sc stop PPSPXEIOFKI
sc delete PPSPXEIOFKI
sc stop SFUBOSPODBOQ
sc delete SFUBOSPODBOQ
sc stop V
sc delete V
sc stop WNEOWU
sc delete WNEOWU
Go to File on the top bar of Notepad and choose Save As; under Save As Type change it to All Files, name it remove.bat, then save it to your desktop. Double-click remove.bat to remove the services. (The cmd screen will just flash on then off, and it's then finished.)
Finally, run Panda ActiveScan from Here.
Once you are on the Panda site, click the Scan your PC button.
- A new window will open; click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click Send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component, allow it
- It will start downloading the files it requires for the scan
(Note: it may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report, and save it to a convenient location so you can post it back.
Please post back the Pandascan log and a new HijackThis log.
Cheers, Andy
#3 OFFLINE
Posted 20 March 2006 - 08:30 AM
AndyManchesta, on Mar 17 2006, 05:51 PM, said:
Hi allyssajoy3
You have signs of the RBot virus showing, but it may just be the startup entry that remains if you have run so many different protection programs.
I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
- Run Spybot-S&D
- Go to the Mode menu, and make sure "Advanced Mode" is selected
- On the left hand side, choose Tools -> Resident
- Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.
- Right-click on the Microsoft Anti-Spyware tray icon by your clock (it's the one with the red and yellow bullseye).
- Click on "Security Agents Status".
- Click on "Disable real-time protection".
You can re-enable Microsoft Anti-Spyware once the system is clean.
O4 - HKLM\..\Run: [Microsoft Configure 32] msgconfigre.exe
Close all open browser and other windows except for HijackThis and press the Fix Checked button.
Next, search for this file.
Go to Start Menu > Search > click All Files and Folders, scroll down to More Advanced Options (the last option), click that, and then make sure there is a check next to Search System Folders, Search Hidden Files and Folders, and Search Subfolders.
Once they are enabled, scroll back up to the "All or part of the file name:" box and enter this:
msgconfigre.exe
Press Search and delete any that are found by right-clicking the file in the results pane on the right and choosing Delete.
Can you also confirm that your Internet Service Provider is based in the Philippines?
You really need to update your system, as it's wide open to attacks in its current state. Please visit http://windowsupdate.microsoft.com. Download all the critical updates for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. This may require you to reboot and revisit Windows Update again to get the remaining updates. Please follow the prompts on the Windows Update site and keep revisiting until there are no more updates available.
Your current versions are outdated. I cannot stress enough how important this is.
Do not get Service Pack 2 at this stage, until we are sure the system is clean, but do get Service Pack 1 and all the security updates.
Rootkit Revealer should run and then remove its own service, but if it has any problems and hangs then the services can get left on the system. You have a few of these services, so we can remove them now.
Open Notepad (Start menu > Run > type notepad and press OK), then copy and paste the contents of the code box below into Notepad:
sc stop CUG
sc delete CUG
sc stop ITRB
sc delete ITRB
sc stop PPSPXEIOFKI
sc delete PPSPXEIOFKI
sc stop SFUBOSPODBOQ
sc delete SFUBOSPODBOQ
sc stop V
sc delete V
sc stop WNEOWU
sc delete WNEOWU
Go to File on the top bar of Notepad and choose Save As; under Save As Type change it to All Files, name it remove.bat, then save it to your desktop. Double-click remove.bat to remove the services. (The cmd screen will just flash on then off, and it's then finished.)
Finally, run Panda ActiveScan from Here.
Once you are on the Panda site, click the Scan your PC button.
- A new window will open; click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click Send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component, allow it
- It will start downloading the files it requires for the scan
(Note: it may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report, and save it to a convenient location so you can post it back.
Please post back the Pandascan log and a new HijackThis log.
Cheers, Andy
I did what you had instructed me to do: unchecked Spybot's Resident TeaTimer, and disabled Microsoft's real-time protection. However, "msgconfigre.exe" could not be found when I searched my PC. As to my ISP, yes, it is based in the Philippines. Kindly educate me on this: "Rootkit Revealer should run and then remove its own service but if it has any problems and hangs then the services can get left on the system, you have a few of these services so we can remove them now."
I also did what you told me to do in Notepad, and hereunder is the Pandascan log and a new HJT log.
Incident Status Location
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\JOSIE\Cookies\josie@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\JOSIE\Cookies\josie@dist.belnk[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\JOSIE\Application Data\Mozilla\Firefox\Profiles\zne5apso.default\cookies.txt[]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Josie.NIATSCI-LYFFT7E\Cookies\josie@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Josie.NIATSCI-LYFFT7E\Cookies\josie@dist.belnk[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Josie.NIATSCI-LYFFT7E\Cookies\josie@adultfriendfinder[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Josie.NIATSCI-LYFFT7E\Application Data\Mozilla\Firefox\Profiles\xji5pkyl.default\cookies.txt[]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator.NIATSCI-LYFFT7E\My Documents\My Music\sheenae\Cookies\sheenae@dist.belnk[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator.NIATSCI-LYFFT7E\My Documents\My Music\sheenae\Cookies\sheenae@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator.NIATSCI-LYFFT7E\Cookies\administrator@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator.NIATSCI-LYFFT7E\Cookies\administrator@dist.belnk[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Administrator.NIATSCI-LYFFT7E\Application Data\Mozilla\Firefox\Profiles\igw7o8dk.default\cookies.txt[]
Virus:W32/Sdbot.ftp Not disinfected C:\WINDOWS\system32\i
Virus:W32/Sdbot.FLI.worm Not disinfected C:\WINDOWS\system32\eraseme_72886.exe
Spyware:Cookie/Versiontracker Not disinfected C:\FOUND.064\FILE0000.CHK[]
Logfile of HijackThis v1.99.1
Scan saved at 4:03:22 PM, on 3/20/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\InfoProcess\AntiHook\2.5\AntiHook.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Documents and Settings\Administrator.NIATSCI-LYFFT7E\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O5 "LPT1:" /M "Stylus C41"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!!!AntiHook] "C:\Program Files\InfoProcess\AntiHook\2.5\AntiHook.exe"
O4 - HKCU\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S4C.tmp"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download using LeechGet - file://C:\Program Files\LeechGet 2005\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://C:\Program Files\LeechGet 2005\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Parse with LeechGet - file://C:\Program Files\LeechGet 2005\\Parser.html
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8D910B0-E2B7-4815-8134-D083467AF167}: NameServer = 203.172.25.21 202.163.239.2
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
#4 OFFLINE
Posted 20 March 2006 - 09:42 AM
Hi again allyssajoy3
Sysinternals Rootkit Revealer creates random named services before it scans and then should remove the service when the scan is finished. It uses random names to prevent any malware being able to stop or close the program when it scans. In your original log you had alot of these random named services still on the system, Here was the entries in the log
So all you did by running the code in Notepad was stop and remove each of the above services
The RBot virus has been found on your system so we should run another scanner once you have removed the files below to be sure there isnt more traces of the infection. If you cannot find the file msgconfigre.exe then its likely its already removed itself after creating the other virus files or another scanner has detected it and removed the file. Having the 04 - HKLM\..\Run: [Microsoft Configure 32] msgconfigre.exe line show in Hijack This doesnt always mean the file will still be there, Hijack This is listing the run keys in the registry so that file has been run on the system at some stage and may of left the run key entry in place.
You will need to set Windows to show hidden files and folders before searching for these files (If you have any problems let me know and I can make a small batch script to remove them for you)
To enable hidden files:
Click Start. Goto MyComputer then c:\drive
Select the Tools menu from the top bar and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
UnCheck the "Hide protected operating system files (recommended) " option.
Click Yes to confirm then OK
Set this back once you have removed the files by opening the same page and pressing the restore defaults button.
Next Delete these files:
C:\WINDOWS\system32\i <--This maybe a file or folder so check for both
C:\WINDOWS\system32\eraseme_72886.exe <--Delete this file
You can then Set windows Folder options to default as explained above then re-enable Microsoft Antispyware and Spybots Real Time protection.
Just to be sure its now clean can you please run this final Online scanner and post back the log it produces (This scan will take along time but its very thorough and precise).
Run Kaspersky WebScanner
Please post the Kaspersky scan log and that will show if there is any remaining issues on the system.
Here is some information of the Virus files that Pandascan found:
Sdbot.FLI & Sdbot.ftp
It appears it was able to detect your system is vulnerable and then infect it, so its important you upgrade your system via Windows Updates as explained in my first reply. If its not a genuine Windows installation then the pc will keep having malware problems untill you are able to upgrade. If you bought the cd and then found out later its not genuine then you can report the supplier to Microsoft and they will replace it with a genuine disk if they can take some action against the person who gave it to you.
Regards
Andy
Sysinternals Rootkit Revealer creates random named services before it scans and then should remove the service when the scan is finished. It uses random names to prevent any malware being able to stop or close the program when it scans. In your original log you had alot of these random named services still on the system, Here was the entries in the log
O23 - Service: CUG - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1.NIA\LOCALS~1\Temp\CUG.exe O23 - Service: ITRB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1.NIA\LOCALS~1\Temp\ITRB.exe O23 - Service: PPSPXEIOFKI - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1.NIA\LOCALS~1\Temp\PPSPXEIOFKI.exe O23 - Service: SFUBOSPODBOQ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1.NIA\LOCALS~1\Temp\SFUBOSPODBOQ.exe O23 - Service: V - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1.NIA\LOCALS~1\Temp\V.exe O23 - Service: WNEOWU - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1.NIA\LOCALS~1\Temp\WNEOWU.exe
So all you did by running the code in Notepad was stop and remove each of the above services
The RBot virus has been found on your system, so we should run another scanner once you have removed the files below to be sure there aren't more traces of the infection. If you cannot find the file msgconfigre.exe then it's likely it has already removed itself after creating the other virus files, or another scanner has detected it and removed the file. Having the O4 - HKLM\..\Run: [Microsoft Configure 32] msgconfigre.exe line show in HijackThis doesn't always mean the file will still be there; HijackThis is listing the run keys in the registry, so that file has been run on the system at some stage and may have left the run key entry in place.
You will need to set Windows to show hidden files and folders before searching for these files (if you have any problems, let me know and I can make a small batch script to remove them for you).
To enable hidden files:
Click Start. Go to My Computer, then the C:\ drive.
Select the Tools menu from the top bar and click Folder Options. Select the View tab.
Under the "Hidden files and folders" heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Click Yes to confirm, then OK.
Set this back once you have removed the files by opening the same page and pressing the Restore Defaults button.
Next, delete these files:
C:\WINDOWS\system32\i <-- This may be a file or a folder, so check for both
C:\WINDOWS\system32\eraseme_72886.exe <-- Delete this file
You can then set the Windows Folder Options back to default as explained above, then re-enable Microsoft AntiSpyware and Spybot's real-time protection.
Just to be sure it's now clean, can you please run this final online scanner and post back the log it produces (this scan will take a long time, but it's very thorough and precise).
Run Kaspersky WebScanner
- Please go HERE and click Kaspersky Online Scanner
- Read and Accept the Agreement
- You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
- If you see a Windows dialog asking if you want to install this software, click the Install button.
- The program will launch and then begin downloading the latest definition files,
- When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
- Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
- Under "Please select a target to scan:", click My Computer to start the scan.
- When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
Please post the Kaspersky scan log and that will show if there are any remaining issues on the system.
Here is some information on the virus files that Pandascan found:
Sdbot.FLI & Sdbot.ftp
It appears it was able to detect that your system is vulnerable and then infect it, so it's important you upgrade your system via Windows Update as explained in my first reply. If it's not a genuine Windows installation then the PC will keep having malware problems until you are able to upgrade. If you bought the CD and then found out later it's not genuine, then you can report the supplier to Microsoft and they will replace it with a genuine disk if they can take some action against the person who gave it to you.
Regards
Andy
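An added example, not code from this thread: a small Python script that parses HijackThis O23 (service) lines in the layout shown in the post above and flags services whose binary sits in a Temp folder under a random-looking name, which is what an interrupted Rootkit Revealer scan leaves behind. The sample log lines are constructed from two entries in this thread plus a constructed AVG service line and an O4 run key that should be ignored.

```python
import re
from typing import Dict, List

# HijackThis O23 layout as shown in the thread: "O23 - Service: NAME - vendor text - DRIVE:\path\file.exe"
O23_RE = re.compile(r"^O23 - Service: (?P<head>.+?) - (?P<path>[A-Za-z]:\\.+)$")
# Rootkit Revealer names its temporary service with a short run of random upper-case letters
RANDOM_NAME_RE = re.compile(r"^[A-Z]{1,16}$")

# Constructed sample: two entries from this thread, one constructed normal AVG service line,
# and one O4 run key that is not a service and must be skipped
SAMPLE_LOG = """\
O23 - Service: CUG - Sysinternals - www.sysinternals.com - C:\\DOCUME~1\\ADMINI~1.NIA\\LOCALS~1\\Temp\\CUG.exe
O23 - Service: PPSPXEIOFKI - Sysinternals - www.sysinternals.com - C:\\DOCUME~1\\ADMINI~1.NIA\\LOCALS~1\\Temp\\PPSPXEIOFKI.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgamsvr.exe
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
"""

def parse_o23(log_text: str) -> List[Dict[str, str]]:
    """Return the service name and binary path of every O23 line in the log."""
    services = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue  # O4 run keys and other sections are not services
        name = m.group("head").split(" - ", 1)[0]  # text before the first " - " is the service name
        services.append({"name": name, "path": m.group("path")})
    return services

def leftover_rkr_services(services: List[Dict[str, str]]) -> List[str]:
    """Names of services that look like orphaned Rootkit Revealer scan services."""
    flagged = []
    for svc in services:
        path = svc["path"]
        exe = path.rsplit("\\", 1)[-1]
        stem, _, ext = exe.rpartition(".")
        in_temp = "\\temp\\" in path.lower()  # binary lives in a user's Temp folder
        if in_temp and ext.lower() == "exe" and stem == svc["name"] and RANDOM_NAME_RE.match(stem):
            flagged.append(svc["name"])
    return flagged

def cleanup_commands(names: List[str]) -> List[str]:
    """One stop-then-delete pair per orphaned service, as the thread's Notepad batch did."""
    return [c for n in names for c in (f"sc stop {n}", f"sc delete {n}")]

if __name__ == "__main__":
    orphaned = leftover_rkr_services(parse_o23(SAMPLE_LOG))
    print("orphaned services:", orphaned)
    print("\n".join(cleanup_commands(orphaned)))
```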
#5 OFFLINE
Posted 23 March 2006 - 05:13 AM
Good afternoon, Mr. Andy,
I did the following: To enable hidden files:
Click Start. Go to My Computer, then the C:\ drive.
Select the Tools menu from the top bar and click Folder Options. Select the View tab.
Under the "Hidden files and folders" heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Click Yes to confirm, then OK.
Set this back once you have removed the files by opening the same page and pressing the Restore Defaults button.
Next, delete these files:
C:\WINDOWS\system32\i <-- This may be a file or a folder, so check for both
C:\WINDOWS\system32\eraseme_72886.exe <-- Delete this file
but I could not find these 2 above files you want me to delete. What I did was search via Start > Search > All files and folders, and I was able to find "eraseme_72886.exe" and deleted it.
And when I tried to download the ActiveX component of the Kaspersky online scanner this was what I got: "Failed to load Kaspersky online scanner ActiveX control! You must have administrator rights on this computer; you also must have the IE security settings to the Medium Level."
I own this PC so I have the administrator rights and when I checked the security settings under the Internet Options > Internet properties> securities, it is set to Medium.
Please guide me on this. Also, can I now upgrade to SP1 even without first knowing the result of the Kaspersky online scan assuming that you could help me how to do this?
#6 OFFLINE
Posted 23 March 2006 - 05:03 PM
Hi Allyssajoy3
It's likely some of the infections have caused some damage on your system, but you will be able to upgrade to SP1 even if the system still has problems. It's SP2 that we need to hold off on for now until we are sure the system is clean. Update Ewido and run a complete system scan, then run Ad-Aware SE on a full system scan and remove anything found.
Then open an IE browser window, go to Tools on the top bar, then Internet Options.
- Go to the Advanced tab and press Restore Defaults.
- Go to the Security tab and press Custom Level, then press Reset and Yes on the pop-up confirmation box, then press OK to close the Security Settings screen.
- Go to the General tab and press Delete Cookies and OK to confirm, then press Delete Files, place a check next to Delete All Offline Content, then press OK.
- Finally, press the Apply button, then press OK to close the Internet Options screen.
Cheers
Andy