TheTechGuide Forum
General Category => Tech Clinic => Topic started by: physicsforfun on March 26, 2005, 01:39:11 PM
-
I have the Daosearch problem. it takes ofer the IE home page and generates popups, etc.
Here is the Hijack This log file:
Logfile of HijackThis v1.99.1
Scan saved at 12:32:57 PM, on 3/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\Services\{5B82D30B-2BC0-40A2-91CF-A0410FFE30B3}\SVCHOST.EXE
C:\windows\system32\taskmg.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Paul\Desktop\software stuff\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway (http://\"http://www.dell4me.com/myway\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=585&said=nicket_a (http://\"http://daosearch.com/index.php?id=585&said=nicket_a\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway (http://\"http://www.dell4me.com/myway\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp (http://\"http://channels.aimtoday.com/search/aimtoolbar.jsp\")
O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [MoreResults] C:\Program Files\MoreResults\MoreResults.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{5B82D30B-2BC0-40A2-91CF-A0410FFE30B3}\SVCHOST.EXE
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\Run: [mshelp32] C:\WINDOWS\System32\mshelp32.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029 (http://\"http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029\")
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C.../bridge-c11.cab (http://\"http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c11.cab\")
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab (http://\"http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab\")
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/instal...edsolutions.cab (http://\"http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab\")
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?319 (http://\"http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?319\")
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab (http://\"http://216.249.24.60/code/iPIX-ImageWell-ipix.cab\")
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: Netbcrypt - {6AB59A18-C872-47AB-AEC0-6B99ECDF8CE5} - C:\WINDOWS\System32\biosipx.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
I think the culprits are:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=585&said=nicket_a (http://\"http://daosearch.com/index.php?id=585&said=nicket_a\")
and
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{5B82D30B-2BC0-40A2-91CF-A0410FFE30B3}\SVCHOST.EXE
but there may be other problems too. "(file missing)", etc.
please advise on course of action and any tips on how to flag the stuff that needs to be "fixed" would be useful.
Thanks
-
Before we attemp any fixes
Can you do me a favor
Can you also go to this site please
Give this site time to load
Jotti's Online Malware scan (http://\"http://virusscan.jotti.org/\")
Use the browse button and navigate to this file on your hard drive
C:\WINDOWS\System32\biosipx.dll<--this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please, just the scanner results
You may have to
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
-
here are the results of the scan:
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
-
Did you try searching for the file on your hard drive???
You have to use the BROWSE button and manually navigate to the file
C:\WINDOWS\System32\biosipx.dll
Right click on it and select it and then use the SUBMIT button
You can't just copy and paste the info, you must look for the file on your hard drive
I believe it's bad, I just want a double check
-
I can find the file on my hard drive in the location you specify. If I right click and go to properties I find that it has the following size:
1.01 MB (1,064,960 bytes)
When I go to the Jotti online malware scan, I use the browse method for uploading and I get the message I returned to you in the previous post.
I am not sure what you are asking me to do. It looks like something is blocking it from uploading??
-
For the record, I also disabled my Zonealarm Pro firewall and tried again following the Browse, select, submit prtocol you specified. I got the same result, so something is prventing the upload process to Jotti's site.
-
Let's try this
Do another scan with Hijackthis and put a check next to these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://daosearch.com/index.php?id=585&said=nicket_a (http://\"http://daosearch.com/index.php?id=585&said=nicket_a\")
O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [MoreResults] C:\Program Files\MoreResults\MoreResults.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{5B82D30B-2BC0-40A2-91CF-A0410FFE30B3}\SVCHOST.EXE
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\Run: [mshelp32] C:\WINDOWS\System32\mshelp32.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029 (http://\"http://bar.mywebsearch.com/menusearch.html?p=ZSzeb029\")
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971C.../bridge-c11.cab (http://\"http://static.windupdates.com/cab/6247971C.../bridge-c11.cab\")
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab (http://\"http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab\")
O21 - SSODL: Netbcrypt - {6AB59A18-C872-47AB-AEC0-6B99ECDF8CE5} - C:\WINDOWS\System32\biosipx.dll
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Access your Add/Remove Programs and remove if found
MoreResults
Media Access
Security iGuard
Restart your computer
Back in Windows
Find and delete these files or folders if found
c:\windows\system32\taskmg.exe <--file, CAREFUL, there is a legit taskmgr.exe<<Don't delete this file
C:\WINDOWS\System32\mshelp32.exe <-file
C:\Program Files\Common files\updmgr <-folder
C:\WINDOWS\System32\Services\{5B82D30B-2BC0-40A2-91CF-A0410FFE30B3} <-folder
C:\Program Files\Media Access <-folder
C:\Program Files\Security iGuard <-folder
C:\Program Files\MoreResults <-folder
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://\"http://www.lavasoftusa.com/support/download/\")
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to finish the cleaning process
Back in Windows
Do another scan with Hijackthis and post back a fresh log
Could you also let me know what else you see in this folder
C:\WINDOWS\System32\Services <--this folder
Just to ensure you did that Online Malware scan properly
Go back to Jotti's Online Malware scan
Use the BROWSE button
From the top Drop down Bar select MY COMPUTER
Double click your C: drive
Double click WINDOWS
Double click SYSTEM32 folder
Look for biosipx.dll
Right click on it and SELECT it
Then at Jotti's use the SUBMIT button
Wait for the scanner results and post them back here
-
Did what you asked.
REQUEST #1 Here is new logfile from HJT:
Logfile of HijackThis v1.99.1
Scan saved at 3:45:40 PM, on 3/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Paul\Desktop\software stuff\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway (http://\"http://www.dell4me.com/myway\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway (http://\"http://www.dell4me.com/myway\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp (http://\"http://channels.aimtoday.com/search/aimtoolbar.jsp\")
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/instal...edsolutions.cab (http://\"http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab\")
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?319 (http://\"http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?319\")
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab (http://\"http://216.249.24.60/code/iPIX-ImageWell-ipix.cab\")
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
REQUEST#2
In the C:\windows\system32\services folder I found one folder called:
{114F0B72-5C3C-4226-A821-FFB86ADA3410}
within this folder were the files:
SVCHOST32.DLL SVCHOST.EXE SVCHOST.DLL Update.exe
REQUEST#3
Here are the new results from Jotti's Online malware scan:
Jotti's malware scan 2.42
File to upload & scan:
Service load: 0% 100%
File: biosipx.dll
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: -
AntiVir No viruses found
Avast No viruses found
AVG Antivirus No viruses found
BitDefender No viruses found
ClamAV No viruses found
Dr.Web No viruses found
F-Prot Antivirus No viruses found
Fortinet No viruses found
Kaspersky Anti-Virus No viruses found
mks_vir No viruses found
NOD32 No viruses found
Norman Virus Control No viruses found
Statistics
Last piece of malware found was Win32/Prorat.19 in server.exe, detected by:
Scanner Malware name
AntiVir X
Avast X
AVG Antivirus BackDoor.Prorat.2.BC
BitDefender Backdoor.Prorat.19
ClamAV X
Dr.Web BackDoor.ProRat
F-Prot Antivirus W32/Prorat.AK@bd
Fortinet W32/Prorat.I-tr
Kaspersky Anti-Virus Backdoor.Win32.Prorat.19.i
mks_vir Trojan.Prorat.19.I
NOD32 Win32/Prorat.19
Norman Virus Control X
Service statistics:
2762 files (2293 of those unique) have been uploaded & scanned since 24/03/2005, the day of the last database purge.
715 of those 2293 files contained a virus or any other form of malware.
This page has been visited 6063 times in this time period.
This service managed to spot 70 pieces of malware no vendor used knew about at the time of uploading.
The service also warned against 1297 suspicious files without any help from scanner results.
However, 4 files reported to be OK were found out to be malware later (this is checked daily).
As far as can be told, all this together makes this service 99.83% accurate. However, since it is very well possible malware has been uploaded no scanner knows about at this time, this number is to be taken with a proper amount of skepticism.
No I am not sitting still! A new, better version of this service is being developed.
If you have suggestions and/or comments, please send me them!
Most popular malware:
Rank Malware name Uploaded Last known filename
1 trojan.spy.agent.y 19 times TradeScam2.rar
2 win32.mydoom.1.gen@mm 16 times readme.pi_
3 worm/procil.a.1 15 times Runescape Autoseller.exe
4 tr/sckeylog.h 12 times Aimbot.zip
5 trojan.muldrop.1679 9 times server.exe
6 behaveslike:trojan.lowzones 9 times IELower.exe
7 backdoor.rbot.7c6c7cdc 9 times drxBot.exe
8 trojan-downloader.win32.qoologic.i 8 times ssippib.dll
9 w32/mewpacked.gen 8 times Copy of Project1.exe
10 win32:trojan-gen. {other} 8 times Sphack.zip
11 behaveslike:trojan.downloader 7 times inst.rar
12 modification of win32.radix.24576 7 times Gunbound AimBot.exe
13 trojan.downloader.kaos_webdl.1.0 7 times kaos_srv.exe
14 worm/zusha.a 7 times Zusha.A.rar
15 worm/rbot.316497 7 times FastStop.exe
Virus definitions are updated every hour. Please do not upload tons of megabytes to this online scanner and download a decent anti virus package yourself. There is a 5Mb limit per file. Use this if you need to be sure a file is uninfected and you don't trust your own environment. Really abusive people will get a nice iptables -j DROP rule on this machine, which is not available in your local store.
ABUSE OF THIS SERVICE (INCLUDING UPLOADING DELIBERATELY MODIFIED -PACKED/ENCRYPTED/BYTESWAPPED- VERSIONS OF THE SAME SAMPLE) WILL RESULT IN AN IP BAN.
Please do not ask for any of these viruses, unless you work for an anti-virus vendor. They are not for trade.
Changelog - Frequently Asked Questions
Feedback/comments/questions/false positive reports
Copyright © Jordi Bosveld 2004-2005
WHAT NEXT?
-
Go ahead and delete this folder, it's part of the infections
{114F0B72-5C3C-4226-A821-FFB86ADA3410}
Also, could you navigate to this file
C:\WINDOWS\System32\biosipx.dll
Right click on biosipx.dll and Rename it too biosipx.dl_
Afterwards, go back and Hide Hidden files and folders
If you find no problems after renaming the file, in about a week, go ahead and delete it
Make sure you clean your Temp folders
START>>RUN>>Type in cleanmgr
Hit OK
Ensure Temp and Temp Internet files are checked
Let this finish, even if it appears to freeze for a minute
If everything is running better
You should clear your System Restore points
disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://\"http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm\")
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://\"http://www.bleepingcomputer.com/forums/index.php?showtutorial=53\")
Download link (http://\"https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD\")
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection