
Test After A Troublesome Adaware And Zonealarm Install


24 replies to this topic

#16 bobberles (Authentic Member, 26 posts)

Posted 23 July 2007 - 04:23 AM

Hi shelf life,

Sorry about the delay; I've been out of town a few days. Everything looks good except for this item. In your 16 July post, last item:

> open hjt, click on --open misc tools section
> click on-- delete a file on reboot
> in the --file name window: copy/paste: C:\WINNT\System32\FC4ABA24.DLL
> click--open button. at the prompt to reboot select yes.

I could not delete that item 'FC4ABA24.DLL' because it was not in the location specified. It used to be there (see previous posts) but now it is in Services as follows:

Name: 6F0D0C5E
Description: FC4ABA24
Startup Type: Disabled
Log on as: LocalSystem

I disabled it but I can't find a way to delete the entire entry. Can you educate me?

Bob



#17 shelf life (SuperMember, Visiting Fellow, 3,191 posts)

Posted 23 July 2007 - 08:27 PM

hi bobberles, i thought the f-secure scan took care of that thing. are you trying to delete it out of the system32 dir by using hjt delete a file on reboot? i think it's gone, can you post another hjt log please. shelf life
How Can I Reduce My Risk?

#18 bobberles (Authentic Member, 26 posts)

Posted 24 July 2007 - 07:14 AM

Hi shelf life,

No, I'm NOT trying to delete it out of system32, because it is not there. As I said in my last post, it is in Services and it is disabled. What concerns me is that its 'path to executable' there is C:\WINNT\system32\1639E8CD.EXE -a; even though there is no 1639E8CD.EXE anywhere in the system. I believe that 1639E8CD.EXE was the bad guy, right? Well, he's gone; but it seems to me that FC4ABA24 is still lurking there waiting for another call to do its dirty work and I can't see any reason to have it around. So I would like to delete it but I can't find how to do it.

So, rather than risk screwing up something I know nothing about, I called on you again. I hate to be a pest but my knowledge of this part of computers is very thin.

Here's the HJT log:
--------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 5:44:16 AM, on 7/24/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\RunDll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINNT\StartupMonitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Hijackthis\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arkansas....c1c79145c02da20
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1170259838203
O16 - DPF: {E735FF6D-53C6-4C4D-BDC0-26CB90EE6C88} (setup_assistant.SetupAssistant) - https://oracle.anc.n...p_assistant.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O20 - Winlogon Notify: avgwlntf - C:\WINNT\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

#19 shelf life (SuperMember, Visiting Fellow, 3,191 posts)

Posted 24 July 2007 - 05:10 PM

hi bobberles,

you're not being a pest, that's what we are here for.

> So I would like to delete it
> FC4ABA24

i think f-secure took care of that. as long as the service is stopped and startup is disabled it should be ok. if you can't find it that's good. that services.msc panel may point to a service that's gone and the entry is a left over

SDfix is good for "bad" services. let's try running it: (about a 1MB file size)

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
shelf life
How Can I Reduce My Risk?

#20 bobberles (Authentic Member, 26 posts)

Posted 24 July 2007 - 08:50 PM

Hi shelf life,

Here is the SDFix Report.txt, followed by the HJT log:

=============================
SDFix: Version 1.93

Run by Bob Berles on Tue 07/24/2007 at 9:27p

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINNT\system32\TFTP684 - Deleted



Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\WINNT\system32\config\SECURITY.tmp.LOG
C:\WINNT\system32\config\SOFTWARE.tmp.LOG
C:\WINNT\system32\config\SYSTEM.tmp.LOG
C:\WINNT\system32\config\DEFAULT.tmp.LOG
C:\WINNT\system32\config\SAM.tmp.LOG

Finished
=============================
Logfile of HijackThis v1.99.1
Scan saved at 9:35:27 PM, on 7/24/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\UPHClean\uphclean.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINNT\StartupMonitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arkansas....c1c79145c02da20
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1170259838203
O16 - DPF: {E735FF6D-53C6-4C4D-BDC0-26CB90EE6C88} (setup_assistant.SetupAssistant) - https://oracle.anc.n...p_assistant.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84CD0A23-BEC1-48DE-8976-26C6102AB5C9}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: avgwlntf - C:\WINNT\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
=============================

The Services entry now shows 为系统提供加速启动功能(d-sp1)。 in the 'Description' column, replacing the 'FC4ABA24' that used to be there. I suppose that about wraps it up, eh?

Bob

#21 shelf life (SuperMember, Visiting Fellow, 3,191 posts)

Posted 25 July 2007 - 04:57 PM

hi bobberles,

> shows 为系统提供加速启动功能(d-sp1)。 in the 'Description' column,

not sure what to make of that. what's it say in the name column? service is stopped and startup type is disabled right? avg flagging anything? what happened to your zone alarm firewall?

shelf life
How Can I Reduce My Risk?

#22 bobberles (Authentic Member, 26 posts)

Posted 25 July 2007 - 08:06 PM

Hi shelf life,

Name column: 6F0D0C5E
Service: Stopped
Startup: Disabled

Do you want me to try SDFix again? I don't know what you mean by AVG "flagging" something. I can't find anything that says that. I made two complete scans today; neither found any threats.

Zone Alarm installation has been on hold until I get this Trojan stuff cleaned up. That may sound like a stupid thing to do, but I had a very frustrating time trying to get it installed because the License Key would not be accepted. In correspondence with ZA they said to download the software again. But that was at a time when we were having almost constant intermittent thunderstorms and I would have to shut down and unplug whenever one was near. When a download takes 4-1/2 hours, and the storms come every 2 or 3 hours, that's a waste of time. So I waited until the CD that I ordered arrived, and that was late. So I'm eager to get this job finished; then I'll get on the Zone Alarm. It is SO MUCH fun to work with dialup!

Bob

#23 shelf life (SuperMember, Visiting Fellow, 3,191 posts)

Posted 26 July 2007 - 04:51 PM

hi bobberles,

> AVG "flagging" something

i meant if it was finding anything during a scan like it was earlier, but you already answered the question: "I made two complete scans today; neither found any threats."

yes you could run SDfix again, wouldn't hurt. could try this:

find the service name like this:

type services.msc in Run on the Start Menu and then double click the Display Name of the service (6F0D0C5E). at the top you should see Service name:
write down the name. close the window

go back to run>start> and type in cmd then click enter. at the shell prompt type in:

sc delete [service name that you wrote down], then enter. for example:

under name column in the services.msc panel if you double click on Help and Support you see the service name is: helpsvc
at the prompt you would type: sc delete helpsvc

------------------------------------------
i was wondering about zone alarm to see if it was asking for any new or weird processes that might be asking for an internet connection.
i really think you're free of malware now.

shelf life
How Can I Reduce My Risk?
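As an added example that is not part of this thread, here is a PowerShell script (for a current Windows version, run from an elevated prompt) that automates the check shelf life describes: it lists services whose registered executable no longer exists on disk, which is exactly the state 6F0D0C5E was in once 1639E8CD.EXE had been removed, and deletes a confirmed, stopped one with sc.exe delete. The function names are my own.

```powershell
# Added example (not from the thread): find services whose registered
# executable is missing, as with 6F0D0C5E pointing at the deleted
# C:\WINNT\system32\1639E8CD.EXE -a. Assumes a current Windows version
# with PowerShell and an elevated prompt.

function Get-ServiceImagePath {
    # Extract the executable path from a Win32_Service PathName, which may be
    # quoted ("C:\Program Files\x\y.exe" -k foo) or unquoted with arguments
    # (C:\WINNT\system32\1639E8CD.EXE -a).
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    # Unquoted: the path ends at the first space-separated prefix ending in
    # .exe, so unquoted paths that contain spaces are still handled.
    $acc = ''
    foreach ($token in ($p -split ' ')) {
        $acc = if ($acc) { "$acc $token" } else { $token }
        if ($acc -match '\.exe$') { return $acc }
    }
    return ($p -split ' ')[0]
}

function Get-OrphanedService {
    # Report every service whose image path does not exist on disk.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $image = Get-ServiceImagePath $_.PathName
        if (-not $image) { return }
        $expanded = [Environment]::ExpandEnvironmentVariables($image)
        if (-not (Test-Path -LiteralPath $expanded -PathType Leaf)) {
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                State       = $_.State
                StartMode   = $_.StartMode
                ImagePath   = $expanded
            }
        }
    }
}

function Remove-OrphanedService {
    # Delete one service by its short Service name (not the Display name),
    # the same thing "sc delete helpsvc" above does. Inside PowerShell "sc"
    # is an alias for Set-Content, so the external sc.exe is called explicitly.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service | Where-Object Name -eq $Name
    if (-not $svc) { throw "No service named '$Name'" }
    if ($svc.State -ne 'Stopped') { throw "Stop '$Name' before deleting it" }
    if ($PSCmdlet.ShouldProcess($Name, 'sc.exe delete')) {
        & sc.exe delete $Name
    }
}

Get-OrphanedService | Format-Table -AutoSize
# After reviewing the list by hand:  Remove-OrphanedService -Name 6F0D0C5E
```

Review the list before deleting anything: a missing executable can also be an uninstaller's harmless leftover, and the Display Name seen in services.msc is not always the same as the short Service name that sc.exe delete expects.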

#24 bobberles (Authentic Member, 26 posts)

Posted 26 July 2007 - 06:58 PM

Hi shelf life,

Well, first of all, I reinstalled ZoneAlarm Pro today. I guess their load balancer problem has been resolved because I had no install problems at all. It even went a lot faster. Then I ran a check with Steve Gibson's ShieldsUp. Everything was in Full Stealth Mode.

In Services.msc, Service Name is same as Display Name: 6F0D0C5E. And "sc delete 6F0D0C5E" worked perfectly; it is now gone!

I know I said this once before, too early, but I also think all is well now. I thank you very much for your help, for the education you gave me, and especially for your patience. And I will be digging into your "A Guide to Malware Removal."

Best regards to you,
Bob

#25 shelf life (SuperMember, Visiting Fellow, 3,191 posts)

Posted 29 July 2007 - 02:12 PM

hi bobberles, good, glad to help out. happy safe surfing out there. shelf life
How Can I Reduce My Risk?
