PDA

View Full Version : Post malware removal remnants



tulley
2006-07-29, 23:12
(Edited, please do not use my name in your posts) in this forum I believe I have cleaned everything (see logs below). I have remnants that surface on reboot
however:
wc84edf9.dll
wc84ca73.dll
Not sure how to remove/terminate this "failure to execute" error messages ?

Any insight would be very helpful.

Following are scan reports:

1. ewido anti-spyware
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:35:43 PM 7/29/2006

+ Scan result:
Nothing found.
::Report end



2. E2TakeOut v1.01
E2TakeOut v1.01 [http://www.malwarebytes.org]

Removed orphaned leftovers
AppInit key reset


3. HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 12:43:08 PM, on 7/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qqtxq.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,blbbbjn.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2EB12B27-2CCF-41FD-9B70-22385120683F} - C:\Program Files\Common Files\mezor.dll (file missing)
O2 - BHO: (no name) - {3D5CA3B2-4339-F1D0-5DBE-8A23ABB3E02A} - C:\WINDOWS\wvsffbr.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hp9686.tmp (file missing)
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINDOWS\system32\xeymi.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [NwCplMonitor] C:\WINDOWS\system32\redistributor.exe
O4 - HKLM\..\Run: [zam2b8db] RUNDLL32.EXE wc84ca73.dll,n 0022b8d900000003c84ca73
O4 - HKLM\..\Run: [yxhlqc] C:\WINDOWS\system32\ahdtqe.exe reg_run
O4 - HKLM\..\Run: [wc84edf9.dll] RUNDLL32.EXE wc84edf9.dll,I2 0022b8d90c84edf9
O4 - HKLM\..\Run: [p2p networking] p2pnetworking.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Computer Alarm Clock] C:\Program Files\Computer Alarm Clock\cac.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [vuomr] C:\WINDOWS\system32\ahdtqe.exe reg_run
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145682080003
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146941058468
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: logons - C:\WINDOWS\system32\redist.dll (file missing)
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\mlcndmgr.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software - c:\program files\panda software\panda platinum 2006 internet security\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\psimsvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2006 Internet Security\TPSrv.exe

tulley
2006-07-30, 02:32
Hello,
Need help with following:

Problem started with the full array of pop ups, desk top short cuts, favorites, start up program entries etc so I searched the forums on this site and followed a Step-by-Step from this site which seemed appropriate to my problem which in brief involved steps A - E :

A.
E2TakeOut (scan/remove) -> Reboot -> Reboot in Safe Mode ->Ewido Anti-Malware (scan/remove) -> Brute Force-alcanshorty.bfu-execute and exit->

B.
Open HijackThis and system scan only" then check the box in front of these line items and run "Fix Checked":

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\cfgge.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,nankokp.exe
(next two, if you do not know why they are delete, check and remove them)
O1 - Hosts: comments (such as these) may be inserted on individual
O1 - Hosts: 66.208.106.116 l2authd.lineage2.com
O4 - HKLM\..\Run: [lmttdd] C:\WINDOWS\System32\lvpcef.exe reg_run
O4 - HKCU\..\Run: [hjbuf] C:\WINDOWS\System32\lvpcef.exe reg_run
O16 - DPF: {CAFEEFAC-0014-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_03) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/def...ploader_v6.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\System32\xeymi.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: gebaawx - gebaawx.dll (file missing)
O20 - Winlogon Notify: gebyy - C:\WINDOWS\System32\gebyy.dll (file missing)
O20 - Winlogon Notify: winghy32 - C:\WINDOWS\SYSTEM32\winghy32.dll
O21 - SSODL: mDkfDWfNpO - {D4EEE18D-7E44-4B27-E756-1FAAB40D7398} - C:\WINDOWS\System32\nte.dll (file missing)

C.
RIGHT Click on Start then click on Explore. Locate and delete these files if they are there, do not miss any!!

C:\WINDOWS\System32\cfgge.exe

C:\WINDOWS\System32\gebyy.dll

C:\WINDOWS\System32\gebaawx.dll

C:\WINDOWS\System32\lvpcef.exe

C:\WINDOWS\System32\nankokp.exe

C:\WINDOWS\System32\nte.dll

C:\WINDOWS\SYSTEM32\winghy32.dll

C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll

D.
Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

E.
1. Reboot in SafeMode.
2. Lauch ewido-anti-spyware.
3. Perform "Complete System Scan" - Apply all actions.
4. Close ewido and reboot in Normal Mode.
________________________________________________________________
Sooo.
Definitely, have malware/viral infection still.
Noticable signs are:
Win AntiVirus 2006 Pro pop up comes up continually
aswell as other Internet explorer messages such as
the Information bar message denoting blocked pop ups.
Its worth mentioning that I dont have IE6 open but use
Firefox.

When I reboot I get 2 error messages:
can not load missing wc84edf9.dll
can not load missing wc84ca73.dll

Also performed Symantec online scan twice but it stopped each time after only 55,422 files scanned.report is below

Online Symantec scan
55422 files scanned, 7 file(s) infected on your disk drives.

Warning! The scan detected a virus that is active in your computer's memory.
The scan ended to prevent further infection.

You should shut down your computer immediately and restart it with an antivirus rescue disk or similar tool.
Your computer is infected with at least one known virus or Trojan horse.

Search for the name of the threat(s) listed below on the Symantec Security Response site for removal information.
Note: The scan was cancelled before finishing. There may be more infected files on this computer.

C:\WINDOWS\pf78.exe is infected with Adware.WinBo
C:\WINDOWS\srvuqcwxvc.exe is infected with Trojan.Popper
C:\WINDOWS\system32\VSL05.exe is infected with Adware.ZQuest
C:\Program Files\MSN Gaming Zone\mefec.html is infected with Adware.ZQuest
C:\Program Files\Movie Maker\pohofyzyt.html is infected with Adware.ZQuest
C:\Program Files\Batty\Batty.dll is infected with Adware.FCHelp
C:\Documents and Settings\tulley\Application Data\Microsoft\Internet Explorer\Desktop.htt is infected with Adware.ZQuest

LonnyRJones
2006-08-02, 09:52
Hi
Although the l2m infection doesnt look active
Please download Look2Me-Destroyer.exe to your to the root drive, eg: Local Disk C: or partition where your operating system is installed.
http://www.atribune.org/content/view/28/
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 to five minute's. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Wait about Four minutes, Turn your computer back on.
Please post the contents of Look2Me-Destroyer.txt and a new HiJackThis log.

tashi
2006-08-07, 09:37
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread.

Applies only to the original topic starter.