View Full Version : Spyware removal
Benado1
01-15-2005, 09:06 PM
Hello. My system has been attacked by spyware so I have scanned with AdAware and Spybot S&D. These have removed some problems, but not all. So I have run HiJackThis and included the log below...
Logfile of HijackThis v1.99.0
Scan saved at 5:48:03 PM, on 1/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP2 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM32\XPSP2FW.EXE
C:\WINDOWS\SYSTEM\CMD32.EXE
C:\PROGRAM FILES\ADMANAGER CONTROLLER\ADMANCTL.EXE
C:\CLLIGCH.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\NYUGMFW.EXE
C:\WINDOWS\VCPDLL.EXE
C:\PROGRAM FILES\ADMANAGER CONTROLLER\ADMANKEEP.EXE
C:\WINDOWS\APPLICATION DATA\SSHD.EXE
C:\WINDOWS\SYSTEM\EYML.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\DLLDMT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
F1 - win.ini: run=c:\windows\system\dlldmt.exe
O2 - BHO: sr - {5742F79A-1D91-42c4-990C-B46CF55A6478} - C:\WINDOWS\SSYSPRS.DLL
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [PP2000 Taskbar Control] C:\PROGRA~1\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [PP2000 Real-time Scan] C:\PROGRA~1\PROTEC~1\PPVstop.exe
O4 - HKLM\..\Run: [PP2000 InstaUpdate] C:\PROGRA~1\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\SYSTEM\netda.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Admanager Controller] C:\PROGRAM FILES\ADMANAGER CONTROLLER\ADMANCTL.EXE
O4 - HKLM\..\Run: [xHfdqEt] C:\CLLIGCH.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KPF4] C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKLM\..\RunServices: [Dlldmt] c:\windows\system\dlldmt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [whcrhlm] c:\windows\nyugmfw.exe
O4 - HKCU\..\Run: [cmsound] c:\windows\vcpdll.exe
O4 - HKCU\..\Run: [winltmpv] c:\windows\wutop.exe
O4 - HKCU\..\Run: [Acic] C:\WINDOWS\Application Data\sshd.exe
O4 - HKCU\..\Run: [Aalnn] C:\WINDOWS\SYSTEM\eyml.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://67.19.185.246/i/8/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=3548
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.178,69.31.80.244
O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
Any ideas on what files should be deleted would be greatly appreciated.
Thank you.
pop pop
01-15-2005, 10:42 PM
Hello and Welcome to PCGuide.
I'm not one of the resident HJT experts, but based on what I see in your log, I think you are going to enjoy your visit(s) here.
Be patient, one of the experts, maybe even the Malware Zen Master Budfred himself, will be along to help. IMHO, your PC needs it.
EDIT:
BTW, for future reference, malware issues are best posted in the Applications and Security section. Since you have already posted here for this problem, keep it here (one problem, one thread is the general rule--makes it easier to track for the experts).
Thanks
Budfred
01-15-2005, 11:27 PM
Malware Zen Master Budfred himself
More than a bit of an exaggeration I am afraid....
You do have a nasty selection of garbage there though...
Please open an HJT scan and check these items:
F1 - win.ini: run=c:\windows\system\dlldmt.exe
O2 - BHO: sr - {5742F79A-1D91-42c4-990C-B46CF55A6478} - C:\WINDOWS\SSYSPRS.DLL
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL
O4 - HKLM\..\Run: [load32] C:\WINDOWS\SYSTEM\netda.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Admanager Controller] C:\PROGRAM FILES\ADMANAGER CONTROLLER\ADMANCTL.EXE
O4 - HKLM\..\Run: [xHfdqEt] C:\CLLIGCH.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [whcrhlm] c:\windows\nyugmfw.exe
O4 - HKCU\..\Run: [cmsound] c:\windows\vcpdll.exe
O4 - HKCU\..\Run: [winltmpv] c:\windows\wutop.exe
O4 - HKCU\..\Run: [Acic] C:\WINDOWS\Application Data\sshd.exe
O4 - HKCU\..\Run: [Aalnn] C:\WINDOWS\SYSTEM\eyml.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://67.19.185.246/i/8/loader2.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTic....cab?refid=3548
O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
This is suspicious, but I wasn't able to find much on it... If this is not familiar, it may be worthwhile to check it too... If you have a problem, you can restore it from the HJT backup... ATRIVOTECHNOLOGIES...
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.178,69.31.80.244
Then close all open windows except HJT and click Fix Checked...
Then download the file I attached in this post and unzip it and run the bat file... Follow these instructions with it:
Unzip the files in it (remv3.bat and zip.exe) to your C:\WINDOWS\System32 directory.
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
To get back to normal mode just restart the computer as you normally would.
Start | Run | type C:\WINDOWS\System32\remv3.bat | OK
The .BAT file will run and should produce three files (log.txt, bad.zip, and bad.reg) in your C:\ directory.
Reboot normally
Please post the log (located at C:\log.txt) it produces with the next HJT log...
http://www.pcguide.com/vb/showpost.php?p=211092&postcount=5
Reboot and post a fresh HJT log...
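The triage Budfred does by eye above follows a few repeatable rules: O15 Trusted Zone entries are almost never user-created, an O16 ActiveX download from a bare IP address is a red flag, an O17 NameServer override needs checking against the ISP's servers, and O4 Run entries launched from the drive root, padded with whitespace to mimic a Windows component, or carrying a garbage value name deserve a second look. The Python script below is an added example, not part of the thread and not an HJT feature; the log lines in SAMPLE_LOG are copied from the logs posted here (including one of the garbled O4 names from the later logs), and the names `triage`, `Finding` and `check_o4` and the heuristics themselves are the example's own.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
# The garbled O4 value name is included on purpose; HJT shows "?" for characters
# it could not print, and the name swallows a second path before the real command.
SAMPLE_LOG = r"""Platform: Windows 98 SE (Win9x 4.10.2222A)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [xHfdqEt] C:\CLLIGCH.EXE
O4 - HKLM\..\Run: [¢?¸ï04Ã4}¤Á?5]C:\Program Files\ISTsvc\istsvc.exe] C:\CLLIGCH.EXE
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://67.19.185.246/i/8/loader2.ocx
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.188.178,69.31.80.244
"""


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


# Greedy name match: a value name that itself contains "]" (as in the garbled
# entries) is still split at the last "] " before the command.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>.*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: .* - (?P<url>\S+)$")
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")      # C:\FOO.EXE, nothing deeper
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def first_path(cmd: str) -> str:
    """Return the executable path from a Run value (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def check_o4(name: str, cmd: str, win9x: bool) -> list:
    """Heuristics for one O4 Run/RunServices entry (example rules, not HJT's)."""
    reasons = []
    if any(ord(c) < 32 or ord(c) > 126 for c in name) or "\\" in name or "]" in name:
        reasons.append("garbage value name")
    if name != name.strip():
        reasons.append("value name padded with whitespace (lookalike of a Windows entry)")
    path = first_path(cmd)
    if ROOT_EXE_RE.match(path):
        reasons.append("executable launched from the drive root")
    if win9x and "\\system32\\" in path.lower():
        reasons.append("system32 path on Win9x, whose system directory is SYSTEM")
    return reasons


def triage(log_text: str) -> list:
    """Return one Finding per suspicious line of an HJT log."""
    win9x = False
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        reasons = []
        if line.startswith("Platform:"):
            win9x = "Win9x" in line
            continue
        m = O4_RE.match(line)
        if m:
            reasons = check_o4(m["name"], m["cmd"], win9x)
        elif line.startswith("O15 - "):
            reasons.append("Trusted Zone entry; legitimate software rarely adds these")
        elif (m := O16_RE.match(line)):
            host = urlsplit(m["url"]).hostname or ""
            if IPV4_RE.match(host):
                reasons.append("ActiveX control downloaded from a bare IP address")
        elif line.startswith("O17 - ") and "NameServer" in line:
            reasons.append("DNS servers overridden; verify against the ISP's servers")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Legitimate entries such as ScanRegistry and MSMSGS pass untouched, while the two system32 entries, the root-level CLLIGCH.EXE, the garbled name, both O15 lines, the IP-hosted loader2.ocx and the NameServer override are reported. The rules are deliberately narrow so that a hit is worth a human look rather than an automatic fix.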
Benado1
01-17-2005, 09:19 PM
Hiya Budfred. Ran remv3.bat as stated, but the log doesn't seem to say much. When I tried to run it, it didn't seem to produce the files bad.zip and bad.reg, only log.txt. At any rate, I have posted that log following the latest HJT log.
Logfile of HijackThis v1.99.0
Scan saved at 5:59:27 PM, on 1/17/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP2 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\CLLIGCH.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\EZULA\MMOD.EXE
C:\PROGRAM FILES\WEB OFFER\WO.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP6.EXE
C:\WINDOWS\SYSTEM\IDECNTL.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [PP2000 Taskbar Control] C:\PROGRA~1\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [PP2000 Real-time Scan] C:\PROGRA~1\PROTEC~1\PPVstop.exe
O4 - HKLM\..\Run: [PP2000 InstaUpdate] C:\PROGRA~1\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [¢?¸ï04Ã4}¤Á?5]C:\Program Files\ISTsvc\istsvc.exe] C:\CLLIGCH.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\SYSTEM\netda.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KPF4] C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKLM\..\RunServices: [Idecntl] c:\windows\system\idecntl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O18 - Filter: text/html - {8EFA7720-6828-11D9-9948-008035EEDFD9} - C:\WINDOWS\SYSTEM\CBBG.DLL
O18 - Filter: text/plain - {8EFA7720-6828-11D9-9948-008035EEDFD9} - C:\WINDOWS\SYSTEM\CBBG.DLL
Here's the log.txt...
ECHO is on
Checking for version 1 Files.......
"Files found"
---------------------------------------------------------------------
run_dos.dll
deleting files........
---------------------------------------------------------
"Files Not Deleted"
---------------------------------------------------------------------
Checking for version 2 files..........
Files Found
------------------------------------------------------------
deleting files........
---------------------------------------------------------
Files Not deleted
------------------------------------------------------------
Checking version 3 Files...................
Files Found ..................
----------------------------------------
Files not Deleted.............
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted.. Please Note that This might also list Legit Files, be careful while Deleting
-----------------------------------------------------------------
Finished
If this has run incorrectly, please let me know and I'll try again.
(In order to get this log, I clicked on the link you provided, extracted the file to system32\remv3, and rebooted in Safemode. When I typed in the path name under "run", it couldn't find the file, so I browsed for it and ran it.)
Thx
Budfred
01-17-2005, 09:50 PM
The good news is that you don't have the infection I was afraid you had... The bad news is that you still have a bunch of stuff including what looks like some new things... Please be extremely careful about where you surf until we can clean this up and put more protection on your system... Before we go on to the HJT fixes, please run an online virus scan with Housecall and fix what it finds... Then download and manually update the trial version of TrojanHunter and run that....
Now open an HJT scan and check these if they are still there:
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB} - (no file)
O4 - HKLM\..\Run: [¢?¸ï04Ã4}¤Á?5]C:\Program Files\ISTsvc\istsvc.exe] C:\CLLIGCH.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\SYSTEM\netda.exe
O4 - HKLM\..\RunServices: [Idecntl] c:\windows\system\idecntl.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
These are probably bad, but I couldn't find confirmation.... I suggest fixing them and then restore them from backup if you have a problem:
O18 - Filter: text/html - {8EFA7720-6828-11D9-9948-008035EEDFD9} - C:\WINDOWS\SYSTEM\CBBG.DLL
O18 - Filter: text/plain - {8EFA7720-6828-11D9-9948-008035EEDFD9} - C:\WINDOWS\SYSTEM\CBBG.DLL
Then close all open windows except HJT and click Fix Checked....
Reboot to Safe Mode and be sure you are set to show all hidden and system files... Check to see if you can remove any of these in Add/Remove programs... If you can't, find and remove these:
C:\Program Files\ISTsvc\istsvc.exe] C:\CLLIGCH.EXE
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\SYSTEM\netda.exe
c:\windows\system\idecntl.exe
C:\PROGRA~1\ezula\mmod.exe
C:\PROGRA~1\Web Offer\wo.exe
Then reboot and post a fresh log along with details about how the other scans went and if you had problems with the removals... If this doesn't work, there is another fix to try...
Benado1
01-18-2005, 06:41 AM
Hi. I managed to run Housecall no problem. TrojanHunter, however, gave me a few problems. The scan found 11 Trojans, but twice while trying to fix the results, my system froze halfway through. I don't know why this occurred, but I can certainly try it again if you think it may work. I looked at running TDS-3, but it was more complex and I wasn't too sure how it operates.
I fixed the results from HJT and ran an updated scan...
Logfile of HijackThis v1.99.0
Scan saved at 3:34:23 AM, on 1/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\ADVMON32.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
F1 - win.ini: run=c:\windows\system\mdmdll32.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [PP2000 Taskbar Control] C:\PROGRA~1\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [PP2000 Real-time Scan] C:\PROGRA~1\PROTEC~1\PPVstop.exe
O4 - HKLM\..\Run: [PP2000 InstaUpdate] C:\PROGRA~1\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [¢‰¸ï04Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\CLLIGCH.EXE
O4 - HKLM\..\Run: [¢‰¸ï0+¿ÔÇè]mú*àaîžiC:\Program Files\ISTsvc\istsvc.exe] C:\CLLIGCH.EXE
O4 - HKLM\..\Run: [load32] C:\WINDOWS\SYSTEM\netda.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KPF4] C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKLM\..\RunServices: [Sysdpt] c:\windows\system\sysdpt.exe
O4 - HKLM\..\RunServices: [Audcntr] c:\windows\system\audcntr.exe
O4 - HKLM\..\RunServices: [Scopedll] c:\windows\system\scopedll.exe
O4 - HKLM\..\RunServices: [Advmon32] c:\windows\system\advmon32.exe
O4 - HKLM\..\RunServices: [Mdmdll32] c:\windows\system\mdmdll32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
I think these 2 files need to be deleted, but how does the rest look?
O4 - HKLM\..\Run: [¢‰¸ï04Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\CLLIGCH.EXE
O4 - HKLM\..\Run: [¢‰¸ï0+¿ÔÇè]mú*àaîžiC:\Program Files\ISTsvc\istsvc.exe] C:\CLLIGCH.EXE
Thanks again for your help.
If I have a few malware/trojans/etc on the system and try to reinstall the OS, will I have recurring problems? (I just purchased a new computer and will be giving this one to my parents strictly for digital photos...no internet connection)
Budfred
01-18-2005, 08:18 PM
Try running TrojanHunter in Safe Mode... If it crashes, try again and if it still crashes we will go to the next fix...
Also, check in Safe Mode to see if any of these are showing up in HJT and fix them there if they are:
F1 - win.ini: run=c:\windows\system\mdmdll32.exe
O4 - HKLM\..\Run: [¢‰¸ï04Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\CLLIGCH.EXE
O4 - HKLM\..\Run: [¢‰¸ï0+¿ÔÇè]mú*àaîžiC:\Program Files\ISTsvc\istsvc.exe] C:\CLLIGCH.EXE
O4 - HKLM\..\Run: [load32] C:\WINDOWS\SYSTEM\netda.exe
O4 - HKLM\..\RunServices: [Sysdpt] c:\windows\system\sysdpt.exe
O4 - HKLM\..\RunServices: [Scopedll] c:\windows\system\scopedll.exe
O4 - HKLM\..\RunServices: [Advmon32] c:\windows\system\advmon32.exe
O4 - HKLM\..\RunServices: [Mdmdll32] c:\windows\system\mdmdll32.exe
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
Then go to Misc Tools in HJT and use the "Delete on reboot" utility to kill these:
C:\CLLIGCH.EXE
C:\WINDOWS\SYSTEM\netda.exe
c:\windows\system\sysdpt.exe
c:\windows\system\scopedll.exe
c:\windows\system\advmon32.exe
c:\windows\system\mdmdll32.exe
Reboot and post a fresh log with an update on how things went...
Benado1
01-18-2005, 10:57 PM
TrojanHunter worked successfully this time (run in SafeMode) and cleaned all trojans.
However I'm having problems deleting a few files with HJT, specifically
O4 - HKLM\..\Run: [¢?¸ï04Ã4}¤Á?5]C:\Program Files\ISTsvc\istsvc.exe] C:\CLLIGCH.EXE
O4 - HKLM\..\Run: [¢?¸ï0+¿ÔÇè]mú*àaî?iC:\Program Files\ISTsvc\istsvc.exe] C:\CLLIGCH.EXE
O4 - HKLM\..\Run: [load32] C:\WINDOWS\SYSTEM\netda.exe
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
I try to delete these files every scan, but they continue to show up. I also tried to use the "Delete on Reboot" command to clear the files you mentioned, but this function is disabled on my HJT (the other 3 system tools under Misc Tools are enabled though).
Here's the latest scan.
Logfile of HijackThis v1.99.0
Scan saved at 7:51:03 PM, on 1/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\CDDRV32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
F1 - win.ini: run=c:\windows\system\dlldmt.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [PP2000 Taskbar Control] C:\PROGRA~1\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [PP2000 Real-time Scan] C:\PROGRA~1\PROTEC~1\PPVstop.exe
O4 - HKLM\..\Run: [PP2000 InstaUpdate] C:\PROGRA~1\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [¢?¸ï04Ã4}¤Á?5]C:\Program Files\ISTsvc\istsvc.exe] C:\CLLIGCH.EXE
O4 - HKLM\..\Run: [¢?¸ï0+¿ÔÇè]mú*àaî?iC:\Program Files\ISTsvc\istsvc.exe] C:\CLLIGCH.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KPF4] C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKLM\..\RunServices: [Cddrv32] c:\windows\system\cddrv32.exe
O4 - HKLM\..\RunServices: [Dlldmt] c:\windows\system\dlldmt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
Thx
Budfred
01-19-2005, 12:00 AM
When you tried to use the Delete on reboot function were you in Safe Mode?? I believe it may need to be run from Normal mode....
For the main problem we can try this:
Launch Notepad, and copy/paste the box below into a new text file. Save it as Export.bat and save it on your Desktop.
rem Export both Run keys, rename the exports so a stray double-click cannot
rem merge them back, join them, open the result in Notepad and clean up.
rem (Windows 9x command.com has no DEL /Q switch, so plain DEL is used.)
regedit /e HKCURun.reg "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
ren HKCURun.reg HKCURun.txt
regedit /e HKLMRun.reg "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
ren HKLMRun.reg HKLMRun.txt
copy HKLMRun.txt + HKCURun.txt Output.txt
del HKLMRun.txt
del HKCURun.txt
notepad Output.txt
del Output.txt
Locate Export.bat on your Desktop and double-click on it. This will open Notepad with some text in it. Post that. When I previewed this, some spacing was off on the word Current, adjust that in Notepad before running it if needed... It should look like this: "CurrentVersion"
We can see what we get from this and proceed from there...
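Once Export.bat has produced the REGEDIT4 text, the natural next step for Run values that HJT cannot fix is to delete them by name with a second .reg file, where the line `"name"=-` removes a value. The Python script below is an added example, not Budfred's code and not part of the thread: it parses the export format that `regedit /e` writes on Windows 9x (REGEDIT4 header, backslashes and quotes escaped) and emits a removal file for every Run value whose command references one of the listed paths. SAMPLE_EXPORT is constructed from entries in the logs above, the paths to remove are the ones Budfred listed, and `parse_export` and `build_removal_reg` are the example's own names.

```python
import re

# Constructed sample in the REGEDIT4 format that regedit /e writes on Windows 9x.
# Value names and data are taken from the HJT logs in this thread; regedit doubles
# backslashes and escapes embedded quotes, and writes the garbled name raw.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"load32"="C:\\WINDOWS\\SYSTEM\\netda.exe"
"¢?¸ï04Ã4}¤Á?5]C:\\Program Files\\ISTsvc\\istsvc.exe"="C:\\CLLIGCH.EXE"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"

'''

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
# A quoted value name may contain escaped quotes and backslashes.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def unescape(s: str) -> str:
    """Undo REGEDIT4 escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def escape(s: str) -> str:
    """Apply REGEDIT4 escaping so a name round-trips back into regedit."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def parse_export(text: str):
    """Yield (key, value_name, string_data) for REG_SZ values in a REGEDIT4 export."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = VALUE_RE.match(line)
        if m and key and m["data"].startswith('"') and m["data"].endswith('"'):
            yield key, unescape(m["name"]), unescape(m["data"][1:-1])


def build_removal_reg(text: str, bad_paths) -> str:
    """Return a REGEDIT4 file deleting every Run value whose command mentions a bad path."""
    bad = [p.lower() for p in bad_paths]
    by_key = {}
    for key, name, data in parse_export(text):
        if any(p in data.lower() for p in bad):
            by_key.setdefault(key, []).append(name)
    out = ["REGEDIT4", ""]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        for n in names:
            out.append(f'"{escape(n)}"=-')   # "=-" deletes the value when merged
        out.append("")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Paths Budfred asked to have removed; the .reg text is printed rather than
    # written so the example runs anywhere.
    print(build_removal_reg(SAMPLE_EXPORT,
                            [r"C:\CLLIGCH.EXE", r"C:\WINDOWS\SYSTEM\netda.exe"]))
```

Two caveats: the export and the removal file must use the same ANSI code page, since Win9x regedit is not Unicode-aware, and the trick only works if the value name survives the round trip. The `?` characters in HJT's rendering suggest characters it could not display; if regedit cannot reproduce them either, the `=-` line will not match and the value has to be deleted from a tool that addresses it some other way, which is what the thread turns to next.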
Benado1
01-19-2005, 03:29 AM
My "Delete a file on reboot" button is still disabled on HJT even in Normal Mode. Is it possible something in MSConfig could be disabling it? Do you think it would help to try reinstall it, or would that be detrimental to backups?
I went into MSConfig and under 'startup' I disabled
C:\CLLIGCH.EXE and
C:\WINDOWS\SYSTEM\netda.exe (I didn't change anything else).
The first file doesn't show up in my HJT scan anymore, but the second file does. Here are the scan results
Logfile of HijackThis v1.99.0
Scan saved at 12:07:11 AM, on 1/19/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\UNLDR16.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP6.EXE
F1 - win.ini: run=c:\windows\system\msmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [PP2000 Taskbar Control] C:\PROGRA~1\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [PP2000 Real-time Scan] C:\PROGRA~1\PROTEC~1\PPVstop.exe
O4 - HKLM\..\Run: [PP2000 InstaUpdate] C:\PROGRA~1\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KPF4] C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKLM\..\RunServices: [Unldr16] c:\windows\system\unldr16.exe
O4 - HKLM\..\RunServices: [Msmon] c:\windows\system\msmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
As far as running Export.bat, my scan results are coming up in MSDOS as...
\Windows\CurrentVersion\Run"
Cannot execute C:\WINDOWS\REGEDIT.EXE
C:\WINDOWS\Desktop>ren HKLMRun.reg HKLMRun.txt
File not found - HKLMRun.reg
C:\WINDOWS\Desktop>copy HKLMRun.txt + HKCURun.txt = Output.txt
0 file(s) copied
C:\WINDOWS\Desktop>del /q HKLMRun.txt
Invalid switch - /Q
C:\WINDOWS\Desktop>del /q HKCURun.txt
Invalid switch - /Q
C:\WINDOWS\Desktop>notepad Output.txt
Cannot execute C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\Desktop>del /q Output.txt
Invalid switch - /Q
C:\WINDOWS\Desktop>
C:\WINDOWS\Desktop>
Due to the invalid switch message, I also tried flipping the switches to \q (just in case), but this resulted in...
Cannot execute C:\WINDOWS\REGEDIT.EXE
C:\WINDOWS\Desktop>regedit /e HKLMRun.reg "HKEY_LOCAL_MACHINE\Software\Microsoft
\Windows\CurrentVersion\Run" ren HKLMRun.reg HKLMRun.txt
Cannot execute C:\WINDOWS\REGEDIT.EXE
C:\WINDOWS\Desktop>copy HKLMRun.txt + HKCURun.txt = Output.txt
0 file(s) copied
C:\WINDOWS\Desktop>del \q HKLMRun.txt
Too many parameters - HKLMRun.txt
C:\WINDOWS\Desktop>del \q HKCURun.txt
Too many parameters - HKCURun.txt
C:\WINDOWS\Desktop>notepad Output.txt
Cannot execute C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\Desktop>del \q Output.txt
Too many parameters - Output.txt
C:\WINDOWS\Desktop>
C:\WINDOWS\Desktop>
Thx again.
Budfred
01-19-2005, 10:59 PM
My "Delete a file on reboot" button is still disabled on HJT even in Normal Mode. Is it possible something in MSConfig could be disabling it? Do you think it would help to try reinstall it, or would that be detrimental to backups?
I went into MSConfig and under 'startup' I disabled
C:\CLLIGCH.EXE and
C:\WINDOWS\SYSTEM\netda.exe (I didn't change anything else).
The first file doesn't show up in my HJT scan anymore, but the second file does. Here are the scan results
It won't hurt anything to download a fresh copy of HJT and try it, but it isn't all that likely to work any better... I am not sure what is happening with it, but what you can do instead is go to the same site as the HJT link and download KillBox... Use the delete on reboot option in KillBox instead...
Disabling something in msconfig will not fix it, it will just defer the need to fix it.... I am waiting for some help on what to do with that fix since the log you got doesn't look like the one you should have gotten... Those O15 items are still a major problem we need to deal with as well and I may need some more help with that since the indicated fix didn't work there either... You have some heavy duty garbage on that system... :eek: :eek:
While we wait for more help, use HJT to fix these:
F1 - win.ini: run=c:\windows\system\msmon.exe
O4 - HKLM\..\RunServices: [Unldr16] c:\windows\system\unldr16.exe
O4 - HKLM\..\RunServices: [Msmon] c:\windows\system\msmon.exe
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
And then try to kill these with KillBox:
c:\windows\system\unldr16.exe
c:\windows\system\msmon.exe
Then reboot and post a fresh log with an update on how things are going...
Benado1
01-20-2005, 03:39 AM
Here is the updated HJT log
Logfile of HijackThis v1.99.0
Scan saved at 12:34:51 AM, on 1/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [PP2000 Taskbar Control] C:\PROGRA~1\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [PP2000 Real-time Scan] C:\PROGRA~1\PROTEC~1\PPVstop.exe
O4 - HKLM\..\Run: [PP2000 InstaUpdate] C:\PROGRA~1\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [¢‰¸ï04Ã4}¤Áœ5]C:\Program Files\ISTsvc\istsvc.exe] C:\CLLIGCH.EXE
O4 - HKLM\..\Run: [¢‰¸ï0+¿ÔÇè]mú*àaîžiC:\Program Files\ISTsvc\istsvc.exe] C:\CLLIGCH.EXE
O4 - HKLM\..\Run: [load32] C:\WINDOWS\SYSTEM\netda.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KPF4] C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
The O15s, CLLIGCH.exe, and load32 (netda.exe) are still causing headaches, but everything else from your last post has been cleaned up. I was able to run KillBox successfully, but it didn't work for netda.exe.
Thanx
Budfred
01-20-2005, 11:29 PM
Try running TrojanHunter in Safe Mode again to see if it will take care of netda.exe... If it doesn't follow the instructions here to see if you can kill it...
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DUMARU.AI
I am going to have to do a little more digging for the other problem... I think there is an update to the fix and I will post it later if there is...
Budfred
01-21-2005, 12:44 AM
Okay, we can try this: Copy/paste this into Notepad where you had that other Regedit:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
And run it like you did before... Hopefully it will give us more usable results... Post the log that it makes back here with the HJT log... and update on how things are going with the other fixes I suggested...
Benado1
01-21-2005, 07:01 AM
I ran TrojanHunter and it found and cleaned netda.exe, but it showed up again when I rebooted. So I followed the link (trendmicro) and it seems to have taken care of the problem. I also managed to delete the 2 recurring CLLIGCH.exe files too. Now if we can just get rid of those O15s.
Logfile of HijackThis v1.99.0
Scan saved at 3:53:05 AM, on 1/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [PP2000 Taskbar Control] C:\PROGRA~1\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [PP2000 Real-time Scan] C:\PROGRA~1\PROTEC~1\PPVstop.exe
O4 - HKLM\..\Run: [PP2000 InstaUpdate] C:\PROGRA~1\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KPF4] C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
I ran the updated Regedit, but the results don't appear to be very useful this time either (although I should leave that decision up to the expert!).
Bad command or file name
C:\WINDOWS\Desktop>
C:\WINDOWS\Desktop>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersio
n\Run]
Bad command or file name
C:\WINDOWS\Desktop>"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,
NvStartup"
Bad command or file name
C:\WINDOWS\Desktop>
C:\WINDOWS\Desktop>REGEDIT4
Bad command or file name
C:\WINDOWS\Desktop>
C:\WINDOWS\Desktop>[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion
\Run]
Bad command or file name
C:\WINDOWS\Desktop>"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,
NvStartup"
Bad command or file name
Once again, thank you.
Paleo Pete
01-21-2005, 10:41 AM
Budfred:
Don't know what's going on but look at your text box above, same problem as before...
Curr entVersion\Run
Still have a space in there for some reason. Is that a half-screen notepad line break? That's why he got the "Bad command or filename" error messages above.
Benado1:
Edit the notepad file you copied from above to remove the space in the word curre_nt, where I placed the underscore. It's there again in this text box, probably not Budfred's fault, except that I'm going to give him a hard time for not proofreading :D :D :D (I don't get to do that often...) After the spaces in both lines have been edited out it should run fine.
Also what happened to CDDRV32.EXE? It's there in one HJT log and not there next time and I didn't see anything that should have removed it, unless I simply missed it. Anyway, that's a Trojan (http://computercops.biz/startuplist-5555.html) if it hasn't already been intentionally removed, it should be.
Also noticed Hijack This is still running from a Temp folder, it really should be in its own folder. One scan showed Netscape running, this last one shows Internet Explorer. Both should be closed when running HJT. One strange thing, I still see your O15 lines in your log, but nothing listed in that HJT log that could put them there, everything I see is legitimate.
NOTE: Budfred has the last word here, he's the one dealing with this problem, consider my comments about the HJT log COMMENTARY ONLY...
Benado1
01-21-2005, 04:37 PM
I reran export.bat with the corrected text, but I'm still getting the same result.
C:\WINDOWS\Desktop>REGEDIT4
Bad command or file name
C:\WINDOWS\Desktop>
C:\WINDOWS\Desktop>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion
\Run]
Bad command or file name
C:\WINDOWS\Desktop>"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,
NvStartup"
Bad command or file name
C:\WINDOWS\Desktop>REGEDIT4
Bad command or file name
C:\WINDOWS\Desktop>
C:\WINDOWS\Desktop>[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\
Run]
Bad command or file name
C:\WINDOWS\Desktop>"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,
NvStartup"
Bad command or file name
As for running HJT from its own folder...it is. It was initially in a temp folder, but I have since moved it to a HJT folder under program files.
Regarding CDDRV32.exe, TrojanHunter took care of this one.
Budfred
01-21-2005, 11:55 PM
Here is another batch file to run in place of that one... Check for that extra space before running it, I am not sure why it is showing up, but it is causing problems and it doesn't show in the Reply window, so I can't fix it on this end...
cd\
regedit /e /a HKCURun.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run"
regedit /e /a HKLMRun.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run"
copy HKLMRun.txt + HKCURun.txt = Output.txt
notepad Output.txt
And here is a fix for the O15s:
Download WinHelp2002's DelDomains.inf here: http://www.mvps.org/winhelp2002/DelDomains.inf
Choose File - Save As and save the file
Right-click the file and select: Install (no need to restart)
This will remove all entries in the "Trusted Zone".
Benado1
01-22-2005, 02:04 AM
I tried to run that new batch file, but it still isn't working. I corrected the space in "current", so I'm not sure what the problem is (when I run it, there is a break in the text at current anyway...does this cause a problem, and if so, are there any display changes I can make in the DOS window?)
C:\WINDOWS\Desktop>cd\
C:\>regedit /e /a HKCURun.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\Curr
entVersion\Run"
Cannot execute C:\WINDOWS\REGEDIT.EXE
C:\>regedit /e /a HKLMRun.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Cur
rentVersion\Run"
Cannot execute C:\WINDOWS\REGEDIT.EXE
C:\>
C:\>copy HKLMRun.txt + HKCURun.txt = Output.txt
0 file(s) copied
C:\>notepad Output.txt
Cannot execute C:\WINDOWS\NOTEPAD.EXE
The fix worked for the O15s.
Logfile of HijackThis v1.99.0
Scan saved at 10:58:05 PM, on 1/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [PP2000 Taskbar Control] C:\PROGRA~1\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [PP2000 Real-time Scan] C:\PROGRA~1\PROTEC~1\PPVstop.exe
O4 - HKLM\..\Run: [PP2000 InstaUpdate] C:\PROGRA~1\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KPF4] C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
Thanx
Budfred
01-22-2005, 08:50 AM
I am not sure what is going on with the Regedit... Since the syntax has to be just right, I suspect that we won't get it to work... On the other hand, your log looks clean!! Are you having any more problems??
Paleo Pete
01-22-2005, 10:15 AM
That's really odd...I'm wondering if the original was typed into Notepad, using a half size window, not full size. The space/break could be related to the word wrap used to size it to the right screen...Or maybe turning OFF word wrap entirely might help???
If it isn't visible in Budfred's review window, I think if it was copied and pasted from Notepad it must be picking up the formatting for screen size or something of that nature.
Budfred if you want to we can try this out in the lounge, I'd say testing area but I wouldn't want to post anything someone could try and use and get ummmm...less than favorable results...try notepad full size (maximized) and NO word wrap, let's see how it turns out, either here or lounge.
shanmuga
01-22-2005, 01:31 PM
The log looks all right, but wondering about the batch file......
The syntax is right and the spacing is unlikely to affect the output. The particular batch file is harmless and it can be tried by anyone interested, it just outputs whatever is starting with Windows from those particular registry keys in a text file. Just copy and paste the entire text in notepad or any compatible text editor and save it as "anyname.bat", click or double-click it and notepad should pop up with the result. It works as it is in WinXP SP2.
Another thought in this particular case: the regedit.exe may be corrupt or it may not be in its default location... try running "regedit" from the Run command... copying a good copy of regedit.exe to the %systemroot% folder might also help.
Check if this works: go to Start > Run, and paste the following (don't mind the space) into the box, then click OK:
regedit /e C:\run.txt HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run
This will export the contents of the particular reg key to the C:\Run.txt file.
Do a copy and paste of the contents of the Run.txt file here for Budfred to peruse.
Benado1
01-23-2005, 05:46 AM
I haven't had any more problems. I ran Ad-aware and Spybot S&D and everything looks good. I followed Shanmuga's post and here is the log I received:
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"AtiCwd32"="Aticwd32.exe"
"AtiKey"="Atitask.exe"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"
"LoadQM"="loadqm.exe"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"PP2000 Taskbar Control"="C:\\PROGRA~1\\PROTEC~1\\PPTbc.EXE"
"PP2000 Real-time Scan"="C:\\PROGRA~1\\PROTEC~1\\PPVstop.exe"
"PP2000 InstaUpdate"="C:\\PROGRA~1\\PROTEC~1\\PPInupdt.exe"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
Now that everything is looking clean (unless the above log says otherwise), I can pass this computer on to my parents (sans the internet connection). So one final question for you...I hope. In starting up my new computer, are there any extra precautions you can suggest to prevent such an attack prior to connecting to the internet? (i.e. any specific software, etc.? The system comes with Norton Personal Firewall and Norton Antivirus 2004.)
Thanks again for all your assistance. It's greatly appreciated.
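The REGEDIT4 text that shanmuga's `regedit /e` command produced (and that Benado1 posted above) is what a helper actually reads when reviewing a Run key. The script below is an added example, not code from this thread or from any of the tools named in it: it parses that export format, undoes its `\\` and `\"` escaping, splits each value into the executable and its arguments, and attaches a few review hints (bare filename, drive root, Temp folder) that are this example's own heuristics, not rules from the thread. The sample export is a constructed excerpt modelled on the posted log.

```python
"""Parse a REGEDIT4 export (what `regedit /e` writes on Windows 9x) of a
Run key and list each autostart entry's executable for review.
Added example, not code from the thread or its tools."""
import re

# Constructed sample, modelled on the log posted in the thread, with one
# extra 'Helper' entry added to exercise the drive-root hint.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"
"QuickTime Task"="\"C:\\WINDOWS\\SYSTEM\\QTTASK.EXE\" -atboottime"
"load32"="C:\\WINDOWS\\SYSTEM\\netda.exe"
"Helper"="C:\\CLLIGCH.EXE"
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
# "name"="value" with REGEDIT4 escaping (\\ for backslash, \" for quote)
STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Cut the command line at the first executable extension: Win9x Run values
# often hold unquoted paths that contain spaces, so splitting on the first
# space would be wrong.
IMAGE_RE = re.compile(r'^"?(.*?\.(?:exe|com|bat|pif))"?(?:\s+(.*))?$', re.I)


def unescape(value):
    """Undo REGEDIT4 escaping: \\ -> \ and \" -> "."""
    return re.sub(r'\\(.)', r'\1', value)


def split_command(command):
    """Return (image, args) for a Run value; args is '' when absent."""
    m = IMAGE_RE.match(command)
    if not m:
        return command, ''
    return m.group(1), (m.group(2) or '')


def review_notes(image):
    """Heuristic hints assumed by this example (not rules from the thread):
    a bare filename is resolved through PATH search, and images sitting at
    the drive root or in a Temp folder deserve a closer look."""
    notes, low = [], image.lower()
    if '\\' not in low:
        notes.append('bare filename, resolved via PATH')
    elif re.match(r'^[a-z]:\\[^\\]+$', low):
        notes.append('runs from drive root')
    if '\\temp\\' in low:
        notes.append('runs from a Temp folder')
    return notes


def parse_run_export(text):
    """Parse REGEDIT4 text into a list of autostart entry dicts."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != 'REGEDIT4':
        raise ValueError('not a REGEDIT4 export')
    entries, section = [], None
    for line in lines[1:]:
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = STRING_RE.match(line)
        if not m or section is None:
            continue  # blank line, or a hex:/dword: value we do not model
        name, command = unescape(m.group(1)), unescape(m.group(2))
        image, args = split_command(command)
        entries.append({'key': section, 'name': name, 'image': image,
                        'args': args, 'notes': review_notes(image)})
    return entries


if __name__ == '__main__':
    for e in parse_run_export(SAMPLE_EXPORT):
        flag = ('  <-- ' + '; '.join(e['notes'])) if e['notes'] else ''
        print(f"{e['name']:<16} {e['image']} {e['args']}{flag}")
```

Feed it the text of Run.txt (or the concatenated Output.txt from the batch file) instead of SAMPLE_EXPORT to get the same listing for a real export.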
Budfred
01-23-2005, 09:39 AM
It does appear to be clean!! Congratulations!!
I would be careful about the Norton 2004... the subscription is likely to be running out soon and your parents will either need to pay a fee to upgrade or they will need to get another AV program... AVG is a good alternative that is free and Avast is free as well...
Here is my prevention speech for more clues:
This is a good time to set up protection against further attacks. Read the article linked below about "How did I get infected". You need an antivirus that is updated, a good firewall (a router firewall is not enough) and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....
http://www.computercops.biz/postlite7736-.html