Question

Can't change desktop's background

Asked by: cmsarkiss

When I try to change the desktop's background, the Browse option and the Theme folder are not available to use.

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:34 PM, on 5/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\cache\dllhost.exe
C:\WINDOWS\system32\svchost.exe
c:\windows\system32\cache\spoolsvr.exe
C:\WINDOWS\wllv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\restore\host\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=3502
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mbti.exe
O2 - BHO: BHelper Objects - {0BD8D6AE-A0BE-4CD2-9A7D-E440E33C3227} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra 'Tools' menuitem: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209923541031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210600495117
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: ddcyaby - ddcyaby.dll (file missing)
O20 - Winlogon Notify: __c001742B - C:\WINDOWS\
O20 - Winlogon Notify: __c007A024 - C:\WINDOWS\
O20 - Winlogon Notify: __c00FAF49 - C:\WINDOWS\
O23 - Service: Windows Driver (AppToService_Windows Driver) - Basta Computing  - C:\WINDOWS\system32\app2service.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Help and Support Center (helpsvcc) - Unknown owner - C:\WINDOWS\system32\cache\dllhost.exe
O23 - Service: Internet Application Migration (IAM) (iamsvc) - Intel Corporation - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MsSecurity (MsSecurity1.203.2) - Unknown owner - C:\WINDOWS\wllv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Application that interactively manages NT services (svcmngr) - Unknown owner - C:\WINDOWS\config\config.exe
O23 - Service: Universal Serial Bus Control Control (UniSerialControlCNT) - Unknown owner - C:\WINDOWS\restore\host\explorer.exe

--
End of file - 6643 bytes
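
As an added example (not code from the thread and not part of HijackThis), the script below applies the checks the experts make by eye later in this thread to the log above: an extra loader on the F2 UserInit line, O20 Winlogon Notify handlers with no file behind them, O23 services with an unknown owner, and system binary names such as explorer.exe or dllhost.exe running from directories like restore\host or system32\cache. The sample lines are copied from the log above; the EXPECTED_DIRS and SHADOW_DIR_HINTS tables are this example's assumptions about a stock Windows XP install.

```python
"""Triage a HijackThis v2 log for the persistence patterns discussed in this
thread: an extra UserInit loader, dangling Winlogon Notify handlers, services
with an unknown owner, and system binary names running from odd directories.
Added example: not HijackThis's code and not posted by anyone in the thread.
SAMPLE_LOG is copied from the log in the question; EXPECTED_DIRS and
SHADOW_DIR_HINTS are this example's own assumptions about Windows XP."""
import ntpath
import re

SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cache\dllhost.exe
c:\windows\system32\cache\spoolsvr.exe
C:\WINDOWS\wllv.exe
C:\WINDOWS\restore\host\explorer.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mbti.exe
O20 - Winlogon Notify: ddcyaby - ddcyaby.dll (file missing)
O20 - Winlogon Notify: __c001742B - C:\WINDOWS\
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: MsSecurity (MsSecurity1.203.2) - Unknown owner - C:\WINDOWS\wllv.exe
O23 - Service: Application that interactively manages NT services (svcmngr) - Unknown owner - C:\WINDOWS\config\config.exe
O23 - Service: Universal Serial Bus Control Control (UniSerialControlCNT) - Unknown owner - C:\WINDOWS\restore\host\explorer.exe
"""

# Windows XP binaries with one fixed home directory (assumption); the same name
# anywhere else is the masquerading pattern seen in restore\host\explorer.exe.
EXPECTED_DIRS = {
    "explorer.exe": r"c:\windows",
    "dllhost.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
}
# Directory fragments no stock XP binary runs from; all three appear in this log.
SHADOW_DIR_HINTS = ("\\windows\\restore\\", "\\windows\\config\\", "\\system32\\cache\\")

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")


def _split(path):
    """Lower-cased (directory, basename) of a Windows path."""
    p = path.strip().strip('"').lower()
    return ntpath.dirname(p), ntpath.basename(p)


def check_path(path):
    """Path rules shared by the process list and the O23 service entries."""
    findings = []
    directory, base = _split(path)
    if base in EXPECTED_DIRS and directory != EXPECTED_DIRS[base]:
        findings.append(("masquerading-binary", path))
    if any(hint in directory + "\\" for hint in SHADOW_DIR_HINTS):
        findings.append(("shadow-directory", path))
    return findings


def check_userinit(value):
    """UserInit is a comma list; anything besides userinit.exe is an extra loader."""
    return [("userinit-extra-loader", e.strip()) for e in value.split(",")
            if e.strip() and _split(e)[1] != "userinit.exe"]


def check_winlogon_notify(rest):
    """Flag handlers whose DLL is missing or whose target is a bare directory."""
    name, _, target = rest[len("Winlogon Notify: "):].partition(" - ")
    if "(file missing)" in target or target.endswith("\\"):
        return [("winlogon-notify-dangling", name)]
    return []


def check_service(rest):
    """Parse 'Service: <display (name)> - <owner> - <path>'."""
    parts = rest[len("Service: "):].rsplit(" - ", 2)
    if len(parts) != 3:
        return []
    display, owner, path = parts
    findings = [("service-unknown-owner", display)] if owner == "Unknown owner" else []
    if path != "(no file)":
        findings += check_path(path)
    return findings


def triage(log_text):
    """Return (rule, subject) findings for every suspicious line in the log."""
    findings, in_procs = [], False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # blank line ends the process list
        elif in_procs:
            findings += check_path(line)
        elif m := LINE_RE.match(line):
            sect, rest = m.groups()
            if sect == "F2" and "UserInit=" in rest:
                findings += check_userinit(rest.split("UserInit=", 1)[1])
            elif sect == "O20" and rest.startswith("Winlogon Notify:"):
                findings += check_winlogon_notify(rest)
            elif sect == "O23" and rest.startswith("Service:"):
                findings += check_service(rest)
    return findings
```

Calling `triage(SAMPLE_LOG)` on the sample yields 14 findings, every one of them an entry the experts single out below; the AVG service and C:\WINDOWS\Explorer.EXE pass clean.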


Asked On: 2008-05-12 at 15:50:38 (ID 23396219)
Tags: Microsoft, Windows, XP Home
Topics: HijackThis Software, Security Utilities, Desktop Anti-Virus
Participating Experts: 2, Points: 500, Comments: 34


Answers

 

by: IndiGenus, posted on 2008-05-12 at 16:09:49 (ID: 21551214)

Hi,

Download SDFix (by Andy Manchesta) and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.

A text file should automatically open.
Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

Please also upload a fresh HijackThis log.

 

by: rpggamergirl, posted on 2008-05-12 at 16:52:43 (ID: 21551355)

SDFix, as IndiGenus suggested, will remove all SDBot-related nasties in the system.
IF the problem persists after running SDFix, you might like to run Combofix as well, or other scanners in addition to SDFix, in case SDFix won't remove some of the trojans below.

Troj/DllLoad-C
O23 - Service: Application that interactively manages NT services (svcmngr) - Unknown owner - C:\WINDOWS\config\config.exe
O23 - Service: MsSecurity (MsSecurity1.203.2) - Unknown owner - C:\WINDOWS\wllv.exe
O23 - Service: Universal Serial Bus Control Control (UniSerialControlCNT) - Unknown owner - C:\WINDOWS\restore\host\explorer.exe


Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe


You must download it to and run it from your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply along with a fresh HJT log.
Re-enable all the programs that were disabled during the running of ComboFix.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 

by: cmsarkiss, posted on 2008-05-12 at 18:00:30 (ID: 21551573)

HI, IndiGenus and rpggamergirl,
thank you very much for your help.
I followed IndiGenus' instructions and I am sending the files attached.
I was able to change the desktop's background.
Now I am going to follow the instructions from rpggamergirl to complete the cleaning.
Thank you,
You are Good!!!!

 

by: rpggamergirl, posted on 2008-05-12 at 18:46:12 (ID: 21551704)

hmmm... something is going on... SDFix is supposed to delete this file as well but it didn't --> C:\WINDOWS\system32\mbti.exe

Lots of trojans still need to be deleted under the "firewallpolicy" list.

Not to worry, we should be able to (try to) get rid of them.

 

by: IndiGenus, posted on 2008-05-12 at 18:48:58 (ID: 21551716)

That is strange, something probably regenerated it. Definitely need to go with combofix here too as rpg had advised.

 

by: cmsarkiss, posted on 2008-05-12 at 18:50:28 (ID: 21551723)

Ok now I ran Combofix and I have a new HijackThis log attached.
Thank you  

 

by: rpggamergirl, posted on 2008-05-12 at 22:14:28 (ID: 21552477)

I would like to suggest that you install Recovery Console before we continue with the cleanup.

How to install and use the Windows XP Recovery Console (for users with Windows CD)
http://www.bleepingcomputer.com/tutorials/tutorial117.html


The link below shows you how to install Recovery Console using Combofix (for users who don't have Windows CD)
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



IndiGenus,
If we proceed... see part of the log below?
What do you think?


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems]
"Windows"= basejxk32.dll


--------------------- DLLs Loaded Under Running Processes ---------------------

-> C:\WINDOWS\restore\host\explorer.exe
-> C:\WINDOWS\restore\host\ADMDLL.dll
PROCESS: C:\WINDOWS\explorer.exe

PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\WINDOWS\system32\basejxk32.dll
.
------------------------ Other Running Processes ------------------------

 

by: IndiGenus, posted on 2008-05-13 at 03:29:21 (ID: 21553618)

@rpg: [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems]
"Windows"= basejxk32.dll
I have to think that file is bad. Cannot find anything on it. Probably have them upload it for analysis.

@cmsarkiss: Please go to http://virusscan.jotti.org, click on Browse, and upload the following file for analysis:

C:\WINDOWS\system32\basejxk32.dll

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for us to see.

If Jotti is too busy you can try these.

http://www.kaspersky.com/scanforvirus.html
http://www.virustotal.com/en/indexf.html

This one: C:\WINDOWS\restore\host\ADMDLL.dll
From a Google search: "Programs that let you remotely control another computer use the ADMDLL.DLL file. The ADMDLL.DLL file is often associated with several Trojan horses as well."

The location of it makes me think that it's definitely bad.


 

by: rpggamergirl, posted on 2008-05-13 at 04:05:54 (ID: 21553769)

basejxk32.dll
Yes, it is bad, but I'm not sure Combofix will delete it without an RC installed. Combofix won't delete files that could render the PC unbootable unless RC is installed.
It's a semi-random-name file that can render the PC unbootable if we delete it without deleting the reg entry. Same as or similar to an infection that patched user32.dll or other system files.

See the semi-random "basengt32.dll" below? That looks like the same nasty as we have here in cmsarkiss' case.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\subsystems]
"Windows"= basengt32.dll

.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\WINDOWS\system32\basengt32.dll
.
Completion time: 2008-02-11 9:01:10 - machine was rebooted
.
2008-02-04 21:02:24 --- E O F ---
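
As an added example (not ComboFix's code and not posted by anyone in the thread), the script below parses the Session Manager SubSystems "Windows" value that the two ComboFix fragments above quote, flags any ServerDll that is not one of the subsystem servers csrss.exe is expected to load, and derives the value that has to be restored together with deleting the DLL, which is the unbootable-PC point rpggamergirl makes. The stock Windows XP value and the infected value are both constructed here as assumptions, because the ComboFix log shows only the rogue DLL name.

```python
"""Audit the Session Manager SubSystems "Windows" value for a foreign ServerDll,
the csrss.exe loading point abused by basejxk32.dll / basengt32.dll above, and
build the value a cleanup must restore alongside deleting the DLL.
Added example: not ComboFix's code and not posted by anyone in the thread.
CLEAN_VALUE is the stock Windows XP string as assumed here; INFECTED_VALUE is
constructed from it, since the ComboFix log only shows the rogue DLL name."""
import re

# DLLs csrss.exe legitimately loads as subsystem servers on XP (assumption).
KNOWN_SERVER_DLLS = {"basesrv", "winsrv"}

CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,3072,512 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off "
    "MaxRequestThreads=16"
)
# Constructed: basesrv swapped for the rogue DLL, matching '"Windows"= basejxk32.dll'.
INFECTED_VALUE = CLEAN_VALUE.replace("ServerDll=basesrv,1", "ServerDll=basejxk32.dll,1")

# One ServerDll token is "ServerDll=<name>[:<init routine>],<index>".
SERVERDLL_RE = re.compile(r"ServerDll=([^:,\s]+)")


def server_dlls(value):
    """ServerDll names in load order, lower-cased, without a .dll suffix."""
    names = [m.lower() for m in SERVERDLL_RE.findall(value)]
    return [n[:-4] if n.endswith(".dll") else n for n in names]


def foreign_server_dlls(value):
    """Every ServerDll that is not one of the known subsystem servers."""
    return [n for n in server_dlls(value) if n not in KNOWN_SERVER_DLLS]


def repaired_value(value):
    """Registry side of the fix: put basesrv back if the rogue entry replaced it,
    otherwise drop the extra entry. Deleting the DLL without this leaves csrss.exe
    unable to start, the unbootable-PC case described above."""
    names = server_dlls(value)
    for rogue in foreign_server_dlls(value):
        token = re.compile(r"ServerDll=\S*" + re.escape(rogue) + r"\S*", re.IGNORECASE)
        if "basesrv" not in names:
            value = token.sub("ServerDll=basesrv,1", value, count=1)
            names.append("basesrv")
        else:
            value = token.sub("", value, count=1)
    return " ".join(value.split())


if __name__ == "__main__":
    print("foreign:", foreign_server_dlls(INFECTED_VALUE))
    print("repaired:", repaired_value(INFECTED_VALUE))
```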

 

by: cmsarkiss, posted on 2008-05-13 at 05:27:31 (ID: 21554297)

Hi, I am trying to install Recovery Console as you pointed out.
I have Service Pack 3 installed but Microsoft is not offering the download yet for this Service Pack.
What should I do? Do I uninstall Service Pack 3?

 

by: cmsarkiss, posted on 2008-05-13 at 05:42:42 (ID: 21554415)

IndiGenus: I uploaded the file C:\WINDOWS\SYSTEM32\basejxk32.dll on Jotti and this is the result:

File:  basejxk32.dll  
Status:  INFECTED/MALWARE  
MD5:  6ee34dd080212f92ce9ba58998d0bb12  
Packers detected:  -
 
Scanner results  
Scan taken on 13 May 2008 12:32:48 (GMT)  
A-Squared  Found nothing
AntiVir  Found TR/Agent.AGKK.32  
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found Trojan.Agent.AGKK  
ClamAV  Found nothing
CPsecure  Found nothing
Dr.Web  Found nothing
F-Prot Antivirus  Found nothing
F-Secure Anti-Virus  Found nothing
Fortinet  Found nothing
Ikarus  Found nothing
Kaspersky Anti-Virus  Found nothing
NOD32  Found nothing
Norman Virus Control  Found nothing
Panda Antivirus  Found nothing
Sophos Antivirus  Found Troj/Agent-GXR  
VirusBuster  Found nothing
VBA32  Found nothing
Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1
 
   


 

by: cmsarkiss, posted on 2008-05-13 at 05:50:46 (ID: 21554481)

IndiGenus: Regarding the 2nd file to scan with Jotti: C:\WINDOWS\restore\host\ADMDLL.dll

File:  AdmDll.dll  
Status:  INFECTED/MALWARE  
MD5:  3d11c0612f8eaf9ff5e5c1079cc45416  
Packers detected:  PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
Scan taken on 13 May 2008 12:45:26 (GMT)  
A-Squared  Found nothing
AntiVir  Found nothing
ArcaVir  Found nothing
Avast  Found nothing
AVG Antivirus  Found nothing
BitDefender  Found nothing
ClamAV  Found nothing
CPsecure  Found nothing
Dr.Web  Found Program.RemoteAdmin.21  
F-Prot Antivirus  Found nothing
F-Secure Anti-Virus  Found not-a-virus:RemoteAdmin.Win32.RAdmin.20 (6, 2, 606)  
Fortinet  Found nothing
Ikarus  Found not-a-virus:RemoteAdmin.Win32.RAdmin.20  
Kaspersky Anti-Virus  Found not-a-virus:RemoteAdmin.Win32.RAdmin.20  
NOD32  Found a variant of Win32/RemoteAdmin application  
Norman Virus Control  Found nothing
Panda Antivirus  Found nothing
Sophos Antivirus  Found nothing
VirusBuster  Found nothing
VBA32  Found nothing


 

by: cmsarkiss, posted on 2008-05-13 at 06:52:12 (ID: 21555005)

I installed the recovery console using the download for WINXP Home Edition SP 2 and ran Combofix;
attached is the result log.
How do I know if the computer is still infected?
Anyway, I really want to thank you both, IndiGenus and rpggamergirl, for your input. I learned a lot in one day!!!
cmsarkiss


Attachment: combofix.txt (20 KB), Combofix log file after installing Recovery Console

 

by: IndiGenus, posted on 2008-05-13 at 09:17:38 (ID: 21556563)

OK here is what I have. rpg, if you see anything missing please advise. There are some strange things going on here. I believe at least one rootkit is present too.

1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

------------------------------------------------------------------------

File::
C:\WINDOWS\autoexe.exe
C:\WINDOWS\SYSTEM32\winsconf32.dll
C:\WINDOWS\swinsecur.exe
C:\WINDOWS\SYSTEM32\winsconfg.dll
C:\Program Files\setupxv.exe
C:\wllv.exe
C:\WINDOWS\wllv.exe
C:\WINDOWS\mscon.vga
C:\WINDOWS\conlex.eom
C:\WINDOWS\winxd.xc
C:\WINDOWS\_detmp.1
C:\WINDOWS\_detmp.2

Folder::
C:\WINDOWS\SYSTEM32\1374

Driver::
MsSecurity1.203.2
DMSKSSRh

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyaby]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c001742B]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c007A024]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00FAF49]

------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log

 

by: cmsarkiss, posted on 2008-05-13 at 16:40:30 (ID: 21560194)

Hi
I uploaded the 2 log files and also I realized that the C:\Windows folder is like a hidden file (I mean it's shadowed).

 

by: rpggamergirl, posted on 2008-05-13 at 16:50:52 (ID: 21560231)

Excellent job as always IndiGenus, I couldn't have done better than that.

cmsarkiss,
Good job with the RC install.

It certainly has something suspicious there.
The registry is calling for a file that is not found in the CF log.
The host folder where explorer.exe is running from is very suspicious. Though it's dated 2003? It's certainly worth looking for rootkits as well.

It's also showing in the Hijackthis log. He has 2 explorer.exe running. Why is that? We should kill it I think. Or is that for some reason legit?
O23 - Service: Universal Serial Bus Control Control (UniSerialControlCNT) - Unknown owner - C:\WINDOWS\restore\host\explorer.exe

Can you please run this script and let's see what else is in that folder?

DirLook::
C:\WINDOWS\restore\host

 

by: cmsarkiss, posted on 2008-05-13 at 17:27:25 (ID: 21560366)

How do I run a script?

DirLook::
C:\WINDOWS\restore\host

Do I Copy and Paste in a notepad and then insert in Combofix?

 

by: rpggamergirl, posted on 2008-05-13 at 17:37:04 (ID: 21560404)

Sorry, same thing you did as IndiGenus instructed before, but this time the script just contains 2 lines; we just want combofix to check the contents of the "host" folder.
Alternatively, you can manually check it yourself via Windows Explorer and give us the list of the contents of that folder.

Open notepad and copy/paste the text inside the lines below into it.
--------------------------------------------------------------
DirLook::
C:\WINDOWS\restore\host

--------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe
Then drag CFScript.txt into ComboFix.exe

This will start ComboFix again. Follow the prompts. After reboot, (in case it asks to reboot), attach the contents of Combofix.txt in your next reply.

@indiGenus,
that's the best canned speech I've seen, very clear and clean layout, mind if I use that?

 

by: IndiGenus, posted on 2008-05-13 at 17:41:00 (ID: 21560427)

@rpg...of course it's ok. I've "borrowed" a couple of yours.

 

by: rpggamergirl, posted on 2008-05-13 at 17:47:00 (ID: 21560445)

Thanks IndiGenus, now I'll be off for awhile... I'll check back later.

 

by: cmsarkiss, posted on 2008-05-13 at 18:06:23 (ID: 21560495)

Thank you for your patience guys

 

by: IndiGenus, posted on 2008-05-14 at 03:32:40 (ID: 21562620)

1. Open Notepad.

2. Now copy/paste the text between the lines below into the Notepad window:

------------------------------------------------------------------------

File::
C:\WINDOWS\config\config.exe

DirLook::
C:\WINDOWS\config

Folder::
C:\WINDOWS\restore\host

Driver::
UniSerialControlCNT
svcmngr

------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please upload the following reports/logs.

-Combofix.txt
-A new HijackThis log

 

by: rpggamergirl, posted on 2008-05-14 at 04:16:32 (ID: 21562870)

Beat me to it, I think that "config" folder is bad, likely Backdoor.Ranky

C:\WINDOWS\zjxn <-- is it related to zjxn.com which is a bad site?

C:\WINDOWS\SYSTEM32\runtime <-- I'm suspicious of this one too.

what do you think?

 

by: cmsarkiss, posted on 2008-05-14 at 06:06:03 (ID: 21563666)

Attached results

 

by: IndiGenus, posted on 2008-05-14 at 06:12:10 (ID: 21563738)

Getting there I think. As rpg said I think we can delete that folder:

C:\WINDOWS\config

You can do it manually using Windows Explorer. If there are problems, let us know and we can advise a tool for removal, or try in Safe Mode.

I think both of those other folders you pointed out are bad too.
C:\WINDOWS\zjxn  
C:\WINDOWS\SYSTEM32\runtime

Other than that I would advise next a rootkit scan or 2. This was a nasty one. How's it running now?

 

by: cmsarkiss | Posted on 2008-05-14 at 06:43:31 | ID: 21564051

OK, I was able to delete those folders and files from Windows Explorer.
How do I run a rootkit scan?

 

by: IndiGenus | Posted on 2008-05-14 at 07:13:29 | ID: 21564403

There are several different scanners. Here is one we can try:

Download Rootkit Revealer here (bottom of page):

http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx

Unzip the files and run RootkitRevealer.exe.

Press the scan button. Try to leave the system idle while running.

When done, select File-->Save... and post the contents of the log.
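RootkitRevealer finds hidden objects by cross-view comparison: it enumerates the file system and registry once through the normal Windows API and once by parsing the raw volume and hive data, then reports every entry on which the two views disagree. A rootkit that hooks the API can hide its files from the first pass but not from the second. That is also why the post asks for an idle machine: any file written between the two passes shows up as a discrepancy that is noise rather than a rootkit. The code below is an added illustration of that logic, not RootkitRevealer's own code; the two listings are constructed for the example (sizes and the `runtime\rt.dll` name are made up, the other paths are the ones discussed in this thread), and the list of volatile path prefixes treated as scan-time noise is an assumption.

```python
"""Cross-view discrepancy check, the technique RootkitRevealer applies."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    path: str
    kind: str    # "hidden": raw only; "phantom": API only; "mismatch": sizes differ
    detail: str


# Constructed "API view": what a FindFirstFile/FindNextFile walk returns.
API_VIEW = {
    "C:\\WINDOWS\\explorer.exe": 1033728,
    "C:\\WINDOWS\\system32\\spoolsv.exe": 57856,
    "C:\\System Volume Information\\tracking.log": 4096,
}

# Constructed "raw view": the same tree read directly from the NTFS volume.
RAW_VIEW = {
    "C:\\WINDOWS\\explorer.exe": 1033728,
    "C:\\WINDOWS\\system32\\spoolsv.exe": 57856,
    # Present on disk but absent from the API listing: the rootkit signature.
    "C:\\WINDOWS\\config\\config.exe": 24576,
    "C:\\WINDOWS\\SYSTEM32\\runtime\\rt.dll": 8192,   # constructed name
    # Same file, different size: it grew between the two passes.
    "C:\\System Volume Information\\tracking.log": 8192,
}

# Assumption: areas that legitimately change while a scan is running.
VOLATILE_PREFIXES = ("C:\\System Volume Information\\",)


def cross_view(api_view, raw_view):
    """Diff two {path: size} listings and return every disagreement."""
    found = []
    for path, raw_size in raw_view.items():
        api_size = api_view.get(path)
        if api_size is None:
            found.append(Discrepancy(path, "hidden",
                                     f"raw size {raw_size}, not returned by API"))
        elif api_size != raw_size:
            found.append(Discrepancy(path, "mismatch",
                                     f"API {api_size} vs raw {raw_size}"))
    for path, api_size in api_view.items():
        if path not in raw_view:
            found.append(Discrepancy(path, "phantom",
                                     f"API size {api_size}, absent from raw volume"))
    return sorted(found, key=lambda d: d.path)


def triage(discrepancies):
    """Split the diff into entries that need a look and entries explained by
    scan-time churn. A discrepancy under a volatile prefix is treated as
    noise; everything else, above all a 'hidden' entry under \\WINDOWS,
    is what a rootkit looks like in this output."""
    suspicious, noise = [], []
    for d in discrepancies:
        if d.path.startswith(VOLATILE_PREFIXES):
            noise.append(d)
        else:
            suspicious.append(d)
    return suspicious, noise


def scan_sample():
    """Run the comparison over the constructed listings above."""
    return triage(cross_view(API_VIEW, RAW_VIEW))


if __name__ == "__main__":
    suspicious, noise = scan_sample()
    for d in suspicious:
        print(f"SUSPICIOUS {d.kind:9} {d.path}  ({d.detail})")
    for d in noise:
        print(f"noise      {d.kind:9} {d.path}  ({d.detail})")
```

If a real run reports only `mismatch` or `phantom` entries under paths that are busy during the scan, rerun with the machine idle before treating them as findings; a `hidden` entry under `\WINDOWS` or `\WINDOWS\system32` is the one that warrants follow-up.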

 

by: cmsarkiss | Posted on 2008-05-14 at 13:45:52 | ID: 21568516

When Rootkit was running a message from AVG popped up: Potentially Unwanted Program!
File name: \System Volume Information\_restore {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001049.dll
Threat name: Potentially harmful program RemoteAdmin.BEB
detected on open

Also when I tried to save the rootkit file to the desktop I got the error message: C:\Documents and Settings\Local Service\Desktop refers to a location that is unavailable...
 

by: IndiGenus | Posted on 2008-05-14 at 14:07:22 | ID: 21568744

Well I don't see anything too bad in there...

The System Volume Information folder holds your restore points. Those can and should be cleaned out: simply turn off System Restore, then turn it back on again. Described here...

http://www.sophos.com/support/knowledgebase/article/10386.html

On the Potentially harmful program I'm not sure. It may be part of RKR. Did it give you a file name? What did you select to do with it?

 

by: cmsarkiss | Posted on 2008-05-14 at 14:45:50 | ID: 21569022

File name: \System Volume Information\_restore {B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001049.dll
I sent this file to quarantine in AVG's Vault.

I cleaned out System Restore following the steps from Sophos.
If I try to go back on the calendar at System Restore I am not allowed. Is that OK?
 

by: IndiGenus | Posted on 2008-05-14 at 15:01:55 | ID: 21569101

Yes, you should have no old restore points. You didn't want them anyway as they were probably infected. You should have a new restore point now (clean) if you followed the instructions.

 

by: cmsarkiss | Posted on 2008-05-14 at 16:39:34 | ID: 31457263

Thank you !!!
YOU ARE GREAT!!!

 

by: IndiGenus | Posted on 2008-05-14 at 16:44:27 | ID: 21569610

You're welcome and glad we could help. Thanks for all the contribution from rpggamergirl too.

Regards,
Dave

 

by: rpggamergirl | Posted on 2008-05-14 at 17:02:11 | ID: 21569681

I seem to be always behind in every thread I'm in.

Glad to know it's been resolved.
Thanks!


Thanks to you too, IndiGenus, :)
