View Full Version : Malware: TeslaPlus
moinmoin
2006-05-06, 18:25
Greetings!
my problem is as following:
i caught some malware while surfing. it went along with "your PC is infected..." and so on
then the desktop went:
Your computer has several fatal errors due to spyware activity.
Your IP address is via this address an unauthorized
access was gained by another computer. It is strictly recommeded
to install an anti-virus software to close all security breaches.
Your IP address: They know you're using: Internet Explorer
Your computer is: ****
Risk status for further investigation: VERY HIGH RISK
To protect your computer from spyware attacks - click here
To erase the tracks of your internet activity - click here
(quickquestion had the same problem i think http://forums.spybot.info/showthread.php?p=21489#post21489)
--> System crashed --> reboot --> system freezes and autoreboot 10 secs after winlogon
in safe mode i had no possibility to go online
plus when i tried to invoke the taskmanager there was a message
"the tskmgr was disabled by the administartor" well....
i am glad that i installed SuSe Linux a while ago, so i was able to look up the internet for help.
ok right down to it,
windows in "safe mode"
Spybot S & D installed, scanned several times (oh that was good, cleaning up all the garbage) ---> keeps finding an entry "TeslaPlus" that wont be deleted when i click "fix problems".
smitfraud and ewido are downloaded but not yet installed or executed
HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 16:52:36, on 06.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
F2 - REG:system.ini: Shell=explorer.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CherryKeyMan] C:\Program Files\Cherry\KeyMan\KeyMan.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [OGjefW] C:\WINDOWS\fayci.exe
O4 - HKLM\..\Run: [Yizepv] C:\Program Files\Xrlpn\Yrjvzji.exe
O4 - HKLM\..\Run: [MNI.UWFX5U_0001_LP1710] "C:\WinFixer2005ScannerInstallDE.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ReJf5vH] C:\WINDOWS\ajbgb.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [orderShell] C:\Documents and Settings\"""\orderixim.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKLM\..\Run: [Microsoft Windows System] srwhost.exe
O4 - HKLM\..\Run: [rpcc] rpcc.exe
O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Microsoft Windows System] srwhost.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\system32\vxgame6.exe3584.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: 2014reg - C:\Documents and Settings\All Users\Documents\Settings\2014.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
please, can someone have a look at it??
Thanks in andvance!
LonnyRJones
2006-05-07, 02:50
Hello
Run Hijackthis click >"config" then "misc tools" >"delete file on reboot"
Copy/Paste the bolded line below into the File name box then click Open,
C:\Documents and Settings\All Users\Documents\Settings\2014.dll
choose yes to the reboot prompt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Start Hijackthis and place a check next to these items If there.
F2 - REG:system.ini: Shell=explorer.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
O4 - HKLM\..\Run: [OGjefW] C:\WINDOWS\fayci.exe
O4 - HKLM\..\Run: [Yizepv] C:\Program Files\Xrlpn\Yrjvzji.exe
O4 - HKLM\..\Run: [MNI.UWFX5U_0001_LP1710] "C:\WinFixer2005ScannerInstallDE.exe"
O4 - HKLM\..\Run: [ReJf5vH] C:\WINDOWS\ajbgb.exe
O4 - HKLM\..\Run: [orderShell] C:\Documents and Settings\"""\orderixim.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKLM\..\Run: [Microsoft Windows System] srwhost.exe
O4 - HKLM\..\Run: [rpcc] rpcc.exe
O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] srwhost.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\system32\vxgame6.exe3584.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O20 - Winlogon Notify: 2014reg - C:\Documents and Settings\All Users\Documents\Settings\2014.dll 9file missing)
====================================
Hit fix checked and close Hijackthis.
Restart the PC to a none safe mode session
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fallow the instructions on this page
http://forums.spybot.info/showthread.php?t=4015
moinmoin
2006-05-07, 18:19
so far...
there are two rapport of smitfraudcmd... one after the search and one after the clean... i'll post them both they are not that big anyway
rapport.search:
SmitFraudFix v2.40
Scan done at 15:53:58,88, 07.05.2006
Run from C:\Documents and Settings\el_puornogott\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\oleext.dll FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\el_puornogott\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{87A3E824-A726-4CF4-8A66-6314B11BDA0C}"="OLE Object"
[HKEY_CLASSES_ROOT\CLSID\{87A3E824-A726-4CF4-8A66-6314B11BDA0C}\InProcServer32]
@="C:\WINDOWS\system32\barseek.dll"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{87A3E824-A726-4CF4-8A66-6314B11BDA0C}\InProcServer32]
@="C:\WINDOWS\system32\barseek.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{786C369D-409A-456f-A13C-971EADA850C6}"="DertertDE"
[HKEY_CLASSES_ROOT\CLSID\{786C369D-409A-456f-A13C-971EADA850C6}\InProcServer32]
@="C:\WINDOWS\system32\birdasfihuy32.dll"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{786C369D-409A-456f-A13C-971EADA850C6}\InProcServer32]
@="C:\WINDOWS\system32\birdasfihuy32.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
C:\WINDOWS\system32\wininet.dll infected !
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll backup
Volume in drive C has no label.
Volume Serial Number is 180E-A661
Directory of C:\WINDOWS\$hf_mig$\KB834707\SP2QFE
29.09.2004 20:27 656.896 wininet.dll
1 File(s) 656.896 bytes
Directory of C:\WINDOWS\$hf_mig$\KB867282\SP2QFE
27.01.2005 19:08 657.920 wininet.dll
1 File(s) 657.920 bytes
Directory of C:\WINDOWS\$hf_mig$\KB883939\SP2QFE
02.05.2005 22:57 658.944 wininet.dll
1 File(s) 658.944 bytes
Directory of C:\WINDOWS\$hf_mig$\KB890923\SP2QFE
10.03.2005 09:43 657.920 wininet.dll
1 File(s) 657.920 bytes
Directory of C:\WINDOWS\$hf_mig$\KB896688\SP2QFE
03.09.2005 01:53 660.480 wininet.dll
1 File(s) 660.480 bytes
Directory of C:\WINDOWS\$hf_mig$\KB896727\SP2QFE
03.07.2005 04:09 659.456 wininet.dll
1 File(s) 659.456 bytes
Directory of C:\WINDOWS\$hf_mig$\KB905915\SP2QFE
21.10.2005 05:38 661.504 wininet.dll
1 File(s) 661.504 bytes
Directory of C:\WINDOWS\$NtServicePackUninstall$
23.08.2001 14:00 593.920 wininet.dll
1 File(s) 593.920 bytes
Directory of C:\WINDOWS\$NtUninstallKB834707$
04.08.2004 00:56 656.384 wininet.dll
1 File(s) 656.384 bytes
Directory of C:\WINDOWS\$NtUninstallKB867282$
29.09.2004 20:47 656.896 wininet.dll
1 File(s) 656.896 bytes
Directory of C:\WINDOWS\$NtUninstallKB883939$
10.03.2005 10:02 656.896 wininet.dll
1 File(s) 656.896 bytes
Directory of C:\WINDOWS\$NtUninstallKB890923$
27.01.2005 19:13 656.896 wininet.dll
1 File(s) 656.896 bytes
Directory of C:\WINDOWS\$NtUninstallKB896688$
03.07.2005 04:11 658.432 wininet.dll
1 File(s) 658.432 bytes
Directory of C:\WINDOWS\$NtUninstallKB896727$
02.05.2005 22:52 657.920 wininet.dll
1 File(s) 657.920 bytes
Directory of C:\WINDOWS\$NtUninstallKB905915$
03.09.2005 01:52 658.432 wininet.dll
1 File(s) 658.432 bytes
Directory of C:\WINDOWS\ServicePackFiles\i386
04.08.2004 00:56 656.384 wininet.dll
1 File(s) 656.384 bytes
Directory of C:\WINDOWS\system32
21.10.2005 05:39 658.432 wininet.dll
1 File(s) 658.432 bytes
»»»»»»»»»»»»»»»»»»»»»»»» End
moinmoin
2006-05-07, 18:20
rapport.clean:
SmitFraudFix v2.40
Scan done at 17:11:36,18, 07.05.2006
Run from C:\Documents and Settings\el_puornogott\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
Problem while deleting C:\WINDOWS\system32\oleext.dll
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll
C:\WINDOWS\system32\wininet.dll infected !
Searching wininet.dll backup file...
C:\WINDOWS\$hf_mig$\KB834707\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB896727\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\wininet.dll
C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
C:\WINDOWS\$NtUninstallKB834707$\wininet.dll
C:\WINDOWS\$NtUninstallKB867282$\wininet.dll
C:\WINDOWS\$NtUninstallKB883939$\wininet.dll
C:\WINDOWS\$NtUninstallKB890923$\wininet.dll
C:\WINDOWS\$NtUninstallKB896688$\wininet.dll
C:\WINDOWS\$NtUninstallKB896727$\wininet.dll
C:\WINDOWS\$NtUninstallKB905915$\wininet.dll
C:\WINDOWS\ServicePackFiles\i386\wininet.dll
C:\WINDOWS\system32\wininet.dll
File Found : C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\\wininet.dll
System Version : 6.0.2900.2781
BackUp Version : 6.0.2900.2781
Wininet.dll Remplacement (reboot necessary)
»»»»»»»»»»»»»»»»»»»»»»»» Reboot
C:\WINDOWS\system32\oleext.dll Deleted
»»»»»»»»»»»»»»»»»»»»»»»» End
moinmoin
2006-05-07, 18:21
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 16:54:37, 07.05.2006
+ Report-Checksum: 11FA416E
+ Scan result:
C:\Documents and Settings\!"§$%\My Documents\!"§$%\!"§$%/!"§$%.exe -> Downloader.INService.ja : Error during cleaning
C:\Documents and Settings\el_puornogott\orderixim.exe -> Dropper.Agent.anv : Cleaned with backup
C:\jldphc.exe -> Trojan.Sinowal.d : Cleaned with backup
C:\nuto.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.dll -> Trojan.Sinowal.m : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.dll -> Trojan.Sinowal.k : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00006.dll -> Trojan.Sinowal.i : Cleaned with backup
C:\WINDOWS\system32\barseek.dll -> Proxy.Small.du : Cleaned with backup
C:\WINDOWS\system32\ipod.raw.exe -> Proxy.Lager.ba : Cleaned with backup
C:\WINDOWS\system32\msvcrl.dll -> Worm.Locksky.ao : Cleaned with backup
C:\WINDOWS\system32\ordermas2.dll -> Downloader.Small.chk : Cleaned with backup
C:\WINDOWS\system32\senssrv.dll -> Downloader.Agent.afl : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__birdasfihuy32.dll -> Proxy.Small.ct : Cleaned with backup
C:\WINDOWS\Temp\$_3472452.EXE -> Trojan.Sinowal.n : Cleaned with backup
C:\xrsj.exe -> Trojan.Sinowal.k : Cleaned with backup
::Report End
moinmoin
2006-05-07, 18:23
last but not least the fresh HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 17:17:12, on 07.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Cherry\KeyMan\KeyMan.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CherryKeyMan] C:\Program Files\Cherry\KeyMan\KeyMan.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [orderShell] C:\Documents and Settings\el_puornogott\orderixim.exe
O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
i think thats it...
LonnyRJones
2006-05-08, 01:15
Start Hijackthis and place a check next to these items If there.
O4 - HKLM\..\Run: [orderShell] C:\Documents and Settings\el_puornogott\orderixim.exe
O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Now Install atleast a free anti virus and firewall program
Dont make the common mistake of installing more than one anti virus or firewall
AVG Anti-Virus-Free: http://www.grisoft.com/us/us_dwnl_free.php
AntiVir Personal Edition: http://www.free-av.com/
avast! 4 Home - Free antivirus software :
http://www.asw.cz/eng/free_virus_protectio.html
Understanding and Using Firewalls:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=60
ZoneAlarm provide's a paid for and free version http://www.zonelabs.com/
http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za
Kerio Personal Firewall
For home users, Kerio Personal Firewall 4 is available in two flavors -
the full edition and the limited free edition.
http://www.kerio.com/us/kpf_download.html
Sygate free for personal/home http://soho.sygate.com/products/spf_standard.htm
Outpost http://www.outpost.uk.com/download/outpost1.html
Let me know of any problems
moinmoin
2006-05-08, 20:49
... Okay!! there is no problem anymore!! free-av is the way to go for me...
wonderful, nice job! :bigthumb:
i'll be back... (should there be any problems in the future...)
thank you very much!!
LonnyRJones
2006-05-09, 00:29
Id love to see a log after an av and firewall programs are installed :bigthumb:
moinmoin
2006-05-11, 20:44
Greetings LonnyR!!
wish i could come back just to post the log...
I experience weird behaviour (no its not win itself :) ) on startup...
wish i had all favourite and essential software in a linux version :(
the init speed is the same as always, but sometimes - as has happened two times in the last few hours - there is either the LAN-Icon showing a "low or no connectivity" message or shortly after all the icons in the system tray appear as they always do, the system goes zapp! and spontaneously performs a restart....
two restarts later everything is working, just the way it is supposed to.
i have no idea how to solve it......
however, here's the HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 19:09:06, on 11.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Cherry\KeyMan\KeyMan.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat
7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CherryKeyMan] C:\Program Files\Cherry\KeyMan\KeyMan.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir
PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir
PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common
Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia
Shared\Service\Macromedia Licensing.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony
Shared\AVLib\SPTISRV.exe
moinmoin
2006-05-12, 00:22
addition,
another strange thing: after an idle time (few apps opened, no browsers) of appr. 1.5 hrs firefox and iexplorer cant resolve sites anymore (they could before)
ping 127.0.0.1 -> reply
ping google.com -> reply
but the browsers do NOTHING...
any ideas?
LonnyRJones
2006-05-12, 02:58
Run the updated antivirus, Ewido, spybot while the PC is in safe mode
One at a time ofcource
Also ensure these two files stay deleted
C:\WINDOWS\system32\biasfardihuy.dll
C:\WINDOWS\system32\birdasfihuy32.dll
moinmoin
2006-05-14, 12:55
Moin!
the sys32 files are deleted, i check it every now and then...
i performed your advised scans.
the unvoluntary reboot at the startup has not occured since...
but the browser-hangup still is an issue...
on yesterdays evening and todays morning, after 45 mins idle time it would need a reboot to use the browser again... thats really annoying
so i went and uninstalled the freeav antivir, because the browser thing occured ever since i installed freeav.
so now im going to install another av from your list...
thats for now
btw: Do you need any logs?! :)
LonnyRJones
2006-05-14, 15:28
A log and description of any problems when you have found an antivirus your satisfied with.
moinmoin
2006-05-14, 22:54
installed avast! av and zonelabs firewall
browser defunction has not yet occured
it seems to be ok... or at least think so
Logfile of HijackThis v1.99.1
Scan saved at 21:51:40, on 14.05.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Cherry\KeyMan\KeyMan.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\ALWILS~1\Avast4\ashDisp.exe
C:\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Alwil Software\Avast4\aswUpdSv.exe
C:\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [CherryKeyMan] C:\Program Files\Cherry\KeyMan\KeyMan.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [avast!] C:\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
LonnyRJones
2006-05-15, 08:56
Fantastic :bigthumb:
We will leave the thread open for a few days. post back and let use know if that PC is still ok.
moinmoin
2006-05-21, 21:00
Moin!
PC is running like a smooth little mouse in a wheel...
Big up and thanks all over again!! :D
LonnyRJones
2006-05-22, 00:07
Good
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let Me or Tashi know.
Stay safe