Forums » Up and Running » Security » Security » Another Virus/Hijack Removal Problem


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL


reply to hgratt
Re: Another Virus/Hijack Removal Problem

Your problem is this:

Transponder - Ceres Variant
doxdesk.com/parasite/Transponder.html

That page contains information on additional components that may have been installed, and you should check whether any of the additional files/registry entries need to be removed, as not all of them are visible in the HijackThis log.

This particular variant we have seen comes bundled with a fresh install of Morpheus, in which case you should caution your friend about spyware-infested programs and about taking care when downloading files from the internet.

Adaware SE v. 1.05 with the most recent updates does have detection for this. Please make sure you have the latest version and updates; the latest definitions as of Jan 11 are SE1R25 11.01.2005.

The Transponder DLL lives in the Windows folder. Before it can be deleted, it must be deregistered. Open a Command Prompt window (from Start->Programs->Accessories; called DOS prompt on Windows 95/98/Me) and enter the following command:

for the Ceres variant:
    cd "%WinDir%\System"
    regsvr32 /u ..\Ceres.dll

Then, boot the PC into SAFE MODE, scan with HijackThis and checkmark the following entries and press *fix checked*

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = home.iwon.com/index_gen.html

O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE028.DLL

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL

O4 - HKLM\..\Run: [efjorvjqpwms] C:\WINDOWS\SYSTEM\vytlkzc.exe

O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE028.DLL

O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - download.sidestep.com/get/k22675/sb028..

Remain in safe mode and delete the following files (if found):

SBCIE028.DLL

C:\WINDOWS\CERES.DLL

C:\WINDOWS\SYSTEM\vytlkzc.exe

Also check your system for a file named buddy.exe. If found, delete it too.

Reboot back into normal mode and scan again with HijackThis and post a fresh log.

You should make sure Adaware is updated and scan with it as well, since it may find more entries as well.

Be sure to visit the doxdesk parasites page linked above to see what other entries you may need to search and destroy on the system related to the Ceres variant.

Note:
System Soap Pro has been reported to come with foistware, and it is generally recommended to avoid using that program.
See the description here:
www.liutilities.com/products/win···ry/soap/

--
It takes a disaster to make a woman out of a female

Gladiator Security Forum


Proud Member of ASAP (Alliance of Security Analysis Professionals)
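The checks in the post above, turned into a script. This is an added example, not code from the thread and not part of HijackThis: it parses HijackThis log lines, flags the CLSIDs and file names CalamityJane lists, and emits the deregister-then-delete commands the post describes (`regsvr32 /u` before `del`, because a BHO DLL is re-loaded by every Explorer/IE instance until its COM registration is gone). The two sample logs are constructed from lines quoted in this thread; the orphaned-BHO rule ("(no file)" entries) and the wording of the reasons are assumptions of this example, not from the post. The script runs anywhere Python does; you would point it at a log saved from the infected machine.

```python
"""Triage a HijackThis log against the indicators named in the removal post.

Added example: not part of the thread and not HijackThis code. The CLSIDs and
file names come from CalamityJane's instructions; the sample logs are
constructed from lines quoted in this thread, and the orphan-BHO rule is an
assumption of this example.
"""
import re

# CLSIDs the post tells hgratt to fix (O2 BHO, O9 button and O16 DPF entries).
BAD_CLSIDS = {
    "{00000049-8F91-4D9C-9573-F016E7626484}",  # CeresObj Class (Transponder/Ceres BHO)
    "{D714A94F-123A-45CC-8F03-040BCAF82AD6}",  # unnamed BHO backed by SBCIE028.DLL
    "{3E230861-5C87-11D3-A1C6-00105A1B41B8}",  # SideStep extra button
    "{0837121A-6472-43BD-8A40-D9221FF1C4CE}",  # SideStep ActiveX download (O16)
}
# Files the post says to delete in safe mode, matched by name, case-insensitively.
BAD_FILES = {"SBCIE028.DLL", "CERES.DLL", "VYTLKZC.EXE", "BUDDY.EXE"}

HJT_LINE = re.compile(r"^(R\d|F\d|N\d|O\d+) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
FILE_PAT = re.compile(r"(?<![\w.])(" + "|".join(map(re.escape, sorted(BAD_FILES)))
                      + r")(?![\w.])", re.IGNORECASE)

# Constructed from the entries CalamityJane listed (the O16 URL is truncated as on the page).
INFECTED_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = home.iwon.com/index_gen.html
O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE028.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [efjorvjqpwms] C:\WINDOWS\SYSTEM\vytlkzc.exe
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\SBCIE028.DLL
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - download.sidestep.com/get/k22675/sb028..
"""

# Constructed from hgratt's follow-up log, which CalamityJane called clean.
CLEAN_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = my.iwon.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
"""


def extract_path(code, rest):
    """Return the file an O2/O9/O4 entry points at, or None for '(no file)' / other types."""
    if code in ("O2", "O9"):
        tail = rest.rsplit(" - ", 1)[-1].strip()
        return None if tail == "(no file)" else tail.strip('"')
    if code == "O4":
        m = re.search(r"\]\s*(.+)$", rest)
        return m.group(1).strip().strip('"') if m else None
    return None


def triage(log_text):
    """Return the log lines a cleaner should checkmark in HijackThis, with reasons.

    R0/R1 start-page entries are deliberately not judged here: the post reset
    home.iwon.com by hand, while the clean follow-up log still has an iwon start
    page, so that call is left to the person reading the log.
    """
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # header, process list, blank line
        code, rest = m.groups()
        reasons = []
        if code == "O2" and rest.endswith("(no file)"):
            reasons.append("orphaned BHO registration (DLL already gone)")
        if any(c.upper() in BAD_CLSIDS for c in CLSID.findall(rest)):
            reasons.append("CLSID named in the removal instructions")
        fm = FILE_PAT.search(rest)
        if fm:
            reasons.append(f"references {fm.group(1).upper()}, listed for deletion")
        if reasons:
            findings.append({"code": code, "line": raw.strip(),
                             "path": extract_path(code, rest), "reasons": reasons})
    return findings


def removal_commands(findings):
    """The manual cleanup the post describes, as command-prompt lines for safe mode:
    deregister each BHO DLL with regsvr32 /u before deleting it, then delete each
    flagged file once. Absolute paths are used; the post's ..\\Ceres.dll from
    %WinDir%\\System names the same file."""
    cmds, seen = [], set()
    for f in findings:
        path = f["path"]
        if not path or path.upper() in seen:
            continue
        seen.add(path.upper())
        if path.upper().endswith(".DLL"):
            cmds.append(f'regsvr32 /u "{path}"')
        cmds.append(f'del "{path}"')
    return cmds


if __name__ == "__main__":
    hits = triage(INFECTED_LOG)
    for h in hits:
        print(h["code"], "|", "; ".join(h["reasons"]), "|", h["line"])
    print("\n".join(removal_commands(hits)))
    print("clean log findings:", triage(CLEAN_LOG))
```

Entries flagged only as "orphaned" have no file to delete; fixing them in HijackThis just removes the dead registry key. Anything the script does not flag is not thereby clean: the post's advice to check the doxdesk page for components that never appear in a HijackThis log still applies.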

hgratt

join:2003-12-09
Plano, TX

All right! The de-registration seems to have done it and allowed me to proceed successfully with your instructions.

Thanks for all the help. Hopefully this will last.

Here is the latest HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 5:04:28 PM, on 1/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ATI2PLXX.EXE
C:\PROGRAM FILES\EASY INTERNET\ENCMONTR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\PROGRAM FILES\TIOGA\CLIENT\BIN\TGCMD.EXE
C:\TOSHIBA\IVP\ISM\PINGER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.EXE
C:\PROGRAM FILES\TECH\WHEEL MOUSE\5.0\MOUSE32A.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\A2\A2GUARD.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\INTERSIL\PRISM 802.11 WIRELESS LAN\CONFIG.EXE
C:\PROGRAM FILES\LINKSYS\WIRELESS-B NOTEBOOK ADAPTER\WPC11CFG.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = my.iwon.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [TgAddServer] "C:\Program Files\tioga\Client\bin\tgfix.exe" /fds "http://vtsupport.answerteam.com/global"
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\tioga\Client\bin\tgcmd.exe" /nosystray
O4 - HKLM\..\Run: [tgsetsite] "C:\Program Files\tioga\Client\bin\tgfix.exe" /i /f "C:\Program Files\tioga\client\bin\toshibasup.dna"
O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
O4 - HKLM\..\Run: [mgavrtclexe] c:\windows\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2plxx.exe
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Configuration Utility.lnk = C:\Program Files\Intersil\PRISM 802.11 Wireless LAN\Config.exe
O4 - Startup: Wireless-B Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-B Notebook Adapter\WPC11Cfg.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - messenger.msn.com/download/MsnMe···ader.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - www2.incredimail.com/contents/se···ader.cab


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL
Ok, good job.

The log looks clean.

I assume you are getting some prevention programs and extra security in place for them.

hgratt

join:2003-12-09
Plano, TX

You bet! I've loaded Ad-Aware, Spybot, CWShredder and SpywareBlaster onto his system. Also installed AVAST anti-virus and a2 anti-trojan on his system.

Hopefully, this will give him adequate automatic protection and manual scanning/checking capabilities.

Thanks again for your help.


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL


Great! I figured you would fix him up.

Another really *must get* free tool is Eric Howes' IESPYAD. That will put over 5,000 known malicious and/or dangerous sites into his Restricted zone. It needs to be updated periodically (see our Updates list at the top of this forum each day for the latest), but installing that tool will help stop reinfections and increase his protection without using any memory resources.
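What putting a site "into the Restricted zone" means at the registry level, as an added example (not IE-SPYAD's list or code, and not from this thread). Internet Explorer keeps per-site zone assignments under `HKEY_CURRENT_USER\...\Internet Settings\ZoneMap\Domains`; a DWORD value of 4 under a domain's key assigns it to Restricted sites, which is why a tool built on this needs no resident process and only affects IE (WinINET) and not Mozilla. The script below writes such entries as a `.reg` file for a few constructed placeholder hostnames (badsite.example and the like); the assumption that the registrable domain is the last two labels is marked in the code.

```python
"""Write Internet Explorer Restricted-sites entries as a .reg file.

Added example, not IE-SPYAD's list or code. IE stores per-site zone assignments
under ZoneMap\\Domains; a DWORD of 4 for the "*" (any scheme) value puts the
domain in the Restricted sites zone. Hostnames used below are constructed
placeholders.
"""
import re

ZONE_RESTRICTED = 4  # 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites
DOMAINS_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\Domains")
HOST_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def domain_key(host):
    """Map a bare hostname to its subkey under ZoneMap\\Domains.

    IE keys the registrable domain and nests a further label as a subkey
    (www.badsite.example -> badsite.example\\www). Assumption made here: the
    registrable domain is the last two labels, which holds for the .com-style
    hosts a blocklist mostly contains but not for e.g. example.co.uk. Hosts
    with more than one extra label are rejected rather than guessed at.
    """
    labels = host.strip().lower().rstrip(".").split(".")
    if not 2 <= len(labels) <= 3 or not all(HOST_LABEL.match(l) for l in labels):
        raise ValueError(f"expected a bare hostname with 2-3 labels, got {host!r}")
    base = ".".join(labels[-2:])
    return f"{base}\\{labels[0]}" if len(labels) == 3 else base


def restricted_sites_reg(hosts, zone=ZONE_RESTRICTED):
    """Return REGEDIT4-format text (CRLF line endings) assigning each host to `zone`.

    REGEDIT4 is the ANSI header that Win9x regedit accepts (NT-family regedit
    reads it too); the zone is written as an 8-digit hex DWORD as regedit
    expects. Duplicate and differently-cased hosts collapse to one key.
    """
    out = ["REGEDIT4", ""]
    for key in sorted({domain_key(h) for h in hosts}):
        out.append(f"[{DOMAINS_KEY}\\{key}]")
        out.append(f'"*"=dword:{zone:08x}')
        out.append("")
    return "\r\n".join(out)


if __name__ == "__main__":
    # Constructed placeholder hosts, not entries from any real blocklist.
    print(restricted_sites_reg(["badsite.example", "www.badsite.example",
                                "BADSITE.EXAMPLE", "ads.tracker.example"]))
```

Importing the resulting file with regedit is all IE-SPYAD-style protection amounts to, which also answers the conflict question: SpywareBlaster and Spybot's immunization write their own keys (kill bits and their own Restricted-zone entries), and two tools adding domains to the same zone do not fight each other; the last writer for an identical key simply wins with the same value. Uninstalling means deleting the keys again, so keep the generated `.reg` around.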

hgratt

join:2003-12-09
Plano, TX
Does IESPYAD do anything for Mozilla? Also, will it conflict with SpywareBlaster and/or SpyBot's immunization procedures?


CalamityJane
Premium,VIP,MVM
join:2002-08-27
Eustis, FL
Oh, no... it doesn't work for Mozilla, just IE; but also no, it doesn't interfere with SpywareBlaster or Spybot or any other security programs for those using IE.