
W32.Myzore.fk@yf...Virus/malware...

Discussion in 'Malware and Virus Removal Archive' started by fivebellies, 2006/08/19.

  1. 2006/08/19
    fivebellies

    fivebellies Inactive Thread Starter

    Joined:
    2006/05/01
    Messages:
    4
    Likes Received:
    0
    Hiya everybody ..thanks for reading this...this is my first post on here, so be gentle with me ...lol
    My mate has just brought his computer around here with this above mentioned virus or malware...here is his hijack this log:

    Logfile of HijackThis v1.99.1
    Scan saved at 20:44:09, on 19/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ntl\ntl Netguard\fws.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Common Files\Command Software\dvpapi.exe
    C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\IntCodec\isamonitor.exe
    C:\Program Files\IntCodec\pmsngr.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\CA\ETRUST~1\realmon.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\zHotkey.exe
    C:\WINDOWS\system32\atwtusb.exe
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ntl\ntl Netguard\RPS.exe
    C:\Program Files\IntCodec\pmmon.exe
    C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\WINDOWS\system32\TBLMOUSE.EXE
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\Program Files\IntCodec\isamini.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\Pat\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toysrus.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toysrus.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\IntCodec\isaddon.dll
    O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll (file missing)
    O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
    O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\IntCodec\iesplugin.dll
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe "
    O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
    O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\Pat\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install.exe -startup -product IncrediMail
    O4 - HKLM\..\Run: [VideoraiPodConverter] C:\Program Files\VideoraiPodConverter\VideoraConverter.exe -t
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
    O14 - IERESET.INF: START_PAGE_URL=http://www.toysrus.co.uk/
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/28238869e6c72e0f5a05/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096375419796
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135161331328
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter: text/html - (no CLSID) - (no file)
    O18 - Filter: text/plain - (no CLSID) - (no file)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
    O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
    O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe

    Any help would be appreciated ... thanks....
    Mark.
     
  2. 2006/08/19
    fivebellies

    fivebellies Inactive Thread Starter

    Joined:
    2006/05/01
    Messages:
    4
    Likes Received:
    0
    Forgot to add that the name of the virus comes up in the task bar...
     


  4. 2006/08/19
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    fivebellies - Welcome to the Board :)

    I will endeavour to help you clean up your friend's computer ....

    First ....

    Please move Hijackthis to a folder on your hard drive, say C:\HJT - the Desktop or a temporary folder is not a suitable location for the backup made by HJT when entries are fixed.

    Please download and install the 30 day trial version of Ewido Anti-Spyware

    Run the program either from the Desktop icon if you chose to install one or from Start > Programs. On the main screen select the Update icon followed by the "Update now" link and click on the Start Update button. The update will start and a progress bar will show the updates being installed.

    When the update has completed select the Scanner icon at the top of the window and click on the Settings tab.

    On the Settings screen click on Recommended actions and then on Quarantine.

    Under Reports select Automatically generate report after every scan and deselect Only if threats were found.

    Close Ewido Anti-spyware. Do not run a scan just yet.

    Boot into Safe Mode and log onto your usual account.
    Do not open any other windows or programs while Ewido is scanning as this may interfere with the scanning process.

    Start Ewido Anti-spyware by double-clicking the icon on your desktop or from Start > Programs and select the Scanner icon at the top of the window followed by the Scan tab and click on Complete System Scan. The scanning process will start and may take some time.

    When the scan is complete, if any infections were detected you will be prompted for an action - select Apply all actions.

    Then select the Reports icon at the top of the window and click on the Save report as button in the lower left hand corner of the screen and save it as a text file (be sure to remember where you saved that file, this is important).

    Close Ewido and reboot your system back into Normal Mode and post the Ewido scan report here.

    Please download SmitfraudFix and unzip the contents to a folder on your Desktop.

    Open the SmitfraudFix folder and double click on Smitfraudfix.cmd

    If a Security Warning pops up hit the Run button

    A command window appears > press any key to continue

    On the line with the flashing cursor 'Enter your choice (1.2 ....)' type 1 and press Enter

    The program scans your system and when the scan has completed a Notepad window opens containing the scan report - a copy of this file is saved as C:\rapport.txt. Please post it along with the Ewido log.
     
  5. 2006/08/20
    fivebellies

    fivebellies Inactive Thread Starter

    Joined:
    2006/05/01
    Messages:
    4
    Likes Received:
    0
    Hiya this is the log from ewido

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 20:23:56 20/08/2006

    + Scan result:



    HKLM\SOFTWARE\Classes\CLSID\{a2595f37-48d0-46a1-9b51-478591a97764} -> Adware.Generic : No action taken.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{a2595f37-48d0-46a1-9b51-478591a97764} -> Adware.Generic : No action taken.
    HKU\S-1-5-21-1424984824-1297043927-3308747142-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A2595F37-48D0-46A1-9B51-478591A97764} -> Adware.Generic : No action taken.
    HKU\S-1-5-21-1424984824-1297043927-3308747142-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A2595F37-48D0-46A1-9B51-478591A97764} -> Adware.Generic : No action taken.
    C:\Program Files\IntCodec -> Adware.IntCodec : No action taken.
    C:\Program Files\IntCodec\iesplugin.dll -> Adware.IntCodec : No action taken.
    C:\Program Files\IntCodec\iesuninst.exe -> Adware.IntCodec : No action taken.
    C:\Program Files\IntCodec\isamini.exe -> Adware.IntCodec : No action taken.
    C:\Program Files\IntCodec\isamonitor.exe -> Adware.IntCodec : No action taken.
    C:\Program Files\IntCodec\isauninst.exe -> Adware.IntCodec : No action taken.
    C:\Program Files\IntCodec\ot.ico -> Adware.IntCodec : No action taken.
    C:\Program Files\IntCodec\pmmon.exe -> Adware.IntCodec : No action taken.
    C:\Program Files\IntCodec\pmsngr.exe -> Adware.IntCodec : No action taken.
    C:\Program Files\IntCodec\pmuninst.exe -> Adware.IntCodec : No action taken.
    C:\Program Files\IntCodec\ts.ico -> Adware.IntCodec : No action taken.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006 -> Adware.IntCodec : No action taken.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On -> Adware.IntCodec : No action taken.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03 -> Adware.IntCodec : No action taken.
    HKU\S-1-5-21-1424984824-1297043927-3308747142-1007\Software\Internet Security -> Adware.IntCodec : No action taken.
    C:\Documents and Settings\Pat\Local Settings\Temp\nsv69.tmp\isecur.dll -> Downloader.Zlob.aft : No action taken.
    C:\Documents and Settings\Pat\Local Settings\Temp\tmp6E.tmp -> Not-A-Virus.Hoax.Win32.Renos.dp : No action taken.
    C:\Program Files\MP3 Player Utilities 1.51\DelDrv.exe -> Trojan.DelAll.q : No action taken.


    Can't find the log for smitfraud...even though I saved it to the desktop...strange that.
     
  6. 2006/08/20
    fivebellies

    fivebellies Inactive Thread Starter

    Joined:
    2006/05/01
    Messages:
    4
    Likes Received:
    0
    Just found the report for smitfraud....

    SmitFraudFix v2.81

    Scan done at 20:36:11.67, 20/08/2006
    Run from C:\Documents and Settings\Pat\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "bestreak "= "{874443fe-aa33-4ebf-a6ac-73208787e62d} "


    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  7. 2006/08/20
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    fivebellies

    It is very important that you read the instructions given carefully and follow them to the letter.

    As far as I can tell you have not set up Ewido as requested as the report indicates that no action was taken on the malware found.

    Please re-read the instructions - you may like to print out a copy first - set up Ewido as requested and scan again.

    You ran SmitfraudFix in Safe mode when you were asked to run it in normal mode and the location of the report was also given in the instructions.

    Please re-run SmitfraudFix in Normal mode and post the new report together with the new Ewido report.
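Added example (not code from this thread, nor from the Ewido or HijackThis authors): a small Python script that parses the entry formats seen in the two reports posted above and does the two checks a helper makes by eye when reviewing them. First it lists Ewido detections still marked "No action taken" (the point raised in the reply above, where the scanner was not set to quarantine). Second it correlates HijackThis entries with the Ewido findings by CLSID or by file path, so that an O2/O3 BHO or toolbar living under a detected folder stands out. The sample lines are constructed to resemble those posted in the thread; the "Quarantined." action string and the specific line selection are assumptions, not the full logs.

```python
"""Triage helper: correlate a HijackThis log with an Ewido scan report.

Added example, not part of the forum thread. Sample data below is
constructed to look like the reports posted in the thread.
"""
import re
from collections import Counter

# Constructed HijackThis lines (modelled on the posted log, not the full log).
HJT_LOG = r"""
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\IntCodec\isaddon.dll
O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\IntCodec\iesplugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Constructed Ewido lines; the "Quarantined." action text is an assumption.
EWIDO_REPORT = r"""
HKLM\SOFTWARE\Classes\CLSID\{a2595f37-48d0-46a1-9b51-478591a97764} -> Adware.Generic : No action taken.
C:\Program Files\IntCodec -> Adware.IntCodec : No action taken.
C:\Program Files\IntCodec\iesplugin.dll -> Adware.IntCodec : No action taken.
C:\Documents and Settings\Pat\Local Settings\Temp\nsv69.tmp\isecur.dll -> Downloader.Zlob.aft : Quarantined.
"""

# "<item> -> <detection> : <action>."  (item may be a registry key or a path)
EWIDO_LINE = re.compile(r"^(?P<item>.+?) -> (?P<detection>[^\s:]+) : (?P<action>.+?)\.?\s*$")
# "<section> - <rest>"  e.g. "O2 - BHO: ... - {clsid} - C:\path.dll"
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<rest>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
WIN_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_ewido(report):
    """Return one dict (item, detection, action) per parseable report line."""
    entries = []
    for line in report.splitlines():
        m = EWIDO_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def pending_actions(report):
    """Return (entries still marked 'No action taken', count per detection name)."""
    entries = parse_ewido(report)
    untreated = [e for e in entries if e["action"].lower() == "no action taken"]
    families = Counter(e["detection"] for e in entries)
    return untreated, families


def parse_hjt(log):
    """Extract section, CLSIDs (lower-cased) and trailing file path from each HJT line."""
    items = []
    for line in log.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        clsids = {c.lower() for c in CLSID.findall(rest)}
        # The last " - " separated field is the file path when one is present.
        tail = rest.rsplit(" - ", 1)[-1].strip().strip('"')
        path = tail.lower() if WIN_PATH.match(tail) else None
        items.append({"section": m.group("section"), "line": line.strip(),
                      "clsids": clsids, "path": path})
    return items


def correlate(log, report):
    """Return (section, HJT line, detection) for HJT entries tied to an Ewido finding.

    A match is a shared CLSID, or an HJT file path equal to or beneath a detected path.
    """
    detections = parse_ewido(report)
    hits = []
    for item in parse_hjt(log):
        for d in detections:
            key = d["item"].lower()
            clsid_hit = any(c in key for c in item["clsids"])
            path_hit = item["path"] is not None and (
                item["path"] == key or item["path"].startswith(key.rstrip("\\") + "\\"))
            if clsid_hit or path_hit:
                hits.append((item["section"], item["line"], d["detection"]))
                break  # report each HJT entry once
    return hits


if __name__ == "__main__":
    untreated, families = pending_actions(EWIDO_REPORT)
    print(f"{len(untreated)} Ewido detection(s) still untreated:")
    for e in untreated:
        print("  ", e["detection"], "->", e["item"])
    print("Detections by name:", dict(families))
    print("HijackThis entries tied to Ewido findings:")
    for section, line, detection in correlate(HJT_LOG, EWIDO_REPORT):
        print(f"  [{section}] {detection}: {line}")
```

Run it as-is to see the constructed sample triaged; to use it on a real pair of reports, read the two files into `HJT_LOG` and `EWIDO_REPORT` instead. The path check deliberately matches a detected folder as a prefix, which is what makes the IntCodec BHO stand out even though Ewido only named the folder and one DLL under it.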
     
