Topic: trojan.rootkit.h

Offline trj
trojan.rootkit.h
« on: June 09, 2005, 04:17:03 AM »
I am really hopeless... I don't know how I can explain... I used many antivirus programs such as Norton, McAfee, Kaspersky, Ad-Aware, Avast... and they were not able to remove the file msdirekx.sys. There are some serious problems which I think this trojan causes... I can't run regedit and Task Manager... there are messages popping up and warning about the system... I cannot open my e-mails... and when I am connected to the internet, after a while my computer freezes and I have to restart it...

I did what I was told. I downloaded and saved HijackThis to a folder. I scanned and saved the log. Here's the log...

Logfile of HijackThis v1.99.1
Scan saved at 11:47:33 AM, on 6/9/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Babylon\Babylon.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cenkerdem.com/
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 82.179.166.164 lender-search.com
O1 - Hosts: 82.179.166.165 hot-searches.com
O2 - BHO: LightFrame3IECOM - {43D29D14-460E-4F3A-9037-E60F11EF12F0} - C:\WINDOWS\System32\LightFrame3IECOM.dll
O2 - BHO: WHttpHelper Class - {9896231A-C487-43A5-8369-6EC9B0A96CC0} - C:\WINDOWS\System32\WStart.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\Run: [Babylon Translator] C:\Program Files\Babylon\Babylon.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: LightFrame 3.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINDOWS\System32\xplugin.dll
O20 - AppInit_DLLs: MsgPlusLoader.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

I didn't try to fix anything... and if it is not enough, I scanned with ewido too... the log is...

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         12:10:42 PM, 6/9/2005
 + Report-Checksum:      38295C0F

 + Date of database:      6/9/2005
 + Version of scan engine:   v3.0

 + Duration:            8 min
 + Scanned Files:         19558
 + Speed:            40.56 Files/Second
 + Infected files:         1
 + Removed files:         0
 + Files put in quarantine:      0
 + Files that could not be opened:   0
 + Files that could not be cleaned:   0

 + Binder:      Yes
 + Crypter:      Yes
 + Archives:      Yes

 + Scanned items:
   C:\

 + Scan result:
   C:\configure32.exe/ss.exe -> Trojan.LowZones.d -> Ignored


::Report End

I don't understand why it is shorter than HijackThis'.
There is nothing I can do... I hope I could explain my situation... I'm saying again: it is really hard for me to tell my problem in English... please help me...

PS: sorry about the complication yesterday... It was the same problem and I thought I should post there...

thanks...

Offline guestolo
trojan.rootkit.h
« Reply #1 on: June 12, 2005, 12:55:38 AM »
Can you do the following please

You have no Windows updates so your computer is very vulnerable
We'll try some cleaning, but you must get some protection on your computer

==Download and Install this small program
to help clean your temp folders, cookies, etc...
Windows Cleanup
Give the link time to load or try it twice, it may be busy
Alternate Download link
We'll need this later

==Open Ewido security suite
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later

==Download and UNZIP to desktop Remove1.zip
So you now have remove1.reg on the desktop, we'll need this later
[attachment=259:attachment]

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before windows loads, or use the link
I supplied for a more detailed explanation

In safe mode, do the following
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- Hardware Clock Driver

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
If you see an entry for Msdirectx
Do the same thing, let me know if you see it

Open Hijackthis>>Open Misc tools section>>Open "Delete an NT Service"
In the new box, copy and paste or type the bold entry directly below into the open field and then hit OK
hwclock
Do the same for this entry
Hardware Clock Driver
Exit out

Find and delete these files or folders if found
Exact file names, don't delete something because it looks similar
FILES
C:\WINDOWS\system32\msdirectx.sys <-file
C:\Documents and Settings\<Your User name>\msdirectx.sys
C:\WINDOWS\system32\msconfig32.exe
C:\WINDOWS\system32\msconfg.exe
C:\WINDOWS\System32\xplugin.dll
C:\WINDOWS\System32\hwclock.exe
C:\WINDOWS\System32\vbsys2.dll
C:\WINDOWS\system32\tmksrvu.exe
C:\WINDOWS\nsdb\hosts
C:\configure32.exe/ss.exe
c:\eied_s7.cab
c:\ex.cab

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off when scan is done

==Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report

Double click on remove1.reg and allow to add or Merge to the registry

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cenkerdem.com/ <-if you don't recognize this start page, please check the above entry
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 82.179.166.164 lender-search.com
O1 - Hosts: 82.179.166.165 hot-searches.com

O2 - BHO: WHttpHelper Class - {9896231A-C487-43A5-8369-6EC9B0A96CC0} - C:\WINDOWS\System32\WStart.dll (file missing)

O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe

O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Compaq32 Service Drivers] msconfig32.exe

O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - Startup: PowerReg Scheduler V3.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab

O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINDOWS\System32\xplugin.dll

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll (file missing)

O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart back to Normal mode
Download and Unzip The Hoster to a folder
Open Hoster and
Press "Restore Original Hosts" and press "OK".
Then Exit

Check some of your settings please
  ==Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the Security tab | Custom Level
Check ActiveX security settings:
Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Script ActiveX controls marked safe for scripting (Prompt)

You must get some Windows updates on your computer or you will just get reinfected
Visit this link and for now download and install Service pack 1a
http://www.microsoft.com/windowsxp/downloa...p1/express.mspx
or go directly to Windows updates and install Service Pack 1a if available to you
Restart the computer when prompted

From my signature below
Please run an online virus scan from at least one of links I supplied
Either Panda's>>Trend Micro's >>or BitDefender
Set to Autoclean when possible and save the report when the scan is finished

Run another scan with Hijackthis and post a fresh log
Also post the report from Ewidos full system scan
and the report from the online virus scan
« Last Edit: June 12, 2005, 01:23:58 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
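The entries guestolo ticks in the log above (the hosts file moved out of its default location, hosts entries pointing names at a remote address, Run/RunServices values with a bare filename, DPF packages loaded from file:// URLs, a text/html filter, and an ownerless service whose binary is missing) are the kind of thing a log reader picks out by eye. The following is an added Python triage script, not part of the thread and not HijackThis' own code, that parses that log format and flags the same categories; the sample lines and the heuristics are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Constructed excerpt in HijackThis v1.99.1 log format (same line shapes as the
# log posted above); sample input only, not a log taken from the thread.
SAMPLE_LOG = r"""
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 82.179.166.164 lender-search.com
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINDOWS\System32\xplugin.dll
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
"""

DEFAULT_HOSTS = r"c:\windows\system32\drivers\etc\hosts"  # Windows XP default
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}                 # benign hosts targets
LINE_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")          # "O4 - <body>"
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+):\s+\[(.*?)\]\s+(.*)$")


class Finding(NamedTuple):
    section: str
    reason: str
    line: str


def check(section: str, body: str) -> Optional[str]:
    """Return a triage reason for one log line, or None if nothing stands out."""
    if section == "O1":
        if body.startswith("Hosts file is located at:"):
            path = body.split(":", 1)[1].strip()
            if path.lower() != DEFAULT_HOSTS:
                return f"hosts file relocated to {path} (Tcpip DataBasePath overridden)"
        elif body.startswith("Hosts:"):
            parts = body[len("Hosts:"):].split()
            if len(parts) >= 2 and parts[0] not in LOOPBACK:
                return f"hosts entry redirects {parts[1]} to {parts[0]}"
    elif section == "O4":
        m = RUN_RE.match(body)
        if m:
            key, target = m.group(2), m.group(4).strip('"')
            if key.lower() == "runservices":
                return "RunServices is a Win9x-era key; on XP it is a classic malware marker"
            if "\\" not in target:
                return f"autorun '{target}' has no full path; resolved via search order"
    elif section == "O16" and "file://" in body.lower():
        return "ActiveX package registered from a local file:// URL"
    elif section == "O18" and body.startswith("Filter: text/html"):
        return "MIME filter on text/html can rewrite every page IE renders"
    elif section == "O23" and "Unknown owner" in body and "(file missing)" in body:
        return "service with unknown owner whose binary is missing"
    return None


def triage(log_text: str) -> list:
    """Parse a HijackThis log and return the lines worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        reason = check(m.group(1), m.group(2))
        if reason:
            findings.append(Finding(m.group(1), reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

The heuristics are deliberately noisy (a bare filename in a Run value is legitimate for some vendor drivers, as the ATI and IntelliPoint entries in the log show), so the output is a review list, not a fix list.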


Offline trj
trojan.rootkit.h
« Reply #2 on: June 13, 2005, 04:59:38 AM »
This is the latest log from HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 12:34:23 PM, on 6/13/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Babylon\Babylon.exe
C:\HJT\hijackthis.exe

O2 - BHO: LightFrame3IECOM - {43D29D14-460E-4F3A-9037-E60F11EF12F0} - C:\WINDOWS\System32\LightFrame3IECOM.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [Babylon Translator] C:\Program Files\Babylon\Babylon.exe
O4 - Global Startup: LightFrame 3.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

and the log from ewido

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         12:51:30 PM, 6/8/2005
 + Report-Checksum:      EDB29879

 + Date of database:      6/8/2005
 + Version of scan engine:   v3.0

 + Duration:            9 min
 + Scanned Files:         17390
 + Speed:            31.19 Files/Second
 + Infected files:         21
 + Removed files:         20
 + Files put in quarantine:      20
 + Files that could not be opened:   0
 + Files that could not be cleaned:   1

 + Binder:      Yes
 + Crypter:      Yes
 + Archives:      Yes

 + Scanned items:
   C:\

 + Scan result:
   C:\configure32.exe/ss.exe -> Trojan.LowZones.d -> Error during cleaning
   C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\Administrator\Cookies\administrator@bluestreak[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\aYk!R!\Cookies\ayk!r!@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\aYk!R!\Cookies\ayk!r!@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\aYk!R!\Cookies\ayk!r!@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\aYk!R!\Cookies\ayk!r!@landing.domainsponsor[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\aYk!R!\Cookies\ayk!r!@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\aYk!R!\Local Settings\Temp\Cookies\ayk!r!@bluestreak[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\aYk!R!\Local Settings\Temp\Cookies\ayk!r!@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
   C:\Documents and Settings\aYk!R!\msdirectx.sys -> Trojan.Rootkit.h -> Cleaned with backup
   C:\WINDOWS\system32\bot.exe -> Backdoor.Agobot -> Cleaned with backup
   C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WWWHQJJD\bot[1].exe -> Backdoor.Agobot -> Cleaned with backup
   C:\WINDOWS\system32\scvhost.exe -> Backdoor.Agobot -> Cleaned with backup
   C:\WINDOWS\system32\TCPService2.exe -> Backdoor.Agent.bc -> Cleaned with backup
   C:\WINDOWS\system32\tksrv99.exe -> TrojanDownloader.Esepor.ac -> Cleaned with backup
   C:\WINDOWS\system32\uc1362.exe -> TrojanDownloader.Small.aqw -> Cleaned with backup
   C:\WINDOWS\system32\ucsi.exe -> Backdoor.Agent.bc -> Cleaned with backup
   C:\WINDOWS\system32\ucsl.exe -> TrojanDownloader.Small.aom -> Cleaned with backup
   C:\WINDOWS\system32\__delete_on_reboot__WStart.dll -> Backdoor.Agent.bc -> Cleaned with backup


::Report End



I couldn't run those online scans... the computer froze again... I can't stay on the internet for a long time...
and the taskbar appears like safe mode... just the taskbar... although I restart in normal mode again, it still appears like safe mode...

and one more thing... ewido didn't find anything, but there are files in the quarantine folder... does it matter?


and thank you very very much :D

Offline guestolo
trojan.rootkit.h
« Reply #3 on: June 13, 2005, 07:59:37 PM »
Can you do me a favor please
That scan is awfully quick that you did with Ewido
It did fix some entries as you can see in the log
But this tells me the database is a bit out of date
Date of database: 6/8/2005
Can you go back and ensure you check for updates
If you have trouble downloading the updates
Visit their site here and download and install the latest updates
http://www.ewido.net/en/download/updates/

Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- ScriptBlocking Service

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled

Next
Open Killbox>>Copy and paste the bold line below into the Full path of file to delete
C:\configure32.exe/ss.exe
Choose the radio button to Delete on Reboot
Then click the Red Circle with the White X
At the prompt to Delete on Reboot>>Say yes
To reboot now>>say yes
or restart manually
Please restart into safe mode

Run a FULL system scan with Ewido again>>SAVE the log afterwards
Let it finish

Restart back to Normal mode

Can you do the following

Access your Internet options via Control Panel
# Click the Security tab.
# Click the Internet Icon.
# Click Default Level.
# Click the Local Intranet Icon.
# Click Sites.
# Remove any Web sites from the list that you do not recognise or do not trust.
# Click Default Level.
# Click the Trusted sites Icon.
# Click on Sites.
# Remove any Web sites from the list that you do not recognise or do not trust.
# Click Default Level.
# Click the Restricted sites Icon.
# Click on Sites.
# Remove any Web sites from the list that you want to have access to.
# Click Default Level on lower right corner of the window.
# Click OK on lower right corner of the window.

Next: You updated Internet Explorer to Service pack 1 but you didn't update Windows
Can you return to Windows updates and, excluding Service Pack 2, download all other Critical updates
Restart the computer when prompted and return to Windows updates and look for any others
Not including Service pack 2 or Recommended updates for now

Afterwards

Come back here
I would like to check on a few things
Download:  Registry Search Tool from this link
http://billsway.com/vbspage/

Unzip and double-click "RegSrch.vbs"
Note: if your Antivirus or another program prompts about running a ".vbs" file, allow the script to run

In the open field copy and paste the below in bold then hit OK
msdirectx

Wait for the results and post them back here
Do the same for this one too
msconfig32.exe

Could you also
Open Hijackthis>>Open Misc tools section
To the right of Generate a startup list
Put a check in "List all minor sections (full)"
and "List empty sections (Complete)"
Then
Click the Generate startup list and post the whole list here

Include the new Ewido report too

Could you let me know what Anti-Virus software you have decided to use
Only use one, more than one can cause conflicts and instability
« Last Edit: June 13, 2005, 08:04:54 PM by guestolo »
