Topic: Guard.tmp -Workstation Infection  (Read 723 times)
odroubi
Guard.tmp -Workstation Infection
« on: Sep 1st, 2006, 3:05pm »
Hello All,
 
I am brand spanking new to this forum and I am looking for some assistance, please.
 
I have a Windows XP SP1 Home Edition workstation that is badly infected with viruses and lots of spyware and adware.
 
Running McAfee on the local machine shows a very happy uninfected system.
 
Mapping that machine's drive to my other workstation and scanning it using Trend Micro OfficeScan discovers some of the infections, but not all. Furthermore, if I clean the infected files, more infected files are recreated.
 
I ran TrojanHunter and it finds a registry key for an adware virus and deletes the key, but it gets recreated just as fast as you can press the F5 key.
 
I downloaded and ran HijackThis as I read in your forum and I am posting the log below to get some advice.
 
Also, if I try to run the Win XP SP2 install, the workstation crashes before it completes.
 
Last but not least, I ran the free Trend Micro HouseCall scan from the Internet and it finds many infected files, and when I try to clean them the workstation crashes again.
 
At this point I want to and expect to rebuild this OS from scratch but I really would like to find the issue and remove it if I can.
 
Please help and advise.
 
Thanks,
 
Omar
********Start Hijackthis log***
Logfile of HijackThis v1.99.1
Scan saved at 8:14:30 AM, on 9/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\System32\mstsc.exe
C:\WINDOWS\System32\taskmgr.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\virus-cleaning-tools\ProcessExplorerNt\procexp.exe
C:\Documents and Settings\Owner\Desktop\virus-cleaning-tools\hijackthis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ktxkcqy.exe
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} (Installer Class) - ms-its:mhtml:file://c:\nesunem.mht!http://adgate.info/zscript/mca.chm::/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{71C93D0C-6DF1-4044-BD39-F9765934AFFC} : NameServer = 192.168.0.1
O20 - AppInit_DLLs: inicfg32.dll
O20 - Winlogon Notify: logons - C:\WINDOWS\System32\redist.dll (file missing)
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\mv86l9ls1.dll
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
 
****End Hijackthis log****
siliconman01
Re: Guard.tmp -Workstation Infection
« Reply #1 on: Sep 2nd, 2006, 12:39am »
Welcome to the forum odroubi,
 
Please do this first.  
 
1.  Install HiJackThis in a folder of its own on your hard drive.  It should not be run from the desktop or from a TEMP folder.
 
2.  After you get HiJackThis in its own folder, rename HiJackThis.exe to AnalyzeThis.exe (or some other unique name).  Why? Because there are some infections that target HijackThis and prevent it from displaying properly.
 
3.  Run a new HJT scan and post the log results.  
 
I can see a few infections in your current HJT log that we can get rid of, but would like to see a new log as per the above instructions first.  I'm glad you are trying to move up to SP2, but it will be necessary to get a clean machine before doing this.
 
Update:    In fact, in more closely examining your HJT log, I urge you to move over to the HiJackThis forum, English section, because they can/will provide better expertise than I can for removing several different types of infections that are on this computer.  The link below is for that forum.
 
http://forum.hijackthis.de/
« Last Edit: Sep 2nd, 2006, 7:09am by siliconman01 »

odroubi
Re: Guard.tmp -Workstation Infection
« Reply #2 on: Sep 2nd, 2006, 3:02pm »
Thanks for your info.
 
I followed your steps and am posting the log here if you could review it and maybe get me started.
 
I tried to go to the other log but at this second I was not able to get my posting in as I was unable to understand what was keeping my posting from uploading- some error.
 
Thanks in advance,
 
Omar@marathonsolutions.com
 
***Log Start***
Logfile of HijackThis v1.99.1
Scan saved at 12:55:27 PM, on 9/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\hijackthis\analyzethis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\System32\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\System32\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.254:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ktxkcqy.exe
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - ms-its:mhtml:file://c:\nesunem.mht!http://adgate.info/zscript/mca.chm::/speedtest2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{71C93D0C-6DF1-4044-BD39-F9765934AFFC} : NameServer = 192.168.0.1
O20 - AppInit_DLLs: inicfg32.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: logons - C:\WINDOWS\System32\redist.dll (file missing)
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\n26qlcj51fo.dll
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
 
 
***Log End***
siliconman01
Re: Guard.tmp -Workstation Infection
« Reply #3 on: Sep 2nd, 2006, 3:20pm »
Okay, the first thing I would like for you to do is run Blacklight and see if you have any rootkits on this machine.  Blacklight can be downloaded from the link below.  Please read the info and instructions about it while you are at the website.
 
http://www.f-secure.com/blacklight/blacklight.html
 
Please post back the results of the Blacklight scan.  If it found and removed anything, please also post another HJT log.
Gavin_Coe
Re: Guard.tmp -Workstation Infection
« Reply #4 on: Sep 4th, 2006, 8:18am »
Fix this one and send the file ? ktxkcqy.exe
 
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ktxkcqy.exe  
 
Can also fix these:  
 
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)  
 
O20 - AppInit_DLLs: inicfg32.dll  
 
O20 - Winlogon Notify: logons - C:\WINDOWS\System32\redist.dll (file missing)
 
O20 - Winlogon Notify: Reinstall - C:\WINDOWS\system32\n26qlcj51fo.dll  
 
I'd like the inicfg32.dll if you can send that too.. Adware.E2Give by the looks
 
Added some detection so TH can remove some of the above, then send a new log.
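The entries Gavin singles out above (the extra UserInit binary, the AppInit_DLLs value, the Winlogon Notify packages) are the classic persistence points in a HijackThis log, alongside the Trusted Zone additions and the ms-its: DPF download. As an added example that is not code from this thread or from HijackThis/TrojanHunter, here is a small Python triage script that parses lines in that log format and reports those points; the Winlogon Notify allowlist is an assumption made for illustration, and the sample log is constructed from entries quoted in the thread.

```python
import re

# Constructed sample log: entries copied from the HijackThis v1.99.1 logs quoted in this thread.
SAMPLE_LOG = """\
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,ktxkcqy.exe
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\\Program Files\\E2G\\IeBHOs.dll (file missing)
O4 - HKLM\\..\\Run: [THGuard] "C:\\Program Files\\TrojanHunter 4.5\\THGuard.exe"
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {E055C02E-6258-40FF-80A7-3BDA52FACAD7} - ms-its:mhtml:file://c:\\nesunem.mht!http://adgate.info/zscript/mca.chm::/speedtest2.dll
O20 - AppInit_DLLs: inicfg32.dll
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
O20 - Winlogon Notify: Reinstall - C:\\WINDOWS\\system32\\n26qlcj51fo.dll
"""

# Winlogon Notify packages shipped with XP plus the Intel graphics one seen in the thread;
# illustrative allowlist (an assumption for this example), anything else is reported for review.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui"}

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")

def triage_line(line):
    """Return (section, reason) if a HijackThis line deserves attention, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if "(file missing)" in body:
        return section, "registered component whose file is missing (dangling entry)"
    if section == "F2" and "UserInit=" in body:
        # UserInit is a comma-separated list; only userinit.exe belongs there.
        parts = [p.strip().lower() for p in body.split("UserInit=", 1)[1].split(",")]
        extra = [p for p in parts if p and not p.endswith("userinit.exe")]
        if extra:
            return section, "extra binary launched at logon via UserInit: " + ", ".join(extra)
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:  # empty on a clean XP box; any DLL here is loaded into user-mode GUI processes
            return section, "AppInit_DLLs injects %s into user-mode processes" % value
    if section == "O20" and body.startswith("Winlogon Notify:"):
        package = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
        if package not in KNOWN_NOTIFY:
            return section, "unrecognised Winlogon Notify package '%s'" % package
    if section == "O15":
        return section, "site added to the IE Trusted Zone (weakens browser restrictions)"
    if section == "O16" and not re.search(r" - https?://", body):
        return section, "ActiveX download from a non-http source (e.g. ms-its:/mhtml:)"
    return None

def triage(log_text):
    """Flag suspicious lines of a HijackThis log, preserving their order."""
    findings = []
    for line in log_text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append({"section": hit[0], "reason": hit[1], "line": line.strip()})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (f["section"], f["reason"], f["line"]))
```

Run against the sample it reports six lines and leaves the THGuard Run entry and the igfxcui notify package alone; paste a full log into SAMPLE_LOG (or read it from a file) to triage a real one.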
odroubi
Re: Guard.tmp -Workstation Infection
« Reply #5 on: Sep 4th, 2006, 10:08am »
Ran through a few more cleanings and scans and what I have now is an agent.100 infection and I did have Adware.E2Give but I may have killed that (but not likely). TH cannot remove the agent.100 as it reappears as fast as it is cleaned (the registry key that is)
 
I will post the log later, when I get back to the machine (network isolated right now), but HijackThis still reports
AppInit_DLLs: inicfg32.dll  - I try to clean it but it cannot.
 
1 more point: siliconman01 instructed me to run Blacklight beta and this will not even run on the system; it reports "unable to obtain the necessary level of access required" and closes.
 
So maybe I do have a rootkit installed. The one thing that leads me to think that is the rundll32.exe process that always kicks off and I cannot pinpoint what is starting that process.
 
log coming shortly
 
thanks for the help.
 
Omar
david
Re: Guard.tmp -Workstation Infection
« Reply #6 on: Sep 7th, 2006, 5:03am »
Hello, I have one suggestion.
 
Try WinTasks Professional or Administrator, whatever (you have 15 days to try).
 
This program works like HijackThis because it lists all running processes and says which are genuine (not viruses) and which processes are viruses.
 
You can stop bad processes in the program.
 
(You should update the database of the program when you start it.)
 
The latest version is 5.04...
 
Go to http://www.liutilities.com/ and download the program.
 
It is really good. If you kill the bad processes, maybe TH or the antivirus will have more facility to remove all the traces.
 
(I am sorry if you don't understand all this, but I am Portuguese.) lol
 
Best regards and good luck,
 
david
david
Re: Guard.tmp -Workstation Infection
« Reply #7 on: Sep 7th, 2006, 5:08am »
Please see your processes in http://www.processlibrary.com/
 
rundll32.exe is a process which executes DLL's and places their libraries into the memory, so they can be used more efficiently by applications. This program is important for the stable and secure running of your computer and should not be terminated.
 
Note: rundll32.exe is a process registered as a backdoor vulnerability which may be installed for malicious purposes by an attacker allowing access to your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.
 
Note: rundll32.exe could also be a process which belongs to the . This program is a non-essential process, but should not be terminated unless suspected to be causing problems.
 
Determining whether this process is a virus or a legitimate Windows process depends on the directory location it executes or runs from in WinTasks.
For More Info About rundll32.exe - Get WinTasks 5 Pro Now!
 
Recommendation: Should not be disabled, required for essential applications to work properly.
To get control over your running programs we suggest WinTasks
 
from: process library