Persistent Trojan


This topic is locked
14 replies to this topic

#1 Momoka (New Member, 8 posts)

Posted 03 April 2006 - 06:16 PM

Hi Guys,

I have a problem, and a very well-hidden one as well.

Every time my clock changes from 11:59pm to 12:00am (so midnight), my Internet Explorer will come up and try to open something, a page or a file. IE will not open a full window; the only thing visible (at least before) is a minimized window. I could only read part of the address it was trying to reach (since it was minimized); it started with "Res://mshtml.dll ". IE tries that only for a brief second and closes right away ... too fast for you to open that window and read the full address bar (it even closes before you can click it). It tries this a few times, then stops.
Now, after I installed a new IE (I changed my registry so that Windows thinks I don't have IE installed), I don't even see the minimized window any more; all I hear is as if a window wants to be opened but is blocked or closed right away.
I did several McAfee scans, a DOS McAfee scan, Spybot checks and so on ... without any success. I can't seem to make out what is on my system.

Here is my HijackThis log:
-----------------------------------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 1:17:42 AM, on 4/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\DiskeeperLite\DKService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\oobe\csrss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D80D988-4459-4B9A-B4F2-4B10384ADE79}: NameServer = 195.50.140.252 195.50.140.114
O21 - SSODL: Windows Update - {459FA2B2-E4C2-13D4-CA84-03501F45B839} - C:\WINDOWS\System32\oobe\csrss.exe
O21 - SSODL: Battery Monitor - {459352B2-D4CE-13D4-2D78-03501003EF20} - shlapiw32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\DiskeeperLite\DKService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
-----------------------------------------------------------------------------------------------------------------------------

I hope that someone can tell me what this thing is that bothers me. I don't want to reinstall everything anew (I did install my system completely new, since I got a new motherboard, graphics card and sound card 2 weeks ago, and last week this problem started), only to find out that I get that little bugger again ASAP once I go online.



#2 Susan528 (SuperMember, Authentic Member, 3,194 posts)

Posted 04 April 2006 - 04:43 AM

Hello and welcome Momoka to Tom Coyote,

Please do the following:

Show Hidden Files
Please show all files for your system.
You will need to reverse this process when all steps are done.


These files look suspicious to me, so let's check them out.
C:\WINDOWS\System32\oobe\csrss.exe
Please do a search on shlapiw32.dll and see if it is really missing. If it is not, take note where it is located.

STEP 1.
======
Submit File to Jotti
Please click on Jotti
Use the "Browse" button and locate the following file on your computer:
C:\WINDOWS\System32\oobe\csrss.exe
Click the "Submit" button.
Please copy and post (reply) with the results

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustota...l/index_en.html

Please also check the properties of those files (right-click and select Properties from the popup menu). Look if you can find some company information, etc.

STEP 2. <== if the file was found.
======
Submit File to Jotti
Please click on Jotti
Use the "Browse" button and locate the following file on your computer:
shlapiw32.dll
Click the "Submit" button.
Please copy and post (reply) with the results

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustota...l/index_en.html

Please also check the properties of those files (right-click and select Properties from the popup menu). Look if you can find some company information, etc.


STEP 3
======
SpySweeper

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless you are instructed to.


Download the trial version of Spy Sweeper from Here
Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)
You will be prompted to check for updated definitions, please do so.
(This may take several minutes)
Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.
Click on Sweep and allow it to fully scan your system. If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!
When the sweep has finished, click Remove. Click Select All and then Next
From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.
Exit Spy Sweeper.


STEP 4
======
Ewido Trojan Scanner
Please download, install, and update the NEW free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Empty Recycle Bin
Reboot

Please post the results from SpySweeper, ewido and a new hijackthis log.

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.
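Susan's reasoning above, that a file named csrss.exe living outside System32 and a DLL named almost like shlwapi.dll deserve a closer look, can be mechanised. The following Python script is an added example, not part of the thread and not a HijackThis feature: it reads HijackThis-style log lines (a constructed sample copied from the log posted above) and flags the three things a helper checks by eye: O21 SSODL entries, which are loaded by the shell at every logon; core Windows binaries running from a directory other than their expected location; and DLL names that closely resemble a well-known system DLL. The expected-location table and the list of well-known DLL names are assumptions, kept deliberately small.

```python
"""Added example: triage of HijackThis-style log lines.

Flags (a) core Windows binaries running from somewhere other than their
expected directory, (b) O21 SSODL entries, which are loaded by the shell at
every logon and so persist, and (c) DLL names that closely resemble a
well-known system DLL.  The lookup tables are assumptions (XP layout).
"""
import difflib
import ntpath
import re

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\oobe\csrss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O21 - SSODL: Windows Update - {459FA2B2-E4C2-13D4-CA84-03501F45B839} - C:\WINDOWS\System32\oobe\csrss.exe
O21 - SSODL: Battery Monitor - {459352B2-D4CE-13D4-2D78-03501003EF20} - shlapiw32.dll (file missing)
"""

# Expected directory (lower case) of core system binaries on Windows XP -- assumption.
KNOWN_SYSTEM_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Well-known DLL names used for look-alike detection -- assumption, deliberately short.
KNOWN_DLLS = ["shlwapi.dll", "shell32.dll", "kernel32.dll", "user32.dll", "advapi32.dll"]

# A drive-letter path up to the first .exe/.dll extension (copes with spaces in "Program Files").
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)
# A bare file name, as in HijackThis "(file missing)" entries.
BARE_NAME_RE = re.compile(r"\b[\w.-]+\.(?:exe|dll)\b", re.IGNORECASE)


def extract_target(line):
    """Return (directory, filename), lower-cased, for the first file reference
    in a line; directory is None for bare names; (None, None) if no file."""
    m = PATH_RE.search(line)
    if m:
        directory, name = ntpath.split(m.group(0))
        return directory.lower(), name.lower()
    m = BARE_NAME_RE.search(line)
    if m:
        return None, m.group(0).lower()
    return None, None


def lookalike(name):
    """Return the well-known DLL that `name` closely resembles, or None.
    Exact matches are legitimate and are not reported."""
    if name in KNOWN_DLLS:
        return None
    close = difflib.get_close_matches(name, KNOWN_DLLS, n=1, cutoff=0.8)
    return close[0] if close else None


def triage(log_text):
    """Return a list of (severity, line, reason) findings for a log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        directory, name = extract_target(line)
        if name is None:
            continue
        if line.startswith("O21 - SSODL:"):
            findings.append(("high", line,
                             "SSODL entry: loaded by the shell at every logon, rarely present on a clean XP system"))
        expected = KNOWN_SYSTEM_BINARIES.get(name)
        if expected and directory is not None and directory != expected:
            findings.append(("high", line, f"{name} expected in {expected}, found in {directory}"))
        if name.endswith(".dll"):
            twin = lookalike(name)
            if twin:
                findings.append(("medium", line, f"{name} resembles the legitimate {twin}"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Run against the sample it reports five findings: the oobe copy of csrss.exe twice (once as a running process, once as the SSODL target), both SSODL entries, and shlapiw32.dll as a look-alike of shlwapi.dll. The path check deliberately says nothing about names it does not know, so a lean allowlist produces fewer false alarms than a long one.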

#3 Momoka (New Member, 8 posts)

Posted 04 April 2006 - 02:21 PM

Here is the Jotti result for the file C:\WINDOWS\System32\oobe\csrss.exe:

File: csrss.exe
Status: INFECTED/MALWARE
MD5 920bcc2992f53841eeb5c07b44d94a91
Packers detected: UPX
Scanner results
AntiVir Found Heuristic/Trojan.Downloader (probable variant)
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.DownLoader.7828
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.Delf.22 (probable variant)

The properties say that this file is version 5.1.2600.0, and that it's something from Microsoft Corporation.
-----------------------------------------------------------------------------------------------------------------------------
The file shlapiw32.dll was in C:\WINDOWS\system32\shlapiw32.dll

File: shlapiw32.dll
Status: INFECTED/MALWARE
MD5 16cedb0e1352dd9afb06aa31190eac6d
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.DownLoader.7828
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

The properties also tell me that this file is from Microsoft Corporation, version 6.0.2800.1106.
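The two reports above show why a low detection count is not reassurance: three of fifteen engines flagged the UPX-packed csrss.exe and only one flagged the DLL, yet both were later confirmed as malicious. The following Python script is an added example, not a Jotti or forum tool: it parses the report format as posted into a structured record (engine count, per-engine detections, packer, MD5) and derives a verdict that treats a known-bad hash, or any minority of detections, as grounds for suspicion rather than as a clean result. The embedded sample is the csrss.exe report copied from the post; the known-bad hash set holds the two MD5 values reported in this thread.

```python
"""Added example: parse a multi-engine scan report of the kind posted in
this thread and turn it into a verdict.  Not a Jotti or forum tool."""
import re

# Sample report: the csrss.exe result as posted in the thread, one field per
# line (constructed layout; values are those from the post).
CSRSS_REPORT = """
File: csrss.exe
Status: INFECTED/MALWARE
MD5 920bcc2992f53841eeb5c07b44d94a91
Packers detected: UPX
Scanner results
AntiVir Found Heuristic/Trojan.Downloader (probable variant)
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.DownLoader.7828
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.Delf.22 (probable variant)
"""

# MD5 values this thread established as malicious, kept as a small IoC set.
KNOWN_BAD_MD5 = {
    "920bcc2992f53841eeb5c07b44d94a91": "csrss.exe (System32\\oobe copy)",
    "16cedb0e1352dd9afb06aa31190eac6d": "shlapiw32.dll",
}

# "<engine name> Found <result>"; engine names may contain spaces, so match lazily.
ENGINE_RE = re.compile(r"^(?P<engine>.+?) Found (?P<result>.+)$")


def parse_report(text):
    """Return a dict with file name, status, md5, packer list, per-engine
    detections and the number of engines that reported."""
    record = {"file": None, "status": None, "md5": None, "packers": [],
              "detections": {}, "engines": 0}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("File:"):
            record["file"] = line.split(":", 1)[1].strip()
        elif line.startswith("Status:"):
            record["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("MD5"):
            record["md5"] = line.split()[1].lower()
        elif line.startswith("Packers detected:"):
            value = line.split(":", 1)[1].strip()
            record["packers"] = [] if value in ("", "-") else [p.strip() for p in value.split(",")]
        else:
            m = ENGINE_RE.match(line)
            if m:
                record["engines"] += 1
                if m.group("result").strip().lower() != "nothing":
                    record["detections"][m.group("engine")] = m.group("result")
    return record


def verdict(record, known_bad=KNOWN_BAD_MD5):
    """Classify a parsed report.  A known-bad hash wins outright; otherwise
    any detection at all is grounds for suspicion, because a freshly packed
    sample is exactly what most signature engines will miss."""
    if record["md5"] in known_bad:
        return "known-bad", f"MD5 matches {known_bad[record['md5']]}"
    hits, total = len(record["detections"]), record["engines"]
    if hits == 0:
        return "undetected", f"0 of {total} engines; no detection is not proof the file is clean"
    if hits * 2 < total:
        packed = ", ".join(record["packers"]) or "none"
        return "suspicious", f"{hits} of {total} engines, packer: {packed}; treat as malicious pending analysis"
    return "malicious", f"{hits} of {total} engines"


if __name__ == "__main__":
    rec = parse_report(CSRSS_REPORT)
    label, why = verdict(rec)
    print(f"{rec['file']}: {label} ({why})")
    for engine, name in rec["detections"].items():
        print(f"  {engine}: {name}")
```

With the hash set emptied the same report still comes out "suspicious" on three of fifteen engines plus a packer; the point of the threshold is that a minority verdict combined with an odd location (as in the thread) is a reason to escalate to manual analysis, not to wait for more engines to agree.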

#4 Momoka (New Member, 8 posts)

Posted 04 April 2006 - 03:38 PM

Here is the Spysweeper Log

********
10:21 PM: | Start of Session, Wednesday, April 05, 2006 |
10:21 PM: Spy Sweeper started
10:21 PM: Sweep initiated using definitions version 649
10:21 PM: Starting Memory Sweep
10:23 PM: Memory Sweep Complete, Elapsed Time: 00:01:58
10:23 PM: Starting Registry Sweep
10:23 PM: Registry Sweep Complete, Elapsed Time:00:00:11
10:23 PM: Starting Cookie Sweep
10:23 PM: Found Spy Cookie: yieldmanager cookie
10:23 PM: momoka@ad.yieldmanager[1].txt (ID = 3751)
10:23 PM: Found Spy Cookie: pointroll cookie
10:23 PM: momoka@ads.pointroll[2].txt (ID = 3148)
10:23 PM: Found Spy Cookie: falkag cookie
10:23 PM: momoka@as-eu.falkag[2].txt (ID = 2650)
10:23 PM: Found Spy Cookie: burstnet cookie
10:23 PM: momoka@burstnet[2].txt (ID = 2336)
10:23 PM: Found Spy Cookie: wtlive.com cookie
10:23 PM: momoka@dcstest.wtlive[2].txt (ID = 3700)
10:23 PM: Found Spy Cookie: maxserving cookie
10:23 PM: momoka@maxserving[1].txt (ID = 2966)
10:23 PM: Found Spy Cookie: questionmarket cookie
10:23 PM: momoka@questionmarket[2].txt (ID = 3217)
10:23 PM: momoka@sel.as-eu.falkag[1].txt (ID = 2650)
10:23 PM: Found Spy Cookie: tradedoubler cookie
10:23 PM: momoka@tradedoubler[1].txt (ID = 3575)
10:23 PM: Found Spy Cookie: tribalfusion cookie
10:23 PM: momoka@tribalfusion[1].txt (ID = 3589)
10:23 PM: Found Spy Cookie: adshooter cookie
10:23 PM: momoka@www.adshooter[1].txt (ID = 2150)
10:23 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
10:23 PM: Starting File Sweep
10:30 PM: File Sweep Complete, Elapsed Time: 00:07:02
10:30 PM: Full Sweep has completed. Elapsed time 00:09:14
10:30 PM: Traces Found: 11
10:31 PM: Removal process initiated
10:31 PM: Quarantining All Traces: adshooter cookie
10:31 PM: Quarantining All Traces: burstnet cookie
10:31 PM: Quarantining All Traces: falkag cookie
10:31 PM: Quarantining All Traces: maxserving cookie
10:31 PM: Quarantining All Traces: pointroll cookie
10:31 PM: Quarantining All Traces: questionmarket cookie
10:31 PM: Quarantining All Traces: tradedoubler cookie
10:31 PM: Quarantining All Traces: tribalfusion cookie
10:31 PM: Quarantining All Traces: wtlive.com cookie
10:31 PM: Quarantining All Traces: yieldmanager cookie
10:31 PM: Removal process completed. Elapsed time 00:00:01
********
10:18 PM: | Start of Session, Wednesday, April 05, 2006 |
10:18 PM: Spy Sweeper started
10:19 PM: Your spyware definitions have been updated.
10:21 PM: | End of Session, Wednesday, April 05, 2006 |
-----------------------------------------------------------------------------------------------------------------------------
Here is the Ewido Log

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:18:57 PM, 4/5/2006
+ Report-Checksum: C4691730

+ Scan result:

C:\Documents and Settings\Momoka\Cookies\momoka@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Momoka\Cookies\momoka@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Momoka\Cookies\momoka@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Momoka\Local Settings\Temp\Cookies\momoka@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Momoka\Local Settings\Temp\Cookies\momoka@ivwbox[2].txt -> TrackingCookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Momoka\Local Settings\Temp\Cookies\momoka@sento.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup


::Report End
-----------------------------------------------------------------------------------------------------------------------------
And here is a new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:26:16 PM, on 4/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\DiskeeperLite\DKService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\oobe\csrss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D80D988-4459-4B9A-B4F2-4B10384ADE79}: NameServer = 195.50.140.252 195.50.140.114
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: Windows Update - {459FA2B2-E4C2-13D4-CA84-03501F45B839} - C:\WINDOWS\System32\oobe\csrss.exe
O21 - SSODL: Battery Monitor - {459352B2-D4CE-13D4-2D78-03501003EF20} - shlapiw32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\DiskeeperLite\DKService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

I hope I get rid of this thing soon; how did it get onto my system anyway ...

#5 Susan528 (SuperMember, Authentic Member, 3,194 posts)

Posted 05 April 2006 - 07:52 AM

Hello Momoka

http://www.bleepingc...mit-malware.php

I am very suspicious about these files although properties have Microsoft company name.
Please submit these files at the above link.

C:\WINDOWS\System32\oobe\csrss.exe
C:\WINDOWS\system32\shlapiw32.dll

Please use this link for the Link to topic where this file was requested:
http://forums.tomcoy...=0

Browse to the file you want to submit:
C:\WINDOWS\System32\oobe\csrss.exe
C:\WINDOWS\system32\shlapiw32.dll

Leave any comments, further information about this file, or contact information:
For Bobbi Flekman at TomCoyote

Click "Send File" tab.

Please let me know if you sent the above two files.

Edited by Susan528, 05 April 2006 - 07:53 AM.


#6 Momoka (New Member, 8 posts)

Posted 05 April 2006 - 08:55 AM

Hi Susan, I just uploaded these two files at bleepingcomputer.com. It did say that the file was sent; I hope I did it the right way.

#7 Momoka (New Member, 8 posts)

Posted 05 April 2006 - 12:27 PM

I hope Bobbi Flekman got the files I sent; I even see him watching this thread ^^. It would be nice to know if he got the files though, since I am not that sure that I sent the files right (the upload time was so short).

#8 Susan528 (SuperMember, Authentic Member, 3,194 posts)

Posted 05 April 2006 - 02:11 PM

Hello Momoka,

Thank you very much for sending the files. Bobbi received the files and has determined that they are definitely bad. So let's get rid of them.

Disable SpySweeper:
You have SpySweeper installed. While this is a great program, we need to temporarily disable (not uninstall) the program because it might stop our fix.
  • Open it click >Options over to the left then >program options>Uncheck "load at windows startup"
  • Over to the left click "shields" and uncheck all there.
  • Uncheck "home page shield".
  • Uncheck "automatically restore default without notification".
After all of the fixes are complete it is very important that you enable SpySweeper again.

Disable Ewido:
Please disable Ewido, as it may interfere with the fix.
To disable Ewido:
From the system tray:
  • Right-click the system tray icon and uncheck real time protection.
    or From within Ewido -
  • Under 'Your security status', if the real time protection is active, deactivate it by clicking 'real time protection' until the status says 'inactive'.
Once your log is clean you can re-enable Ewido.

Please set your system to show all files; please see here if you're unsure how to do this.

Scan with HijackThis. Place a check against each of the following:
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O21 - SSODL: Windows Update - {459FA2B2-E4C2-13D4-CA84-03501F45B839} - C:\WINDOWS\System32\oobe\csrss.exe
O21 - SSODL: Battery Monitor - {459352B2-D4CE-13D4-2D78-03501003EF20} - shlapiw32.dll (file missing)

Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

Don't delete the good csrss.exe located at C:\Windows\System32\csrss.exe
Don't delete the similarly spelled good file shlwapi.dll in C:\Windows\System32\shlwapi.dll

C:\WINDOWS\System32\oobe\csrss.exe <== file
C:\WINDOWS\web\related.htm <== file
C:\WINDOWS\system32\shlapiw32.dll <== file

Exit Explorer, and reboot as normal afterwards.

Now run this online scan using Internet Explorer:
Kaspersky WebScanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
  • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information from Kaspersky in your next post.


Post back a fresh HijackThis log along with the Kaspersky scan and we will take another look.

#9 Momoka (New Member, 8 posts)

Posted 05 April 2006 - 03:09 PM

Hi, I have a quick question. Do you know what Trojan my PC is infected with? Or is it an unknown one? Will I be able to make my system immune against that Trojan, or at least make it harder for it to get onto my system once more? What would happen if I just reinstalled my Windows XP? Would I get that Trojan right away again, or not? I hope I'm not bothering you with my questions...

#10 Susan528 (SuperMember, Authentic Member, 3,194 posts)

Posted 05 April 2006 - 03:41 PM

Hello Momoka,

Bobbi and others are probably dissecting the files. I do not know anything except they were bad. I think formatting and reinstalling Windows would be a cautious thing when you do not know what has occurred.

When should I re-format? How should I reinstall?

You might want to read the above.

#11 Momoka (New Member, 8 posts)

Posted 05 April 2006 - 06:26 PM

Hi again, it took me about 2 hours to do all that.
I deleted the 3 files in Safe Mode, and they were still gone after restarting in normal mode.
Here is the Kaspersky scan; I copied the Kaspersky window because it didn't want to print a log (due to lack of findings ^^).

The scan is complete.
No malware has been detected. The sections that have been scanned are CLEAN.

Report is empty.
Please note: The free Kaspersky On-line Scanner does not provide comprehensive protection and cannot prevent future infections. It only detects malware that has already penetrated your storage devices. We strongly recommend that you use a fully-functional antivirus solution to protect your computer at all times.

Please wait, this process may take a long time depending on the selected target. If you want to continue browsing, open a new window.

Total number of scanned files: 69161
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 02:00:07
New Scan

Then I did an HJT scan, and here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 2:00:04 AM, on 4/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\DiskeeperLite\DKService.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D80D988-4459-4B9A-B4F2-4B10384ADE79}: NameServer = 195.50.140.252 195.50.140.114
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\DiskeeperLite\DKService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

After I started my PC in normal mode, it didn't do that Internet Explorer minimized-window pop-up, as it did until now. Seems like the hijacker is gone for good ... for now.
The reason I asked for the reinstall was that I am aware this would be useless as long as I don't know for sure WHAT the source of my problem was.
I once had a virus, that Blaster worm ... the one that shut down the Remote Procedure Call (RPC) from Windows ... so that it wants to restart after 1 minute. Back then (what an incident) I got new RAM (upgraded from 384 SDRAM to 1024 DDR) and thought this is maybe because of a RAM failure (aww ... how unfamiliar I was with PC stuff back then ^^). After reinstalling and connecting to the internet, I had that right away again. So I called the store, and they said the RAM should be OK (if the RAM were not OK, my PC would not start), and the guy knew right away that it was a virus. After killing that little brat, I had no problem.
So because of that I don't want to reinstall all the stuff over ... at least as long as I don't know what the problem is. Now I got a new GFX card, sound card and motherboard ... same "game" again ... but this time no virus, this time a Trojan. Nice.

Anyway, I am very, very grateful for your help. Thank you so much.
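The HijackThis log posted above is the kind of artefact a helper triages by hand: autostart entries (O4), the DNS servers the machine has been configured with (O17), installed services (O23) and anything that points at an unusual URL such as `res://`. The following is an added example, not part of the thread and not HijackThis code: a small Python parser for that line format, run over constructed sample lines modelled on the log (the entries, GUID and 192.0.2.x addresses are made up), with a few defender-side heuristics. The heuristics (a start-up command or "Unknown owner" service running from a Temp or profile directory, any DNS server listed for confirmation against the ISP, any `res://` reference listed for review) are assumptions chosen for illustration, not a verdict on what is or is not malware.

```python
import re
from collections import defaultdict

# Constructed HijackThis-style sample (not the thread's own log). Paths, names,
# the GUID and the 192.0.2.x addresses are made up for illustration.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D80D988-0000-0000-0000-000000000000}: NameServer = 192.0.2.10 192.0.2.11
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\DiskeeperLite\DKService.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Helper Service (helpsvc2) - Unknown owner - C:\WINDOWS\Temp\helper.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 body: HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O17_RE = re.compile(r"NameServer = (.*)$")

# Heuristic (an assumption for this example): executables launched from these
# locations deserve a closer look, because installed software rarely lives there.
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")


def parse_hjt(text):
    """Group HijackThis lines by section id (O4, O17, O23, ...)."""
    sections = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return sections


def _in_suspect_dir(path):
    p = path.lower()
    return any(d in p for d in SUSPECT_DIRS)


def autostart_entries(sections):
    """Return (hive, key, name, command) tuples for registry Run entries."""
    out = []
    for body in sections.get("O4", []):
        m = O4_RE.match(body)
        if m:
            out.append(m.groups())
    return out


def dns_servers(sections):
    """Return every NameServer address from O17 lines (space or comma separated)."""
    servers = []
    for body in sections.get("O17", []):
        m = O17_RE.search(body)
        if m:
            servers.extend(m.group(1).replace(",", " ").split())
    return servers


def services(sections):
    """Return (display name, owner, image path) for O23 lines.

    The owner and path are split from the right, so a ' - ' inside the
    display name does not confuse the parser.
    """
    out = []
    for body in sections.get("O23", []):
        if not body.startswith("Service: "):
            continue
        head, _, path = body[len("Service: "):].rpartition(" - ")
        name, _, owner = head.rpartition(" - ")
        out.append((name, owner, path))
    return out


def triage(text):
    """Apply the review heuristics and return human-readable findings."""
    sections = parse_hjt(text)
    findings = []
    for hive, key, name, cmd in autostart_entries(sections):
        if _in_suspect_dir(cmd):
            findings.append(f"O4 autostart '{name}' ({hive}\\{key}) runs from a temp/profile directory: {cmd}")
    for name, owner, path in services(sections):
        # 'Unknown owner' alone is weak (legitimate drivers show it too); combine it with the location.
        if owner == "Unknown owner" and _in_suspect_dir(path):
            findings.append(f"O23 service '{name}' has no owner and runs from a temp/profile directory: {path}")
    for server in dns_servers(sections):
        findings.append(f"O17 DNS server {server}: confirm it belongs to your ISP")
    for sec, bodies in sections.items():
        for body in bodies:
            if "res://" in body.lower():
                findings.append(f"{sec} references a res:// URL, review it: {body}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

On the sample the script lists the Run entry and the service launched from a Temp directory, both constructed DNS servers, and the `res://` context-menu entry; the legitimate "Unknown owner" driver service in system32 is not flagged, which is the point of combining the owner field with the path rather than trusting either alone.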

#12 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 06 April 2006 - 03:57 AM

Hello Momoka,

You need to install the latest Microsoft Updates now that you appear to be clean. From your log, you only appear to have the SP1 (Service Pack 1) installed.

I hope to find out some information about those two files and let you know more. But meanwhile you can do the following:

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


System Restore for Windows XP
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files (you will lose all previous restore points, which are likely to be infected):
  • Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Reboot.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

STEP 2.
======
DON’T BECOME OVERCONFIDENT WITH ANTIVIRUS APPLICATIONS INSTALLED!!!

http://forum.malware...39eba6ea0b5e8ee

Stay up to date on security patches and be extremely wary of clicking on links and attachments that arrive unbidden in instant messages and e-mail.

"The number one thing the majority of the malicious code we're seeing now does is disable or delete anti-virus and other security software," Dunham said. "In a lot of cases, once the user clicks on that attachment, it's already too late."


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Test your Firewall - Please test your firewall and make sure it is working properly.
    Test Firewall

  • Visit Microsoft's Update Site Frequently - It is important that you visit Windows Updates regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.
    A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.
    A tutorial on installing & using this product can be found here:
    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    A tutorial on installing & using this product can be found here:
    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • More info on how to prevent malware can also be found here (by Tony Klein)
    and here: http://wiki.castleco...nt_Re-infection
Follow this list and your potential for being infected again will reduce dramatically.

Thank you for allowing me to assist you.

Susan

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#13 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 06 April 2006 - 08:10 AM

Hello Momoka, I have been told that files were identified as very generic trojans. Your system appears to be clean now. But be sure to do the Microsoft updates!

#14 Momoka

Momoka

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 06 April 2006 - 03:11 PM

Hi Susan, First of all ... these programs are nice, but I can't afford to buy them all :(. Sadly they don't have a version that you don't need to pay for. Spybot Search and Destroy has been on my PC a long time, that's a good proggy ^^. For the Windows updates, I don't like SP2, because it eats up my system performance like candy. I had it once on my system, and all of a sudden it ran 30% slower (maybe even 40%). For the two files, what does it mean that they're "very generic trojans"? I know that a Trojan is software that spies and sends information out into the web, sometimes downloading things to the infected PC. But what does "generic" mean? Would you please explain that to me? Again, thanks for all you've done for me ^^

#15 Susan528

Susan528

    SuperMember

  • Authentic Member
  • PipPipPipPipPip
  • 3,194 posts

Posted 06 April 2006 - 04:04 PM

Hello Momoka,

We use trial programs like ewido, SpySweeper and online virus scans to help clean up a system.

SpySweeper is a good tool for us to use. They have changed it so that one must purchase it to remove what it finds :( . It was not always like that. But it is still useful to give us indications about what is found. We never say that you must purchase these programs. Of course that is what the companies are hoping people will do, and therefore they provide free trials.

Ad-aware and Spybot, certain anti-virus programs and firewalls are free for personal use. I rarely buy any programs myself.

I must rely upon the experts for the information about certain files when I do not know. I was informed that you had a "very generic trojan downloader". Since I have not heard any more information and I asked, you are okay. I thank you for submitting the files.

I am sorry about the SP2 problem but since it provides security patches for Windows, you are more at risk without these installed.

I want you to be aware that there are free anti-virus and firewall applications for personal use.
See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources

For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

Regards,
Susan