teknics

Help removing several hijacks

7 posts in this topic

Well I am at my boss's house so I need help ASAP.

 

I managed to get rid of ere.exe but it came back after reboot. That is when this phidlba showed up too....

 

Here is my current Hijackthis logfile:

 

Logfile of HijackThis v1.97.7

Scan saved at 11:55:49 AM, on 6/3/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe

C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\AIM\aim.exe

C:\WINDOWS\System32\secupd.exe

C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe

C:\Program Files\AdSubtract\adsub.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe

C:\WINDOWS\System32\devldr32.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\TEMP\F84D.tmp.exe

C:\WINDOWS\system32\ere.exe

C:\WINDOWS\System32\svchost.exe

C:\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\phidlba.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\phidlba.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\phidlba.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\phidlba.dll/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\phidlba.dll/sp.html (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\phidlba.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_3_11_0.DLL

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: Core Library - {6CDF3C49-20E6-48d7-811B-9F5DD17F1D90} - C:\WINDOWS\System32\sfg2443.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {E810BA2B-D4CF-4E2B-B790-E24E2265F392} - C:\WINDOWS\System32\phidlba.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_3_11_0.DLL

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe

O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [mediaseek] C:\WINDOWS\system32\ere.exe @run

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [security Updater] secupd.exe -nos

O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe

O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe

O4 - Global Startup: AdSubtract.LNK = C:\Program Files\AdSubtract\adsub.exe

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: AIM (HKLM)

O9 - Extra button: WeatherBug (HKCU)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab

O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot4_x.cab

O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab

O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

O19 - User stylesheet: C:\WINDOWS\sstyle.css (file missing)

 

Thanks in advance!

 

-TeK

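As an added example (not code from this thread, and not a HijackThis feature), the following Python script applies to the log above the same checks a helper applies by eye: R0/R1 entries that point IE's search pages at a res:// resource inside a DLL, unnamed BHOs loading from System32, Run entries with no path or running from System32/TEMP, and any O19 user stylesheet. The sample lines are copied from the log; the rule set is my own triage heuristic, so the output is a worklist for review, not a list of things to delete.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis v1.97.7 log in the post above.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\phidlba.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_3_11_0.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E810BA2B-D4CF-4E2B-B790-E24E2265F392} - C:\WINDOWS\System32\phidlba.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mediaseek] C:\WINDOWS\system32\ere.exe @run
O4 - HKCU\..\Run: [security Updater] secupd.exe -nos
O4 - Global Startup: AdSubtract.LNK = C:\Program Files\AdSubtract\adsub.exe
O19 - User stylesheet: C:\WINDOWS\sstyle.css (file missing)
"""

# Every HijackThis entry starts with a section tag such as R1 or O4, then " - ".
ENTRY = re.compile(r"^([RO]\d+) - (.*)$")
# Search/start page redirected into a resource embedded in a DLL (CWS-style hijack).
RES_DLL = re.compile(r"res://\S+\.dll/", re.IGNORECASE)
# Locations where user-installed Run entries and BHOs rarely belong.
SYSTEM_DIRS = re.compile(r"\\WINDOWS\\(System32|TEMP)\\", re.IGNORECASE)
# Registry Run entries look like 'HKLM\..\Run: [name] command'; Global Startup lines do not match.
RUN_ENTRY = re.compile(r"^.*?\\Run: \[[^\]]*\] (.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def run_target(rest):
    """Return the executable of an O4 Run entry, or None for other O4 lines."""
    m = RUN_ENTRY.match(rest)
    if not m:
        return None
    cmd = m.group(1).strip()
    if cmd.startswith('"'):                      # quoted path with arguments after it
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]                     # unquoted path: first token


def triage(log_text):
    """Walk a HijackThis log and collect entries worth a second look (my heuristic)."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section in ("R0", "R1") and RES_DLL.search(rest):
            findings.append(Finding(section, "IE search/start page redirected into a DLL resource", raw))
        elif section == "O2" and rest.startswith("BHO: (no name)") and SYSTEM_DIRS.search(rest):
            findings.append(Finding(section, "unnamed BHO loading from a system directory", raw))
        elif section == "O4":
            exe = run_target(rest)
            if exe is None:
                continue
            if "\\" not in exe:
                findings.append(Finding(section, "Run entry with bare file name (no path)", raw))
            elif SYSTEM_DIRS.search(exe):
                findings.append(Finding(section, "Run entry executing from System32 or TEMP", raw))
        elif section == "O19":
            findings.append(Finding(section, "user stylesheet set (common CWS marker)", raw))
    return findings


def main():
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")


if __name__ == "__main__":
    main()
```

Run against the sample it reports five lines: the phidlba.dll search hijack, the unnamed phidlba.dll BHO, ere.exe and secupd.exe under Run, and the sstyle.css stylesheet, which is exactly the set the replies below tell the poster to fix. The bare-name rule also catches legitimate entries such as SysTray.Exe on a full log, so each hit still needs a human decision.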

Restart computer in Safe mode!

 

In hijackthis fix checked:

 

*O4 - HKLM\..\Run: [mediaseek] C:\WINDOWS\system32\ere.exe @run

*O4 - HKCU\..\Run: [security Updater] secupd.exe -nos

 

Reboot and delete:

ere.exe, secupd.exe from System32.

And: C:\WINDOWS\TEMP\F84D.tmp.exe< file!

 

Read this page:

http://vil.nai.com/vil/content/v_121075.htm

 

If it's registered as a service you'd have to stop it first and delete the service. (Leave it for now.)

 

Download and Install: >>Find-All.exe (Win2K/XP only!)<<

 

Run the Find-All\"Find-All.Cmd" file, wait for the log and post it here.

 

From the same page, Download: "StartDreck.zip":

Unzip, run StartDreck.exe:

Hit->config

hit>unmark all

Under: *System/Drivers, check->

*NT Services

*NT kernel and FS drivers

hit 'ok'

Use the 'save' tab, name and save the log, and post it here as well!


--==***@@@ 'FIND-ALL' »»*Original*»» VERSION 8.8 -6/02 @@@***==--

 

 

Thu Jun 03 14:25:37 2004 -- ++Results:

»»System Info:

 

Microsoft Windows XP [Version 5.1.2600]

'Find-All' is running from Drive:

C: "" (297F:12E1) - FS:FAT clusters:32k

Total: 40 006 156 288 [37G] - Free: 32 085 934 080 [30G]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 03-31-2003 iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q330994;Q824145;Q832894;Q837009;Q831167;

 

»»Google:

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

8.0.0.4487 C:\Program Files\Windows Media Player\wmplayer.exe

--a-- W32i APP ENU 8.0.0.4487 shp 520,192 03-31-2003 wmplayer.exe

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

--a-- W32i APP ENU 6.4.9.1125 shp 4,639 03-31-2003 mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINDOWS\System32\msjava.dll

--a-- W32i DLL ENU 5.0.3810.0 shp 947,472 02-28-2003 msjava.dll

 

»»NotePad(s) version(s)... added Tnx to shadoWWWW ;)

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 04-16-2004 notepad.exe

? C:\WINDOWS\System32\notepad.exe

--a-- W32i - - - - 3,584 04-27-2004 notepad.exe

 

»» Regedit* version(s):

5.1.2600.1106 C:\WINDOWS\regedit.exe

--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 03-31-2003 regedit.exe

5.1.2600.0 C:\WINDOWS\System32\regedt32.exe

--a-- W32i APP ENU 5.1.2600.0 shp 3,584 03-31-2003 regedt32.exe

 

 

»»PC uptime:

2:25pm up 0 days, 0:05

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\COMN.DLL +++ File read error

\\?\C:\WINDOWS\System32\COMN.DLL +++ File read error

 

 

»»Tasks (services):

0 System Process

4 System

288 SMSS.EXE

336 CSRSS.EXE Title:

360 WINLOGON.EXE Title: NetDDE Agent

408 SERVICES.EXE Svcs: Eventlog,PlugPlay

420 LSASS.EXE Svcs: PolicyAgent,ProtectedStorage,SamSs

588 SVCHOST.EXE Svcs: RpcSs

620 SVCHOST.EXE Svcs: AudioSrv,CryptSvc,Dhcp,ERSvc,EventSystem,FastUserSwitchingCompatibility,helpsvc,

idServ,lanmanserver,lanmanworkstation,Netman,Nla,RasMan,Schedule,seclogon,SENS,S

ellHWDetection,TapiSrv,TermService,Themes,TrkWks,uploadmgr,W32Time,winmgmt,WmdmP

Sp,wuauserv

696 SVCHOST.EXE Svcs: Dnscache

708 SVCHOST.EXE Svcs: LmHosts,SSDPSRV,WebClient

872 LEXBCES.EXE Svcs: LexBceS

924 SPOOLSV.EXE Svcs: Spooler

932 LEXPPS.EXE Title:

1100 ACSD.EXE Svcs: AOL ACS

1144 NVSVC32.EXE Svcs: NVSvc

1256 WANMPSVC.EXE Svcs: WANMiniportService

1632 EXPLORER.EXE Title: Program Manager

1756 ACMonitor_X73.exACMonitor_X73Title: ACMonitor_X73

1764 AcBtnMgr_X73.exeAcBtnMgr_X73Title: AcBtnMgr_X73

1792 TYPE32.EXE Title:

1832 aim.exe Title: Sign On

1916 CM_camera.exe Title: CM_camera

1944 adsub.exe Title: interMute Properties Control

424 DEVLDR32.EXE Title: DEVLDR

2140 SVCHOST.EXE Svcs: stisvc

2444 iexplore.exe Title: FreeAtLast - Microsoft Internet Explorer

3112 cmd.exe Title: C:\WINDOWS\System32\cmd.exe

3168 ntvdm.exe

3224 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

@=""

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

@="NAV Helper"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E53CD0CE-D3C4-45E2-8996-E406DE1A4EB7}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

"CLSID"="{4EDD6438-028D-4065-A44C-D9C9E80C3B0E}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

"CLSID"="{4EDD6438-028D-4065-A44C-D9C9E80C3B0E}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="WebView MIME Filter"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"

"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

"DDE Control Module"="{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(ID-NI) ALLOW Read BUILTIN\Users

(ID-IO) ALLOW Read BUILTIN\Users

(ID-NI) ALLOW Full access BUILTIN\Administrators

(ID-IO) ALLOW Full access BUILTIN\Administrators

(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM

(ID-IO) ALLOW Full access CREATOR OWNER

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read BUILTIN\Users

Full access BUILTIN\Administrators

Full access NT AUTHORITY\SYSTEM

 

 

 

 

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

 

»»Group/user settings:

 

 

User: [DEN\Kelly Murphy], is a member of:

 

BUILTIN\Administrators

\Everyone

DEN\None

 

User is a member of group DEN\None.

User is a member of group \Everyone.

User is a member of group BUILTIN\Administrators.

User is a member of group BUILTIN\Users.

User is a member of group \LOCAL.

User is a member of group NT AUTHORITY\INTERACTIVE.

User is a member of group NT AUTHORITY\Authenticated Users.

 

»»ACLs list:

C:\junkxxx No permissions are set. All user have full control.

ERROR: There are no more files.

»»Contents of file(s) in 'junkxxx' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

------

»»Rehash:

 

Thu Jun 03 14:25:55 2004 -- ++Find-All backups created:

A C:\Find-All\Find-All\winBackup.hiv

A C:\Find-All\Find-All\windows.txt

A C:\FindallwinBackup.hiv

A C:\findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

 


StartDreck (build 2.1.5 public BETA) - 2004-06-03 @ 14:29:33

Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)

 

»Registry

»Files

»System/Drivers

»NT Services

*Alerter Alerter - on demand

*Application Layer Gateway Service ALG - on demand

*AOL Connectivity Service AOL ACS running auto

*Application Management AppMgmt - on demand

*Windows Audio AudioSrv running auto

*Background Intelligent Transfer Service BITS - on demand

*Computer Browser Browser - on demand

*Indexing Service CiSvc - on demand

*ClipBook ClipSrv - on demand

*COM+ System Application COMSysApp - on demand

*Cryptographic Services CryptSvc running auto

*DHCP Client Dhcp running auto

*Logical Disk Manager Administrative Service dmadmin - on demand

*Logical Disk Manager dmserver - on demand

*DNS Client Dnscache running auto

*Error Reporting Service ERSvc running auto

*Event Log Eventlog running auto

*COM+ Event System EventSystem running on demand

*Fast User Switching Compatibility FastUserSwitchingCom running on demand

*Help and Support helpsvc running auto

*HID Input Service HidServ running auto

*IMAPI CD-Burning COM Service ImapiService - on demand

*IPv6 Internet Connection Firewall Ip6FwHlp - on demand

*Server lanmanserver running auto

*Workstation lanmanworkstation running auto

*LexBce Server LexBceS running auto

*TCP/IP NetBIOS Helper LmHosts running auto

*Messenger Messenger - disabled

*NetMeeting Remote Desktop Sharing mnmsrvc - on demand

*Distributed Transaction Coordinator MSDTC - on demand

*Windows Installer MSIServer - on demand

*Network DDE NetDDE - on demand

*Network DDE DSDM NetDDEdsdm - on demand

*Net Logon Netlogon - on demand

*Network Connections Netman running on demand

*Network Location Awareness (NLA) Nla running on demand

*NT LM Security Support Provider NtLmSsp - on demand

*Removable Storage NtmsSvc - on demand

*NVIDIA Display Driver Service NVSvc running auto

*Plug and Play PlugPlay running auto

*IPSEC Services PolicyAgent running auto

*Protected Storage ProtectedStorage running auto

*Remote Access Auto Connection Manager RasAuto - on demand

*Remote Access Connection Manager RasMan running on demand

*Remote Desktop Help Session Manager RDSessMgr - on demand

*Routing and Remote Access RemoteAccess - disabled

*Remote Procedure Call (RPC) Locator RpcLocator - on demand

*Remote Procedure Call (RPC) RpcSs running auto

*QoS RSVP RSVP - on demand

*Security Accounts Manager SamSs running auto

*Smart Card Helper SCardDrv - on demand

*Smart Card SCardSvr - on demand

*Task Scheduler Schedule running auto

*Secondary Logon seclogon running auto

*System Event Notification SENS running auto

*Internet Connection Firewall (ICF) / Internet C SharedAccess - on demand

`onnection Sharing (ICS)

*Shell Hardware Detection ShellHWDetection running auto

*Print Spooler Spooler running auto

*System Restore Service srservice - auto

*SSDP Discovery Service SSDPSRV running on demand

*Windows Image Acquisition (WIA) stisvc running on demand

*MS Software Shadow Copy Provider SwPrv - on demand

*Performance Logs and Alerts SysmonLog - on demand

*Telephony TapiSrv running on demand

*Terminal Services TermService running on demand

*Themes Themes running auto

*Distributed Link Tracking Client TrkWks running auto

*Upload Manager uploadmgr running auto

*Universal Plug and Play Device Host upnphost - on demand

*Uninterruptible Power Supply UPS - on demand

*Volume Shadow Copy VSS - on demand

*Windows Time W32Time running auto

*WAN Miniport (ATW) Service WANMiniportService running auto

*WebClient WebClient running auto

*Windows Security Update Windows Security Upd - auto

*Windows Management Instrumentation winmgmt running auto

*Portable Media Serial Number WmdmPmSp running auto

*WMI Performance Adapter WmiApSrv - on demand

*Automatic Updates wuauserv running auto

*Wireless Zero Configuration WZCSVC running auto

»NT Kernel- and FS-drivers

*Abiosdsk Abiosdsk - disabled

*abp480n5 abp480n5 - disabled

*Microsoft ACPI Driver ACPI running boot

*ACPIEC ACPIEC - disabled

*adpu160m adpu160m - disabled

*Microsoft Kernel Acoustic Echo Canceller aec - on demand

*AFD Networking Support Environment AFD running auto

*Intel AGP Bus Filter agp440 running boot

*Aha154x Aha154x - disabled

*aic78u2 aic78u2 - disabled

*aic78xx aic78xx - disabled

*AliIde AliIde - disabled

*amsint amsint - disabled

*asc asc - disabled

*asc3350p asc3350p - disabled

*asc3550 asc3550 - disabled

*ASCTRM ASCTRM - auto

*RAS Asynchronous Media Driver AsyncMac - on demand

*Standard IDE/ESDI Hard Disk Controller atapi running boot

*Atdisk Atdisk - disabled

*ATM ARP Client Protocol Atmarpc - on demand

*Audio Stub Driver audstub running on demand

*Beep Beep running system

*cbidf2k cbidf2k - disabled

*cd20xrnt cd20xrnt - disabled

*Cdaudio Cdaudio - system

*Cdfs Cdfs running disabled

*CD-ROM Driver Cdrom running system

*Changer Changer - system

*CmdIde CmdIde - disabled

*Cpqarray Cpqarray - disabled

*Creative SBLive! Gameport ctljystk running on demand

*dac960nt dac960nt - disabled

*Disk Driver Disk running boot

*dmboot dmboot - disabled

*dmio dmio - disabled

*dmload dmload - disabled

*Microsoft Kernel DLS Syntheiszer DMusic - on demand

*dpti2o dpti2o - disabled

*Microsoft Kernel DRM Audio Descrambler drmkaud - on demand

*3Com EtherLink XL 90XB/C Adapter Driver EL90XBC running on demand

*Creative SB Live! (WDM) emu10k running on demand

*Creative Interface Manager Driver (WDM) emu10k1 running on demand

*Fastfat Fastfat running disabled

*Floppy Disk Controller Driver Fdc running on demand

*Fips Fips running system

*Floppy Disk Driver Flpydisk running on demand

*Volume Manager Driver Ftdisk running boot

*Game Port Enumerator gameenum running on demand

*Generic Packet Classifier Gpc running on demand

*Microsoft HID Class Driver hidusb - on demand

*hpn hpn - disabled

*i2omgmt i2omgmt - system

*i2omp i2omp - disabled

*i8042 Keyboard and PS/2 Mouse Port Driver i8042prt running system

*CD-Burning Filter Driver Imapi running system

*ini910u ini910u - disabled

*IntelIde IntelIde running boot

*IPv6 Firewall Driver Ip6Fw - on demand

*IP Traffic Filter Driver IpFilterDriver - on demand

*IP in IP Tunnel Driver IpInIp - on demand

*IP Network Address Translator IpNat - on demand

*IPSEC driver IPSec running system

*IR Enumerator Service IRENUM - on demand

*PnP ISA/EISA Bus Driver isapnp running boot

*Keyboard Class Driver Kbdclass running system

*Keyboard HID Driver kbdhid - system

*Microsoft Kernel Wave Audio Mixer kmixer running on demand

*KSecDD KSecDD running boot

*lbrtfdc lbrtfdc - system

*Lexmark X73 MFP Scanner LXARScan running auto

*mnmdd mnmdd running system

*Modem Modem running on demand

*Unimodem Streaming Filter Device MODEMCSA running on demand

*Mouse Class Driver Mouclass running system

*MountMgr MountMgr running boot

*mraid35x mraid35x - disabled

*WebDav Client Redirector MRxDAV running on demand

*MRxSmb MRxSmb running system

*Msfs Msfs running system

*Microsoft Streaming Service Proxy MSKSSRV - on demand

*Microsoft Streaming Clock Proxy MSPCLOCK - on demand

*Microsoft Streaming Quality Manager Proxy MSPQM - on demand

*Mup Mup running boot

*NDIS System Driver NDIS running boot

*Remote Access NDIS TAPI Driver NdisTapi running on demand

*NDIS Usermode I/O Protocol Ndisuio running on demand

*Remote Access NDIS WAN Driver NdisWan running on demand

*NDIS Proxy NDProxy running on demand

*NetBIOS Interface NetBIOS running system

*NetBios over Tcpip NetBT running system

*Npfs Npfs running system

*Ntfs Ntfs - disabled

*Null Null running system

*nv nv running on demand

*IPX Traffic Filter Driver NwlnkFlt - on demand

*IPX Traffic Forwarder Driver NwlnkFwd - on demand

*Intel PentiumIII Processor Driver P3 running system

*Parallel port driver Parport running on demand

*PartMgr PartMgr running boot

*ParVdm ParVdm running auto

*PCI Bus Driver PCI running boot

*PCIDump PCIDump - system

*PCIIde PCIIde - disabled

*Pcmcia Pcmcia - disabled

*PDCOMP PDCOMP - on demand

*PDFRAME PDFRAME - on demand

*PDRELI PDRELI - on demand

*PDRFRAME PDRFRAME - on demand

*perc2 perc2 - disabled

*perc2hib perc2hib - disabled

*WAN Miniport (PPTP) PptpMiniport running on demand

*Direct Parallel Link Driver Ptilink running on demand

*ql1080 ql1080 - disabled

*Ql10wnt Ql10wnt - disabled

*ql12160 ql12160 - disabled

*ql1240 ql1240 - disabled

*ql1280 ql1280 - disabled

*Remote Access Auto Connection Driver RasAcd running system

*WAN Miniport (L2TP) Rasl2tp running on demand

*Remote Access PPPOE Driver RasPppoe running on demand

*Direct Parallel Raspti running on demand

*Rdbss Rdbss running system

*RDPCDD RDPCDD running system

*RDPWD RDPWD - on demand

*Digital CD Audio Playback Filter Driver redbook running system

*Secdrv Secdrv - on demand

*Serenum Filter Driver serenum running on demand

*Serial port driver Serial running system

*Sfloppy Sfloppy - system

*Creative SoundFont Manager Driver (WDM) sfman running on demand

*Simbad Simbad - disabled

*Sparrow Sparrow - disabled

*Microsoft Kernel Audio Splitter splitter - on demand

*System Restore Filter Driver sr - disabled

*Srv Srv running on demand

*Software Bus Driver swenum running on demand

*Microsoft Kernel GS Wavetable Synthesizer swmidi - on demand

*symc810 symc810 - disabled

*symc8xx symc8xx - disabled

*sym_hi sym_hi - disabled

*sym_u3 sym_u3 - disabled

*Microsoft Kernel System Audio Device sysaudio running on demand

*TCP/IP Protocol Driver Tcpip running system

*TDPIPE TDPIPE - on demand

*TDTCP TDTCP - on demand

*Terminal Device Driver TermDD running system

*TosIde TosIde - disabled

*Udfs Udfs - disabled

*ultra ultra - disabled

*Microcode Update Driver Update running on demand

*Microsoft USB Generic Parent Driver usbccgp - on demand

*Microsoft USB Standard Hub Driver usbhub running on demand

*Microsoft USB PRINTER Class usbprint running on demand

*USB Mass Storage Driver usbstor - on demand

*Microsoft USB Universal Host Controller Minipor usbuhci running on demand

`t Driver

*VgaSave VgaSave running system

*ViaIde ViaIde - disabled

*VolSnap VolSnap running boot

*Remote Access IP ARP Driver Wanarp running on demand

*WAN Miniport (ATW) wanatw running on demand

*WDICA WDICA - on demand

*Microsoft WINMM WDM Audio Compatibility Driver wdmaud running on demand

»Application specific


Seems to be ok now after reboot.

 

Now the only thing is notepad still isn't functioning, and I am afraid it will come right back.

 

I just don't feel like sitting here anymore :) Got paid for the day LOL

 

Thanks for all the help!!


Ok, my friend...

You have multiple infections there, and I'm not even sure where to begin...

This will take a while...

I can help you remove the most obvious villains, but you need to scan with a few working antivirus tools, fully updated, in order to clean the rest.

 

So far...

CWS trojan, positively identified:

'Find-All' log:

 

»»Locked or 'Suspect' file(s) found...

\\?\C:\WINDOWS\System32\COMN.DLL +++ File read error

 

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)

Size of HKEY_LOCAL_MACHINE\software\microsoft\

Windows NT\CurrentVersion\Windows: 448

 

In addition, Find-All log shows the following trojans:

 

»»NotePad(s) version(s)...

5.1.2600.0 C:\WINDOWS\notepad.exe

--a-- W32i APP ENU 5.1.2600.0 shp 66,048 04-16-2004 notepad.exe

? C:\WINDOWS\System32\notepad.exe

--a-- W32i - - - - 3,584 04-27-2004 notepad.exe

 

Your copy of notepad.exe in the system32 folder is *munged*!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\

CurrentVersion\ShellServiceObjectDelayLoad]

................................

"DDE Control Module"="{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}"

^^^Details:

http://securityresponse.symantec.com/avcen...or.thunker.html

 

And in StartDreck log:

 

The offending service:

»NT Services

*Windows Security Update Windows Security Upd - auto

http://vil.nai.com/vil/content/v_121075.htm

==============================================

Some are related to one another and some are not!

Let's start somewhere...

 

Run StartDreck.exe again, repeat the same steps but only select:

System\Drivers > NT services

hit ok

FIND:

*Windows Security Update Windows Security Upd - auto

 

Click once to select>hit the 'stop' tab on the lower panel

Hit>edit> Change startup type to> Disabled.

ok it.

Hit the>refresh tab once, locate it again

and be sure it's no longer in 'running' state.

 

Set new configs in StartDreck again,

hit>config

hit>unmark all

Under: registry>check: "ShellServiceObjectDelay..."

hit ok.

Save the log (give it new name) and post it!

 

Navigate to System32 folder:

Find this file:

3,584 04-27-2004 notepad.exe

It would be notepad.exe; right-click it to identify the size: 3,584 bytes, and delete it!

Copy your Notepad.exe from the Windows folder into your System32 folder.

 

 

 

Restart the computer, run hijackthis again, and post the new log along with the new StartDreck saved log.

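As an added example (not part of the thread, and not Find-All's own code), the following Python parses the two Find-All sections the reply above relies on, the "NotePad(s) version(s)" pairing and the "Size of 'Windows' key" line, and turns the by-eye comparison into a repeatable check: a copy of notepad.exe with no version resource, or whose size differs from the copy in the Windows folder, is reported, and the key size is classified against the reference sizes Find-All prints in its own hint line. The sample text is copied from the Find-All log above; treating any size within 2 bytes of Find-All's "~448" hint as a match is my own assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two Find-All sections copied from the log posted above.
FINDALL_SAMPLE = r"""»»NotePad(s) version(s)... added Tnx to shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 04-16-2004 notepad.exe
? C:\WINDOWS\System32\notepad.exe
--a-- W32i - - - - 3,584 04-27-2004 notepad.exe

»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448
"""

# First line of a pair: '<version or ?> <full path>'.
VERSION_LINE = re.compile(r"^(\S+) ([A-Za-z]:\\.+)$")
# Second line of a pair: attributes ... <size with commas> <mm-dd-yyyy> <name>.
ATTR_LINE = re.compile(r"^--a-- .* ([\d,]+) \d\d-\d\d-\d{4} \S+$")
# Find-All's own hint: default size, size without AppInit_DLLs, typical fake size.
KEY_HINT = re.compile(r"Default-(\d+);No'AppInit'-(\d+);\*Fake-~(\d+)!")
KEY_SIZE = re.compile(r"^Size of .*\\Windows: (\d+)$", re.MULTILINE)


@dataclass
class FileCopy:
    path: str
    version: Optional[str]   # None when Find-All printed '?' (no version resource)
    size: int


def parse_notepad_section(text):
    """Pair each version/path line with the attribute line that follows it."""
    copies, pending = [], None
    for line in text.splitlines():
        m = VERSION_LINE.match(line)
        if m:
            ver, path = m.groups()
            pending = (None if ver == "?" else ver, path)
            continue
        m = ATTR_LINE.match(line)
        if m and pending:
            size = int(m.group(1).replace(",", ""))
            copies.append(FileCopy(pending[1], pending[0], size))
            pending = None
    return copies


def notepad_findings(copies):
    """Compare every copy against the versioned one in the Windows folder."""
    ref = next((c for c in copies
                if c.version and c.path.lower() == r"c:\windows\notepad.exe"), None)
    findings = []
    for c in copies:
        reasons = []
        if c.version is None:
            reasons.append("no version resource")
        if ref is not None and c is not ref and c.size != ref.size:
            reasons.append(f"size {c.size} differs from {ref.path} ({ref.size})")
        if reasons:
            findings.append((c.path, reasons))
    return findings


def windows_key_verdict(text):
    """Classify the reported key size using the reference sizes in Find-All's hint line."""
    hint, size = KEY_HINT.search(text), KEY_SIZE.search(text)
    if not (hint and size):
        return None
    default, no_appinit, fake = (int(x) for x in hint.groups())
    actual = int(size.group(1))
    if actual == default:
        return "default"
    if actual == no_appinit:
        return "no AppInit_DLLs value"
    if abs(actual - fake) <= 2:              # assumed reading of Find-All's '~' tolerance
        return "suspect (matches Find-All's fake size)"
    return "unknown"


def main():
    for path, reasons in notepad_findings(parse_notepad_section(FINDALL_SAMPLE)):
        print(f"{path}: {'; '.join(reasons)}")
    print("Windows key:", windows_key_verdict(FINDALL_SAMPLE))


if __name__ == "__main__":
    main()
```

On the sample this reports the System32 copy of notepad.exe for both reasons (no version resource, 3,584 bytes against 66,048) and classifies the 448-byte key as suspect, matching the two findings the reply draws from the log.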