# Solved: Wareout.exe Virus/Spyware Package



## Crowfoot (Jul 2, 2005)

Once again I have contracted another nasty package of junk that I'm unable to remove, so I'd very much appreciate your valuable assistance.

I've run a virus scan with both Anti Virus Guard and Panda On-line Virus Scan, and ran Ad Aware, which got rid of some but not all of the problems. I also tried to run Spybot and Search and Destroy but the programs will no longer function.

When using IE 6.0 and particularly when using Google hot links I get redirected to various other sites I had no intention of going to.

Attached is a Hijack This log for your perusal:

Logfile of HijackThis v1.99.1
Scan saved at 4:01:44 AM, on 8/19/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\HIJACK THIS\HIJACKTHIS NEW 062505.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.158,85.255.112.8

Thank you in advance for your anticipated reply.

Crowfoot
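The three entries in that log that matter most are the R1 proxy forced onto Internet Explorer, the O17 NameServer line (the rogue resolvers that redirect Google links), and the two SearchToolbar entries whose DLL is gone. As an added example that is not part of the original post, the script below parses the log lines quoted from it and flags those three indicators. The `trusted_resolvers` argument (the resolvers the ISP actually issued) is hypothetical; the thread never establishes them. The 85.255.112.0/20 range is the only rogue DNS range the script knows; it was one of the resolver ranges used by the DNSChanger (Rove Digital) operation, and a real check would load a maintained list instead.

```python
import ipaddress
import re

# HijackThis entries copied from the log in the post above; only the entry
# types this script inspects (R1, O2, O3, O17) plus R0 for contrast.
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.158,85.255.112.8
"""

ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")

# 85.255.112.0/20 was one of the rogue resolver ranges of the DNSChanger
# (Rove Digital) operation taken down in the FBI's Operation Ghost Click.
# It is the only range this example knows; load a maintained list for real use.
KNOWN_ROGUE_DNS = [ipaddress.ip_network("85.255.112.0/20")]


def parse_hjt(text):
    """Split a HijackThis log into (entry type, entry body) pairs."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def audit_hjt(text, trusted_resolvers=()):
    """Return (type, value, reason) findings for the three hijack indicators in
    the log above: a proxy forced onto IE, resolvers the owner did not
    configure, and BHO/toolbar CLSIDs whose DLL no longer exists.

    trusted_resolvers: networks the ISP actually issued (hypothetical; the
    thread never establishes them). Empty means "flag every resolver".
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_resolvers]
    findings = []
    for kind, body in parse_hjt(text):
        if kind == "R1" and "ProxyServer" in body:
            proxy = body.split("=", 1)[1].strip()
            host = proxy.rsplit(":", 1)[0]
            try:
                ipaddress.ip_address(host)
                reason = "IE proxy set to a bare IP; all browser traffic is relayed through it"
            except ValueError:
                # "http=host:port;https=..." lists land here too
                reason = "IE proxy configured; confirm the owner set it"
            findings.append((kind, proxy, reason))
        elif kind == "O17" and "NameServer" in body:
            for ns in body.split("=", 1)[1].split(","):
                ns = ns.strip()
                try:
                    ip = ipaddress.ip_address(ns)
                except ValueError:
                    findings.append((kind, ns, "resolver is not an IP literal"))
                    continue
                if any(ip in net for net in KNOWN_ROGUE_DNS):
                    findings.append((kind, ns, "resolver inside a known rogue DNS range"))
                elif not any(ip in net for net in trusted):
                    findings.append((kind, ns, "resolver not in the trusted list"))
        elif kind in ("O2", "O3") and body.rstrip().endswith("(no file)"):
            m = CLSID_RE.search(body)
            clsid = m.group(0) if m else body
            findings.append((kind, clsid, "BHO/toolbar registered but its DLL is missing (orphaned CLSID)"))
    return findings


if __name__ == "__main__":
    for kind, value, reason in audit_hjt(HJT_LOG):
        print(f"{kind:4} {value:45} {reason}")
```

Run with no trusted list to see every resolver flagged; pass the ISP's own ranges as `trusted_resolvers` and only the rogue one remains. A proxy entry is reported even when it is a hostname, because on a home machine a proxy the owner did not configure is the finding regardless of where it points.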


----------



## khazars (Feb 15, 2004)

hi, welcome to TSG.

download a new spybot and run it in safe mode

where is wareout.exe being found and by what programme?

*Download Cleanup from Here

http://www.stevengould.org/software/cleanup/

* A window will open and choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on Cleanup40.exe icon.
* Then, click RUN and place a checkmark beside "I Agree"
* Then click NEXT followed by START and OK.
* A window will appear with many choices, keep all the defaults as set 
when the Slide Bar to the left is set to Standard Quality.
* Click OK
* DO NOT RUN IT YET

go to this site and download these tools and once you get both
adaware Se 1.6 and spybot, update both of them.

Set adaware to do a full system scan and deselect, "search for negligible risk 
entries". Click next to start the scan. Delete everything adaware finds.

reboot and now run spybot

Spybot: Search and destroy.

Delete what spybot finds marked in red. After updating spybot hit the 
immunize button.

reboot again

All tools can be downloaded at the link below and found on that page!

. SpyBot search and destroy
. AdAware SE

http://www.majorgeeks.com/downloads31.html

have hijack this fix these entries.

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)

Now run cleanup

Run an online antivirus check from

http://www.kaspersky.com/virusscanner

you will need to input a name
and email address but anyone will do & then accept an ActiveX control IT IS 
SAFE to do so LET IT FIX WHATEVER IT FINDS

Run ActiveScan online virus scan here

http://www.pandasoftware.com/activescan/

When the scan is finished, anything that it cannot clean have it delete it. 
Make a note of the file location of anything that cannot be deleted so you 
can delete it yourself.
- Save the results from the scan!

paste another log and the active scan log


----------



## Crowfoot (Jul 2, 2005)

Hello khazars, 

The wareout.exe file is in my start up menu and I have disabled it. As well, I uninstalled the Wareout Program from the Program Files with the Add/Remove Programs function in the Control Panel. 

I will do what you suggested and post the logs when completed. 

Thanks for your help! 

Crowfoot


----------



## khazars (Feb 15, 2004)

yes, but where is wareout.exe's location, 

C:\windows or
C:\windows\system ?


----------



## Crowfoot (Jul 2, 2005)

I just did a file search and I no longer have a wareout.exe file in the directory! 

After running Ad Aware and Spybot, which had a reference to "Wareout" that was successfully removed along with a bunch of other junk, there no longer appears to be such a file. Or, perhaps it was removed successfully on the uninstall I did earlier but still remained in the Start Up Menu for some unknown reason. It still shows up in the Start Up Menu currently as: 

"C:\Program Files\WareOut\WareOut.exe" 

Presently my anti virus is still advising of two trojans: 

1) DMVWH.EXE ie.) DNSChanger.S.1.B 
2) DMHQE.EXE ie.) DNSChanger.S.1.B 

I will continue with your earlier instructions and hopefully these will be removed with the virus scans I will be doing. I will post the logs mentioned when I'm finished. 

Regards, 

Crowfoot


----------



## khazars (Feb 15, 2004)

ok, delete that folder

C:\Program Files\WareOut

where does it say these dudes reside?

1) DMVWH.EXE ie.) DNSChanger.S.1.B
2) DMHQE.EXE ie.) DNSChanger.S.1.B

Wait and see what Kaspersky and active scan find, post their logs as they are good at finding hidden baddies.

In the meantime download the killbox!

Download the pocket killbox

http://www.bleepingcomputer.com/files/killbox.php


----------



## Crowfoot (Jul 2, 2005)

Both .exe files are in the C:\WINDOWS\SYSTEMS directory. 

As well, I still have the Killbox program on my system from an earlier problem I had with the SmitFraud virus which was successfully resolved. 

After running the virus scans do you want me to run the Killbox program before posting the logs? 

Crowfoot


----------



## khazars (Feb 15, 2004)

no, post the anti virus logs first, we want to see what they say.

upload those files to here and see what they say about them? 
post the results back with the kaspersky and active scan logs!

http://www.virustotal.com/flash/index_en.html

ok, i have googled them and they are bad, only 1 reference to the 2nd and nothing on the first, you can use the killbox on them if you know how and know the full path?


----------



## Crowfoot (Jul 2, 2005)

Two additional trojans are now being flagged by my anti virus program: 

1) C:\WINDOWS\SYSTEM\HCLEAN32.EXE ie) Qhost.QR 

2) C:\WINDOWS\SYSTEM\RDSNDIN.EXE ie) Click.526 

I will send these along with the other two trojans to the site indicated and await a reply which I will post along with the indicated logs once everything is received and completed. 

I'm not that familiar with Killbox so I think it's best to wait until everything else is completed prior to moving on to this step. 

Crowfoot


----------



## khazars (Feb 15, 2004)

ok, just get the kaspersky and active scans done and post a hijack this log!


----------



## Crowfoot (Jul 2, 2005)

OK,

I sent an email to virustotal.com with an accompanying link to this thread regarding the 4 trojan files and our correspondence. I just received a reply that I didn't send any attachments (which I didn't send because I'm not sure what it is I'm supposed to attach.) Do I send them the 4 C:\WINDOWS\SYSTEM trojan files in the attachment???

Here is a copy of the email I sent them:

The good people at Techguys.org advised me to send you these files for
analysis with regards to an infection we are trying to correct
associated with the Wareout virus/ spyware package that has infected my
computer. The thread in which this problem is being addressed is as
follows:

http://forums.techguy.org/showthread.php?p=2877646#post2877646

The files in question are as follows:

1) DMVWH.EXE ie.) DNSChanger.S.1.B
2) DMHQE.EXE ie.) DNSChanger.S.1.B
3) HCLEAN32.EXE ie) Qhost.QR
4) RDSNDIN.EXE ie) Click.526

All files are located in my C:\WINDOWS\SYSTEM directory and any light
you may be able to shed on them would be greatly appreciated.

Thank you in advance for your assistance.

Are they able to scan these files directly from my computer with the requested attachment???


----------



## khazars (Feb 15, 2004)

Hmm, you just go into the VirusTotal site and at the top of the page you'll see a box with browse, you click browse and point it to your Windows\system folder or wherever the files are stored on your pc, and then you click send and wait for the results! Do it one at a time and wait for the results of the first one before moving on to the second file; copy and paste the results here!

It's quite easy!


----------



## khazars (Feb 15, 2004)

ok, forget the virus total thing, we know they are all bad! 
What I need you to do is tell me exactly where all these 4 files are being found?

1) DMVWH.EXE ie.) DNSChanger.S.1.B
2) DMHQE.EXE ie.) DNSChanger.S.1.B
3) HCLEAN32.EXE ie) Qhost.QR
4) RDSNDIN.EXE ie) Click.526


Are they all in the :

c:\windows\system ?


----------



## Crowfoot (Jul 2, 2005)

Hello khazars,

I did a file search for both HCLEAN32.EXE and RDSNDIN.EXE and they are not in my system directory. Two previously unmentioned Trojans were picked up by Kaspersky: csfvo.exe and csfot.exe, which I suspect may be disguised as the HCLEAN32.EXE and RDSNDIN.EXE files that my anti virus program tells me are causing part of the overall infection.

I've generated reports from VirusTotal.com on the 4 Trojans Kaspersky has reported as follows:

1) This is a report processed by VirusTotal on 08/19/2005 at 19:38:11 (CET) after scanning the file "dmvwh.exe" file.

Antivirus	Version	Update	Result
AntiVir	6.31.1.0	08.19.2005	TR/DNSChanger.S.1.B
Avast	4.6.695.0	08.19.2005	Win32:Vidlo-H
AVG	718	08.19.2005	no virus found
Avira	6.31.1.0	08.19.2005	TR/DNSChanger.S.1.B
BitDefender	7.0	08.19.2005	no virus found
CAT-QuickHeal	7.03	08.19.2005	TrojanDropper.Vidro.u
ClamAV	devel-20050725	08.18.2005	no virus found
DrWeb	4.32b	08.19.2005	Trojan.Ysearch
eTrust-Iris	7.1.194.0	08.18.2005	no virus found
eTrust-Vet	11.9.1.0	08.19.2005	Win32.Alureon
Fortinet	2.41.0.0	08.18.2005	W32/Vidro.U-tr
F-Prot	3.16c	08.19.2005	no virus found
Ikarus	0.2.59.0	08.19.2005	no virus found
Kaspersky	4.0.2.24	08.19.2005	Trojan-Dropper.Win32.Vidro.u
McAfee	4563	08.19.2005	MultiDropper-NW
NOD32v2	1.1197	08.18.2005	Win32/TrojanDropper.Vidro.U
Norman	5.70.10	08.18.2005	no virus found
Panda	8.02.00	08.19.2005	Trj/Troiram.A
Sophos	3.96.0	08.19.2005	no virus found
Sybari	7.5.1314	08.19.2005	Trojan-Dropper.Win32.Vidro.u
Symantec	8.0	08.18.2005	no virus found
TheHacker	5.8.2.091	08.18.2005	Trojan/Dropper.Vidro.u
VBA32	3.10.4	08.19.2005	Trojan.Ysearch

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

2) This is a report processed by VirusTotal on 08/19/2005 at 19:33:28 (CET) after scanning the file "dmhqe.exe" file.

Antivirus	Version	Update	Result
AntiVir	6.31.1.0	08.19.2005	TR/DNSChanger.S.1.B
Avast	4.6.695.0	08.19.2005	Win32:Vidlo-H
AVG	718	08.19.2005	no virus found
Avira	6.31.1.0	08.19.2005	TR/DNSChanger.S.1.B
BitDefender	7.0	08.19.2005	no virus found
CAT-QuickHeal	7.03	08.19.2005	TrojanDropper.Vidro.u
ClamAV	devel-20050725	08.18.2005	no virus found
DrWeb	4.32b	08.19.2005	Trojan.Ysearch
eTrust-Iris	7.1.194.0	08.18.2005	no virus found
eTrust-Vet	11.9.1.0	08.19.2005	Win32.Alureon
Fortinet	2.41.0.0	08.18.2005	W32/Vidro.U-tr
F-Prot	3.16c	08.19.2005	no virus found
Ikarus	0.2.59.0	08.19.2005	no virus found
Kaspersky	4.0.2.24	08.19.2005	Trojan-Dropper.Win32.Vidro.u
McAfee	4563	08.19.2005	MultiDropper-NW
NOD32v2	1.1197	08.18.2005	Win32/TrojanDropper.Vidro.U
Norman	5.70.10	08.18.2005	no virus found
Panda	8.02.00	08.19.2005	Trj/Troiram.A
Sophos	3.96.0	08.19.2005	no virus found
Sybari	7.5.1314	08.19.2005	Trojan-Dropper.Win32.Vidro.u
TheHacker	5.8.2.091	08.18.2005	Trojan/Dropper.Vidro.u
VBA32	3.10.4	08.19.2005	Trojan.Ysearch


3) This is a report processed by VirusTotal on 08/19/2005 at 20:07:46 (CET) after scanning the file "csfot.exe" file.

Antivirus	Version	Update	Result
AntiVir	6.31.1.0	08.19.2005	no virus found
Avast	4.6.695.0	08.19.2005	Win32:Vidlo-H
AVG	718	08.19.2005	Dropper.Generic.MK
Avira	6.31.1.0	08.19.2005	no virus found
BitDefender	7.0	08.19.2005	Trojan.Dropper.Vidro.U
CAT-QuickHeal	7.03	08.19.2005	(Suspicious) - DNAScan
ClamAV	devel-20050725	08.18.2005	no virus found
DrWeb	4.32b	08.19.2005	no virus found
eTrust-Iris	7.1.194.0	08.18.2005	no virus found
eTrust-Vet	11.9.1.0	08.19.2005	Win32.Alureon
Fortinet	2.41.0.0	08.18.2005	W32/Vidro.U-tr
F-Prot	3.16c	08.19.2005	dropper for W32/[email protected]
Ikarus	0.2.59.0	08.19.2005	no virus found
Kaspersky	4.0.2.24	08.19.2005	Trojan-Dropper.Win32.Vidro.u
McAfee	4563	08.19.2005	MultiDropper-NW
NOD32v2	1.1197	08.18.2005	probably unknown WIN32 virus
Norman	5.70.10	08.18.2005	no virus found
Panda	8.02.00	08.19.2005	Trj/DelCache.A
Sophos	3.96.0	08.19.2005	no virus found
Sybari	7.5.1314	08.19.2005	MultiDropper-NW
Symantec	8.0	08.18.2005	no virus found
TheHacker	5.8.2.091	08.18.2005	Trojan/Dropper.Vidro.u
VBA32	3.10.4	08.19.2005	Trojan-Dropper.Win32.Vidro.u


4) This is a report processed by VirusTotal on 08/19/2005 at 20:12:51 (CET) after scanning the file "csfvo.exe" file.

Antivirus	Version	Update	Result
AntiVir	6.31.1.0	08.19.2005	no virus found
Avast	4.6.695.0	08.19.2005	Win32:Vidlo-H
AVG	718	08.19.2005	Dropper.Generic.MK
Avira	6.31.1.0	08.19.2005	no virus found
BitDefender	7.0	08.19.2005	Trojan.Dropper.Vidro.U
CAT-QuickHeal	7.03	08.19.2005	(Suspicious) - DNAScan
ClamAV	devel-20050725	08.18.2005	no virus found
DrWeb	4.32b	08.19.2005	no virus found
eTrust-Iris	7.1.194.0	08.18.2005	no virus found
eTrust-Vet	11.9.1.0	08.19.2005	Win32.Alureon
Fortinet	2.41.0.0	08.18.2005	W32/Vidro.U-tr
F-Prot	3.16c	08.19.2005	dropper for W32/[email protected]
Ikarus	0.2.59.0	08.19.2005	no virus found
Kaspersky	4.0.2.24	08.19.2005	Trojan-Dropper.Win32.Vidro.u
McAfee	4563	08.19.2005	MultiDropper-NW
NOD32v2	1.1197	08.18.2005	probably unknown WIN32 virus
Norman	5.70.10	08.18.2005	no virus found
Panda	8.02.00	08.19.2005	Trj/DelCache.A
Sophos	3.96.0	08.19.2005	no virus found
Sybari	7.5.1314	08.19.2005	MultiDropper-NW
TheHacker	5.8.2.091	08.18.2005	Trojan/Dropper.Vidro.u
VBA32	3.10.4	08.19.2005	Trojan-Dropper.Win32.Vidro.u


The results of the Kaspersky Online Scan are as follows:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, August 19, 2005 11:49:44
Operating System: Microsoft Windows 98 SE 
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 19/08/2005
Kaspersky Anti-Virus database records: 135941
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\

Scan Statistics:
Total number of scanned objects: 12684
Number of viruses found: 1
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 8796 sec

Infected Object Name - Virus Name
c:\WINDOWS\SYSTEM\dmvwh.exe	Infected: Trojan-Dropper.Win32.Vidro.u
c:\WINDOWS\SYSTEM\csfvo.exe	Infected: Trojan-Dropper.Win32.Vidro.u
c:\WINDOWS\SYSTEM\csfot.exe	Infected: Trojan-Dropper.Win32.Vidro.u
c:\WINDOWS\SYSTEM\dmhqe.exe	Infected: Trojan-Dropper.Win32.Vidro.u

Scan process completed.

The results of the Panda Online Scan are as follows:

Incident Status Location

Spyware:spyware/wareout No disinfected C:\WINDOWS\APPLICATION DATA\wo.tmp 
Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini 
Adware:adware/wupd No disinfected C:\PROGRAM FILES\Winad Client 
Adware:adware/mediatickets No disinfected Windows Registry 
Virus:Trj/Troiram.A Disinfected C:\WINDOWS\SYSTEM\dmvwh.exe 
Virus:Trj/DelCache.A Disinfected C:\WINDOWS\SYSTEM\csfvo.exe 
Virus:Trj/DelCache.A Disinfected C:\WINDOWS\SYSTEM\csfot.exe 
Virus:Trj/Troiram.A Disinfected C:\WINDOWS\SYSTEM\dmhqe.exe  
Adware:Adware/Startpage.CBL No disinfected C:\WINDOWS\SYSTEM32\secure33.txt 
Security Risk:Application/Processor No disinfected C:\Program Files\Common Files\mozilla.org\GRE\1.4f_2003062408\FixO.exe[Process.exe] 
Security Risk:Application/Processor No disinfected C:\Program Files\Common Files\mozilla.org\GRE\1.4f_2003062408\FixO\Process.exe 
Adware:Adware/WUpd No disinfected C:\Program Files\Winad Client\WinClt.exe 
Adware:Adware/WUpd No disinfected C:\Hijack This\backups\backup-20050626-154845-110.inf 
Dialer:Dialer.AP No disinfected C:\Hijack This\backups\backup-20050626-154845-457.dll

Well, that took quite awhile to complete and it seems like a lot of data to digest, but here it all is!

I will send a new Hijack This Log shortly!

Crowfoot.
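The four VirusTotal tables show why one scanner is not enough: for csfot.exe the poster's own resident scanner (AntiVir, the AVPERSONAL product in the HijackThis log) reports "no virus found" while most other engines call it a Vidro dropper. As an added example that is not part of the original post, the script below parses the csfot.exe table exactly as pasted above, counts which engines detected anything, extracts the family name most engines agree on, and answers "did engine X miss it?". The F-Prot verdict is reproduced as the page shows it, mangled name included; the token filter and the minimum word length are this example's own choices.

```python
import re
from collections import Counter

# VirusTotal table for csfot.exe as posted above: engine, engine version,
# signature date, verdict. Copied from the post, whitespace-separated.
VT_CSFOT = """
Antivirus Version Update Result
AntiVir 6.31.1.0 08.19.2005 no virus found
Avast 4.6.695.0 08.19.2005 Win32:Vidlo-H
AVG 718 08.19.2005 Dropper.Generic.MK
Avira 6.31.1.0 08.19.2005 no virus found
BitDefender 7.0 08.19.2005 Trojan.Dropper.Vidro.U
CAT-QuickHeal 7.03 08.19.2005 (Suspicious) - DNAScan
ClamAV devel-20050725 08.18.2005 no virus found
DrWeb 4.32b 08.19.2005 no virus found
eTrust-Iris 7.1.194.0 08.18.2005 no virus found
eTrust-Vet 11.9.1.0 08.19.2005 Win32.Alureon
Fortinet 2.41.0.0 08.18.2005 W32/Vidro.U-tr
F-Prot 3.16c 08.19.2005 dropper for W32/[email protected]
Ikarus 0.2.59.0 08.19.2005 no virus found
Kaspersky 4.0.2.24 08.19.2005 Trojan-Dropper.Win32.Vidro.u
McAfee 4563 08.19.2005 MultiDropper-NW
NOD32v2 1.1197 08.18.2005 probably unknown WIN32 virus
Norman 5.70.10 08.18.2005 no virus found
Panda 8.02.00 08.19.2005 Trj/DelCache.A
Sophos 3.96.0 08.19.2005 no virus found
Sybari 7.5.1314 08.19.2005 MultiDropper-NW
Symantec 8.0 08.18.2005 no virus found
TheHacker 5.8.2.091 08.18.2005 Trojan/Dropper.Vidro.u
VBA32 3.10.4 08.19.2005 Trojan-Dropper.Win32.Vidro.u
"""

NO_DETECTION = "no virus found"
# Words that describe a scanner's naming scheme rather than a malware family.
GENERIC_TOKENS = {"trojan", "dropper", "multidropper", "virus", "found",
                  "generic", "probably", "unknown", "suspicious"}


def parse_vt_report(text):
    """Map engine name -> verdict string from a pasted VirusTotal table.

    Engine, version and date never contain spaces, so the verdict is
    whatever follows the third whitespace run."""
    results = {}
    for line in text.strip().splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[0] == "Antivirus":
            continue
        engine, _version, _sig_date, verdict = parts
        results[engine] = verdict.strip()
    return results


def detections(results):
    """Engines that reported something, heuristic verdicts included."""
    return {e: v for e, v in results.items() if v.lower() != NO_DETECTION}


def consensus_family(results, min_len=4):
    """Most frequent non-generic word across all verdicts, e.g. ('vidro', 5).

    Each engine votes once per word, so 'Trojan-Dropper.Win32.Vidro.u'
    contributes a single 'vidro'."""
    counts = Counter()
    for verdict in detections(results).values():
        for tok in set(re.findall(r"[a-z]+", verdict.lower())):
            if len(tok) >= min_len and tok not in GENERIC_TOKENS:
                counts[tok] += 1
    if not counts:
        return None
    return counts.most_common(1)[0]


def missed_by(results, engine):
    """True when `engine` scanned the file and reported nothing."""
    return engine in results and engine not in detections(results)


if __name__ == "__main__":
    report = parse_vt_report(VT_CSFOT)
    hits = detections(report)
    print(f"{len(hits)}/{len(report)} engines detected; family {consensus_family(report)}")
    print("missed by:", sorted(e for e in report if missed_by(report, e)))
```

Detection names are vendor-specific (Vidro, Vidlo, Alureon, DelCache, MultiDropper all appear for the same file), so the consensus is a word count rather than an exact match. Use the result to pick which engine's name to search for; it is not a verdict on its own, and the disclaimer VirusTotal prints about multi-engine results applies.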


----------



## Crowfoot (Jul 2, 2005)

I rebooted and generated a new Hijack This Log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 2:08:30 PM, on 8/19/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACK THIS\HIJACKTHIS NEW 062505.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.158,85.255.112.8

I hope you can make sense of all of this because I find it all just a little bit overwhelming!

Crowfoot.


----------



## khazars (Feb 15, 2004)

Yip, I have done a bit of digging and we seem to have, or rather you have been hit by a pretty nasty-looking trojan/virus; there are a few others out there having the same problems, one other on this forum.

Well, what we can try is using the killbox on them. The hclean.exe seems to be the one causing the most problems; it's being detected but then it's changing, or re-emerging after being deleted or after rebooting.

Anyway, let's try this, see if we can get at least the others off!

Firstly, this entry is suspicious because others have this IP address too!

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.158,85.255.112.8

Can you check your internet IP address, click on your network connection in control panel,right click and choose properties and see if it matches this one here?

Double-click on Killbox.exe to run it. Now put a tick by Delete on 
Reboot. In the "Full Path of File to Delete" box, copy and paste each 
of the following lines one at a time then click on the button that has
the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file on next reboot. Click 
Yes. It will then ask if you want to reboot now. Click No. Continue 
with that same procedure until you have copied and pasted all of 
these in the "Paste Full Path of File to Delete" box.Then click yes 
to reboot after you entered the last one.

Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you 
don't miss any.

C:\WINDOWS\APPLICATION DATA\wo.tmp
C:\WINDOWS\rdt.ini
C:\PROGRAM FILES\Winad Client
C:\WINDOWS\SYSTEM\dmvwh.exe
C:\WINDOWS\SYSTEM\csfvo.exe
C:\WINDOWS\SYSTEM\csfot.exe
C:\WINDOWS\SYSTEM\dmhqe.exe
C:\WINDOWS\SYSTEM32\secure33.txt
C:\Program Files\Common Files\mozilla.org\GRE\1.4f_2003062408\FixO\Process.exe
C:\Program Files\Winad Client\WinClt.exe

Right click on

http://www.silentrunners.org/Silent Runners.vbs

and choose Save As...Save it to your Desktop. Make sure you have disabled any programs 
that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double
click on 'Silent Runners' to run it. This will take a few minutes. It will 
create a file called 'Startup Programs' followed by your computer name and 
current date. Open up that file and post all the contents here in your next 
post..ph...=post&id=134981 and save it to your Desktop.

run kaspersky again to see what's left and run panda.

post their logs and the silent runners log
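The Killbox list in that post is the Panda scan from earlier in the thread with the already-disinfected files, the registry-only item and the HijackThis backups left out. As an added example that is not part of the original post, the script below encodes that triage: it parses the Panda incident lines as quoted above (with the colon the forum dropped from the Dialer line restored), skips what needs no manual deletion, and separates files from the one folder, because Killbox takes one file path per line. The extension-based folder heuristic is this example's own assumption, since the script does not run on the infected machine and cannot stat the paths.

```python
import re

# Panda ActiveScan incident lines copied from the scan posted earlier in the
# thread. The Dialer line carries the colon the forum rendering dropped.
PANDA_LOG = r"""
Spyware:spyware/wareout No disinfected C:\WINDOWS\APPLICATION DATA\wo.tmp
Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini
Adware:adware/wupd No disinfected C:\PROGRAM FILES\Winad Client
Adware:adware/mediatickets No disinfected Windows Registry
Virus:Trj/Troiram.A Disinfected C:\WINDOWS\SYSTEM\dmvwh.exe
Virus:Trj/DelCache.A Disinfected C:\WINDOWS\SYSTEM\csfvo.exe
Virus:Trj/DelCache.A Disinfected C:\WINDOWS\SYSTEM\csfot.exe
Virus:Trj/Troiram.A Disinfected C:\WINDOWS\SYSTEM\dmhqe.exe
Adware:Adware/Startpage.CBL No disinfected C:\WINDOWS\SYSTEM32\secure33.txt
Security Risk:Application/Processor No disinfected C:\Program Files\Common Files\mozilla.org\GRE\1.4f_2003062408\FixO.exe[Process.exe]
Security Risk:Application/Processor No disinfected C:\Program Files\Common Files\mozilla.org\GRE\1.4f_2003062408\FixO\Process.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Winad Client\WinClt.exe
Adware:Adware/WUpd No disinfected C:\Hijack This\backups\backup-20050626-154845-110.inf
Dialer:Dialer.AP No disinfected C:\Hijack This\backups\backup-20050626-154845-457.dll
"""

# "Category:Name Status Location"; the category may contain a space
# ("Security Risk"), the name never does, the location is the rest of the line.
INCIDENT_RE = re.compile(
    r"^(?P<category>[A-Za-z ]+):(?P<name>\S+)\s+"
    r"(?P<status>No disinfected|Disinfected)\s+"
    r"(?P<location>.+?)\s*$"
)

# Locations Panda reports that are not files on disk.
NON_FILE_LOCATIONS = {"windows registry", "operating system"}
# Backups a cleanup tool made of entries it already removed; purge them
# through that tool rather than by hand.
TOOL_BACKUP_DIRS = ("\\hijack this\\backups\\",)


def parse_panda(text):
    """Parse pasted ActiveScan incident lines into dicts."""
    incidents = []
    for line in text.splitlines():
        m = INCIDENT_RE.match(line.strip())
        if m:
            incidents.append(m.groupdict())
    return incidents


def delete_candidates(incidents):
    """Split incidents into files to delete, folders to delete, and items that
    need no manual action (already disinfected, registry-only, or a cleanup
    tool's own backup)."""
    files, dirs, skipped = [], [], []
    for inc in incidents:
        loc = inc["location"]
        low = loc.lower()
        if (inc["status"] == "Disinfected"
                or low in NON_FILE_LOCATIONS
                or any(b in low for b in TOOL_BACKUP_DIRS)):
            skipped.append(loc)
            continue
        # "FixO.exe[Process.exe]" is Process.exe packed inside FixO.exe;
        # the container is what exists on disk.
        loc = loc.split("[", 1)[0]
        # Heuristic: a last path component without an extension is a folder.
        if "." in loc.rsplit("\\", 1)[-1]:
            files.append(loc)
        else:
            dirs.append(loc)
    return files, dirs, skipped


if __name__ == "__main__":
    files, dirs, skipped = delete_candidates(parse_panda(PANDA_LOG))
    print("\n".join(files))            # paste these into Killbox one per line
    print("folders:", dirs)            # remove via Explorer or Add/Remove
    print("no manual action:", len(skipped))
```

Treat the "Disinfected" rows as unfinished business rather than as cleaned: the second Kaspersky scan later in the thread turns up csxao.exe with the same Trojan-Dropper.Win32.Vidro.u verdict after dmvwh.exe, dmhqe.exe, csfvo.exe and csfot.exe were reported disinfected, so something still on the machine is dropping fresh copies under new names.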


----------



## Crowfoot (Jul 2, 2005)

I am unable to check the internet IP address with the instructions provided???

I have looked around in both Internet Options and Network in the Control Panel but am unable to locate this info and right clicking does not bring up a Properties Option that I can peruse.

I've run Killbox successfully and rebooted but I hit a problem when I try to run Silent Runners.vbs.

I get an error message pop-up that "WMI is not Installed! This script requires "WMI", Windows Management Instrumentation to be run. It can be downloaded at http://tinyurl.com/jbxe Press OK to direct your browser to the download site or "Cancel" to quit."

I went to this location and downloaded the Program mentioned at http://tinyurl.com/jbxe but when I was going to install it, a pop-up advised that I already had a WMI program and to install this new one would make permanent changes to the Program that could not be changed once installed.

As I don't know the consequences of these "permanent changes" I elected to abort the installation and decided to seek your advice just to be sure I don't make matters worse than they already are!

Crowfoot.


----------



## Crowfoot (Jul 2, 2005)

In hindsight, as the http://tinyurl.com/jbxe is a Microsoft URL which I think can be trusted, I've gone ahead and done the upgrade. I've run the Silent Runners.vbs program and am currently running the virus scans. I will post the indicated reports once the scans are completed.

Regards,

Crowfoot


----------



## Crowfoot (Jul 2, 2005)

With the exception of the internet IP address check, here are the new reports:

"Silent Runners.vbs", revision 40, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "c:\windows\scanregw.exe /autorun" [file not found]
"TaskMonitor" = "c:\windows\taskmon.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"AVGCtrl" = "C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min" ["H+BEDV Datentechnik GmbH"]
"QuickTime Task" = ""C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime" ["Apple Computer, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"SchedulingAgent" = "mstask.exe" [MS]
"TrueVector" = "C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{6BF52A52-394A-11d3-B153-00C04F79FAA6}\(Default) = "Microsoft Windows Media Player"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\wmp.inf,PerUserRemove" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{6AC3806F-8B39-4746-9C38-6B01CB7331FF}" = "Memory monitor"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\Q17583396_DISK.DLL" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "c:\windows\Plus!.bmp"

Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"Norton AntiVirus - Scan my computer" -> launches: "c:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\WINDOWS\ALLUSE~1\APPLIC~1\SYMANTEC\NORTON~1\TASKS\MYCOMP.SCA" [file not found]
"Maintenance-Defragment programs" -> launches: "C:\WINDOWS\DEFRAG.EXE /SAGERUN:0" [file not found]
"Maintenance-ScanDisk" -> launches: "C:\WINDOWS\SCANDSKW.EXE /SAGERUN:0 /ALL /N" [MS]
"Maintenance-Disk cleanup" -> launches: "C:\WINDOWS\CLEANMGR.EXE /SAGERUN:0" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "c:\windows\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
c:\windows\SYSTEM\mswsosp.dll [MS], 1
c:\windows\SYSTEM\msafd.dll [MS], 2 - 4
c:\windows\SYSTEM\rsvpsp.dll [MS], 5 - 6

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, August 19, 2005 22:59:04
Operating System: Microsoft Windows 98 SE 
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 20/08/2005
Kaspersky Anti-Virus database records: 136096
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\

Scan Statistics:
Total number of scanned objects: 12753
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 7277 sec

Infected Object Name - Virus Name
c:\WINDOWS\SYSTEM\csxao.exe	Infected: Trojan-Dropper.Win32.Vidro.u

Scan process completed.

Incident Status Location

Virus:Trj/Qhost.BP Disinfected Operating system 
Adware:adware/wupd No disinfected C:\PROGRAM FILES\Winad Client 
Adware:adware/sbsoft No disinfected Windows Registry 
Virus:Trj/DelCache.A Disinfected C:\WINDOWS\SYSTEM\csxao.exe 
Security Risk:Application/Processor No disinfected C:\Program Files\Common Files\mozilla.org\GRE\1.4f_2003062408\FixO.exe[Process.exe] 
Adware:Adware/WUpd No disinfected C:\Hijack This\backups\backup-20050626-154845-110.inf 
Dialer:Dialer.AP No disinfected C:\Hijack This\backups\backup-20050626-154845-457.dll

I'm also including a new Hijack This log for your perusal:

Logfile of HijackThis v1.99.1
Scan saved at 2:21:41 AM, on 8/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\HIJACK THIS\HIJACKTHIS NEW 062505.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.158,85.255.112.8

Crowfoot.


----------



## khazars (Feb 15, 2004)

It looks good at the moment.

Go to Start/Run, type cmd, and a DOS window should open. Type:

ipconfig /all

Check your IP address and see if it matches that O17 entry.

If that doesn't work, go to Start/Programs/Accessories and see if you can open a DOS command prompt and type the above. Make sure to leave a space between ipconfig and /all.

Double-click on Killbox.exe to run it. Now put a tick by Delete on 
Reboot. In the "Full Path of File to Delete" box, copy and paste each 
of the following lines one at a time then click on the button that has
the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file on next reboot. Click 
Yes. It will then ask if you want to reboot now. Click No. Continue 
with that same procedure until you have copied and pasted all of 
these in the "Paste Full Path of File to Delete" box.Then click yes 
to reboot after you entered the last one.

Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you 
don't miss any.

C:\WINDOWS\SYSTEM\csxao.exe

find and delete this folder if there.

How to show hidden files in Windows

http://service1.symantec.com/SUPPOR...Virus Corporate Edition&ver=8.x&osv=&osv_lvl=

C:\PROGRAM FILES\Winad Client<--- delete this folder

Did you download FixO.exe yourself? The reason I ask is that this is a fix for another problem, but this pest is known to alter Mozilla.

If you know nothing about FixO.exe find and delete it

C:\Program Files\Common Files\mozilla.org\GRE\1.4f_2003062408\FixO.exe

Post another log and run another scan, either Kaspersky or Panda; hopefully you'll be clean.
Update and run AVG; it was finding them as well.
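As an added example (not part of the thread, and not a tool either poster used): the check khazars describes above, comparing the O17 NameServer entry with the DNS servers `ipconfig /all` reports, can be scripted together with two related signs visible in the logs on this page: an R1 IE proxy pointing at a public address, and an autostart entry whose target file no longer exists (the kind of thing Silent Runners marked INFECTION WARNING earlier). The log lines below are constructed to resemble the posted HijackThis entries, the `ipconfig` DNS value is made up, and the O4 "(file missing)" line is invented to exercise that branch.

```python
"""Triage a HijackThis 1.99-style log the way the thread does by hand:
compare the O17 NameServer entry with what `ipconfig /all` reports, flag an
R1 proxy set to a public address, and flag autostarts whose file is gone."""
import ipaddress
import re

# Constructed sample: lines modelled on the HijackThis entries posted in this
# thread. The O4 "(file missing)" line is made up to exercise that check.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Memory monitor] C:\WINDOWS\Q17583396_DISK.DLL (file missing)
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.158,85.255.112.8
"""

# Constructed: the DNS servers `ipconfig /all` shows for the live adapter.
# On a real box, paste the "DNS Servers" line(s) from ipconfig here.
IPCONFIG_DNS = {"192.168.1.1"}

LINE_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def addresses_in(text):
    """Every dotted-quad in `text` as an IPv4Address (a trailing :port is ignored)."""
    out = []
    for token in IPV4_RE.findall(text):
        try:
            out.append(ipaddress.IPv4Address(token))
        except ValueError:  # e.g. 999.1.1.1 inside some path or version string
            pass
    return out


def triage(log_text, expected_dns):
    """Return [(log line, reason)] for entries worth fixing or investigating.

    expected_dns: set of DNS server strings reported by `ipconfig /all`. An O17
    server is judged by whether it matches that list, not by whether it is
    public, because a legitimate ISP resolver is public too.
    """
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O17" and "NameServer" in body:
            rogue = [str(ip) for ip in addresses_in(body) if str(ip) not in expected_dns]
            if rogue:
                findings.append((raw, "DNS servers not reported by ipconfig /all: " + ", ".join(rogue)))
        elif kind == "R1" and "ProxyServer" in body:
            public = [str(ip) for ip in addresses_in(body) if ip.is_global]
            if public:
                findings.append((raw, "IE proxy points at a public address: " + ", ".join(public)))
        elif kind == "O4" and "(file missing)" in body:
            findings.append((raw, "autostart entry whose target file is missing"))
    return findings


def ioc_addresses(findings):
    """Collect the remote addresses named in the findings, for cross-checking
    against netstat output or firewall logs."""
    iocs = set()
    for _, reason in findings:
        iocs.update(str(ip) for ip in addresses_in(reason))
    return iocs


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, IPCONFIG_DNS)
    for line, reason in hits:
        print(f"{reason}\n    {line}")
    print("IOC addresses:", sorted(ioc_addresses(hits)))
```

On the thread's own log, the O17 pair 69.50.176.158,85.255.112.8 would only pass if `ipconfig /all` listed those same two servers; the R1 proxy 60.48.219.112:8080 is flagged regardless, since a home IE install has no business proxying through a public address it did not ask for.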


----------



## Crowfoot (Jul 2, 2005)

My IP address is **.***.***.*** which doesn't match the one in your earlier correspondence. 

Do you want me to do something with this entry prior to doing the scan and posting the logs: 

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.158,85.255.112.8 

Crowfoot.


----------



## khazars (Feb 15, 2004)

Yeah, delete that one. You might lose your internet connection but I doubt it, because this one looks like a baddie and your ISP is different. I used ID Serve on it and it's masked!

Note, edit your last post and remove your IP address!


did killbox get that file and did you find fixO.exe?

post another log


----------



## Crowfoot (Jul 2, 2005)

OK,

I think you've solved another one!

The Kapersky scan came back clean so Killbox must have got the infected file. I deleted the above mentioned folder and the fixO.exe file.

Here is the log after deleting the suspicious entry:

Logfile of HijackThis v1.99.1
Scan saved at 6:19:51 AM, on 8/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACK THIS\HIJACKTHIS NEW 062505.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab

Regards,

Crowfoot.


----------



## khazars (Feb 15, 2004)

clean log!

have hijack this fix this one.

O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun

here's some free tools to keep you from getting infected in the future.

to stop reinfection get these two tools, spywareguard and spywareblaster 
from

www.javacoolsoftware.com

get the hosts file from here.

http://www.mvps.org/winhelp2002/hosts.htm

put it into :

Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS

IE-SpyAd. Puts over 5000 sites in your Restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

https://netfiles.uiuc.edu/ehowes/www/resource.htm

http://www.winpatrol.com/winpatrol.html

Use Spybot's Immunize button and SpywareBlaster's Enable Protection once you update it. You can put Spybot's hosts file into your own and lock it.

I would also suggest switching to Mozilla's Firefox browser; it's safer, has a built-in pop-up blocker, and blocks cookies and ads.

http://www.mozilla.org/

Read here to see how to tighten your security:

http://forums.techguy.org/t208517.html

A good overall guide for firewalls, anti-virus, and anti-trojans as well as 
regular spyware cleaners.

http://www.firewallguide.com/anti-trojan.htm

you can mark your own thread solved through thread tools at the top of 
the page.
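Added example, not from the thread and not part of the MVPS download: once the MVPS hosts file is sitting in C:\WINDOWS (the Win98/ME location given above), it is worth auditing what else that file contains, because the Qhost trojans named in the Panda and a² results on this page work by rewriting the same file to redirect browsing and to point antivirus vendors' domains at the attacker. Blocklist entries map a domain to 127.0.0.1 or 0.0.0.0 and are expected; a domain mapped to a public address is the hijack. The sample hosts content, including the 69.50.176.158 mappings, is constructed (the thread never shows the poster's hosts file); given a path on the command line the script reads a real file instead.

```python
"""Audit a Windows hosts file: count blocklist-style entries and flag mappings
that send a real domain to a public address, which is how a Qhost-type trojan
redirects browsing and blocks antivirus sites. On Win98/ME the file is
C:\\WINDOWS\\HOSTS (no extension)."""
import ipaddress

BLOCK_TARGETS = {"127.0.0.1", "0.0.0.0"}  # where blocklist files send unwanted domains

# Constructed sample; not the MVPS file and not the poster's hosts file.
SAMPLE_HOSTS = """\
# Sample hosts file with two hijacked domains and one LAN entry
127.0.0.1   localhost
127.0.0.1   ad.doubleclick.net         # blocklist entry
0.0.0.0     www.sbsoft.example         # blocklist entry
192.168.1.10 printer.lan
69.50.176.158 www.google.com           # Qhost-style redirect
69.50.176.158 www.kaspersky.com        # blocks the AV vendor's site
"""


def parse_hosts(text):
    """Yield (ip, hostname, lineno) for every mapping. Comments, blank lines and
    lines that are not "address name [name ...]" are skipped, as the resolver does."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address; the resolver ignores the line too
        for name in parts[1:]:
            yield str(ip), name.lower(), lineno


def audit_hosts(text):
    """Classify each mapping.

    hijacks: domain mapped to a public address (review and delete)
    lan:     domain mapped to a private address (legitimate on a LAN; confirm)
    blocked: mapped to 127.0.0.1 / 0.0.0.0 (blocklist entries, expected)
    localhost_ok: "localhost" still resolves to loopback
    """
    result = {"hijacks": [], "lan": [], "blocked": 0, "localhost_ok": False}
    for ip, name, lineno in parse_hosts(text):
        if name == "localhost":
            result["localhost_ok"] = ip in ("127.0.0.1", "::1")
        elif ip in BLOCK_TARGETS:
            result["blocked"] += 1
        elif ipaddress.ip_address(ip).is_global:
            result["hijacks"].append((lineno, name, ip))
        else:
            result["lan"].append((lineno, name, ip))
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    r = audit_hosts(text)
    print(f"blocklist entries: {r['blocked']}, localhost ok: {r['localhost_ok']}")
    for lineno, name, ip in r["hijacks"]:
        print(f"HIJACK line {lineno}: {name} -> {ip}")
    for lineno, name, ip in r["lan"]:
        print(f"lan    line {lineno}: {name} -> {ip}")
```

A LAN entry is not proof of anything either way, which is why it is reported separately rather than lumped in with the hijacks; on a standalone dial-up or cable box there should be none at all, and any public-address mapping deserves removal before the browser is trusted again.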


----------



## Crowfoot (Jul 2, 2005)

Khazars, 

Thank you very much for your time and valuable assistance in resolving this matter!!! 

I will do what you suggested in your last post and certainly check out the Firefox browser as I'm totally fed up with Explorer. 

Once again, thank you. You guys are the best!!! 

Kind regards, 

Crowfoot.


----------



## khazars (Feb 15, 2004)

ok, you're welcome!


----------



## rgdixon4546 (Aug 23, 2005)

khazars...I have the same thing....where do I get HijackThis?


----------



## khazars (Feb 15, 2004)

start your own thread.

hi, welcome to TSG.

Download HijackThis from the link below. Please do this. Click here:

http://www.thespykiller.co.uk/files/hijackthis_sfx.exe

to download HijackThis. Click scan and save a logfile, then post it here so 
we can take a look at it for you. Don't click fix on anything in hijack this 
as most of the files are legitimate.


----------



## montague457 (Aug 24, 2005)

MANY people are having this problem and I just wanted to make this post on this forum to help out. I was repeatedly getting infected with a Trojan Horse virus because of the following registry entry(Found through HiJackThis):

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.158,85.255.112.8

Simply remove the registry entry through HiJackThis and then use Ewido Security suite to remove the Trojan. I used Norton. Anyway, I did a WHOIS on the IP 69.50.176.158 and found out that it's some a-hole in California using his Hi-Speed Internet connection to host his own Apache server on which he has a little servlet which he uses to steal people's "data" through the Trojan. I said it in quotes because I don't know what kind of information he's trying to steal. I did a "netstat -a" in a command prompt window and found the little trojan connected to his IP. His ISP is Atrivo.

You can find the WHOIS on his IP which contains the contact information for Atrivo Services at:

WHOIS 69.50.176.158 

I am going to go as far as contacting them and demanding that they put a stop to this man/kid/a-hole. Apparently, his server is still up and running. If you are one of the people affected by this or if you just want to put a stop to this, please call the number on this WHOIS of Atrivo which is 1-925-550-3947 and ask for the site Administrator or Kacperski Emil and give them the 69.50.176.158 IP address and they'll know EXACTLY who it is. People like these have to stop or be stopped. Thanks, hope this helps someone out and I hope I don't sound too vengeful but this angered me.
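Added example (not montague457's, and not a capture from either poster's machine): the `netstat -a` check described in the post above, scripted so that foreign addresses are matched against the O17 and R1 addresses that appear in the HijackThis logs on this page. The netstat output below is constructed in the Windows column format; 198.51.100.7 is a documentation address standing in for an ordinary web server.

```python
"""Cross-check `netstat -an` output against the addresses that appeared in the
hijacked HijackThis entries (the O17 NameServer pair and the R1 proxy)."""
import re

# Addresses taken from the O17 NameServer and R1 ProxyServer entries posted above.
IOC_IPS = {"69.50.176.158", "85.255.112.8", "60.48.219.112"}

# Constructed sample in the Windows netstat column format.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1031       69.50.176.158:80       ESTABLISHED
  TCP    192.168.1.5:1032       198.51.100.7:80        ESTABLISHED
  TCP    192.168.1.5:1033       60.48.219.112:8080     SYN_SENT
  UDP    192.168.1.5:1028       *:*
"""

# One connection row: proto, local addr:port, foreign addr:port, optional state.
ROW_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+|\*)"
    r"\s+(?P<raddr>\S+):(?P<rport>\d+|\*)(?:\s+(?P<state>\S+))?\s*$"
)


def parse_netstat(text):
    """Return one dict per connection row; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            d = m.groupdict()
            d["state"] = d["state"] or ""  # UDP rows carry no state
            rows.append(d)
    return rows


def ioc_connections(text, iocs=IOC_IPS):
    """Rows whose foreign address is an indicator, whatever the state: a
    SYN_SENT to a dead proxy is as telling as an ESTABLISHED session."""
    return [r for r in parse_netstat(text) if r["raddr"] in iocs]


def listening_ports(text):
    """TCP ports open for inbound connections; compare with what you expect
    on a home machine behind a personal firewall."""
    return sorted(int(r["lport"]) for r in parse_netstat(text)
                  if r["proto"] == "TCP" and r["state"] == "LISTENING")


if __name__ == "__main__":
    for r in ioc_connections(SAMPLE_NETSTAT):
        print(f"{r['proto']} {r['laddr']}:{r['lport']} -> {r['raddr']}:{r['rport']} {r['state']}")
    print("listening TCP ports:", listening_ports(SAMPLE_NETSTAT))
```

Run `netstat -an` rather than `netstat -a` when feeding the script, so that addresses are not reverse-resolved through the very DNS servers under suspicion.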


----------



## Crowfoot (Jul 2, 2005)

Hello khazars,

I am re-opening this thread as I'm still experiencing problems with this infection. I hope you can help me further on this problem.

I'm getting a little yellow "balloon" and pop-up box in the system tray which says my system still may be infected with spyware. When I click on it I'm sent to a page that looks like a Microsoft Help page with a bunch of stuff about spyware removal and hot links to spyware removal sites.

Shortly thereafter, I get a pop up that looks like a legitimate Windows pop up that says I'm infected with spyware and takes me to another Help menu that looks like a Microsoft help page, but similarly takes me to an internet page with info and hot links on spyware removal.

Both of these "help" items appear to be bogus and I suspect are part of the overall Wareout virus infection.

My anti-virus program still gives me pop-ups indicating both the hclean32.exe and the RDSNDIN.exe trojans are trying to access my system but are being blocked by the program.

When I scan the system for viruses the anti virus program indicates my system is clean and is unable to find these items.

I've tightened up my security with the programs suggested but am unable to run SpywareBlaster as I get an Error Message:

"Error while unpacking program, Code4. Please report to author."

As well, WinPatrol gives me a pop-up every couple of minutes with an alert that a new auto startup program has been detected and will run each time you login or restart your machine. The program in question is described in some encrypted language which I believe is Russian and reference is made to C:\WINDOWS\SYSTEM\Userinit.exe as being the offending program.

There is no userinit.exe file to be found in my directory when I do a search for this file. I suspect this has something to do with the Russian language encryption used to identify the program or is disguised as something else.

As well, in perusing the directory, I came across a file named:

C:\WINDOWS\SYSTEM\msexnpbi.exe

which was installed on my system the date I received this virus. I believe this file is part of the overall problem.

The start up menu still contains the Wareout.exe program although I've unchecked it and not allowed it to run.

Attached is a new Hijack This log for your perusal:

Logfile of HijackThis v1.99.1
Scan saved at 2:52:26 AM, on 8/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACK THIS\HIJACKTHIS NEW 062505.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab

Sorry to be such a pain but I hope you can help me further.

Regards,

Crowfoot


----------



## khazars (Feb 15, 2004)

OK, SpywareBlaster just runs in the background; just update it and click the Enable All Protection option! If you're having trouble with it, uninstall it and download a new one.

Well, it appears the pests are being kept at bay by the security tools you have, with the exception of just one! You need to watch which sites you are visiting; that's why having a hosts file and IE-SpyAd is so important, as they block many nasty sites. This sounds like a Russian Mafia scam!

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.

Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.

C:\WINDOWS\SYSTEM\msexnpbi.exe

Run the full Kaspersky and Panda scans again! I also want you to run a few anti-trojan scans: download a² and run it (you can keep the free version) and download the trial TrojanHunter, and run both their scans! It might be tomorrow before you're back, but take your time and do all the scans!

Run ActiveScan online virus scan here

http://www.pandasoftware.com/activescan/

When the scan is finished, anything that it cannot clean have it delete it. 
Make a note of the file location of anything that cannot be deleted so you 
can delete it yourself.
- Save the results from the scan!

Run an online antivirus check from

http://www.kaspersky.com/virusscanner

You will need to input a name and email address, but any will do, and then accept an ActiveX control. IT IS SAFE to do so. LET IT FIX WHATEVER IT FINDS.

run an anti-trojan program by downloading a free version or a trial version 
from at least one and preferably 2 of the following sites....

http://www.emsisoft.com/en/software/free/
http://www.misec.net/trojanhunter/

make sure autoclean is enabled on the scans

post the logs again!


----------



## Crowfoot (Jul 2, 2005)

OK, 

I'll do all that and get back to you in a couple of hours. 

Crowfoot


----------



## Crowfoot (Jul 2, 2005)

I've completed the scans and here are the respective reports:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, August 25, 2005 06:46:08
Operating System: Microsoft Windows 98 SE 
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 25/08/2005
Kaspersky Anti-Virus database records: 136930
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\

Scan Statistics:
Total number of scanned objects: 13056
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 5956 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.

Panda Online Scan:

Incident Status Location

Adware:adware/sbsoft No disinfected Windows Registry 
Dialer:dialer.bjp No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\USER AGENT 
Adware:adware/wupd No disinfected Windows Registry 
Adware:Adware/WUpd No disinfected C:\Hijack This\backups\backup-20050626-154845-110.inf 
Dialer:Dialer.AP No disinfected C:\Hijack This\backups\backup-20050626-154845-457.dll

a² Report

Filename Diagnosis 
c:\WINDOWS\Cookies\[email protected][1].txt Trace.TrackingCookie 
c:\WINDOWS\Cookies\[email protected][1].txt Trace.TrackingCookie 
c:\WINDOWS\Cookies\[email protected][2].txt Trace.TrackingCookie 
c:\WINDOWS\Cookies\[email protected][1].txt Trace.TrackingCookie 
c:\Program Files\SDP\SDP Downloader\sdpreadme.exe Backdoor.Win32.DSSdoor.a 
c:\Hijack This\backups\backup-20050626-154845-457.dll Dialer

Note: All of these items were removed but the c:\Program Files\SDP\SDP Downloader\sdpreadme.exe is apparently a legitimate program and this entry is a false positive result according to the SDB website.

TrojanHunter Scan Report

Registry scan
Registry key exists: HKEY_LOCAL_MACHINE\Software\SearchToolbar (matches Adware.SearchToolbar.100) (Regedit Jump)
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Found trojan file: C:\WINDOWS\desktop.exe (Adware.AvenueMedia.Dyfuca.109)
Error: Error while scanning C:\!Submit\msexnpbi.exe: Access violation at address 00405123 in module 'TROJANHUNTER.EXE'. Read of address 82898004
Error: Directory not found: D:\
1 trojan files found

Note: This access violation error may be a result of my having WinPatrol running at the same time as this scan. WinPatrol is currently blocking the balloon message and false Windows Security Warning pop ups mentioned earlier. The other entries flagged as problems have been removed by TrojanHunter.

Here is the new Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 10:18:22 AM, on 8/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\A2\A2GUARD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\HIJACK THIS\HIJACKTHIS NEW 062505.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 4.2\THGuard.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab

One other point I should mention is that when running the on-line Panda scan I receive a pop-up indicating my C: drive is full and then the Disk Cleanup utility pops up prompting me to acquire additional disk space by deleting the temp files and emptying the Recycle Bin. I have almost a full gigabyte of space free on this drive and despite this fact I still get these pop-ups. The virus scan will continue to run through to completion even if I don't respond to these pop-ups. I suspect that this is either a result of a bug in the Panda scan program or may be an additional side effect of this overall infection.

Also I got rid of the entry mentioned in your last post with the Killbox Program.

Regards,

Crowfoot


----------



## khazars (Feb 15, 2004)

OK, you seem to be clean. Maybe the report concerning your drive being full is just a warning that you only have 1 gig left; it ain't much.

Do you have a firewall? I can give you a quite excellent free firewall which runs in the background and uses no resources; it blocks all incoming, and you can run it with your other firewall and use the other firewall to control applications going out.


----------



## Crowfoot (Jul 2, 2005)

Yes, I'm running ZoneAlarm presently, although it's a bit of a resource hog and on occasion seems to interfere with some programs and browsing capabilities. ZoneAlarm was turned off when I produced the last HijackThis log. But, if you have a better alternative firewall I'd like to check it out. 

What about this entry: C:\!Submit\msexnpbi.exe, that TrojanHunter couldn't delete and still exists in my file directory. Should I get rid of it with Killbox? 

I just this moment got an advisory from the A2 Trojan program that these files are back: 

C:\WINDOWS\SYSTEM\hclean32.exe, i.e. diagnosed as Trojan.Win32.Qhost.qr, and 

C:\WINDOWS\SYSTEM\rdsndin.exe, i.e. diagnosed as Adware.FindSpy.a

My Anti Virus program has flagged these on a number of occasions but can't get rid of them. I have deleted them with the A2 Program but I guess we'll have to see if it works. Now, IE has encountered a problem and wants to close and says this thread entry might be lost but I'll try to send it anyway and hope it goes through! 

Crowfoot


----------



## khazars (Feb 15, 2004)

That folder is created by Killbox; it's Killbox's backup folder. You can delete it if you like.

Run another Kaspersky and see if anything is there.

Run Silent Runners again and post its log.

you can try this firewall.

ChX-I

download link for 2.8 version.

http://www.windowsfirewall.info/downloads.htm

use this link to download the bindPE and the filter set

http://members.shaw.ca/BIND-PE_and_ICS/chxi.htm

use this link to configure it.

http://www.wilderssecurity.com/showthread.php?t=87307

this is also said to be a very good firewall.

free firewalls

http://www.filseclab.com/eng/products/firewall.htm

here's some info on it from here.

http://www.wilderssecurity.com/forumdisplay.php?f=31&page=1&sort=lastpost&order=&pp=25&daysprune=-1


----------



## khazars (Feb 15, 2004)

where does A2 say the files are, or is it just an alert. 

Don't turn off Zone alarm until you have something else installed, it's probably ZA which is protecting you!


----------



## Crowfoot (Jul 2, 2005)

I have received a few more alerts from both A2 and TrojanHunter: 

1) C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE 

Found a possible trojan or spyware downloader 

While executing the program a² detected a possible malicious behavior. The program tries to invisibly download and install files from the internet. If you don't know that program its highly recommended to terminate the program and to send it in for further analysis. 

2) C:\WINDOWS\SYSTEM\ntfsnlpa.exe 

Adware.Msnagent.b 

The program described above was trying to be executed. The scan result was that this file is infected by Malware. You are urgently advised to deny this program! 

3) TrojanHunter Guard has found trojans running in memory. (I didn't save the rest of this text message but it was in reference to this item): 

Adware.Cyberfirewall.100 

This program was stopped from running at the urgent request of TrojanHunter Guard and once again I tried to remove all files mentioned with the Trojan removal programs when prompted to do so. 

I'm going to reboot and see if this makes any difference. 

Crowfoot


----------



## khazars (Feb 15, 2004)

ok, rerun the scans, kaspy, panda and a2 and trojan, use the killbox on those new files found!

post back with the logs


----------



## Crowfoot (Jul 2, 2005)

Sorry for the delay but I crashed a couple of times and ran TrojanHunter again on the advice of the Program after removing Adaware.CyberFirewall.100. Here are the results of the new scan: 

Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Error: Error while pre-processing C:\!Submit\msexnpbi.exe: Access violation at address 00405123 in module 'TROJANHUNTER.EXE'. Read of address 825AE01C
Error: Error while scanning C:\!Submit\msexnpbi.exe: Access violation at address 00405123 in module 'TROJANHUNTER.EXE'. Read of address 825AE01C
Error: Directory not found: D:\
No trojan files found


While running Trojanhunter and before going on-line, I received about 20 warnings that: 

C:\WINDOWS\SYSTEM\Userinit.exe, a "new auto Startup Program" was detected by WinPatrol. "This program will run each time you login or restart your machine." I didn't allow it to run and there is no such file to be found in my directory. 

Meanwhile, my anti-virus program advises that: 

C:\WINDOWS\TEMP\JDM18XS5.EXE, i.e. a dial-up program DIAL/302181 has been blocked.

Once again, this file was not found in the directory. 

Killbox could not delete the IEXPLORE.EXE file as apparently it has something to do with the KERNEL32.Dll function. Nor could it find the ntfsnlpa.exe file to delete it from the directory as no file exists in my directory by this name. 

These infections appear to continue to reinvent themselves and use different names to do so!!!

I am in the process of running the scans you have mentioned above but will not run another TrojanHunter scan unless you say it's necessary. 

I trust this is OK with you and will post the results of the other scans when completed. 

Regards, 

Crowfoot


----------



## khazars (Feb 15, 2004)

yes ok don't run trojan hunter if it's crashing you!

C:\WINDOWS\SYSTEM\Userinit.exe

this is a legit programme so don't block it!

don't delete this either it's also a legit windows file, I meant the others which are being found!

IEXPLORE.EXE<---- Don't touch this file!

run panda and kaspersky, and run this tool and post their logs. I was going to say that A2 might be giving false positives but it's actually finding the files we have already dealt with, or the ones which keep changing, mainly hclean.exe and the other one!

Right click on

http://www.silentrunners.org/Silent Runners.vbs

and choose Save As...Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post..ph...=post&id=134981 and save it to your Desktop.

And post another hijack this log!


----------



## khazars (Feb 15, 2004)

oops, correction, this is not legit in Win 98.

C:\WINDOWS\SYSTEM\Userinit.exe

keep blocking it!


----------



## Crowfoot (Jul 2, 2005)

Ok,

I did all that and here is the file generated by Silent%20Runners.vbs:

"Silent Runners.vbs", revision 40, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TaskMonitor" = "c:\windows\taskmon.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"AVGCtrl" = "C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min" ["H+BEDV Datentechnik GmbH"]
"WinPatrol" = "C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe" ["BillP Studios"]
"THGuard" = ""C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"" ["Mischel Internet Security"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"SchedulingAgent" = "mstask.exe" [MS]
"TrueVector" = "C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\SPYWAREGUARD\SPYWAREGUARD.DLL" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{6AC3806F-8B39-4746-9C38-6B01CB7331FF}" = "Memory monitor"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\Q17583396_DISK.DLL" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\SPYWAREGUARD\SPYWAREGUARD.DLL" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL" [null data]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "c:\windows\Plus!.bmp"

Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]

Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"Maintenance-Defragment programs" -> launches: "C:\WINDOWS\DEFRAG.EXE /SAGERUN:0" [file not found]
"Maintenance-ScanDisk" -> launches: "C:\WINDOWS\SCANDSKW.EXE /SAGERUN:0 /ALL /N" [MS]
"Maintenance-Disk cleanup" -> launches: "C:\WINDOWS\CLEANMGR.EXE /SAGERUN:0" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "c:\windows\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
c:\windows\SYSTEM\mswsosp.dll [MS], 1
c:\windows\SYSTEM\msafd.dll [MS], 2 - 4
c:\windows\SYSTEM\rsvpsp.dll [MS], 5 - 6

Internet Explorer Address Prefixes:
-----------------------------------

Prefix for specific service (i.e., "www")

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\
HIJACK WARNING! "SearchAssistant" = "http://mbjgvt.outhost.info/sp.php"

Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

Missing lines (compared with English-language version):
HIJACK WARNING! "blank" = "http://awebfind.biz/" [file not found]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 73 seconds, including 18 seconds for message boxes)

This file was generated while WinPatrol was running and was blocking Userinit.exe.

Here is the Kaspersky Scan:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, August 25, 2005 15:55:25
Operating System: Microsoft Windows 98 SE 
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 25/08/2005
Kaspersky Anti-Virus database records: 136999
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\

Scan Statistics:
Total number of scanned objects: 13988
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 6682 sec

Infected Object Name - Virus Name
c:\WINDOWS\SYSTEM\csyqy.exe	Infected: Trojan-Dropper.Win32.Vidro.u

Scan process completed.

And, the Panda Scan:

Incident Status Location

Adware:adware/sbsoft No disinfected Windows Registry 
Dialer:dialer.bjp No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\USER AGENT 
Adware:adware/wupd No disinfected Windows Registry 
Virus:Trj/DelCache.A Disinfected C:\WINDOWS\SYSTEM\csyqy.exe  
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe 
Adware:Adware/WUpd No disinfected C:\Hijack This\backups\backup-20050626-154845-110.inf 

I've been on-line now for approximately 10 minutes and have received no alerts or warnings that anything is wrong from any of the running programs!!!

Regards,

Crowfoot

Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:01:39 PM, on 8/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\HIJACK THIS\HIJACKTHIS NEW 062505.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab

Note: I had to reboot as the Silent%20Runners.vbs log didn't appear on the Desktop when I ran it. Upon rebooting the system I received no warnings from any of the running programs as of this point in time.

Regards,

Crowfoot
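The R1 ProxyServer line (60.48.219.112:8080) has survived every HijackThis log posted in this thread, and the helper's advice keeps coming back to comparing one log against the previous one. The script below is an added example, not part of the original thread or of HijackThis itself: it parses the `R0`/`R1`/`O2`/`O4`/`O16` style entries out of a log, reports any proxy server set under R1 (a dial-up home user on Windows 98 would normally have none), and diffs two logs so that entries that appeared or vanished between scans stand out. The two log excerpts embedded in it are constructed from lines that appear on this page; the earlier excerpt is trimmed to show a diff, and is not one of Crowfoot's actual logs.

```python
"""Parse HijackThis v1.99-style logs, flag R1 proxy settings, and diff two logs.

Added example for this thread; it is not HijackThis code or the helper's own tool.
"""
import re
from dataclasses import dataclass

# Entry lines look like "R1 - HKCU\...,ProxyServer = host:port" or "O4 - HKLM\..\Run: [Name] path".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str   # e.g. "R1", "O4", "O16"
    body: str      # everything after the "Xn - " prefix


def parse_hjt(text):
    """Return the entries of a HijackThis log; header and 'Running processes' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def flag_proxy_servers(entries):
    """Return the ProxyServer values set under R1 entries.

    Any value here means IE will route web traffic through that host; on a machine
    whose owner never configured a proxy, that is a hijack indicator to investigate.
    """
    found = []
    for e in entries:
        if e.section == "R1" and "ProxyServer" in e.body:
            _key, _sep, value = e.body.partition(" = ")
            found.append(value.strip())
    return found


def diff_logs(old_entries, new_entries):
    """Return (added, removed): entries present only in the new log / only in the old log."""
    added = [e for e in new_entries if e not in old_entries]
    removed = [e for e in old_entries if e not in new_entries]
    return added, removed


# Constructed excerpt: the 8/25 log from this thread, minus WinPatrol and THGuard so the diff is visible.
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
"""

# Constructed excerpt: the same log with the two guard programs present, as in the 8/25 log above.
NEW_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
"""


def report(old_text=OLD_LOG, new_text=NEW_LOG):
    """Summarise proxy findings and the diff between two logs as plain strings."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    lines = [f"R1 proxy set: {p}" for p in flag_proxy_servers(new)]
    added, removed = diff_logs(old, new)
    lines += [f"NEW:     {e.section} - {e.body}" for e in added]
    lines += [f"REMOVED: {e.section} - {e.body}" for e in removed]
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Running it prints the proxy value followed by the two `O4` entries that exist only in the newer excerpt. In real use, feed it the full text of two successive logs; the `Running processes` block is ignored on purpose, since which programs happen to be open changes between scans and only the persistence entries matter for the comparison.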


----------



## Crowfoot (Jul 2, 2005)

Just for your information, I was on-line for about 1 hour, rebooted, and none of the running Programs indicate there are any problems with the programs installed earlier. 

Everything appears to be working well once again!

Is this problem finally fixed??? 

I certainly hope so! 

Thanks, 

Crowfoot


----------



## rgdixon4546 (Aug 23, 2005)

khazars, I went through the same problem as crowfoot. The gentleman helping me got wareout.exe off my computer...but now I'm getting a yellow balloon at the bottom of the computer trying to get me to buy spyware removal, and Norton keeps detecting hclean.exe but cannot fix it..it keeps quarantining it. Can you help?

Logfile of HijackThis v1.99.1
Scan saved at 9:50:22 PM, on 8/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net/cci/home?
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab?affiliate=MEDIAGEN
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098568456344
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://ipgweb.cce.hp.com/psgna/caller/SysQuery.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe


----------



## khazars (Feb 15, 2004)

Rgdixon start your own thread and I'll have a look. Follow the same steps as here.

Download and run silent runners and also rkfiles. The links are in these posts above and below

Download and run A2, ewido, and do online scans at panda and Kaspersky. Post all the logs!

Actually, you are getting help here from cheesy, stick to that thread!

http://forums.techguy.org/showthread.php?t=392845&page=2&pp=15

Crowfoot!

Also look again for any of the below files and delete them. Let me know if you find any of them:

How to show hidden files in Windows

http://service1.symantec.com/SUPPOR...Virus Corporate Edition&ver=8.x&osv=&osv_lvl=

C:\WINDOWS\SYSTEM32\NTFSNLPA.EXE
C:\WINDOWS\SYSTEM32\RDSNDIN.EXE
C:\WINDOWS\RDT.INI
C:\WINDOWS\SYSTEM32\HCLEAN32.EXE
C:\WINDOWS\BALLOON.WAV or C:\WINDOWS\BALOON.WAV

Download rkfiles

http://skads.org/special/rkfiles.zip

and unzip the contents to a new folder on your desktop.

How to boot to safe mode

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

REBOOT TO SAFE MODE. These tools MUST be run in safe mode!

Once in safe mode, double click rkfiles.bat file to run it. It will scan for a while, so please be patient. Wait until the DOS window closes. Post the log it generates.


----------



## Crowfoot (Jul 2, 2005)

Hello khazars, 

Same old problems again this morning! 

I deleted the balloon.wav file as it was the only one found in the directory (hidden files are showing). 

Here is the rkfiles log: 

ECHO is off

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
Files Found in system Folder............ 
------------------------
C:\WINDOWS\SYSTEM\o1716ov0.tmp: UPX!
C:\WINDOWS\SYSTEM\ntfsnlpa.exe: UPX!
C:\WINDOWS\SYSTEM\cpuinf32.dll: UPX!
C:\WINDOWS\SYSTEM\RDSNDIN.EXE.VIR: UPX!
C:\WINDOWS\pcboot.exe: pec2
C:\WINDOWS\DOTEST.EXE: pec2
C:\WINDOWS\realtime.exe: pec2

Files Found in all users startup Folder............ 
------------------------
Files Found in all users windows Folder............ 
------------------------
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\tsc.exe: UPX!
Finished
bye


Regards, 

Crowfoot.
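The rkfiles log above tags each file in the Windows and System folders with a packer marker it found inside (`UPX!` for UPX, `pec2` for a PECompact-style packer), which is why the helper's next step is to upload the one unfamiliar hit to VirusTotal rather than delete everything listed: packing is a lead, not a verdict, and legitimate files such as cpuinf32.dll are packed too. The script below is an added example of the same technique, not rkfiles itself or anything from this thread: it walks a directory, looks for those marker strings in executable-type files, and returns the hits. The sample files it scans are synthetic, built in a temporary folder with names borrowed from the log and contents made up for the demo.

```python
"""Flag files that carry runtime-packer marker strings, rkfiles-style.

Added example for this thread; not the rkfiles tool and not a malware verdict engine.
"""
import os
import tempfile

# Marker strings that runtime packers leave in the PE image. A hit only says
# "packed"; legitimate software is packed too, so each hit needs a follow-up
# check (hash lookup, vendor signature, VirusTotal) before anything is deleted.
PACKER_MARKERS = (b"UPX!", b"pec2")

# rkfiles reports .exe/.dll plus leftover .tmp and quarantined .vir files, so scan those.
SCAN_EXTENSIONS = (".exe", ".dll", ".tmp", ".vir")


def find_packer_marker(path):
    """Return the first packer marker found in the file, or None."""
    with open(path, "rb") as f:
        data = f.read()
    for marker in PACKER_MARKERS:
        if marker in data:
            return marker.decode("ascii")
    return None


def scan_dir(directory):
    """Map lowercase file name -> marker for every executable-type file that is packed."""
    hits = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            marker = find_packer_marker(os.path.join(root, name))
            if marker is not None:
                hits[name.lower()] = marker
    return hits


def build_sample_dir():
    """Create a temporary folder of constructed sample files for the demo.

    File names are taken from the rkfiles log in this thread; the bytes are synthetic
    stand-ins (an 'MZ' header plus padding), not copies of any real file.
    """
    d = tempfile.mkdtemp(prefix="rkfiles_demo_")
    samples = {
        "ntfsnlpa.exe": b"MZ" + b"\0" * 200 + b"UPX0\0UPX1\0" + b"UPX!" + b"\0" * 64,
        "pcboot.exe": b"MZ" + b"\0" * 120 + b"pec2" + b"\0" * 64,
        "cpuinf32.dll": b"MZ" + b"\0" * 160 + b"UPX!" + b"\0" * 64,   # packed but legitimate
        "notepad.exe": b"MZ" + b"\0" * 300 + b".text\0.data\0" + b"\0" * 64,   # unpacked
        "readme.txt": b"UPX! in a text file is outside the scanned extensions",
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    return d


if __name__ == "__main__":
    for name, marker in sorted(scan_dir(build_sample_dir()).items()):
        print(f"{name}: {marker}")
```

Pointing `scan_dir` at a real Windows folder reproduces the shape of the rkfiles output; the useful next step is to treat the list as a triage queue and clear each entry by identity (publisher, known hash) rather than by the mere presence of a packer.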


----------



## khazars (Feb 15, 2004)

firstly upload this file and see if it's bad , if so then delete it with the killbox

C:\WINDOWS\SYSTEM\cpuinf32.dll

http://www.virustotal.com/flash/index_en.html

Let's try the delete on reboot method in killbox!

Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box. Then click yes to reboot after you entered the last one.

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

C:\WINDOWS\SYSTEM\o1716ov0.tmp
C:\WINDOWS\SYSTEM\ntfsnlpa.exe
C:\WINDOWS\SYSTEM\RDSNDIN.EXE.

run a few scans, whatever ones you want, say an anti virus and A2?

post another log and the logs from the scans


----------



## Crowfoot (Jul 2, 2005)

Ok,

That took a long time but here are the results.

Virustotal.com could find nothing wrong with this file so I didn't delete it with Killbox:

C:\WINDOWS\SYSTEM\cpuinf32.dll.

Here is the Kaspersky Scan log:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, August 26, 2005 13:00:25
Operating System: Microsoft Windows 98 SE 
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 26/08/2005
Kaspersky Anti-Virus database records: 137161
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\

Scan Statistics:
Total number of scanned objects: 14889
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 7505 sec

Infected Object Name - Virus Name
c:\WINDOWS\SYSTEM\csfqs.exe	Infected: Trojan-Dropper.Win32.Vidro.u

Scan process completed.

And, the a2 log:

a² Report
Filename Diagnosis 
c:\WINDOWS\SYSTEM\csfqs.exe Trojan-Dropper.Win32.Vidro.u

Plus, I've run another Hijack This log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 1:46:29 PM, on 8/26/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\A2\A2START.EXE
C:\PROGRAM FILES\A2\A2SCAN.EXE
C:\HIJACK THIS\HIJACKTHIS NEW 062505.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab

The other files mentioned were run through Killbox as directed and I rebooted thereafter.

Crowfoot.


----------



## khazars (Feb 15, 2004)

OK, put this one in the Killbox. Same again: delete on reboot, then run another Kaspersky scan.


c:\WINDOWS\SYSTEM\csfqs.exe


----------



## khazars (Feb 15, 2004)

You must be getting fed up with all these scans and the bugger changing and coming back?


----------



## Crowfoot (Jul 2, 2005)

No kidding!!! This is more than a little frustrating! 

If you know George W., why don't you have him find the author of this virus and have him go "nookular" on this scumbag!!! Sure would be nice to hear about any class action suits against these guys and the companies they represent. I'd be one of the first to sign up. 

Anyway, all griping aside, I'll do what you suggest, and get back to you when done. 

Keep smiling! 

Crowfoot.


----------



## khazars (Feb 15, 2004)

OK, I've asked around to see if there's anything new on this pest in the way of a fix, but because it keeps changing, it's problematic!


----------



## khazars (Feb 15, 2004)

Bush couldn't find his foot if it was stuck in his mouth!


----------



## Crowfoot (Jul 2, 2005)

I think the author of this virus hangs out with Osama and they're presently guarding a cache of Weapons of Mass Destruction!!! Shouldn't be too hard to find!

Ohoh, I think I just heard a knock at my door! 

Hmmmm! "Problematic", that can't be a good thing. So, the scan is in process, and I'm beginning to wonder if there's any point in continuing to run these scans for something that keeps changing. 

One other thing: could you change the subject of this thread and remove "Solved" from it, as I don't know how to do that. 

I think a lot of people are reading this string of posts hoping to find a solution to this problem, only to be disappointed with the results so far. 

In no way is this a reflection on your efforts because they have been stellar to say the least! 

But I'd like to apologize to the people who have earlier read this thread with the hope that they might find a solution to this problem, only to find out it has not been figured out as of yet. 

Regards,

Crowfoot.


----------



## Crowfoot (Jul 2, 2005)

OK,

I've done the Killbox thing with this file:

c:\WINDOWS\SYSTEM\csfqs.exe

Here is the newest Kaspersky Scan which came back clean:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, August 26, 2005 17:50:08
Operating System: Microsoft Windows 98 SE 
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 26/08/2005
Kaspersky Anti-Virus database records: 137184
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\

Scan Statistics:
Total number of scanned objects: 14911
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 10371 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.

And, a new Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 5:50:38 PM, on 8/26/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\MPLAYER2.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HIJACK THIS\HIJACKTHIS NEW 062505.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab

These Virus Scans are taking a very long time today, but I think this is what you asked for!

Regards,

Crowfoot
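Comparing each fresh HijackThis log with the previous one by eye, as this thread does post after post, is where entries get missed. The Python below is an added example, not code from the thread or from HijackThis itself: it parses the R/N/O entry lines, reports which entries appeared or disappeared between two logs, and flags an R1 ProxyServer entry whose target is not a private or loopback address (the log above has one at 60.48.219.112:8080, which routes every IE request through that host). The two sample logs are constructed from entries visible in this thread; treating a hostname proxy as worth review and the section-letter regex are my assumptions.

```python
import ipaddress
import re

# One HijackThis entry per line: "<section> - <body>", e.g. "R1 - HKCU\...,ProxyServer = host:port".
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<host>[^:\s]+)(?::(?P<port>\d+))?")


def parse_hjt(text):
    """Return (section, body) tuples; header lines and the process list do not match."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def diff_hjt(old_text, new_text):
    """Return (added, removed) entries between two logs, so a re-created autorun or a
    re-set proxy stands out instead of hiding among thirty unchanged lines."""
    old, new = set(parse_hjt(old_text)), set(parse_hjt(new_text))
    return sorted(new - old), sorted(old - new)


def proxy_findings(text):
    """Return (host, port, external) for every R1 ProxyServer entry; external is True
    when the proxy is not a private/loopback IP (a hostname is treated as worth review)."""
    findings = []
    for section, body in parse_hjt(text):
        if section != "R1" or "ProxyServer" not in body:
            continue
        m = PROXY_RE.search(body)
        if not m:
            continue
        host = m.group("host")
        try:
            ip = ipaddress.ip_address(host)
            external = not (ip.is_private or ip.is_loopback)
        except ValueError:  # not an IP literal; assumption: review it anyway
            external = True
        findings.append((host, m.group("port"), external))
    return findings


# Constructed sample logs: a subset of the entries posted in this thread, before and after a fix.
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
"""
NEW_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
"""

if __name__ == "__main__":
    added, removed = diff_hjt(OLD_LOG, NEW_LOG)
    for sec, body in added:
        print("ADDED  ", sec, body)
    for sec, body in removed:
        print("REMOVED", sec, body)
    for host, port, external in proxy_findings(OLD_LOG):
        print("PROXY  ", f"{host}:{port}", "EXTERNAL" if external else "local")
```

Run it against two saved logs by reading them into `OLD_LOG` and `NEW_LOG`; the proxy check is worth running on every log in the series, since the R1 entry above survives every cleanup attempt in this thread.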


----------



## khazars (Feb 15, 2004)

Copy everything in the quote box below (starting with REGEDIT4) and paste it into Notepad. Go up to "File > Save As", then click the drop-down box to change the "Save As Type" to "All Files". Save it as fixware.reg on your desktop.



> REGEDIT4
> 
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
> "System"=-
> "System"=""


Double-click fixware.reg and when asked if you want to merge with the registry click YES.

After the "merged successfully" prompt, please reboot your computer.

After reboot, please download RKFiles

* Unzip RKfiles.zip to the desktop
* Double-click RKFiles.bat to run it.
  * It may take a while.
* When it is finished a window should appear with a log.
* Please copy the contents of the log and paste them here
  * Note: the log will be saved at c:\log.txt


----------



## khazars (Feb 15, 2004)

I'm going to bed; I'll post back with instructions in the morning. Post the RKFiles log. Hopefully this will be the end of it soon!?


----------



## Crowfoot (Jul 2, 2005)

The Registry change has been completed and here are the results of the RKFiles.bat program: 

ECHO is off

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
Files Found in system Folder............ 
------------------------
C:\WINDOWS\SYSTEM\cpuinf32.dll: UPX!
C:\WINDOWS\pcboot.exe: pec2
C:\WINDOWS\realtime.exe: pec2

Files Found in all users startup Folder............ 
------------------------
Files Found in all users windows Folder............ 
------------------------
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\tsc.exe: UPX!
Finished
bye


Crowfoot
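The RKFiles output above is a string search: it lists files whose bytes contain packer markers such as `UPX!` or `pec2`, which is why the tool's own warning says legitimate files will appear too. The Python below is an added example, not the RKFiles or FindT batch code: it reads the first 4 KiB of each executable, checks the PE section names and the raw bytes for a small marker table, and reports hits as leads for a closer look rather than verdicts. The marker list (beyond `UPX!` and `pec2`, which are the two seen in this thread), the file extensions and the `build_fake_pe` test helper are my assumptions; the fake PE is a constructed header-only blob, not a runnable program.

```python
import os
import struct

# Packer markers of the kind RKFiles/FindT grep for. "UPX!" and "pec2" are the two
# seen in this thread; the others are assumptions added for illustration.
PACKER_MARKERS = {
    b"UPX!": "UPX",
    b"UPX0": "UPX",
    b"UPX1": "UPX",
    b"pec2": "PECompact2",
    b"PEC2": "PECompact2",
    b".aspack": "ASPack",
    b".petite": "Petite",
}


def pe_section_names(data):
    """Section names from a PE header, or [] when data is not PE-shaped."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; the 8-byte name comes first
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names


def packer_hits(data, head=0x1000):
    """Packer names whose marker appears in the first `head` bytes or as a section name.
    A hit is a lead, not a verdict: plenty of legitimate files ship packed."""
    found = set()
    window = data[:head]
    for marker, name in PACKER_MARKERS.items():
        if marker in window:
            found.add(name)
    for sec in pe_section_names(data):
        name = PACKER_MARKERS.get(sec.encode("latin-1"))
        if name:
            found.add(name)
    return sorted(found)


def scan_dir(path, exts=(".exe", ".dll", ".ocx", ".scr"), head=0x1000):
    """Map file path -> packer hits for every PE-like file under `path`; only the
    first `head` bytes are read, which covers the headers and the section table."""
    report = {}
    for root, _, files in os.walk(path):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            full = os.path.join(root, fn)
            try:
                with open(full, "rb") as fh:
                    hits = packer_hits(fh.read(head), head)
            except OSError:
                continue
            if hits:
                report[full] = hits
    return report


def build_fake_pe(section_names, extra=b""):
    """Constructed, non-executable PE-shaped blob for exercising the scanner offline."""
    e_lfanew, opt_size = 0x80, 0xE0
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    table = b"".join(n.encode("latin-1").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(hdr) + b"PE\0\0" + coff + b"\0" * opt_size + table + extra


if __name__ == "__main__":
    print(packer_hits(build_fake_pe(["UPX0", "UPX1", ".rsrc"])))
    print(scan_dir(r"C:\WINDOWS\SYSTEM") if os.name == "nt" else "run on the infected box")
```

Calling `scan_dir(r"C:\WINDOWS\SYSTEM")` on the affected machine gives the same kind of list RKFiles produced; the useful signal is a packed executable that is new since the last scan, not a packed file in itself.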


----------



## khazars (Feb 15, 2004)

I hope I'm not going to pre-empt the bugger, but it's looking good!

OK, can you run RKFiles again? I want to see a fresh one, as this pest changes and you have probably rebooted since last night.

Also download this tool.

download FindT

http://bilder.informationsarchiv.net/Nikitas_Tools/FindT.zip

- Extract the files to a folder in C:\ of your choice.
- Open the "FindT" folder and run the runthis.bat file.
- A text file will open; post the results.

Post both their logs and a HijackThis log!


----------



## Crowfoot (Jul 2, 2005)

OK,

Here are the results for the RKFiles.bat program:

ECHO is off

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
Files Found in system Folder............ 
------------------------
C:\WINDOWS\SYSTEM\cpuinf32.dll: UPX!
C:\WINDOWS\pcboot.exe: pec2
C:\WINDOWS\realtime.exe: pec2

Files Found in all users startup Folder............ 
------------------------
Files Found in all users windows Folder............ 
------------------------
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\tsc.exe: UPX!
Finished
bye

And, the FindT runthis.bat program:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
»»»»» Search by size & name's...

C:\WINDOWS\SYSTEM\NTFSNLPA.EXE
C:\WINDOWS\SYSTEM\RDSNDIN.EXE

And, the latest HiJack This log:

Logfile of HijackThis v1.99.1
Scan saved at 4:23:33 AM, on 8/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\HIJACK THIS\HIJACKTHIS NEW 062505.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab

Regards,

Crowfoot.


----------



## khazars (Feb 15, 2004)

Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box. Then click Yes to reboot after you have entered the last one.

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

C:\WINDOWS\SYSTEM\NTFSNLPA.EXE
C:\WINDOWS\SYSTEM\RDSNDIN.EXE

Now reboot to Safe Mode, then find and delete these files and folders if they are there:

How to boot to safe mode

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

How to show hidden files in Windows

http://service1.symantec.com/SUPPOR...Virus Corporate Edition&ver=8.x&osv=&osv_lvl=

C:\WINDOWS\SYSTEM\NTFSNLPA.EXE
C:\WINDOWS\SYSTEM\RDSNDIN.EXE

Run Cleanup again.

Note: this is stand-alone; it doesn't install to Start/Programmes.

Download Mwav, double-click on it and it will extract to C:\kaspersky. Click on the kaspersky folder and click on Kavupd; a black DOS window will open and it will update the programme for you. Be patient, it will take 5-10 minutes to download the new definitions. Once it's updated, click on mwavscan to launch the programme.

Use the defaults of:

Memory
startup folders
Registry
system folders
services

Choose drive, all drives, and click scan all files, and then click scan/clean. After it finishes scanning and cleaning, post the log here with a new HijackThis log.

Note: this is a very thorough scanner; it might take anything up to an hour or more, depending on how many drives you have and how badly infected your PC is.

http://www.spywareinfo.dk/download/mwav.exe

Post another log and the Mwav log!


----------



## khazars (Feb 15, 2004)

Could you also run RKFiles and FindT again and post their logs too!


----------



## Crowfoot (Jul 2, 2005)

Sorry, I fell asleep for a few hours while running the eScan Anti-Virus Utility, and I see now that I got your instructions mixed up, as I was getting a little bit "punchy" from lack of sleep. 

So here's what I did. 

I booted into Safe Mode, ran Killbox and entered the two files in question. Then I ran Cleanup in Safe Mode. I then rebooted back into Normal Mode and searched the file directory for the 2 files, but again they were not found, so I went ahead and ran the eScan Anti-Virus Utility, which has produced a huuuuuuge mwav.log of about 15,000 files. I can't imagine that you would want me to post a log of that size, and some of the info therein is sensitive and I do not wish to make it public. 

I'm not sure how to go about compressing this mwav.log file from WordPad and I am unable to Copy the Virus Log Information itself from the eScan Utility by itself. 

Here is a Summary of what the log reveals: 

Sat Aug 27 08:56:27 2005 => ***** Scanning complete. *****

Sat Aug 27 08:56:28 2005 => Total Number of Files Scanned: 15429
Sat Aug 27 08:56:28 2005 => Total Number of Virus(es) Found: 9
Sat Aug 27 08:56:28 2005 => Total Number of Disinfected Files: 0
Sat Aug 27 08:56:28 2005 => Total Number of Files Renamed: 1
Sat Aug 27 08:56:28 2005 => Total Number of Deleted Files: 7
Sat Aug 27 08:56:28 2005 => Total Number of Errors: 3
Sat Aug 27 08:56:28 2005 => Time Elapsed: 02:56:29
Sat Aug 27 08:56:28 2005 => Virus Database Date: 2005/08/15
Sat Aug 27 08:56:29 2005 => Virus Database Count: 143767

Is there a way to obtain the Virus Information Log only from the eScan utility? And, as I screwed up earlier, do you want me to start over from scratch, and try again? 

If necessary, I'd rather type out the Virus Information Log rather than post the whole mwav.log file as it does have detailed info. on the infected files mentioned in the above Summary. 

My apologies, and I have not pursued this matter beyond this point. 

Crowfoot.


----------



## Crowfoot (Jul 2, 2005)

Just some additional info: I have gone through the mwav.log and "cherry-picked" the virus detections and anomalies found: 


Anomalies Found in the mwav.log Scan

Sat Aug 27 06:04:31 2005 => Scanning File C:\WINDOWS\SYSTEM\csnzu.exe
Sat Aug 27 06:04:42 2005 => File C:\WINDOWS\SYSTEM\csnzu.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.


Sat Aug 27 06:05:02 2005 => Scanning File C:\WINDOWS\SYSTEM\cskxu.exe
Sat Aug 27 06:05:04 2005 => File C:\WINDOWS\SYSTEM\cskxu.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.

Sat Aug 27 06:05:04 2005 => Scanning File C:\WINDOWS\SYSTEM\csmbi.exe
Sat Aug 27 06:05:04 2005 => File C:\WINDOWS\SYSTEM\csmbi.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.

Sat Aug 27 06:05:05 2005 => Scanning File C:\WINDOWS\SYSTEM\csets.exe
Sat Aug 27 06:05:05 2005 => File C:\WINDOWS\SYSTEM\csets.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.

Sat Aug 27 06:09:35 2005 => Scanning File C:\WINDOWS\SYSTEM\csbeh.exe
Sat Aug 27 06:09:36 2005 => File C:\WINDOWS\SYSTEM\csbeh.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.

Sat Aug 27 06:09:49 2005 => Scanning File C:\WINDOWS\SYSTEM\csofo.exe
Sat Aug 27 06:09:50 2005 => File C:\WINDOWS\SYSTEM\csofo.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.

Sat Aug 27 06:09:50 2005 => Scanning File C:\WINDOWS\SYSTEM\csluz.exe
Sat Aug 27 06:09:51 2005 => File C:\WINDOWS\SYSTEM\csluz.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.

Sat Aug 27 07:39:52 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMP\~DF12A5.TMP
Sat Aug 27 07:39:52 2005 => Scanning File C:\WINDOWS\TEMP\~DF55D0.TMP

Sat Aug 27 07:39:52 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMP\~DF55D0.TMP
Sat Aug 27 07:39:55 2005 => Scanning File C:\WINDOWS\TEMP\History\History.IE5\MSHist012005082720050828\index.dat
Sat Aug 27 07:39:55 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMP\History\History.IE5\MSHist012005082720050828 

2005 => Scanning File C:\WINDOWS\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
Sat Aug 27 07:40:32 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\LOCALS~1\APPLIC~1\MICROS~1\INTERN~1\MSIMGSIZ.DAT

2005 => Scanning File C:\WINDOWS\SchedLog.Txt
Sat Aug 27 07:59:39 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\SchedLog.Txt

2005 => Scanning File C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat
Sat Aug 27 07:59:39 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT

Sat Aug 27 07:59:58 2005 => C:\WINDOWS\Temporary Internet Files\Content.IE5\KDMJKPIN\showcase_red______________ possibly infected and removed by background antivirus package!
Sat Aug 27 07:59:58 2005 => Result: ERROR!!! File C:\WINDOWS\Temporary Internet Files\Content.IE5\KDMJKPIN\showcase_red______________: Scanning Failure!!!
Sat Aug 27 07:59:58 2005 => C:\WINDOWS\Temporary Internet Files\Content.IE5\KDMJKPIN\showcase_red______________ possibly infected and removed by background antivirus package!

Sat Aug 27 07:59:58 2005 => File C:\WINDOWS\Temporary Internet Files\Content.IE5\KDMJKPIN\showcase_red______________ infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.

Sat Aug 27 08:00:43 2005 => Scanning File C:\WINDOWS\Cookies\index.dat
Sat Aug 27 08:00:43 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\Cookies\index.dat 

Sat Aug 27 08:00:44 2005 => Scanning File C:\WINDOWS\History\History.IE5\index.dat
Sat Aug 27 08:00:45 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\History\History.IE5\index.dat

Sat Aug 27 08:01:23 2005 => Scanning File C:\WINDOWS\Internet Logs\tvDebug.log
Sat Aug 27 08:01:23 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\INTERN~1\TVDEBUG.LOG

Sat Aug 27 08:01:23 2005 => Scanning File C:\WINDOWS\Internet Logs\IAMDB.RDB
Sat Aug 27 08:01:24 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\INTERN~1\IAMDB.RDB

Sat Aug 27 08:01:24 2005 => Scanning File C:\WINDOWS\Internet Logs\OEMCOMPUTER.ldb
Sat Aug 27 08:01:24 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\INTERN~1\OEMCOM~1.LDB

Sat Aug 27 08:43:50 2005 => Scanning File C:\Program Files\AVPersonal\LOGFILES\AVGUARD.LOG
Sat Aug 27 08:43:51 2005 => ERROR!!! ScanFile fails for C:\PROGRA~1\AVPERS~1\LOGFILES\AVGUARD.LOG

Sat Aug 27 08:51:42 2005 => Scanning File C:\viewer15624864.exe
Sat Aug 27 08:51:44 2005 => File C:\viewer15624864.exe tagged as not-a-virus:Porn-Downloader.Win32.Holistyc.b. No Action Taken.

Sat Aug 27 08:56:25 2005 => ***** Checking for specific ITW Viruses *****
Sat Aug 27 08:56:25 2005 => Checking for Welchia Virus...
Sat Aug 27 08:56:25 2005 => Checking for LovGate Virus...
Sat Aug 27 08:56:26 2005 => Checking for CodeRed Virus...
Sat Aug 27 08:56:26 2005 => Checking for OpaServ Virus...
Sat Aug 27 08:56:26 2005 => Checking for Sobig.e Virus...
Sat Aug 27 08:56:26 2005 => Checking for Winupie Virus...
Sat Aug 27 08:56:26 2005 => Checking for Swen Virus...
Sat Aug 27 08:56:27 2005 => Checking for JS.Fortnight Virus...
Sat Aug 27 08:56:27 2005 => Checking for Novarg Virus...
Sat Aug 27 08:56:27 2005 => Checking for Pagabot Virus...
Sat Aug 27 08:56:27 2005 => Checking for Parite.b Virus...
Sat Aug 27 08:56:27 2005 => Checking for Parite.a Virus...

Sat Aug 27 08:56:27 2005 => ***** Scanning complete. *****

Sat Aug 27 08:56:28 2005 => Total Number of Files Scanned: 15429
Sat Aug 27 08:56:28 2005 => Total Number of Virus(es) Found: 9
Sat Aug 27 08:56:28 2005 => Total Number of Disinfected Files: 0
Sat Aug 27 08:56:28 2005 => Total Number of Files Renamed: 1
Sat Aug 27 08:56:28 2005 => Total Number of Deleted Files: 7
Sat Aug 27 08:56:28 2005 => Total Number of Errors: 3
Sat Aug 27 08:56:28 2005 => Time Elapsed: 02:56:29
Sat Aug 27 08:56:28 2005 => Virus Database Date: 2005/08/15
Sat Aug 27 08:56:29 2005 => Virus Database Count: 143767

Sat Aug 27 08:56:29 2005 => Scan Completed.


I have not included the files that had size restrictions on them.

As well, I've decided to start over from scratch and will post the data requested in your last 2 posts. 


Crowfoot
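Cherry-picking the detections out of a 15,000-line mwav.log by hand, as done above, is exactly the step worth scripting, and it also makes the pattern in this thread visible: seven files with the same signature in one folder, all named `cs` plus three random letters, which is a dropper re-creating itself rather than seven separate infections. The Python below is an added example, not eScan's or the thread's code: it keeps only the detection, error and summary lines, then groups detections by folder and signature to surface such regenerating families. The line formats are taken from the log excerpts above; the sample log is a constructed excerpt of a few of those lines, and the grouping threshold is my assumption.

```python
import ntpath
import os
import re

# eScan/mwav lines look like "Sat Aug 27 06:04:42 2005 => <message>".
LINE = re.compile(r"^\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4} => (?P<msg>.*)$")
INFECTED = re.compile(r'File (?P<path>.+?) infected by "(?P<sig>[^"]+)"'
                      r"(?: Virus\. Action Taken: (?P<action>.+?)\.)?\s*$")
TAGGED = re.compile(r"File (?P<path>.+?) tagged as (?P<sig>.+?)\. No Action Taken\.")
ERROR = re.compile(r"ERROR!!! ScanFile fails for (?P<path>.+?)\s*$")
TOTAL = re.compile(r"Total Number of (?P<key>[^:]+): (?P<val>\d+)")


def triage_mwav(text):
    """Reduce a full mwav.log to detections, scan errors and the summary counters."""
    detections, errors, summary = [], [], {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (d := INFECTED.match(msg)):
            detections.append({"path": d["path"], "sig": d["sig"],
                               "action": d["action"] or "unknown"})
        elif (d := TAGGED.match(msg)):
            detections.append({"path": d["path"], "sig": d["sig"], "action": "No Action Taken"})
        elif (d := ERROR.match(msg)):
            errors.append(d["path"])
        elif (d := TOTAL.match(msg)):
            summary[d["key"]] = int(d["val"])
    return {"detections": detections, "errors": errors, "summary": summary}


def regenerating_families(detections, min_count=2):
    """Group detections by (folder, signature). A dropper that re-creates itself under
    random names shows up as several files of one signature in one folder; the common
    filename prefix is what to watch for in the next scan."""
    groups = {}
    for d in detections:
        folder, name = ntpath.split(d["path"])  # ntpath handles C:\ paths on any host
        groups.setdefault((folder.lower(), d["sig"]), []).append(name.lower())
    families = []
    for (folder, sig), names in groups.items():
        if len(names) >= min_count:
            families.append({"folder": folder, "sig": sig, "count": len(names),
                             "prefix": os.path.commonprefix(names)})
    return sorted(families, key=lambda f: -f["count"])


# Constructed excerpt modelled on the log posted above (a handful of its lines).
SAMPLE_LOG = r'''Sat Aug 27 06:04:31 2005 => Scanning File C:\WINDOWS\SYSTEM\csnzu.exe
Sat Aug 27 06:04:42 2005 => File C:\WINDOWS\SYSTEM\csnzu.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.
Sat Aug 27 06:05:04 2005 => File C:\WINDOWS\SYSTEM\cskxu.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.
Sat Aug 27 06:05:04 2005 => File C:\WINDOWS\SYSTEM\csmbi.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.
Sat Aug 27 07:39:52 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMP\~DF12A5.TMP
Sat Aug 27 08:51:44 2005 => File C:\viewer15624864.exe tagged as not-a-virus:Porn-Downloader.Win32.Holistyc.b. No Action Taken.
Sat Aug 27 08:56:28 2005 => Total Number of Files Scanned: 15429
Sat Aug 27 08:56:28 2005 => Total Number of Virus(es) Found: 9
Sat Aug 27 08:56:28 2005 => Total Number of Deleted Files: 7
'''

if __name__ == "__main__":
    report = triage_mwav(SAMPLE_LOG)
    for d in report["detections"]:
        print(d["action"], d["sig"], d["path"])
    for fam in regenerating_families(report["detections"]):
        print(f'{fam["count"]}x {fam["sig"]} in {fam["folder"]} (prefix "{fam["prefix"]}*")')
```

Feeding the real mwav.log in through `open(path, encoding="latin-1").read()` gives the same short list that was typed out above, with nothing sensitive from the 15,000 "Scanning File" lines, and the family summary is the line to compare between runs.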


----------



## khazars (Feb 15, 2004)

OK, good, it deleted all those ones linked to hclean32.exe. 


You did the right thing in just posting the part of the log where it reports what it finds, I should have mentioned that!


Use the Killbox on this dialer one.


C:\viewer15624864.exe


Also run Cleanup again!

Now just post the RKFiles and FindT logs. You can do that tomorrow if you want and get some sleep; no point knocking yourself out over a few viruses, and it is Saturday!


----------



## Crowfoot (Jul 2, 2005)

Khazars, 

I know it's Saturday, but I'm having a few "bubblies" and have had a nap while we continue to try to resolve this matter! The BBQ is on, the Budweisers are nice and cold, and the weather is beautiful! Only wish you were here to share it!!! So, I'm doing OK, thanks! 

Currently, I'm running the eScan Anti-Virus Utility, and 2 new viruses have been found and disinfected by the program: 

C:\WINDOWS\SYSTEM\csjkn.exe 

C:\WINDOWS\SYSTEM\csrpa.exe 

I'm only halfway through the scan, so I'll let the program run to completion and advise further once it's completed and I've finished what you have recommended above. 

Thanks again, 

Crowfoot.


----------



## khazars (Feb 15, 2004)

ok, cya later then !


----------



## khazars (Feb 15, 2004)

When you're finished, I would put these in the Killbox again just to make sure, delete on reboot.


Also look again for any of the below files and delete them. Let me know if you find any of them:



Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box. Then click Yes to reboot after you have entered the last one.

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.


C:\WINDOWS\SYSTEM\NTFSNLPA.EXE
C:\WINDOWS\SYSTEM\RDSNDIN.EXE
C:\WINDOWS\SYSTEM\HCLEAN32.EXE


post the logs when finished


----------



## Crowfoot (Jul 2, 2005)

I just want to post the new anomalies from the eScan Antivirus Utility, which have been very carefully "cherry-picked" from the mwav.log, as I don't want to lose this data (it took over 3 hours to get to this point): 


Sat Aug 27 05:54:22 2005 => Scanning File C:\WINDOWS\SchedLog.Txt
Sat Aug 27 05:54:23 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\SchedLog.Txt

Sat Aug 27 06:05:02 2005 => Scanning File C:\WINDOWS\SYSTEM\cskxu.exe
Sat Aug 27 06:05:04 2005 => File C:\WINDOWS\SYSTEM\cskxu.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.

Sat Aug 27 06:05:04 2005 => Scanning File C:\WINDOWS\SYSTEM\csmbi.exe
Sat Aug 27 06:05:04 2005 => File C:\WINDOWS\SYSTEM\csmbi.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.

Sat Aug 27 06:05:05 2005 => Scanning File C:\WINDOWS\SYSTEM\csets.exe
Sat Aug 27 06:05:05 2005 => File C:\WINDOWS\SYSTEM\csets.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.

Sat Aug 27 06:09:35 2005 => Scanning File C:\WINDOWS\SYSTEM\csbeh.exe
Sat Aug 27 06:09:36 2005 => File C:\WINDOWS\SYSTEM\csbeh.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.

Sat Aug 27 06:09:49 2005 => Scanning File C:\WINDOWS\SYSTEM\csofo.exe
Sat Aug 27 06:09:50 2005 => File C:\WINDOWS\SYSTEM\csofo.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.

Sat Aug 27 06:09:50 2005 => Scanning File C:\WINDOWS\SYSTEM\csluz.exe
Sat Aug 27 06:09:51 2005 => File C:\WINDOWS\SYSTEM\csluz.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.

Sat Aug 27 07:39:51 2005 => Scanning File C:\WINDOWS\TEMP\~DF12A5.TMP
Sat Aug 27 07:39:52 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMP\~DF12A5.TMP
Sat Aug 27 07:39:52 2005 => Scanning File C:\WINDOWS\TEMP\~DF55D0.TMP
Sat Aug 27 07:39:52 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMP\~DF55D0.TMP

Sat Aug 27 07:39:55 2005 => Scanning File C:\WINDOWS\TEMP\History\History.IE5\MSHist012005082720050828\index.dat
Sat Aug 27 07:39:55 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMP\History\History.IE5\MSHist012005082720050828\index.dat 

Sat Aug 27 07:40:32 2005 => Scanning File C:\WINDOWS\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
Sat Aug 27 07:40:32 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\LOCALS~1\APPLIC~1\MICROS~1\INTERN~1\MSIMGSIZ.DAT

Sat Aug 27 07:59:38 2005 => Scanning File C:\WINDOWS\SchedLog.Txt
Sat Aug 27 07:59:39 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\SchedLog.Txt

Sat Aug 27 07:59:39 2005 => Scanning File C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat
Sat Aug 27 07:59:39 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT 

Sat Aug 27 07:59:58 2005 => C:\WINDOWS\Temporary Internet Files\Content.IE5\KDMJKPIN\showcase_red______________ possibly infected and removed by background antivirus package!
Sat Aug 27 07:59:58 2005 => Result: ERROR!!! File C:\WINDOWS\Temporary Internet Files\Content.IE5\KDMJKPIN\showcase_red______________: Scanning Failure!!!

Sat Aug 27 08:00:43 2005 => Scanning File C:\WINDOWS\Cookies\index.dat
Sat Aug 27 08:00:43 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\Cookies\index.dat

Sat Aug 27 08:00:44 2005 => Scanning File C:\WINDOWS\History\History.IE5\index.dat
Sat Aug 27 08:00:45 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\History\History.IE5\index.dat

Sat Aug 27 08:01:23 2005 => Scanning File C:\WINDOWS\Internet Logs\tvDebug.log
Sat Aug 27 08:01:23 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\INTERN~1\TVDEBUG.LOG

Sat Aug 27 08:01:23 2005 => Scanning File C:\WINDOWS\Internet Logs\IAMDB.RDB
Sat Aug 27 08:01:24 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\INTERN~1\IAMDB.RDB 

Sat Aug 27 08:01:24 2005 => Scanning File C:\WINDOWS\Internet Logs\OEMCOMPUTER.ldb
Sat Aug 27 08:01:24 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\INTERN~1\OEMCOM~1.LDB

Sat Aug 27 08:43:50 2005 => Scanning File C:\Program Files\AVPersonal\LOGFILES\AVGUARD.LOG
Sat Aug 27 08:43:51 2005 => ERROR!!! ScanFile fails for C:\PROGRA~1\AVPERS~1\LOGFILES\AVGUARD.LOG

Aug 27 08:56:25 2005 => ***** Checking for specific ITW Viruses *****
Sat Aug 27 08:56:25 2005 => Checking for Welchia Virus...
Sat Aug 27 08:56:25 2005 => Checking for LovGate Virus...
Sat Aug 27 08:56:26 2005 => Checking for CodeRed Virus...
Sat Aug 27 08:56:26 2005 => Checking for OpaServ Virus...
Sat Aug 27 08:56:26 2005 => Checking for Sobig.e Virus...
Sat Aug 27 08:56:26 2005 => Checking for Winupie Virus...
Sat Aug 27 08:56:26 2005 => Checking for Swen Virus...
Sat Aug 27 08:56:27 2005 => Checking for JS.Fortnight Virus...
Sat Aug 27 08:56:27 2005 => Checking for Novarg Virus...
Sat Aug 27 08:56:27 2005 => Checking for Pagabot Virus...
Sat Aug 27 08:56:27 2005 => Checking for Parite.b Virus...
Sat Aug 27 08:56:27 2005 => Checking for Parite.a Virus...

Sat Aug 27 08:56:27 2005 => ***** Scanning complete. *****

Sat Aug 27 08:56:28 2005 => Total Number of Files Scanned: 15429
Sat Aug 27 08:56:28 2005 => Total Number of Virus(es) Found: 9
Sat Aug 27 08:56:28 2005 => Total Number of Disinfected Files: 0
Sat Aug 27 08:56:28 2005 => Total Number of Files Renamed: 1
Sat Aug 27 08:56:28 2005 => Total Number of Deleted Files: 7
Sat Aug 27 08:56:28 2005 => Total Number of Errors: 3
Sat Aug 27 08:56:28 2005 => Time Elapsed: 02:56:29
Sat Aug 27 08:56:28 2005 => Virus Database Date: 2005/08/15
Sat Aug 27 08:56:29 2005 => Virus Database Count: 143767

Sat Aug 27 08:56:29 2005 => Scan Completed.




Aug 27 13:56:42 2005 => Scanning File C:\WINDOWS\SYSTEM\csjkn.exe
Sat Aug 27 13:56:52 2005 => File C:\WINDOWS\SYSTEM\csjkn.exe infected by "Trojan-Dropper.Win32.Vidro.u" 

Sat Aug 27 14:00:44 2005 => Scanning File C:\WINDOWS\SYSTEM\csrpa.exe
Sat Aug 27 14:00:45 2005 => File C:\WINDOWS\SYSTEM\csrpa.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.

Sat Aug 27 15:19:28 2005 => Scanning File C:\WINDOWS\TEMP\~DF7F5.TMP
Sat Aug 27 15:19:28 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMP\~DF7F5.TMP
Sat Aug 27 15:19:28 2005 => Scanning File C:\WINDOWS\TEMP\~DF5C0C.TMP
Sat Aug 27 15:19:29 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMP\~DF5C0C.TMP
Sat Aug 27 15:19:29 2005 => Scanning File C:\WINDOWS\TEMP\~DF44A8.TMP
Sat Aug 27 15:19:29 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMP\~DF44A8.TMP

Sat Aug 27 15:19:32 2005 => Scanning File C:\WINDOWS\TEMP\History\History.IE5\MSHist012005082720050828\index.dat
Sat Aug 27 15:19:32 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMP\History\History.IE5\MSHist012005082720050828 

Sat Aug 27 15:20:09 2005 => Scanning File C:\WINDOWS\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
Sat Aug 27 15:20:09 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\LOCALS~1\APPLIC~1\MICROS~1\INTERN~1\MSIMGSIZ.DAT

Sat Aug 27 15:39:43 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\SchedLog.Txt
Sat Aug 27 15:39:43 2005 => Scanning Folder: C:\WINDOWS\Temporary Internet Files\*.*

Sat Aug 27 15:39:44 2005 => Scanning File C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat
Sat Aug 27 15:39:44 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT

Sat Aug 27 15:39:58 2005 => C:\WINDOWS\Temporary Internet Files\Content.IE5\KDMJKPIN\showcase_red______________ possibly infected and removed by background antivirus package!
Sat Aug 27 15:39:58 2005 => Result: ERROR!!! File C:\WINDOWS\Temporary Internet Files\Content.IE5\KDMJKPIN\showcase_red______________: Scanning Failure!!!
Sat Aug 27 15:39:58 2005 => C:\WINDOWS\Temporary Internet Files\Content.IE5\KDMJKPIN\showcase_red______________ possibly infected and removed by background antivirus package!
Sat Aug 27 15:39:58 2005 => File C:\WINDOWS\Temporary Internet Files\Content.IE5\KDMJKPIN\showcase_red______________ infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.


Sat Aug 27 15:40:34 2005 => Scanning File C:\WINDOWS\Cookies\index.dat
Sat Aug 27 15:40:34 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\Cookies\index.dat


Sat Aug 27 15:40:35 2005 => Scanning File C:\WINDOWS\History\History.IE5\index.dat
Sat Aug 27 15:40:35 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\History\History.IE5\index.dat

Sat Aug 27 15:41:14 2005 => Scanning File C:\WINDOWS\Internet Logs\OEMCOMPUTER.ldb
Sat Aug 27 15:41:14 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\INTERN~1\OEMCOM~1.LDB

Sat Aug 27 16:22:42 2005 => Scanning File C:\Program Files\AVPersonal\LOGFILES\AVGUARD.LOG
Sat Aug 27 16:22:42 2005 => ERROR!!! ScanFile fails for C:\PROGRA~1\AVPERS~1\LOGFILES\AVGUARD.LOG

Sat Aug 27 16:35:32 2005 => ***** Checking for specific ITW Viruses *****
Sat Aug 27 16:35:32 2005 => Checking for Welchia Virus...
Sat Aug 27 16:35:33 2005 => Checking for LovGate Virus...
Sat Aug 27 16:35:33 2005 => Checking for CodeRed Virus...
Sat Aug 27 16:35:34 2005 => Checking for OpaServ Virus...
Sat Aug 27 16:35:34 2005 => Checking for Sobig.e Virus...
Sat Aug 27 16:35:34 2005 => Checking for Winupie Virus...
Sat Aug 27 16:35:34 2005 => Checking for Swen Virus...
Sat Aug 27 16:35:34 2005 => Checking for JS.Fortnight Virus...
Sat Aug 27 16:35:34 2005 => Checking for Novarg Virus...
Sat Aug 27 16:35:34 2005 => Checking for Pagabot Virus...
Sat Aug 27 16:35:34 2005 => Checking for Parite.b Virus...
Sat Aug 27 16:35:35 2005 => Checking for Parite.a Virus...

Sat Aug 27 16:35:35 2005 => ***** Scanning complete. *****

Sat Aug 27 16:35:35 2005 => Total Number of Files Scanned: 15404
Sat Aug 27 16:35:35 2005 => Total Number of Virus(es) Found: 4
Sat Aug 27 16:35:35 2005 => Total Number of Disinfected Files: 0
Sat Aug 27 16:35:35 2005 => Total Number of Files Renamed: 1
Sat Aug 27 16:35:35 2005 => Total Number of Deleted Files: 2
Sat Aug 27 16:35:36 2005 => Total Number of Errors: 3
Sat Aug 27 16:35:36 2005 => Time Elapsed: 02:43:17
Sat Aug 27 16:35:36 2005 => Virus Database Date: 2005/08/15
Sat Aug 27 16:35:36 2005 => Virus Database Count: 143767

Sat Aug 27 16:35:36 2005 => Scan Completed.

The rest of the info. will follow after dinner! 

I'm starving!!!!!!!! 

Crowfoot.


----------



## Crowfoot (Jul 2, 2005)

I've gotten a pop-up from one of the running programs in the Start Menu, which indicates this file is a problem (C:\VIEWER~1.EXE) and will be deleted upon start up! I did a file search of my directory and it reveals that the above-mentioned file is in fact this file:

C:\viewer15624864.exe

I think this file:

C:\VIEWER~1.EXE

is what we've been looking for and is responsible for the virus re-inventing itself!!!

I'm reluctant to run this thru Killbox and then run Cleanup without seeking your advice!

But, I'm hopeful we've finally discovered the bugger (or at least one of them) that's causing all of the problems.

Here are the logs requested earlier:

ECHO is off

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
Files Found in system Folder............ 
------------------------
C:\WINDOWS\SYSTEM\cpuinf32.dll: UPX!
C:\WINDOWS\pcboot.exe: pec2
C:\WINDOWS\realtime.exe: pec2

Files Found in all users startup Folder............ 
------------------------
Files Found in all users windows Folder............ 
------------------------
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\tsc.exe: UPX!
Finished
bye

And:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
»»»»» Search by size & name's...

C:\WINDOWS\SYSTEM\NTFSNLPA.EXE
C:\WINDOWS\SYSTEM\RDSNDIN.EXE

Also, the newest HiJack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:02:20 PM, on 8/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\KASPERSKY\MWAVSCAN.COM
C:\KASPERSKY\KAVSS.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\HIJACK THIS\HIJACKTHIS NEW 062505.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab

According to the eScan Anti-virus Utility (in the "Virus Log Information" section of the Scan report) this file is a problem as follows:

"File C:\viewer15624864.exe tagged as not-a-virusorn-Downloader.Win32.Holystyc.b. No Action Taken".

I didn't catch this item when I perused the mwav log but I've corrected the Anomalies Report to include this item. Here is the corrected Anomalies Report reflecting the results of the 2 scans conducted:

Anomalies mwav3.log Report

Sat Aug 27 05:54:22 2005 => Scanning File C:\WINDOWS\SchedLog.Txt
Sat Aug 27 05:54:23 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\SchedLog.Txt

Sat Aug 27 06:05:02 2005 => Scanning File C:\WINDOWS\SYSTEM\cskxu.exe
Sat Aug 27 06:05:04 2005 => File C:\WINDOWS\SYSTEM\cskxu.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.

Sat Aug 27 06:05:04 2005 => Scanning File C:\WINDOWS\SYSTEM\csmbi.exe
Sat Aug 27 06:05:04 2005 => File C:\WINDOWS\SYSTEM\csmbi.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.

Sat Aug 27 06:05:05 2005 => Scanning File C:\WINDOWS\SYSTEM\csets.exe
Sat Aug 27 06:05:05 2005 => File C:\WINDOWS\SYSTEM\csets.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.

Sat Aug 27 06:09:35 2005 => Scanning File C:\WINDOWS\SYSTEM\csbeh.exe
Sat Aug 27 06:09:36 2005 => File C:\WINDOWS\SYSTEM\csbeh.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.

Sat Aug 27 06:09:49 2005 => Scanning File C:\WINDOWS\SYSTEM\csofo.exe
Sat Aug 27 06:09:50 2005 => File C:\WINDOWS\SYSTEM\csofo.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.

Sat Aug 27 06:09:50 2005 => Scanning File C:\WINDOWS\SYSTEM\csluz.exe
Sat Aug 27 06:09:51 2005 => File C:\WINDOWS\SYSTEM\csluz.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.

Sat Aug 27 07:39:51 2005 => Scanning File C:\WINDOWS\TEMP\~DF12A5.TMP
Sat Aug 27 07:39:52 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMP\~DF12A5.TMP
Sat Aug 27 07:39:52 2005 => Scanning File C:\WINDOWS\TEMP\~DF55D0.TMP
Sat Aug 27 07:39:52 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMP\~DF55D0.TMP

Sat Aug 27 07:39:55 2005 => Scanning File C:\WINDOWS\TEMP\History\History.IE5\MSHist012005082720050828\index.dat
Sat Aug 27 07:39:55 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMP\History\History.IE5\MSHist012005082720050828\index.dat

Sat Aug 27 07:40:32 2005 => Scanning File C:\WINDOWS\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
Sat Aug 27 07:40:32 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\LOCALS~1\APPLIC~1\MICROS~1\INTERN~1\MSIMGSIZ.DAT

Sat Aug 27 07:59:38 2005 => Scanning File C:\WINDOWS\SchedLog.Txt
Sat Aug 27 07:59:39 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\SchedLog.Txt

Sat Aug 27 07:59:39 2005 => Scanning File C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat
Sat ASat Aug 27 07:59:39 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT

Sat Aug 27 07:59:58 2005 => C:\WINDOWS\Temporary Internet Files\Content.IE5\KDMJKPIN\showcase_red______________ possibly infected and removed by background antivirus package!
Sat Aug 27 07:59:58 2005 => Result: ERROR!!! File C:\WINDOWS\Temporary Internet Files\Content.IE5\KDMJKPIN\showcase_red______________: Scanning Failure!!!

Sat Aug 27 08:00:43 2005 => Scanning File C:\WINDOWS\Cookies\index.dat
Sat Aug 27 08:00:43 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\Cookies\index.dat

Sat Aug 27 08:00:44 2005 => Scanning File C:\WINDOWS\History\History.IE5\index.dat
Sat Aug 27 08:00:45 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\History\History.IE5\index.dat

Sat Aug 27 08:01:23 2005 => Scanning File C:\WINDOWS\Internet Logs\tvDebug.log
Sat Aug 27 08:01:23 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\INTERN~1\TVDEBUG.LOG

Sat Aug 27 08:01:23 2005 => Scanning File C:\WINDOWS\Internet Logs\IAMDB.RDB
Sat Aug 27 08:01:24 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\INTERN~1\IAMDB.RDB

Sat Aug 27 08:01:24 2005 => Scanning File C:\WINDOWS\Internet Logs\OEMCOMPUTER.ldb
Sat Aug 27 08:01:24 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\INTERN~1\OEMCOM~1.LDB

Sat Aug 27 08:43:50 2005 => Scanning File C:\Program Files\AVPersonal\LOGFILES\AVGUARD.LOG
Sat Aug 27 08:43:51 2005 => ERROR!!! ScanFile fails for C:\PROGRA~1\AVPERS~1\LOGFILES\AVGUARD.LOG

Sat Aug 27 08:51:42 2005 => Scanning File C:\viewer15624864.exe
Sat Aug 27 08:51:44 2005 => File C:\viewer15624864.exe tagged as not-a-virusorn-Downloader.Win32.Holistyc.b. No Action Taken.

Aug 27 08:56:25 2005 => ***** Checking for specific ITW Viruses *****
Sat Aug 27 08:56:25 2005 => Checking for Welchia Virus...
Sat Aug 27 08:56:25 2005 => Checking for LovGate Virus...
Sat Aug 27 08:56:26 2005 => Checking for CodeRed Virus...
Sat Aug 27 08:56:26 2005 => Checking for OpaServ Virus...
Sat Aug 27 08:56:26 2005 => Checking for Sobig.e Virus...
Sat Aug 27 08:56:26 2005 => Checking for Winupie Virus...
Sat Aug 27 08:56:26 2005 => Checking for Swen Virus...
Sat Aug 27 08:56:27 2005 => Checking for JS.Fortnight Virus...
Sat Aug 27 08:56:27 2005 => Checking for Novarg Virus...
Sat Aug 27 08:56:27 2005 => Checking for Pagabot Virus...
Sat Aug 27 08:56:27 2005 => Checking for Parite.b Virus...
Sat Aug 27 08:56:27 2005 => Checking for Parite.a Virus...

Sat Aug 27 08:56:27 2005 => ***** Scanning complete. *****

Sat Aug 27 08:56:28 2005 => Total Number of Files Scanned: 15429
Sat Aug 27 08:56:28 2005 => Total Number of Virus(es) Found: 9
Sat Aug 27 08:56:28 2005 => Total Number of Disinfected Files: 0
Sat Aug 27 08:56:28 2005 => Total Number of Files Renamed: 1
Sat Aug 27 08:56:28 2005 => Total Number of Deleted Files: 7
Sat Aug 27 08:56:28 2005 => Total Number of Errors: 3
Sat Aug 27 08:56:28 2005 => Time Elapsed: 02:56:29
Sat Aug 27 08:56:28 2005 => Virus Database Date: 2005/08/15
Sat Aug 27 08:56:29 2005 => Virus Database Count: 143767

Sat Aug 27 08:56:29 2005 => Scan Completed.

Aug 27 13:56:42 2005 => Scanning File C:\WINDOWS\SYSTEM\csjkn.exe
Sat Aug 27 13:56:52 2005 => File C:\WINDOWS\SYSTEM\csjkn.exe infected by "Trojan-Dropper.Win32.Vidro.u"

Sat Aug 27 14:00:44 2005 => Scanning File C:\WINDOWS\SYSTEM\csrpa.exe
Sat Aug 27 14:00:45 2005 => File C:\WINDOWS\SYSTEM\csrpa.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.

Sat Aug 27 15:19:28 2005 => Scanning File C:\WINDOWS\TEMP\~DF7F5.TMP
Sat Aug 27 15:19:28 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMP\~DF7F5.TMP
Sat Aug 27 15:19:28 2005 => Scanning File C:\WINDOWS\TEMP\~DF5C0C.TMP
Sat Aug 27 15:19:29 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMP\~DF5C0C.TMP
Sat Aug 27 15:19:29 2005 => Scanning File C:\WINDOWS\TEMP\~DF44A8.TMP
Sat Aug 27 15:19:29 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMP\~DF44A8.TMP

Sat Aug 27 15:19:32 2005 => Scanning File C:\WINDOWS\TEMP\History\History.IE5\MSHist012005082720050828\index.dat
Sat Aug 27 15:19:32 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMP\History\History.IE5\MSHist012005082720050828

Sat Aug 27 15:20:09 2005 => Scanning File C:\WINDOWS\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
Sat Aug 27 15:20:09 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\LOCALS~1\APPLIC~1\MICROS~1\INTERN~1\MSIMGSIZ.DAT

Sat Aug 27 15:39:43 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\SchedLog.Txt
Sat Aug 27 15:39:43 2005 => Scanning Folder: C:\WINDOWS\Temporary Internet Files\*.*

Sat Aug 27 15:39:44 2005 => Scanning File C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat
Sat Aug 27 15:39:44 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT

Sat Aug 27 15:39:58 2005 => C:\WINDOWS\Temporary Internet Files\Content.IE5\KDMJKPIN\showcase_red______________ possibly infected and removed by background antivirus package!
Sat Aug 27 15:39:58 2005 => Result: ERROR!!! File C:\WINDOWS\Temporary Internet Files\Content.IE5\KDMJKPIN\showcase_red______________: Scanning Failure!!!
Sat Aug 27 15:39:58 2005 => C:\WINDOWS\Temporary Internet Files\Content.IE5\KDMJKPIN\showcase_red______________ possibly infected and removed by background antivirus package!
Sat Aug 27 15:39:58 2005 => File C:\WINDOWS\Temporary Internet Files\Content.IE5\KDMJKPIN\showcase_red______________ infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.

Sat Aug 27 15:40:34 2005 => Scanning File C:\WINDOWS\Cookies\index.dat
Sat Aug 27 15:40:34 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\Cookies\index.dat

Sat Aug 27 15:40:35 2005 => Scanning File C:\WINDOWS\History\History.IE5\index.dat
Sat Aug 27 15:40:35 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\History\History.IE5\index.dat

Sat Aug 27 15:41:14 2005 => Scanning File C:\WINDOWS\Internet Logs\OEMCOMPUTER.ldb
Sat Aug 27 15:41:14 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\INTERN~1\OEMCOM~1.LDB

Sat Aug 27 16:22:42 2005 => Scanning File C:\Program Files\AVPersonal\LOGFILES\AVGUARD.LOG
Sat Aug 27 16:22:42 2005 => ERROR!!! ScanFile fails for C:\PROGRA~1\AVPERS~1\LOGFILES\AVGUARD.LOG

Sat Aug 27 16:30:39 2005 => Scanning File C:\viewer15624864.exe
Sat Aug 27 16:30:41 2005 => File C:\viewer15624864.exe tagged as not-a-virusorn-Downloader.Win32.Holistyc.b. No Action Taken.

Sat Aug 27 16:35:32 2005 => ***** Checking for specific ITW Viruses *****
Sat Aug 27 16:35:32 2005 => Checking for Welchia Virus...
Sat Aug 27 16:35:33 2005 => Checking for LovGate Virus...
Sat Aug 27 16:35:33 2005 => Checking for CodeRed Virus...
Sat Aug 27 16:35:34 2005 => Checking for OpaServ Virus...
Sat Aug 27 16:35:34 2005 => Checking for Sobig.e Virus...
Sat Aug 27 16:35:34 2005 => Checking for Winupie Virus...
Sat Aug 27 16:35:34 2005 => Checking for Swen Virus...
Sat Aug 27 16:35:34 2005 => Checking for JS.Fortnight Virus...
Sat Aug 27 16:35:34 2005 => Checking for Novarg Virus...
Sat Aug 27 16:35:34 2005 => Checking for Pagabot Virus...
Sat Aug 27 16:35:34 2005 => Checking for Parite.b Virus...
Sat Aug 27 16:35:35 2005 => Checking for Parite.a Virus...

Sat Aug 27 16:35:35 2005 => ***** Scanning complete. *****

Sat Aug 27 16:35:35 2005 => Total Number of Files Scanned: 15404
Sat Aug 27 16:35:35 2005 => Total Number of Virus(es) Found: 4
Sat Aug 27 16:35:35 2005 => Total Number of Disinfected Files: 0
Sat Aug 27 16:35:35 2005 => Total Number of Files Renamed: 1
Sat Aug 27 16:35:35 2005 => Total Number of Deleted Files: 2
Sat Aug 27 16:35:36 2005 => Total Number of Errors: 3
Sat Aug 27 16:35:36 2005 => Time Elapsed: 02:43:17
Sat Aug 27 16:35:36 2005 => Virus Database Date: 2005/08/15
Sat Aug 27 16:35:36 2005 => Virus Database Count: 143767

Sat Aug 27 16:35:36 2005 => Scan Completed.

I think this may be the one we've been looking for!

I'll do nothing further until I hear back from you.

Crowfoot
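
The mwav log above is long, mostly ScanFile errors, and the one item that mattered (the "tagged as ... No Action Taken" line) was missed on the first read. Below is an added triage script (editor's example, not code from eScan or from anyone in this thread) that parses verdict lines of this shape, groups the hits by malware name, lists the ones the scanner did not delete, and does the "is this path mentioned anywhere in the log" check in one pass instead of a WordPad search per file. The sample log is constructed from the shapes of lines posted above; the scanner's own verdict text is kept exactly as posted.

```python
"""Triage an eScan (mwav) log: pull every verdict line out of the noise of
ScanFile errors, group the hits by malware name, and list what the scanner
left in place. Editor-added example; not part of eScan or of this thread."""
import re
from collections import defaultdict

# The verdict shapes that appear in mwav logs, plus the summary counters.
INFECTED_RE = re.compile(
    r'^(?P<ts>.+?) => File (?P<path>.+?) infected by "(?P<name>[^"]+)"'
    r'(?: Virus\. Action Taken: (?P<action>[^.]+)\.)?\s*$')
TAGGED_RE = re.compile(
    r'^(?P<ts>.+?) => File (?P<path>.+?) tagged as (?P<name>\S+?)\. '
    r'(?P<action>No Action Taken)\.\s*$')
ERROR_RE = re.compile(r'^(?P<ts>.+?) => ERROR!!! ScanFile fails for (?P<path>.+?)\s*$')
TOTAL_RE = re.compile(r'^(?P<ts>.+?) => Total Number of (?P<what>[^:]+): (?P<n>\d+)\s*$')

# Sample log: constructed for this example from lines of the shape posted in
# the thread (the scanner's own spelling of the verdicts is kept as posted).
SAMPLE_LOG = r"""Sat Aug 27 05:54:23 2005 => ERROR!!! ScanFile fails for C:\WINDOWS\SchedLog.Txt
Sat Aug 27 06:05:04 2005 => File C:\WINDOWS\SYSTEM\cskxu.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.
Sat Aug 27 06:05:04 2005 => File C:\WINDOWS\SYSTEM\csmbi.exe infected by "Trojan-Dropper.Win32.Vidro.u" Virus. Action Taken: File Deleted.
Sat Aug 27 08:51:44 2005 => File C:\viewer15624864.exe tagged as not-a-virusorn-Downloader.Win32.Holistyc.b. No Action Taken.
Sat Aug 27 13:56:52 2005 => File C:\WINDOWS\SYSTEM\csjkn.exe infected by "Trojan-Dropper.Win32.Vidro.u"
Sat Aug 27 15:39:58 2005 => File C:\WINDOWS\Temporary Internet Files\Content.IE5\KDMJKPIN\showcase_red______________ infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.
Sat Aug 27 16:35:35 2005 => Total Number of Virus(es) Found: 4
Sat Aug 27 16:35:35 2005 => Total Number of Deleted Files: 2
"""


def parse_mwav(text):
    """Return (findings, scan_errors, totals) for one mwav log."""
    findings, errors, totals = [], [], {}
    for line in text.splitlines():
        m = INFECTED_RE.match(line) or TAGGED_RE.match(line)
        if m:
            findings.append({"time": m["ts"], "path": m["path"], "name": m["name"],
                             "action": m["action"] or "(none logged)"})
            continue
        m = ERROR_RE.match(line)
        if m:
            errors.append(m["path"])
            continue
        m = TOTAL_RE.match(line)
        if m:
            totals[m["what"]] = int(m["n"])
    return findings, errors, totals


def unresolved(findings):
    """Hits the scanner did not delete or disinfect: the ones that need a
    manual decision (a 'No Action Taken' item is exactly what was missed)."""
    return [f for f in findings if f["action"] not in ("File Deleted", "File Disinfected")]


def by_family(findings):
    """Group hit paths by malware name. Several differently named files under
    one name is the pattern of a dropper that keeps re-creating itself."""
    fam = defaultdict(list)
    for f in findings:
        fam[f["name"]].append(f["path"])
    return dict(fam)


def mentions(text, paths):
    """Case-insensitive check of which suspect paths appear anywhere in the
    log, i.e. the WordPad Edit>Find step done in one pass."""
    low = text.lower()
    return {p: p.lower() in low for p in paths}


if __name__ == "__main__":
    hits, errs, tot = parse_mwav(SAMPLE_LOG)
    for name, paths in by_family(hits).items():
        print(f"{name}: {len(paths)} file(s)")
    for f in unresolved(hits):
        print("needs follow-up:", f["path"], "->", f["action"])
    print(f"{len(errs)} unscannable file(s); counters: {tot}")
```

Running it on a full mwav log gives the "Anomalies Report" above directly: the families, the count per family (three randomly named cs*.exe files under one dropper name is the point to notice), and the items the scanner only tagged or renamed.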


----------



## khazars (Feb 15, 2004)

Yes, this file was found in the Mwav scan, I told you to delete it with the killbox. Anyway, let's do that now.

Are any of your progs saying they have found instances of these 3 files below? It's strange that Rkfiles doesn't show them but Find T does!

C:\WINDOWS\SYSTEM\NTFSNLPA.EXE
C:\WINDOWS\SYSTEM\RDSNDIN.EXE
C:\WINDOWS\SYSTEM32\HCLEAN32.EXE

Use the delete on reboot method with killbox!

Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box. Then click Yes to reboot after you entered the last one.

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

C:\viewer15624864.exe 
C:\WINDOWS\SYSTEM\NTFSNLPA.EXE
C:\WINDOWS\SYSTEM\RDSNDIN.EXE
C:\WINDOWS\SYSTEM\csjkn.exe

run cleanup after you reboot.

find and delete these files and folders if they are there:

How to show hidden files in Windows

http://service1.symantec.com/SUPPOR...Virus Corporate Edition&ver=8.x&osv=&osv_lvl=

C:\viewer15624864.exe 
C:\WINDOWS\SYSTEM\NTFSNLPA.EXE
C:\WINDOWS\SYSTEM\RDSNDIN.EXE
C:\WINDOWS\RDT.INI
C:\WINDOWS\SYSTEM32\HCLEAN32.EXE
C:\WINDOWS\BALLOON.WAV 
C:\WINDOWS\BALOON.WAV
C:\WINDOWS\SYSTEM\csjkn.exe

run rkfiles again and findT, post their logs and a hijack this log. Run a kaspersky or a Panda scan; we might actually be clean here apart from that viewer file, and findT is misreporting the other 2 files?


----------



## khazars (Feb 15, 2004)

oops delete this one also with the killbox.


C:\WINDOWS\SYSTEM\csjkn.exe


----------



## Crowfoot (Jul 2, 2005)

No, 

I've run these 3 files through the Find function (Edit>Find) in WordPad on the mwav.log report and none of them were found: 

C:\WINDOWS\SYSTEM\NTFSNLPA.EXE
C:\WINDOWS\SYSTEM\RDSNDIN.EXE
C:\WINDOWS\SYSTEM32\HCLEAN32.EXE 

I'll do as you advise above and get back to you when complete. 

Crowfoot


----------



## khazars (Feb 15, 2004)

ok, it's a long slog with this one. I have fought this one before, but this one must be a new variant. The other one was, I think, csivvc.exe or something; that one took a lot of scans as well to find its hidden friends and a few killboxes to kill them, but it was cleanable. This one is a bit tougher and more resilient, but it's cleanable too!!


----------



## Crowfoot (Jul 2, 2005)

OK,

I've run the indicated files through Killbox (in Normal Mode), rebooted, run Cleanup, rebooted, and done file searches for the above-mentioned files/folders (none were found in the directory).

Here is the RKFiles log:

ECHO is off

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
Files Found in system Folder............ 
------------------------
C:\WINDOWS\SYSTEM\cpuinf32.dll: UPX!
C:\WINDOWS\pcboot.exe: pec2
C:\WINDOWS\realtime.exe: pec2

Files Found in all users startup Folder............ 
------------------------
Files Found in all users windows Folder............ 
------------------------
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\tsc.exe: UPX!
Finished
bye

And, the FindT log:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
»»»»» Search by size & name's...

C:\WINDOWS\SYSTEM\HCLEAN32.EXE

Also, the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:28:00 AM, on 8/28/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\HIJACK THIS\HIJACKTHIS NEW 062505.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab

I have received no pop ups or warnings of infection up to this point in time.

I'll post the Kaspersky scan when completed.

Crowfoot
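
The HijackThis log is reposted almost unchanged in every message of this thread, so a script beats eyeballing it each time. As an added example (editor's code, not from HijackThis or from anyone in the thread), the block below parses the R1 proxy, O4 autostart and O16 ActiveX-download lines and returns reviewer notes for three things: a proxy that is not a local address (every browser request is relayed through it, so the user should confirm they set it), an autostart launched from the drive root or a temp folder (the pattern of the C:\viewer15624864.exe file found earlier), and an ActiveX download from a host not on a trusted list. The trusted-host list and the "[Example] C:\example.exe" autostart line are constructed for illustration; the other sample lines are taken from the log above.

```python
"""Triage a HijackThis 1.99 log: pull out the proxy setting (R1), the
autostart entries (O4) and the ActiveX download entries (O16), and flag what
a reviewer should check first. Editor-added example, not part of HijackThis
or of the thread; the trusted-host list and the example.exe entry are made up."""
import ipaddress
import re
from urllib.parse import urlparse

PROXY_RE = re.compile(r'^R1 - .*ProxyServer = (?P<host>[^:\s]+)(?::(?P<port>\d+))?')
O4_RUN_RE = re.compile(r'^O4 - (?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
O4_STARTUP_RE = re.compile(r'^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$')
O16_RE = re.compile(r'^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<label>[^)]+)\))? - (?P<url>\S+)$')
# First executable on a command line, whether quoted, bare, or followed by arguments.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|scr|pif|bat|dll))(?=["\s,]|$)', re.IGNORECASE)

# Folders a legitimate autostart entry is rarely launched from.
SUSPECT_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\recycled\\")

# Sample log: lines from the HijackThis log posted above, plus one constructed
# [Example] autostart entry so the drive-root check has something to flag.
SAMPLE_HJT = r"""Logfile of HijackThis v1.99.1
Platform: Windows 98 SE (Win9x 4.10.2222A)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [Example] C:\example.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab
"""


def exe_of(cmd):
    """Executable part of an O4 command line (quotes and arguments stripped)."""
    m = EXE_RE.match(cmd.strip())
    return m["exe"] if m else cmd.strip()


def parse_hjt(text):
    """Return (proxy, autostarts, activex_downloads) from the log text."""
    proxy, runs, dpf = None, [], []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            proxy = (m["host"], int(m["port"]) if m["port"] else None)
            continue
        m = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
        if m:
            runs.append({"hive": m["hive"], "name": m["name"], "exe": exe_of(m["cmd"])})
            continue
        m = O16_RE.match(line)
        if m:
            dpf.append({"clsid": m["clsid"], "label": m["label"], "url": m["url"]})
    return proxy, runs, dpf


def is_local(host):
    """True for loopback/private addresses or 'localhost': a proxy that stays
    on the user's own machine or LAN rather than relaying traffic elsewhere."""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_loopback or ip.is_private
    except ValueError:
        return host.lower() == "localhost"


def review_items(proxy, runs, dpf, trusted_hosts):
    """Plain-text notes for a reviewer, proxy first, then autostarts, then ActiveX."""
    notes = []
    if proxy and not is_local(proxy[0]):
        notes.append(f"R1: proxy {proxy[0]}:{proxy[1]} relays all browser traffic; "
                     "confirm the user configured it")
    for r in runs:
        low = r["exe"].lower()
        if re.match(r"^[a-z]:\\[^\\]+$", low) or any(d in low for d in SUSPECT_DIRS):
            notes.append(f"O4 [{r['name']}]: runs from the drive root or a temp folder: {r['exe']}")
    for d in dpf:
        host = (urlparse(d["url"]).hostname or "").lower()
        if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
            notes.append(f"O16 {{{d['clsid']}}}: ActiveX download from untrusted host {host}")
    return notes


if __name__ == "__main__":
    # Constructed trusted list: the vendors whose online scanners this thread uses.
    trusted = ("akamai.net", "bitdefender.com", "pandasoftware.com", "kaspersky.com")
    for note in review_items(*parse_hjt(SAMPLE_HJT), trusted):
        print(note)
```

The checks are deliberately conservative: the script reports, it does not fix, and an entry it flags still needs the same judgement the helper applies in the thread (a proxy can be perfectly legitimate if the user or their ISP set it up).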


----------



## khazars (Feb 15, 2004)

ok, run a search for hclean32.exe and delete it if there.

C:\WINDOWS\SYSTEM\HCLEAN32.EXE

post the logs when you've finished!


----------



## Crowfoot (Jul 2, 2005)

OK,

There is no C:\WINDOWS\SYSTEM\HCLEAN32.EXE file in the directory.

Here's The Kaspersky Scan:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, August 28, 2005 08:58:53
Operating System: Microsoft Windows 98 SE 
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 28/08/2005
Kaspersky Anti-Virus database records: 137329
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\

Scan Statistics:
Total number of scanned objects: 14292
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 7505 sec

Infected Object Name - Virus Name
c:\WINDOWS\SYSTEM\csqgk.exe	Infected: Trojan-Dropper.Win32.Vidro.u

Scan process completed.

I've run this file: c:\WINDOWS\SYSTEM\csqgk.exe through Killbox, rebooted, then ran Cleanup and rebooted again. This file no longer exists in the directory.

Here is a new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:28:05 AM, on 8/28/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACK THIS\HIJACKTHIS NEW 062505.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab

I am going to run my own Anti Virus program and then run Kaspersky again thereafter just to double check if I'm finally clear of this infection.

As you mentioned earlier, we may be getting a false reading from the FindT program on the HCLEAN32.EXE file.

Regards,

Crowfoot.


----------



## khazars (Feb 15, 2004)

ok, just do what you intend to do and run an rkfiles and a Silent Runners and if you're clean we'll call it a day. You can check back in a day or so and let me know if you're still clean!


----------



## Crowfoot (Jul 2, 2005)

Will do! 

Thanks again. 

Crowfoot


----------



## khazars (Feb 15, 2004)

ok, you're welcome!


----------



## Crowfoot (Jul 2, 2005)

As George W. would have said "Mission Accomplished"!

Hmmmmm! But, wait a minute here, I'm being "irrationally exuberant", once again.

I ran my Anti Virus Program and it showed the following results which I have edited as there are too many scan entries to post:

Creation date of the report file: Sunday, August 28, 2005 09:58

AntiVir®/9x PersonalEdition Classic
Build 1047 vom 07.06.2005
Mainprogram 6.31.00.03 of 10.05.2005
VDF file 6.31.1.187 (0) of 26.08.2005

Scanning for 207733 virus strains and unwanted programs.

FindSpyA1.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
C:\WINDOWS\Temporary Internet Files\Content.IE5\KDMJKPIN
showcase_red______________
Access denied! Error during file opening!
Error code: 0x0002
WARNING! Access error/file locked!

End of scan: Sunday, August 28, 2005 10:42
Time taken: 44:22 min

910 directories were scanned
28244 files were scanned
1 warning message was issued
0 files were deleted
0 files were repaired
0 detections

Shortly thereafter my little yellow "balloon" friend was back as was the false Windows Security Warning pop-up.

Rdsndin was found in running processes but is not in the Start Up Menu.

The KDMJKPIN Temporary Internet folder was found in the directory and I deleted it but it is still in my Recycle Bin (i.e. see the warning in the AVwin.log above).

And, the rkfiles log:

ECHO is off

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
Files Found in system Folder............ 
------------------------
C:\WINDOWS\SYSTEM\cpuinf32.dll: UPX!
C:\WINDOWS\pcboot.exe: pec2
C:\WINDOWS\realtime.exe: pec2

Files Found in all users startup Folder............ 
------------------------
Files Found in all users windows Folder............ 
------------------------
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\tsc.exe: UPX!
Finished
bye

Also, the SilentRunners info:

"Silent Runners.vbs", revision 40, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TaskMonitor" = "c:\windows\taskmon.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"AVGCtrl" = "C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min" ["H+BEDV Datentechnik GmbH"]
"WinPatrol" = "C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe" ["BillP Studios"]
"THGuard" = ""C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"" ["Mischel Internet Security"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"SchedulingAgent" = "mstask.exe" [MS]
"TrueVector" = "C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\SPYWAREGUARD\SPYWAREGUARD.DLL" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{6AC3806F-8B39-4746-9C38-6B01CB7331FF}" = "Memory monitor"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\Q17583396_DISK.DLL" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\SPYWAREGUARD\SPYWAREGUARD.DLL" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL" [null data]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "c:\windows\Plus!.bmp"

Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]

Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"Maintenance-Defragment programs" -> launches: "C:\WINDOWS\DEFRAG.EXE /SAGERUN:0" [file not found]
"Maintenance-ScanDisk" -> launches: "C:\WINDOWS\SCANDSKW.EXE /SAGERUN:0 /ALL /N" [MS]
"Maintenance-Disk cleanup" -> launches: "C:\WINDOWS\CLEANMGR.EXE /SAGERUN:0" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "c:\windows\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
c:\windows\SYSTEM\mswsosp.dll [MS], 1
c:\windows\SYSTEM\msafd.dll [MS], 2 - 4
c:\windows\SYSTEM\rsvpsp.dll [MS], 5 - 6

Internet Explorer Address Prefixes:
-----------------------------------

Prefix for specific service (i.e., "www")

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\
HIJACK WARNING! "SearchAssistant" = "http://mbjgvt.outhost.info/sp.php"

Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

Missing lines (compared with English-language version):
HIJACK WARNING! "blank" = "http://awebfind.biz/" [file not found]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 73 seconds, including 18 seconds for message boxes)

As well, a new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:33:05 PM, on 8/28/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\AVPERSONAL\AVWIN.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\HIJACK THIS\HIJACKTHIS NEW 062505.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab

As you know, I have the Wareout.exe Program disabled in the Start Up Menu.

I'm beginning to wonder whether this may have something to do with our inability to effectively find what we're looking for???

Just a thought!

Crowfoot
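The HijackThis logs in this thread are being compared by eye from one post to the next. As an added example (not part of the thread and not HijackThis code), the Python below parses the Rn/On entry lines of a HijackThis v1.99.1 log, extracts the Internet Explorer proxy (R1) and the autorun (O4) entries, flags a proxy that points at a public address, and diffs two logs so that entries that appear or disappear between scans stand out. The sample log is constructed from entry lines quoted in this thread; the `ExampleAdded` autorun in the second log is an invented placeholder.

```python
"""Triage helper for HijackThis v1.99.1 logs: parse entries, check the IE proxy,
list autoruns, diff two scans. Added example for this thread; not HijackThis code."""
import ipaddress
import re

# Constructed sample built from entry lines quoted in the thread above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
"""

# A later scan with one extra autorun. "ExampleAdded" is an invented placeholder,
# not a file named anywhere in the thread.
NEXT_LOG = SAMPLE_LOG + r"O4 - HKLM\..\Run: [ExampleAdded] C:\WINDOWS\SYSTEM\example_added.exe" + "\n"

# Entry lines look like "R1 - <body>", "O4 - <body>"; header and process list do not.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
# O4 bodies look like "HKLM\..\Run: [Name] command"; Startup-folder O4 lines have no brackets.
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")


def parse_entries(log_text):
    """Return the (code, body) pairs of all Rn/Nn/On entries in a log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def proxy_server(entries):
    """The IE ProxyServer value from the R1 entry, or None when no proxy is set."""
    for code, body in entries:
        if code == "R1" and "ProxyServer" in body:
            return body.split(" = ", 1)[1].strip()
    return None


def proxy_is_suspicious(proxy):
    """True when the browser proxy points at a routable, non-private host.
    A proxy the user never configured routes all browsing through a third party."""
    if not proxy:
        return False
    host = proxy.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname we cannot classify offline; worth a look
    return not (ip.is_private or ip.is_loopback)


def autoruns(entries):
    """O4 entries as (name, command) pairs; bracket-less lines keep the raw body."""
    out = []
    for code, body in entries:
        if code != "O4":
            continue
        m = O4_RE.match(body)
        if m:
            out.append((m.group("name"), m.group("cmd")))
        else:
            out.append((body, ""))
    return out


def diff_entries(old_text, new_text):
    """(added, removed) entry lists between two scans of the same machine."""
    old = set(parse_entries(old_text))
    new = set(parse_entries(new_text))
    return sorted(new - old), sorted(old - new)


def triage(log_text):
    """One-call summary of the checks above."""
    entries = parse_entries(log_text)
    proxy = proxy_server(entries)
    return {
        "proxy": proxy,
        "proxy_suspicious": proxy_is_suspicious(proxy),
        "autoruns": autoruns(entries),
        "dpf_count": sum(1 for code, _ in entries if code == "O16"),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("proxy:", summary["proxy"], "(review)" if summary["proxy_suspicious"] else "")
    for name, cmd in summary["autoruns"]:
        print("autorun:", name, "->", cmd)
    added, removed = diff_entries(SAMPLE_LOG, NEXT_LOG)
    print("added since last scan:", added)
    print("removed since last scan:", removed)
```

The diff is the part that pays off in a thread like this one: every HijackThis log posted here carries the same R1 ProxyServer line, and a change in the O4 list between two scans is exactly what the helper is looking for when asking for a fresh log after each cleanup round.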


----------



## khazars (Feb 15, 2004)

you have got to be kidding, I thought you had deleted it?

you must get rid of it, through Add/Remove, remove its folder from C:\program files?


----------



## khazars (Feb 15, 2004)

empty the recycle bin, run another Find T see what it says. Have you been getting any pop ups about hclean.exe or its other two companions ?

C:\WINDOWS\SYSTEM32\NTFSNLPA.EXE
C:\WINDOWS\SYSTEM32\RDSNDIN.EXE


----------



## Crowfoot (Jul 2, 2005)

It was removed from the Program Files from the very start!!! (Start>Settings>Control Panel>Add/Remove Programs>Uninstall and is perhaps the first thing I did. It's not there and hasn't been from the start of this!) There is no Wareout Program in the Program Files Menu! 

However, it has never vanished from the Start Up Menu and has remained unchecked throughout this Process. 

Crowfoot


----------



## khazars (Feb 15, 2004)

ok, you have deleted it lol.

If you're confident in editing the registry then do this, make a back up of any of the keys first before deleting just in case!



go to start/run/type regedit/click ok/ go to these keys and delete wareout if there! Right click wareout and choose delete!


Go to the following registry keys and remove any items you don't want displayed


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run-
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-


----------



## Crowfoot (Jul 2, 2005)

I think your level of frustration with this whole matter is about the same as mine, and I'm the one with the problem, lol. 

I've edited the registry and the reference to the Wareout program is gone from the Start Up Menu! 

I get an Error Deleting File message when I try to empty the Recycle Bin. 

"Cannot delete Showcase_red__________:Cannot find specified file. Make sure you specify the correct pathand filename." 

Crowfoot.


----------



## khazars (Feb 15, 2004)

ok, you wanna leave it and see what happens, you think it's gone?


----------



## Crowfoot (Jul 2, 2005)

See above edited post. 

The KDMJKPIN Folder is no longer in the directory but remains in the Recycle Bin.


----------



## khazars (Feb 15, 2004)

hmm, well run cleanup and hopefully that should empty it, or boot to safe mode and try emptying it!

find and delete this file.


C:\WINDOWS\SYSTEM32\RDSNDIN.EXE


look for these as well!


C:\WINDOWS\RDT.INI
C:\WINDOWS\BALLOON.WAV 
C:\WINDOWS\BALOON.WAV


----------



## Crowfoot (Jul 2, 2005)

None of the above files were found in the directory! 

I'm 25% through doing another Kaspersky Scan which has found 1 virus so I'll run it through to completion, do the Killbox thing on the infection, then run Cleanup. If that won't remove the Folder from the Recycle Bin, I'll reboot into Safe Mode and try to remove the Folder that way. 

Crowfoot.


----------



## Crowfoot (Jul 2, 2005)

Khazars,

I've done a bunch of stuff and have been running trouble free for approximately 1 1/2 hours now and my computer speed is much improved.

I ran the Kaspersky Scan and it advised of this virus:

csgub.exe

I ran Kill box on it, rebooted into Safe Mode, ran Cleanup in safe Mode and got the error message:

"Cannot delete Showcase_red__________:Cannot find specified file. Make sure you specify the correct pathand filename."

As you will recall, this entry showed up in an earlier scan by my anti virus program:

FindSpyA1.zip
ArchiveType: ZIP
NOTE! The whole archive is password protected
C:\WINDOWS\Temporary Internet Files\Content.IE5\KDMJKPIN
showcase_red______________
Access denied! Error during file opening!
Error code: 0x0002
WARNING! Access error/file locked!

The C:\WINDOWS\Temporary Internet Files\Content.IE5\KDMJKPIN was deleted from the directory and sent to the Recycle Bin but I couldn't empty it, as I got this same error message:

"Cannot delete Showcase_red__________:Cannot find specified file. Make sure you specify the correct pathand filename."

I rebooted again into Safe Mode, ran Cleanup again, and no error message appeared. I checked the Recycle Bin and it was empty.

I then rebooted again into Normal Mode, and my Anti-Virus Program advised that HCLEAN32.exe was trying to run on my system. I did a file search and of course it wasn't there.

I rebooted again to Safe Mode, did a file search, and lo and behold there was the HCLEAN32.EXE file. I ran this through Killbox and did a search for the RDSNDIN.EXE virus. Lo and behold, it was also there! I ran this through Killbox, deleted all references to hclean and rdsndin found in a search of the file directory and ran Cleanup again, all while being in Safe Mode.

I got this error message again:

"Cannot delete Showcase_red__________:Cannot find specified file. Make sure you specify the correct pathand filename."

So, I rebooted once again into Safe Mode, ran Cleanup again and no error message appeared.

Then, I rebooted back into Normal Mode and received a message from WinPatrol that these files were trying to run in the auto start up process and would run every time I started my computer:

dmflh.exe 
HClean32.exe, and 
csaqp.exe

In WinPatrol I prevented them from reinstalling, rebooted back into Safe Mode and did a file search for the above files but they were not in the directory.

I ran Cleanup again and then rebooted back into Normal Mode. I did a file search again in Normal Mode for the above files but they were not found.

My Anti Virus Program flagged this file:

C:\WINDOWS\COOKIES\Index.dat as another TrojanDropper so I blocked it from installing. I did a Google Search on the Index.dat file and there didn't appear to be any harm in getting rid of it. So once again I rebooted back into Safe Mode, ran the Index.dat file through Killbox, ran Cleanup and rebooted back into Normal Mode.

I did a file search in both Normal Mode and Safe Mode for the following files:

dmflh.exe 
HClean32.exe 
csaqp.exe 
rdsndin.exe 
balloon.wav

and for the KDMJKPIN folder that was earlier sent to the Recycle Bin.

None of these files were found and as I've said I've been running trouble free ever since.

Sorry for being so long winded in this post, but I've tried to be as specific as possible in describing the process I went through, and I don't know whether or not all of what I did was necessary.

But, 2 1/2 hours have gone by and still no problems. No little yellow balloons, no fake Security Warnings and no warnings from any of the other running processes!

Attached is a new HijackThis log for your perusal:

Logfile of HijackThis v1.99.1
Scan saved at 12:59:05 AM, on 8/29/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACK THIS\HIJACKTHIS NEW 062505.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab

Please note, I did another FindT Scan and this file was found:

C:\WINDOWS\SYSTEM\NTFSNLPA.EXE

The file was found in the directory after I rebooted into Safe Mode.

I ran it through Killbox in Safe Mode, rebooted back into Safe Mode and it was gone from the file directory, ran Cleanup, and rebooted back into Normal Mode.

I ran FindT again and the report came back clean!

Regards,

Crowfoot


----------



## khazars (Feb 15, 2004)

yes, well done! 

It's a persistent bugger and that's what you need to do to get rid of it, it's a tiresome process but running the searches and running it through killbox and then running the scans needs to be done to see what's coming back and then repeating again and again

hopefully now, you'll stay free.

Here's a useful free tool to install, it's called watcher. It boots up when your desktop etc is booting up and runs a scan through the system folder! It produces a log of any changes, most of which are harmless like logs for a firewall, changes to dlls , but if these baddies show up, have it remove them. Any files you don't recognise do a google on it to see what it is!

Watcher.

http://www.h5.dion.ne.jp/~legoland/minuscule/watcher/index.html


----------



## Crowfoot (Jul 2, 2005)

Thanks for the additional tool to add to my arsenal! 

Just to let you know, I've been online for about 5 hours and none of the annoying pop ups/messages have reappeared. 

I'm doing another Kaspersky scan and 1 virus is being reported. I'll kill this with the same method as before and advise. 

I am getting a message from I think WinPatrol that the Cookies\Index.dat file and another .dat file are trying to reinstall themselves. I have denied this installation but from what I read in Google on this file it is to be expected. But, I don't want to reinstall a potential TrojanDropper, and I didn't save or write down the exact specifics of the message I received. 

I'm sure it will reappear and I'll give you the particulars on it. 

I've run another RKFiles Scan but I don't think there's anything really new here but here it is: 

ECHO is off

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
Files Found in system Folder............ 
------------------------
C:\WINDOWS\SYSTEM\cpuinf32.dll: UPX!
C:\WINDOWS\pcboot.exe: pec2
C:\WINDOWS\DOTEST.EXE: pec2
C:\WINDOWS\realtime.exe: pec2

Files Found in all users startup Folder............ 
------------------------
Files Found in all users windows Folder............ 
------------------------
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\tsc.exe: UPX!
Finished
bye

I'm going to catch a few hours of sleep and let you know later the results of the Kaspersky scan, Killbox and Cleanup process. 

You know the length of this thread is getting downright embarrassing! 

I think I'll have to change my handle or you guys will probably try to avoid me like the plague in future!!! 

Smitfraud first and then this! 

Sheesh!!! 

Crowfoot
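The rkfiles lines above (for example `C:\WINDOWS\SYSTEM\cpuinf32.dll: UPX!`) are packer-marker hits: the script searches executables in the system folders for byte strings that executable packers leave behind, which is why its banner warns that a hit is not proof of a bad file, since plenty of legitimate software ships UPX-packed. As an added example that is not the rkfiles script itself, the Python below runs the same kind of check over a constructed set of files in a temporary directory and prints hits in rkfiles' `path: MARKER` format. The two markers are `UPX!` (the UPX magic string) and `pec2`, which I take to be the PECompact 2 packer marker (an assumption, not something the thread states); the sample files are synthetic byte strings, not real executables.

```python
"""Packer-marker scan in the style of the rkfiles output quoted in this thread.
Added example, not the rkfiles script; sample files are constructed, not real binaries."""
import os
import tempfile

# Byte markers that packers leave in the image. "UPX!" is the UPX magic; "pec2" is
# assumed here to be the PECompact 2 marker. Extend the tuple to cover other packers.
MARKERS = (b"UPX!", b"pec2")


def scan_bytes(data):
    """Return the markers present in a file image, in MARKERS order."""
    return [m.decode() for m in MARKERS if m in data]


def scan_tree(root, max_size=8 * 1024 * 1024):
    """Walk root and return sorted 'path: MARKER' lines, like rkfiles prints them.
    Files above max_size are skipped; the droppers in this thread are small."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_size:
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            for marker in scan_bytes(data):
                hits.append(f"{path}: {marker}")
    return sorted(hits)


def build_sample_tree():
    """Create a throwaway directory holding three constructed PE-like byte strings:
    one carrying the UPX marker, one the pec2 marker, one with neither."""
    root = tempfile.mkdtemp(prefix="rkfiles_demo_")
    stub = b"MZ" + b"\x00" * 60 + b"PE\x00\x00"
    samples = {
        "packed_upx.exe": stub + b"UPX0UPX1" + b"UPX!" + b"\x90" * 16,
        "packed_pec2.exe": stub + b"pec2" + b"\x90" * 16,
        "plain.dll": stub + b".text" + b"\x90" * 16,
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


def new_hits(previous, current):
    """Hits present in the current scan but not in the previous one."""
    return sorted(set(current) - set(previous))


if __name__ == "__main__":
    root = build_sample_tree()
    for line in scan_tree(root):
        print(line)
```

As with the HijackThis logs, the useful comparison is between successive runs: the first rkfiles log in this thread lists five files and the later two add `C:\WINDOWS\DOTEST.EXE`, which is the kind of new entry `new_hits` is meant to surface for a closer look rather than something the marker alone condemns.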


----------



## khazars (Feb 15, 2004)

Yes, index.dat will come back, it's a Microsoft file for cookies, just scan it and make sure it's clean!

You'll just have to wait and see if you stay clean!

Best to run a FindT as well!


----------



## khazars (Feb 15, 2004)

Don't worry, this has been a nasty new variant, and many are still struggling to get fixed!


----------



## Crowfoot (Jul 2, 2005)

OK, 

I left my computer running, had a snooze, came back, and no pop ups or warnings of any kind have reappeared. 

Kaspersky found this virus: 

c:\WINDOWS\SYSTEM\csclg.exe	Infected: Trojan-Dropper.Win32.Vidro.u 

I rebooted into Safe Mode, ran the file through Killbox, rebooted back into Safe Mode, did a file search for this file and any references to hclean, NTFSNLPA, and RDSNDIN, and no files of these Types were found. 

I ran Cleanup again, this time it cleaned all of the files without any "file deletion error," rebooted back into Safe Mode and ran FindT once again. 

The FindT log came back clean.

I'll do another Kaspersky Scan to see if Trojans are still being generated and advise when completed. 

Still no popups or warnings, and my computer's performance has improved substantially!!! 

Regards, 

Crowfoot


----------



## khazars (Feb 15, 2004)

Next time if you find any of these cs**8.exes just try and find and delete them manually in safe mode and then see what happens? 

Or, right click the exe in question and choose properties and rename it cs***.xxxx

but, it's good that FindT is not finding anything, try running another rkfiles and silentrunners logs too, but they should be clean!


----------



## Crowfoot (Jul 2, 2005)

OK,

The Kaspersky Scan came back clean.

Here are the FindT results:

ECHO is off

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
Files Found in system Folder............ 
------------------------
C:\WINDOWS\SYSTEM\cpuinf32.dll: UPX!
C:\WINDOWS\pcboot.exe: pec2
C:\WINDOWS\DOTEST.EXE: pec2
C:\WINDOWS\realtime.exe: pec2

Files Found in all users startup Folder............ 
------------------------
Files Found in all users windows Folder............ 
------------------------
C:\WINDOWS\vsapi32.dll: UPX!t4
C:\WINDOWS\tsc.exe: UPX!
Finished
bye

And, the SilentRunners log:

"Silent Runners.vbs", revision 40, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TaskMonitor" = "c:\windows\taskmon.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"AVGCtrl" = "C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min" ["H+BEDV Datentechnik GmbH"]
"WinPatrol" = "C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe" ["BillP Studios"]
"THGuard" = ""C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"" ["Mischel Internet Security"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"SchedulingAgent" = "mstask.exe" [MS]
"TrueVector" = "C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\SPYWAREGUARD\SPYWAREGUARD.DLL" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{6AC3806F-8B39-4746-9C38-6B01CB7331FF}" = "Memory monitor"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\Q17583396_DISK.DLL" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\SPYWAREGUARD\SPYWAREGUARD.DLL" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL" [null data]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "c:\windows\Plus!.bmp"

Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]

Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"Maintenance-Defragment programs" -> launches: "C:\WINDOWS\DEFRAG.EXE /SAGERUN:0" [file not found]
"Maintenance-ScanDisk" -> launches: "C:\WINDOWS\SCANDSKW.EXE /SAGERUN:0 /ALL /N" [MS]
"Maintenance-Disk cleanup" -> launches: "C:\WINDOWS\CLEANMGR.EXE /SAGERUN:0" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "c:\windows\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
c:\windows\SYSTEM\mswsosp.dll [MS], 1
c:\windows\SYSTEM\msafd.dll [MS], 2 - 4
c:\windows\SYSTEM\rsvpsp.dll [MS], 5 - 6

Internet Explorer Address Prefixes:
-----------------------------------

Prefix for specific service (i.e., "www")

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes\
HIJACK WARNING! "SearchAssistant" = "http://mbjgvt.outhost.info/sp.php"

Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

Missing lines (compared with English-language version):
HIJACK WARNING! "blank" = "http://awebfind.biz/" [file not found]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 29 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 55 seconds.
---------- (total run time: 171 seconds)

Finally, I've run another HijackThis and here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 12:40:28 PM, on 8/29/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\HIJACK THIS\HIJACKTHIS NEW 062505.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab

I've experienced no problems whatsoever in the last 18 hours or so!

Regards,

Crowfoot


----------
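The final HijackThis log above still lists `R1 - HKCU\...\Internet Settings,ProxyServer = 60.48.219.112:8080`, a per-user Internet Explorer proxy that points at an outside address; that single line is enough to route all of IE's traffic through a third party, which is why a log triage should flag it regardless of how the machine feels. The script below is an added example, not code from the thread, from HijackThis or from Silent Runners: it parses HijackThis 1.99-style `Rn`/`On` lines, flags proxy settings that are neither loopback nor RFC 1918, and checks start/search pages and `O16` (Downloaded Program Files) installer hosts against allow-lists. The sample lines are constructed from the format in the posted logs, and the allow-lists are assumptions to adjust per machine.

```python
"""Triage a HijackThis 1.99.x log for the browser-hijack indicators seen in this thread.

Added example; not code from the thread, HijackThis or Silent Runners. The sample
lines are constructed in the posted logs' format; the allow-lists are assumptions.
"""
import ipaddress
import re
from urllib.parse import urlsplit

ENTRY_RE = re.compile(r"^(?P<code>[RNO]\d+) - (?P<body>.+)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<proxy>\S+)")
URL_RE = re.compile(r"https?://\S+")

# Assumption: hosts the operator knows are legitimate for start/search pages and
# for O16 ActiveX installers (the on-line scanners used in the thread).
TRUSTED_PAGE_HOSTS = {"www.rense.com", "home.netscape.com"}
TRUSTED_DPF_HOSTS = {"akamai.net", "bitdefender.com", "pandasoftware.com", "kaspersky.com"}

# Constructed sample in HijackThis 1.99.1 format (backslashes kept literal).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
"""


def parse_hjt(text):
    """Return [(code, body)] for every 'Rn/On/Nn - ...' line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def host_is_trusted(host, trusted):
    """True if host equals, or is a subdomain of, an allow-listed name."""
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in trusted)


def proxy_is_suspicious(proxy):
    """A per-user proxy on a non-loopback, non-private address is a classic hijack.

    Accepts 'host:port' or bare 'host' (IPv4 or hostname; IPv6 literals not handled).
    """
    host = proxy.rsplit(":", 1)[0] if ":" in proxy else proxy
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname proxy the user did not configure: review it
    return not (ip.is_private or ip.is_loopback)


def triage(text):
    """Return [(kind, value)] findings: 'proxy', 'page' or 'dpf'."""
    findings = []
    for code, body in parse_hjt(text):
        if code == "R1" and (m := PROXY_RE.search(body)):
            if proxy_is_suspicious(m.group("proxy")):
                findings.append(("proxy", m.group("proxy")))
        elif code in ("R0", "R1") and (m := URL_RE.search(body)):
            host = urlsplit(m.group(0)).hostname or ""
            if not host_is_trusted(host, TRUSTED_PAGE_HOSTS):
                findings.append(("page", host))
        elif code == "O16" and (m := URL_RE.search(body)):
            host = urlsplit(m.group(0)).hostname or ""
            if not host_is_trusted(host, TRUSTED_DPF_HOSTS):
                findings.append(("dpf", host))
    return findings


if __name__ == "__main__":
    for kind, value in triage(SAMPLE_LOG):
        print(f"{kind:5s} {value}")
```

Run against the sample, the only finding is the `60.48.219.112:8080` proxy; the on-line scanner `O16` entries and the Rense start page pass because they are allow-listed. On a real log, paste the whole file in place of `SAMPLE_LOG`, and treat a `proxy` finding as something to clear in Internet Options (or by removing the `ProxyServer` value under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings`) before declaring the browser clean.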



## khazars (Feb 15, 2004)

OK, it looks like you did it. I should have told you to search in safe mode for those files; it totally slipped my mind!


----------



## Crowfoot (Jul 2, 2005)

Far from it!!! 

Without your help, I would have been "dead in the water." 

I'll wait a day or two before marking this thread solved, but things are looking good as I continue to run problem-free. 

Thanks sooooooo much for all the time you spent on this matter and of course your valuable advice along the way! 

Best wishes, 

Crowfoot.


----------



## khazars (Feb 15, 2004)

ok! :up: 

You're welcome!

Glad to hear you're still error- and virus-free.


----------

