Jump to content


Help removing several hijacks

  • Please log in to reply
6 replies to this topic

#1 teknics



  • Full Member
  • Pip
  • 6 posts

Posted 03 June 2004 - 11:01 AM

Well I am at my boss's house so I need help ASAP.

I managed to get rid of ere.exe but it came back after reboot. That is when this phidlba showed up too....

Here is my current Hijackthis logfile:

Logfile of HijackThis v1.97.7
Scan saved at 11:55:49 AM, on 6/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\Program Files\AdSubtract\adsub.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\phidlba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\phidlba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\phidlba.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\phidlba.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\phidlba.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\phidlba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_3_11_0.DLL
O2 - BHO: Core Library - {6CDF3C49-20E6-48d7-811B-9F5DD17F1D90} - C:\WINDOWS\System32\sfg2443.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E810BA2B-D4CF-4E2B-B790-E24E2265F392} - C:\WINDOWS\System32\phidlba.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_3_11_0.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [mediaseek] C:\WINDOWS\system32\ere.exe @run
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Security Updater] secupd.exe -nos
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O4 - Global Startup: AdSubtract.LNK = C:\Program Files\AdSubtract\adsub.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot4_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.game...nts/y/wt0_x.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O19 - User stylesheet: C:\WINDOWS\sstyle.css (file missing)

Thanks in advance!


#2 freeatlast


    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 03 June 2004 - 01:03 PM

Restart computer in Safe mode!

In hijackthis fix checked:

*O4 - HKLM\..\Run: [mediaseek] C:\WINDOWS\system32\ere.exe @run
*O4 - HKCU\..\Run: [Security Updater] secupd.exe -nos

Reboot and delete:
ere.exe, secupd.exe from System32.
And: C:\WINDOWS\TEMP\F84D.tmp.exe< file!

Read this page:

If it's registered as service you'd have stop it
first and delete the service. (leave it for now)

Download and Install: >>Find-All.exe (Win2K/XP only!)<<

Run the Find-All\"Find-All.Cmd" file, wait for the log and post it here.

From the same page, Download: "StartDreck.zip":
Unzip, run StartDreck.exe:
hit>unmark all
Under: *System/Drivers, check->
*NT Services
*NT kernel and FS drivers
hit 'ok'
Use the 'save' tab, name save the log and post it here as well!
Submit Files: Posted Image
Posted ImagePosted ImagePosted Image

#3 teknics



  • Full Member
  • Pip
  • 6 posts

Posted 03 June 2004 - 01:27 PM

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION 8.8 -6/02 @@@***==--

Thu Jun 03 14:25:37 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (297F:12E1) - FS:FAT clusters:32k
Total: 40 006 156 288 [37G] - Free: 32 085 934 080 [30G]

»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 03-31-2003 iexplore.exe


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q330994;Q824145;Q832894;Q837009;Q831167;



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

»»Wmplayer version: C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU shp 520,192 03-31-2003 wmplayer.exe C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU shp 4,639 03-31-2003 mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINDOWS\System32\msjava.dll
--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

»»NotePad(s) version(s)... added Tnx to shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 04-16-2004 notepad.exe
? C:\WINDOWS\System32\notepad.exe
--a-- W32i - - - - 3,584 04-27-2004 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 03-31-2003 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 03-31-2003 regedt32.exe

»»PC uptime:
2:25pm up 0 days, 0:05

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\COMN.DLL +++ File read error
\\?\C:\WINDOWS\System32\COMN.DLL +++ File read error

»»Tasks (services):
0 System Process
4 System
336 CSRSS.EXE Title:
360 WINLOGON.EXE Title: NetDDE Agent
408 SERVICES.EXE Svcs: Eventlog,PlugPlay
420 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs
588 SVCHOST.EXE Svcs: RpcSs
620 SVCHOST.EXE Svcs: AudioSrv,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,
696 SVCHOST.EXE Svcs: Dnscache
708 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient
872 LEXBCES.EXE Svcs: LexBceS
924 SPOOLSV.EXE Svcs: Spooler
932 LEXPPS.EXE Title:
1144 NVSVC32.EXE Svcs: NVSvc
1256 WANMPSVC.EXE Svcs: WANMiniportService
1632 EXPLORER.EXE Title: Program Manager
1756 ACMonitor_X73.exACMonitor_X73Title: ACMonitor_X73
1764 AcBtnMgr_X73.exeAcBtnMgr_X73Title: AcBtnMgr_X73
1792 TYPE32.EXE Title:
1832 aim.exe Title: Sign On
1916 CM_camera.exe Title: CM_camera
1944 adsub.exe Title: interMute Properties Control
2140 SVCHOST.EXE Svcs: stisvc
2444 iexplore.exe Title: FreeAtLast - Microsoft Internet Explorer
3112 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
3168 ntvdm.exe
3224 tlist.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E53CD0CE-D3C4-45E2-8996-E406DE1A4EB7}]



[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"

@="AP Deflate Encoding/Decoding Filter "

@="AP GZIP Encoding/Decoding Filter "

@="AP lzdhtml encoding/decoding Filter"



@="WebView MIME Filter"


"DDE Control Module"="{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"

»»Security settings for 'Windows' key:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Full access BUILTIN\Administrators

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

»»Group/user settings:

User: [DEN\Kelly Murphy], is a member of:


User is a member of group DEN\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx No permissions are set. All user have full control.
ERROR: There are no more files.
»»Contents of file(s) in 'junkxxx' folder:


MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

0 bytes, 0 ms = 0.00 MB/sec

Thu Jun 03 14:25:55 2004 -- ++Find-All backups created:
A C:\Find-All\Find-All\winBackup.hiv
A C:\Find-All\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:


LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

#4 teknics



  • Full Member
  • Pip
  • 6 posts

Posted 03 June 2004 - 01:29 PM

StartDreck (build 2.1.5 public BETA) - 2004-06-03 @ 14:29:33
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)

»NT Services
*Alerter Alerter - on demand
*Application Layer Gateway Service ALG - on demand
*AOL Connectivity Service AOL ACS running auto
*Application Management AppMgmt - on demand
*Windows Audio AudioSrv running auto
*Background Intelligent Transfer Service BITS - on demand
*Computer Browser Browser - on demand
*Indexing Service CiSvc - on demand
*ClipBook ClipSrv - on demand
*COM+ System Application COMSysApp - on demand
*Cryptographic Services CryptSvc running auto
*DHCP Client Dhcp running auto
*Logical Disk Manager Administrative Service dmadmin - on demand
*Logical Disk Manager dmserver - on demand
*DNS Client Dnscache running auto
*Error Reporting Service ERSvc running auto
*Event Log Eventlog running auto
*COM+ Event System EventSystem running on demand
*Fast User Switching Compatibility FastUserSwitchingCom running on demand
*Help and Support helpsvc running auto
*HID Input Service HidServ running auto
*IMAPI CD-Burning COM Service ImapiService - on demand
*IPv6 Internet Connection Firewall Ip6FwHlp - on demand
*Server lanmanserver running auto
*Workstation lanmanworkstation running auto
*LexBce Server LexBceS running auto
*TCP/IP NetBIOS Helper LmHosts running auto
*Messenger Messenger - disabled
*NetMeeting Remote Desktop Sharing mnmsrvc - on demand
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*Network DDE NetDDE - on demand
*Network DDE DSDM NetDDEdsdm - on demand
*Net Logon Netlogon - on demand
*Network Connections Netman running on demand
*Network Location Awareness (NLA) Nla running on demand
*NT LM Security Support Provider NtLmSsp - on demand
*Removable Storage NtmsSvc - on demand
*NVIDIA Display Driver Service NVSvc running auto
*Plug and Play PlugPlay running auto
*IPSEC Services PolicyAgent running auto
*Protected Storage ProtectedStorage running auto
*Remote Access Auto Connection Manager RasAuto - on demand
*Remote Access Connection Manager RasMan running on demand
*Remote Desktop Help Session Manager RDSessMgr - on demand
*Routing and Remote Access RemoteAccess - disabled
*Remote Procedure Call (RPC) Locator RpcLocator - on demand
*Remote Procedure Call (RPC) RpcSs running auto
*QoS RSVP RSVP - on demand
*Security Accounts Manager SamSs running auto
*Smart Card Helper SCardDrv - on demand
*Smart Card SCardSvr - on demand
*Task Scheduler Schedule running auto
*Secondary Logon seclogon running auto
*System Event Notification SENS running auto
*Internet Connection Firewall (ICF) / Internet C SharedAccess - on demand
`onnection Sharing (ICS)
*Shell Hardware Detection ShellHWDetection running auto
*Print Spooler Spooler running auto
*System Restore Service srservice - auto
*SSDP Discovery Service SSDPSRV running on demand
*Windows Image Acquisition (WIA) stisvc running on demand
*MS Software Shadow Copy Provider SwPrv - on demand
*Performance Logs and Alerts SysmonLog - on demand
*Telephony TapiSrv running on demand
*Terminal Services TermService running on demand
*Themes Themes running auto
*Distributed Link Tracking Client TrkWks running auto
*Upload Manager uploadmgr running auto
*Universal Plug and Play Device Host upnphost - on demand
*Uninterruptible Power Supply UPS - on demand
*Volume Shadow Copy VSS - on demand
*Windows Time W32Time running auto
*WAN Miniport (ATW) Service WANMiniportService running auto
*WebClient WebClient running auto
*Windows Security Update Windows Security Upd - auto
*Windows Management Instrumentation winmgmt running auto
*Portable Media Serial Number WmdmPmSp running auto
*WMI Performance Adapter WmiApSrv - on demand
*Automatic Updates wuauserv running auto
*Wireless Zero Configuration WZCSVC running auto
»NT Kernel- and FS-drivers
*Abiosdsk Abiosdsk - disabled
*abp480n5 abp480n5 - disabled
*Microsoft ACPI Driver ACPI running boot
*ACPIEC ACPIEC - disabled
*adpu160m adpu160m - disabled
*Microsoft Kernel Acoustic Echo Canceller aec - on demand
*AFD Networking Support Environment AFD running auto
*Intel AGP Bus Filter agp440 running boot
*Aha154x Aha154x - disabled
*aic78u2 aic78u2 - disabled
*aic78xx aic78xx - disabled
*AliIde AliIde - disabled
*amsint amsint - disabled
*asc asc - disabled
*asc3350p asc3350p - disabled
*asc3550 asc3550 - disabled
*RAS Asynchronous Media Driver AsyncMac - on demand
*Standard IDE/ESDI Hard Disk Controller atapi running boot
*Atdisk Atdisk - disabled
*ATM ARP Client Protocol Atmarpc - on demand
*Audio Stub Driver audstub running on demand
*Beep Beep running system
*cbidf2k cbidf2k - disabled
*cd20xrnt cd20xrnt - disabled
*Cdaudio Cdaudio - system
*Cdfs Cdfs running disabled
*CD-ROM Driver Cdrom running system
*Changer Changer - system
*CmdIde CmdIde - disabled
*Cpqarray Cpqarray - disabled
*Creative SBLive! Gameport ctljystk running on demand
*dac960nt dac960nt - disabled
*Disk Driver Disk running boot
*dmboot dmboot - disabled
*dmio dmio - disabled
*dmload dmload - disabled
*Microsoft Kernel DLS Syntheiszer DMusic - on demand
*dpti2o dpti2o - disabled
*Microsoft Kernel DRM Audio Descrambler drmkaud - on demand
*3Com EtherLink XL 90XB/C Adapter Driver EL90XBC running on demand
*Creative SB Live! (WDM) emu10k running on demand
*Creative Interface Manager Driver (WDM) emu10k1 running on demand
*Fastfat Fastfat running disabled
*Floppy Disk Controller Driver Fdc running on demand
*Fips Fips running system
*Floppy Disk Driver Flpydisk running on demand
*Volume Manager Driver Ftdisk running boot
*Game Port Enumerator gameenum running on demand
*Generic Packet Classifier Gpc running on demand
*Microsoft HID Class Driver hidusb - on demand
*hpn hpn - disabled
*i2omgmt i2omgmt - system
*i2omp i2omp - disabled
*i8042 Keyboard and PS/2 Mouse Port Driver i8042prt running system
*CD-Burning Filter Driver Imapi running system
*ini910u ini910u - disabled
*IntelIde IntelIde running boot
*IPv6 Firewall Driver Ip6Fw - on demand
*IP Traffic Filter Driver IpFilterDriver - on demand
*IP in IP Tunnel Driver IpInIp - on demand
*IP Network Address Translator IpNat - on demand
*IPSEC driver IPSec running system
*IR Enumerator Service IRENUM - on demand
*PnP ISA/EISA Bus Driver isapnp running boot
*Keyboard Class Driver Kbdclass running system
*Keyboard HID Driver kbdhid - system
*Microsoft Kernel Wave Audio Mixer kmixer running on demand
*KSecDD KSecDD running boot
*lbrtfdc lbrtfdc - system
*Lexmark X73 MFP Scanner LXARScan running auto
*mnmdd mnmdd running system
*Modem Modem running on demand
*Unimodem Streaming Filter Device MODEMCSA running on demand
*Mouse Class Driver Mouclass running system
*MountMgr MountMgr running boot
*mraid35x mraid35x - disabled
*WebDav Client Redirector MRxDAV running on demand
*MRxSmb MRxSmb running system
*Msfs Msfs running system
*Microsoft Streaming Service Proxy MSKSSRV - on demand
*Microsoft Streaming Clock Proxy MSPCLOCK - on demand
*Microsoft Streaming Quality Manager Proxy MSPQM - on demand
*Mup Mup running boot
*NDIS System Driver NDIS running boot
*Remote Access NDIS TAPI Driver NdisTapi running on demand
*NDIS Usermode I/O Protocol Ndisuio running on demand
*Remote Access NDIS WAN Driver NdisWan running on demand
*NDIS Proxy NDProxy running on demand
*NetBIOS Interface NetBIOS running system
*NetBios over Tcpip NetBT running system
*Npfs Npfs running system
*Ntfs Ntfs - disabled
*Null Null running system
*nv nv running on demand
*IPX Traffic Filter Driver NwlnkFlt - on demand
*IPX Traffic Forwarder Driver NwlnkFwd - on demand
*Intel PentiumIII Processor Driver P3 running system
*Parallel port driver Parport running on demand
*PartMgr PartMgr running boot
*ParVdm ParVdm running auto
*PCI Bus Driver PCI running boot
*PCIDump PCIDump - system
*PCIIde PCIIde - disabled
*Pcmcia Pcmcia - disabled
*PDCOMP PDCOMP - on demand
*PDFRAME PDFRAME - on demand
*PDRELI PDRELI - on demand
*perc2 perc2 - disabled
*perc2hib perc2hib - disabled
*WAN Miniport (PPTP) PptpMiniport running on demand
*Direct Parallel Link Driver Ptilink running on demand
*ql1080 ql1080 - disabled
*Ql10wnt Ql10wnt - disabled
*ql12160 ql12160 - disabled
*ql1240 ql1240 - disabled
*ql1280 ql1280 - disabled
*Remote Access Auto Connection Driver RasAcd running system
*WAN Miniport (L2TP) Rasl2tp running on demand
*Remote Access PPPOE Driver RasPppoe running on demand
*Direct Parallel Raspti running on demand
*Rdbss Rdbss running system
*RDPCDD RDPCDD running system
*RDPWD RDPWD - on demand
*Digital CD Audio Playback Filter Driver redbook running system
*Secdrv Secdrv - on demand
*Serenum Filter Driver serenum running on demand
*Serial port driver Serial running system
*Sfloppy Sfloppy - system
*Creative SoundFont Manager Driver (WDM) sfman running on demand
*Simbad Simbad - disabled
*Sparrow Sparrow - disabled
*Microsoft Kernel Audio Splitter splitter - on demand
*System Restore Filter Driver sr - disabled
*Srv Srv running on demand
*Software Bus Driver swenum running on demand
*Microsoft Kernel GS Wavetable Synthesizer swmidi - on demand
*symc810 symc810 - disabled
*symc8xx symc8xx - disabled
*sym_hi sym_hi - disabled
*sym_u3 sym_u3 - disabled
*Microsoft Kernel System Audio Device sysaudio running on demand
*TCP/IP Protocol Driver Tcpip running system
*TDPIPE TDPIPE - on demand
*TDTCP TDTCP - on demand
*Terminal Device Driver TermDD running system
*TosIde TosIde - disabled
*Udfs Udfs - disabled
*ultra ultra - disabled
*Microcode Update Driver Update running on demand
*Microsoft USB Generic Parent Driver usbccgp - on demand
*Microsoft USB Standard Hub Driver usbhub running on demand
*Microsoft USB PRINTER Class usbprint running on demand
*USB Mass Storage Driver usbstor - on demand
*Microsoft USB Universal Host Controller Minipor usbuhci running on demand
`t Driver
*VgaSave VgaSave running system
*ViaIde ViaIde - disabled
*VolSnap VolSnap running boot
*Remote Access IP ARP Driver Wanarp running on demand
*WAN Miniport (ATW) wanatw running on demand
*WDICA WDICA - on demand
*Microsoft WINMM WDM Audio Compatibility Driver wdmaud running on demand
»Application specific

#5 teknics



  • Full Member
  • Pip
  • 6 posts

Posted 03 June 2004 - 01:31 PM

Ok, hopefully you see this soon because ive been messing with his computer since 1130 LOL



#6 teknics



  • Full Member
  • Pip
  • 6 posts

Posted 03 June 2004 - 01:50 PM

Seems to be ok now after reboot.

Now the only thing is notepad still isnt functioning, and I am afraid it will come right back.

I just dont feel like sitting here anymore :) Got paid for the day LOL

Thanks for all the help!!

#7 freeatlast


    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 03 June 2004 - 02:04 PM

Ok, my friend...
You have multiple infections there, and I'm not even sure
where to begin...
This will take a while...
I can help you remove the most obvious villains, but
you need to scan with few working Anti virus tools, fully
updated in order to clean the rest.

So far...
cws trojan, positivly identified:
'Find-All' log:

»»Locked or 'Suspect' file(s) found...
\\?\C:\WINDOWS\System32\COMN.DLL +++ File read error

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\
Windows NT\CurrentVersion\Windows: 448

In addition, Find-All log shows the following trojans:

»»NotePad(s) version(s)...
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 04-16-2004 notepad.exe
? C:\WINDOWS\System32\notepad.exe
--a-- W32i - - - - 3,584 04-27-2004 notepad.exe

Your copy of notepad,exe in system32 folder is *munged*!!!

"DDE Control Module"="{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"

And in StartDreck log:

The offending service:
»NT Services
*Windows Security Update Windows Security Upd - auto
Some are related to one another and some are not!
Let's start somewhere...

Run StartDreck.exe again, repeat the same steps but only select:
System\Drivers > NT services
hit ok
*Windows Security Update Windows Security Upd - auto

Click once to select>hit the 'stop' tab on the lower panel
Hit>edit> Change startup type to> Disabled.
ok it.
Hit the>refresh tab once, locate it again
and be sure it's no longer in 'running' state.

Set new confgs in StartDreck again,
hit>unmark all
Under: registry>check: "ShellServiceObjectDelay..."
hit ok.
Save the log (give it new name) and post it!

Navigate to System32 folder:
Find this file:
3,584 04-27-2004 notepad.exe
It would be notepad.exe, RightClick to identify the size:
3,584 bytes, and delete it!
Copy your Notepad.exe from Windows
folder onto your System32 folder.

Restart computer, and run hijackthis again, post
new log along with the new StartDreck saved log.
Submit Files: Posted Image
Posted ImagePosted ImagePosted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of

Support SpywareInfo Forum - click the button
PayPal - The safer, easier way to pay online!