Is MSevents BHO a trojan or virus? (New)
dvk01
Moderator & Malware Removal Specialist with 37,223 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
14-Apr-2005, 04:44 AM #16
we need to find the other files that are associated with this one

download agent ransack from http://www.mythicsoft.com/agentransack/default.aspx

install it & run it
when it opens paste this into the containing text box
B8B55274-0F9A-41E5-9067-A3539BD9E860

set the next drop down box to look in C: and press start search

leave it and it will search every file on your computer for that text and make a list of them

it will take some time but is the only way we can find the hidden backups of this file and we believe that there are 6 of them but we don't know what they are called or where they are

when it finishes press file and then save results and make sure the dot is in clipboard and that there is a tick in filename only ( make sure contents is unticked)

press save and then paste the contents back here in a reply please

that should give us a list of files that this pest has made and where they are on the computer so we can then find a way of removing them
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
tbroka
Junior Member with 4 posts.
Join Date: Apr 2005
Experience: Intermediate
15-Apr-2005, 12:40 PM #17
I have the same experience as Aardvark6, though instead of being stuck with webjava.dll, I am stuck with a file called infoxml.dll.
It has the same id (B8B55274 etc.) and is stuck in the registry in the same way.
I have managed to successfully remove req.dat and req.exe and I think housecall removed infoxml.exe.

Please help!
dvk01
Moderator & Malware Removal Specialist with 37,223 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
15-Apr-2005, 02:22 PM #18
It's a part of the virtumonde adware trojans and we are working on a fix. It is pointless trying to fix it by any normal means as it doesn't work

when a fix is available it will be told to everyone; until then, the only guaranteed cure is to wipe the computer & format & reinstall

I am not hopeful of finding a workable fix very quickly
Aardvaark6
Junior Member with 8 posts.
Join Date: Apr 2005
Experience: Intermediate
15-Apr-2005, 10:42 PM #19
Derek,

Results from RegSrch VBscript below:

REGEDIT4
; RegSrch.vbs Bill James

; Registry search results for string "webjava" 16/04/2005 11:39:15 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}\InprocServer32]
@="C:\\WINDOWS\\system32\\export\\webjava.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\webjava]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\webjava]
"DllName"="C:\\WINDOWS\\system32\\export\\webjava.dll"

[HKEY_USERS\S-1-5-21-1864070133-3781577800-2533593800-1005\Software\Microsoft\Search Assistant\ACMru\5603]
"001"="webjava"

[HKEY_USERS\S-1-5-21-1864070133-3781577800-2533593800-1005\Software\Microsoft\Search Assistant\ACMru\5604]
"000"="webjava"

[HKEY_USERS\S-1-5-21-1864070133-3781577800-2533593800-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"c"="C:\\!Submit\\webjava.dll"

[HKEY_USERS\S-1-5-21-1864070133-3781577800-2533593800-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"e"="C:\\WINDOWS\\system32\\export\\webjava.dll"

[HKEY_USERS\S-1-5-21-1864070133-3781577800-2533593800-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dll]
"a"="C:\\WINDOWS\\system32\\export\\webjava.dll"

[HKEY_USERS\S-1-5-21-1864070133-3781577800-2533593800-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dll]
"b"="C:\\!Submit\\webjava.dll"
Aardvaark6
Junior Member with 8 posts.
Join Date: Apr 2005
Experience: Intermediate
16-Apr-2005, 01:23 AM #20
Hello Derek,

Yesterday, PC-cillin started reporting TROJ_AGENT.FZ when it scanned webjava.dll. I assume that TrendMicro have updated their signature file with this new variant? However, it could not clean or quarantine the file. Also, now whenever I start an IE window, the resident part of PC-cillin pops up to warn that a virus has been detected.

Ransack log below.

Cheers,
Ike.

C:\WINDOWS\system32\export\webjava.dll (410 KB, 9/04/2005 10:38:56 AM)

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Resident.log (4 KB, 14/04/2005 11:34:38 AM)
25 10/04/2005 11:42:28 AM Allowed value "{B8B55274-0F9A-41E5-9067-A3539BD9E860}" (new data: "") deleted in Browser Helper Object!
26 10/04/2005 11:42:30 AM Allowed value "{B8B55274-0F9A-41E5-9067-A3539BD9E860}" (new data: "") added in Browser Helper Object!
29 11/04/2005 6:51:08 PM Allowed value "{B8B55274-0F9A-41E5-9067-A3539BD9E860}" (new data: "") deleted in Browser Helper Object!

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Excludes\RegKeyWhite.sbe (1 KB, 11/04/2005 6:51:10 PM)
1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8B55274-0F9A-41E5-9067-A3539BD9E860}=

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots\Browser helper objects.csv (1 KB, 9/04/2005 12:08:30 PM)
6 {B8B55274-0F9A-41E5-9067-A3539BD9E860},"MSEvents Object"

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots\RegBHO-Global.reg (1 KB, 13/04/2005 11:10:14 PM)
12 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\NSJGX2T9\default5[2].asp (52 KB, 14/04/2005 11:36:00 PM)
536 <b>{B8B55274-0F9A-41E5-9067-A3539BD9E860}</b>

C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\SZSHEPOL\newthread[2].php (55 KB, 13/04/2005 10:50:20 AM)
374 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
724 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll

C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\SZSHEPOL\t352315&highlight=msevents[1].html (53 KB, 13/04/2005 9:41:42 AM)
525 O2 - BHO: <span class="highlight">MSEvents</span> Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Web\PRINTERS\wavereg.dll<br />

C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\SZSHEPOL\showthread[6].php (135 KB, 14/04/2005 10:26:04 AM)
507 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
711 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
922 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
1771 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
1833 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />

C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\SZSHEPOL\showthread[2].php (66 KB, 13/04/2005 4:32:22 PM)
507 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
711 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
922 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />

C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\SZSHEPOL\showthread[1].php (82 KB, 13/04/2005 10:02:36 AM)
1470 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\abrinet.dll<br />

C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\SZSHEPOL\t351228&highlight=msevents[1].html (142 KB, 13/04/2005 10:03:42 AM)
498 O2 - BHO: <span class="highlight">MSEvents</span> Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Microsoft.NET\mfcras.dll<br />
814 O2 - BHO: <span class="highlight">MSEvents</span> Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Microsoft.NET\mfcras.dll<br />
1308 O2 - BHO: <span class="highlight">MSEvents</span> Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Microsoft.NET\mfcras.dll<br />
1666 O2 - BHO: <span class="highlight">MSEvents</span> Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Microsoft.NET\mfcras.dll<br />
1957 O2 - BHO: <span class="highlight">MSEvents</span> Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Microsoft.NET\mfcras.dll<br />
2232 CLSID: <b>{B8B55274-0F9A-41E5-9067-A3539BD9E860}</b><br />
2287 O2 - BHO: <span class="highlight">MSEvents</span> Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Microsoft.NET\mfcras.dll<br />

C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\SZSHEPOL\showthread[3].php (81 KB, 13/04/2005 11:13:48 PM)
506 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
710 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
921 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />

C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\SZSHEPOL\showthread[4].php (98 KB, 13/04/2005 11:37:16 PM)
506 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
710 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
921 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
1770 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
1832 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />

C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\SZSHEPOL\showthread[5].php (108 KB, 14/04/2005 10:01:32 AM)
506 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
710 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
921 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
1770 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
1832 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />

C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\7QK9QBLJ\t351714&highlight=msevents[1].html (77 KB, 13/04/2005 9:44:24 AM)
1472 O2 - BHO: <span class="highlight">MSEvents</span> Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\abrinet.dll<br />

C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\7QK9QBLJ\showthread[1].php (140 KB, 16/04/2005 11:55:10 AM)
521 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
723 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
934 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
1783 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
1845 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />

C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\7QK9QBLJ\t351654&highlight=msevents[1].html (49 KB, 13/04/2005 10:11:32 AM)
512 O2 - BHO: <span class="highlight">MSEvents</span> Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\msvcacc.dll<br />

C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\WL6FKPQV\showthread[5].php (132 KB, 14/04/2005 10:24:52 AM)
503 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
707 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
918 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
1767 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
1829 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />

C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\WL6FKPQV\showthread[1].php (46 KB, 13/04/2005 10:51:52 AM)
506 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />

C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\WL6FKPQV\showthread[2].php (81 KB, 13/04/2005 11:22:06 PM)
506 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
710 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
921 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />

C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\WL6FKPQV\showthread[3].php (128 KB, 14/04/2005 10:15:12 AM)
501 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
705 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
916 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
1764 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
1826 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />

C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\JE9I4RV3\showthread[1].php (55 KB, 16/04/2005 11:43:28 AM)
462 B8B55274-0F9A-41E5-9067-A3539BD9E860<br />
923 [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}\InprocServer32]<br />

C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\JE9I4RV3\showthread[3].php (55 KB, 16/04/2005 11:55:26 AM)
463 B8B55274-0F9A-41E5-9067-A3539BD9E860<br />
924 [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}\InprocServer32]<br />

C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\JE9I4RV3\newreply[1].php (58 KB, 13/04/2005 11:21:46 PM)
866 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
938 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
1042 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />

C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\JE9I4RV3\showthread[2].php (108 KB, 14/04/2005 10:10:04 AM)
506 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
710 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
921 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
1770 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />
1832 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll<br />

C:\Documents and Settings\Ike\Local Settings\Application Data\Identities\{E1717AEC-B553-4DA0-8B97-1AA06D0EB3AE}\Microsoft\Outlook Express\Inbox.dbx (4701 KB, 16/04/2005 11:55:24 AM)
60085 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll
60497 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Web\printers\diskhard.dll

C:\Program Files\SpywareGuard\sglog.txt (19 KB, 9/04/2005 2:29:16 PM)
357 BHO: {B8B55274-0F9A-41E5-9067-A3539BD9E860}
365 BHO: {B8B55274-0F9A-41E5-9067-A3539BD9E860}
373 BHO: {B8B55274-0F9A-41E5-9067-A3539BD9E860}
381 BHO: {B8B55274-0F9A-41E5-9067-A3539BD9E860}
389 BHO: {B8B55274-0F9A-41E5-9067-A3539BD9E860}
397 BHO: {B8B55274-0F9A-41E5-9067-A3539BD9E860}
405 BHO: {B8B55274-0F9A-41E5-9067-A3539BD9E860}
413 BHO: {B8B55274-0F9A-41E5-9067-A3539BD9E860}
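An added example, not code from the thread or from any of the tools named in it: a small Python script that correlates the BHO CLSID across the kinds of log lines posted above (HijackThis O2 lines, including the copies Agent Ransack found inside cached forum HTML, and Spybot S&D Resident.log entries). The sample text is a handful of lines copied from the logs in this thread; it shows the same CLSID registered under several different DLL names and a BHO entry re-added two seconds after Spybot deleted it.

```python
"""Correlate one BHO CLSID across log excerpts of the kind posted in this thread:
HijackThis 'O2 - BHO' lines (including copies cached as forum HTML, with a
line-number prefix and <span>/<br> tags) and Spybot S&D Resident.log entries.
It surfaces the two facts the thread relies on: one CLSID registered under
several DLL names, and a BHO value re-added seconds after a scanner deleted it."""
import re
from collections import defaultdict
from datetime import datetime

CLSID = r"\{?(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?"
O2_RE = re.compile(r"O2 - BHO: (?P<name>.*?) - " + CLSID + r" - (?P<path>[^\r\n]+)")
RESIDENT_RE = re.compile(
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r'Allowed value "' + CLSID + r'".*?(?P<action>deleted|added) in Browser Helper Object'
)
TAG_RE = re.compile(r"<[^>]+>")  # strip HTML residue from cached forum pages

# Sample lines taken from the logs posted in this thread (Spybot dates are d/m/Y).
SAMPLE = r"""
C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\SZSHEPOL\showthread[1].php (82 KB, 13/04/2005 10:02:36 AM)
1470 O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\abrinet.dll<br />

C:\Documents and Settings\Ike\Local Settings\Temporary Internet Files\Content.IE5\SZSHEPOL\t352315&highlight=msevents[1].html (53 KB, 13/04/2005 9:41:42 AM)
525 O2 - BHO: <span class="highlight">MSEvents</span> Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Web\PRINTERS\wavereg.dll<br />

Logfile of HijackThis v1.99.1
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs\Resident.log (4 KB, 14/04/2005 11:34:38 AM)
25 10/04/2005 11:42:28 AM Allowed value "{B8B55274-0F9A-41E5-9067-A3539BD9E860}" (new data: "") deleted in Browser Helper Object!
26 10/04/2005 11:42:30 AM Allowed value "{B8B55274-0F9A-41E5-9067-A3539BD9E860}" (new data: "") added in Browser Helper Object!
29 11/04/2005 6:51:08 PM Allowed value "{B8B55274-0F9A-41E5-9067-A3539BD9E860}" (new data: "") deleted in Browser Helper Object!
"""


def bho_sightings(text):
    """Map each CLSID to the set of DLL paths (case-folded) it was registered from."""
    seen = defaultdict(set)
    for raw in text.splitlines():
        m = O2_RE.search(TAG_RE.sub("", raw))
        if m:
            seen[m.group("clsid").upper()].add(m.group("path").strip().lower())
    return dict(seen)


def polymorphic_clsids(sightings, min_names=2):
    """CLSIDs seen under at least `min_names` different DLL file names.
    A legitimate BHO keeps one DLL; this one changes its name per machine."""
    out = {}
    for clsid, paths in sightings.items():
        names = {p.rsplit("\\", 1)[-1] for p in paths}
        if len(names) >= min_names:
            out[clsid] = sorted(names)
    return out


def reregistration_events(text, within_seconds=60):
    """Return (clsid, seconds) for every 'deleted' that is followed by an 'added'
    of the same CLSID within `within_seconds`: the self-repair the thread describes."""
    events = []
    for raw in text.splitlines():
        m = RESIDENT_RE.search(raw)
        if m:
            ts = datetime.strptime(f"{m.group('date')} {m.group('time')}", "%d/%m/%Y %I:%M:%S %p")
            events.append((ts, m.group("clsid").upper(), m.group("action")))
    events.sort()
    hits, last_delete = [], {}
    for ts, clsid, action in events:
        if action == "deleted":
            last_delete[clsid] = ts
        elif clsid in last_delete:
            gap = (ts - last_delete[clsid]).total_seconds()
            if 0 <= gap <= within_seconds:
                hits.append((clsid, gap))
    return hits


if __name__ == "__main__":
    print("CLSIDs under several names:", polymorphic_clsids(bho_sightings(SAMPLE)))
    print("re-registered after delete:", reregistration_events(SAMPLE))
```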
dvk01
Moderator & Malware Removal Specialist with 37,223 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
16-Apr-2005, 03:59 AM #21
Many antiviruses can find the file now & stop it being installed in the first place but nothing can clean it yet

The logs show exactly what I thought, that there is only one copy of the file actually on the computer

I'm sorry we haven't got better news yet but as soon as a cure is found we will let you know and many people are working on it
iteminspace
Junior Member with 1 posts.
Join Date: Apr 2005
Experience: Advanced
16-Apr-2005, 04:17 AM #22
Managed to remove wmscom.dll
I faced the same issue with WMSCOM.DLL. As it is attached to winlogon, I could not get rid of it. It also installed multiple copies of it (5).

I finally got the better of it, I think.

1. In a command prompt window check the file size in bytes.
2. do: cd\
3. dir /s >x
4. notepad x and find files with the same byte size and you may then decide to delete them.
5. To ensure that you did not miss hidden files also do: dir /s /a:h >y
6. edit y and do the same.

Now to the tough part to get rid of WMSCOM.DLL. I first tried to use Killbox but the process is smart and deletes the registry entry immediately after it detects that killbox entered it for deletion.

I therefore finally decided to boot to the secure command prompt from the XP install CD. I did cd\windows\web\printers and attrib -h WMSCOM.DLL and then issued the delete.

I hope this helps some people.
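An added example, not code from the thread or from the tools it names: a Python helper that does in one pass what dvk01's post #16 (search every file for the CLSID text) and iteminspace's post #22 (compare byte sizes from dir /s, including hidden files) do by hand. It scans for the CLSID in both ASCII and UTF-16LE, reads large files in chunks without missing a match that straddles a chunk boundary, skips files it cannot open, and then lists every file whose size equals a known bad sample. The sample tree it builds is constructed for the demo and contains no real malware.

```python
"""Hunt for hidden copies of the BHO DLL the way the thread does by hand:
(1) scan every file under a root for the CLSID text (the Agent Ransack step in
    post #16), checking both ASCII and UTF-16LE since Windows binaries embed
    GUIDs either way; (2) list files whose byte size equals a known bad sample
    (the 'dir /s' size comparison in post #22). Hypothetical helper for
    illustration, not the tools the thread names."""
import os
import tempfile

MARKER = "B8B55274-0F9A-41E5-9067-A3539BD9E860"   # CLSID quoted in the thread
CHUNK = 1 << 20                                    # read files 1 MiB at a time


def _needles(marker):
    return [marker.encode("ascii"), marker.encode("utf-16-le")]


def file_contains(path, needles):
    """Stream the file in chunks, keeping an overlap so a match that straddles
    a chunk boundary is not missed. Unreadable (locked, permission) files are
    skipped rather than aborting the whole scan."""
    overlap = max(len(n) for n in needles) - 1
    tail = b""
    try:
        with open(path, "rb") as fh:
            while True:
                chunk = fh.read(CHUNK)
                if not chunk:
                    return False
                buf = tail + chunk
                if any(n in buf for n in needles):
                    return True
                tail = buf[-overlap:]
    except OSError:
        return False


def find_marker_files(root, marker=MARKER):
    """Return (path, size, mtime) for every file under root that contains the marker.
    os.walk lists hidden files too, so no separate 'dir /s /a:h' pass is needed."""
    needles = _needles(marker)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and file_contains(p, needles):
                st = os.stat(p)
                hits.append((p, st.st_size, st.st_mtime))
    return sorted(hits)


def same_size_files(root, size):
    """Files under root whose byte size equals `size`: renamed copies of one DLL
    share a size even when the name and directory differ."""
    out = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                if os.path.isfile(p) and os.path.getsize(p) == size:
                    out.append(p)
            except OSError:
                pass
    return sorted(out)


def build_demo_tree():
    """Constructed sample tree (not a real infection): one 'bad' DLL, a renamed
    same-size copy in another directory, a text file that merely mentions the
    CLSID, a clean DLL, and a file whose marker straddles a chunk boundary."""
    root = tempfile.mkdtemp(prefix="bho_demo_")
    body = b"MZ" + b"\x00" * 64 + MARKER.encode("utf-16-le") + b"\x00" * 64
    files = {
        os.path.join("WINDOWS", "system32", "export", "webjava.dll"): body,
        os.path.join("WINDOWS", "Web", "printers", "wavereg.dll"): body,
        os.path.join("WINDOWS", "notes.txt"): ("O2 - BHO: MSEvents Object - {%s}\n" % MARKER).encode(),
        os.path.join("WINDOWS", "clean.dll"): b"MZ" + b"\x00" * len(body),
        os.path.join("Temp", "straddle.bin"): b"A" * (CHUNK - 5) + MARKER.encode("ascii") + b"B" * 10,
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def run_demo():
    """Build the tree and report what each check found, by file name."""
    root = build_demo_tree()
    bad_size = os.path.getsize(os.path.join(root, "WINDOWS", "system32", "export", "webjava.dll"))
    return {
        "marker": sorted(os.path.basename(p) for p, _size, _mtime in find_marker_files(root)),
        "same_size": sorted(os.path.basename(p) for p in same_size_files(root, bad_size)),
    }


if __name__ == "__main__":
    print(run_demo())
```

On a real machine you would point find_marker_files and same_size_files at the drive root, then hand the resulting list to whoever is helping you before deleting anything, since files that only mention the CLSID (cached web pages, logs) show up alongside the DLL copies.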
chewb
Junior Member with 1 posts.
Join Date: Apr 2005
16-Apr-2005, 06:56 AM #23
Me too..
I've the same infection.. : B8B55274-0F9A-41E5-9067-A3539BD9E860 (file found by hijackthis is nutmain.dll...)

I've found a lot of files with Agent Ransack... but I have a problem with one....
The NTUSER.DAT file of one user account was found by Agent Ransack...
Can I delete this file ??
tbroka
Junior Member with 4 posts.
Join Date: Apr 2005
Experience: Intermediate
16-Apr-2005, 02:45 PM #24
Thank you very much for all your great advice dvk01 and iteminspace.

I think I've nailed it....
I have successfully removed infoxml.dll, lmxofni.ini and lmxofni.ini2 from c:\windows\web\ by using the secure WinXP console off a WinXP install disc.
I have also removed all references to those files and {B8B55....} in my registry.
(This is following the successful removal of req.dat etc...)

Only thing is.....
I was unable to find any duplicates of the evil dll or anything like it (file size, date or containing B8B55...). So not sure if I've done a complete job.
PC a bit slow on startup as well, not sure if the registry is a bit messed up now.

Can you suggest any free registry cleaning tools?

@dvk01: unfortunately we don't see many hedgehogs in central London.
dvk01
Moderator & Malware Removal Specialist with 37,223 posts.
Join Date: Dec 2002
Location: Loughton, Essex, UK
16-Apr-2005, 02:55 PM #25
If you have a full xp install disc and can install and use the repair console then that is the way to do it

delete the dodgy file and it appears that there is only one and then reboot normally and post a HJT log so we can hopefully attempt to clear up the left over registry entries

we are trying to find a way for users that only have a recovery disc and no RC available
tbroka
Junior Member with 4 posts.
Join Date: Apr 2005
Experience: Intermediate
16-Apr-2005, 03:15 PM #26
I only have recovery discs from sony, so I borrowed a copy of winxp.
Having tried installing RC so that it would load on reboot as directed by the microsoft support website, it failed as it said the operating system was more recent.
However, RC loaded fine when booted from CD.

Here is a copy of the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 19:14:04, on 16/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\sony\VAIO Media Integrated Server\VMISrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VMConsole.exe
C:\Program Files\sony\vaio update 2\VAIOUpdt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\ICO.EXE
C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\sony\sonicstage mastering studio\audio filter\SSMSFilter.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\sony\vaio entertainment\VzTrayIcon.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\sony\VAIO Launcher\Launcher.exe
C:\Program Files\sony\vaio entertainment\VzTaskScheduler.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.vaio-link.com/vu.asp?l=en&u=m&h=0809
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VZRemoteCommander] C:\Program Files\Sony\VAIO Zone Remote Commander\AvRmtCtr.exe
O4 - HKLM\..\Run: [VMConsole.exe] "C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VMConsole.exe" /windowmin
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Switcher.exe] C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\sony\vaio power management\SPMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PP8 SE Reminder] "C:\Program Files\Scansoft\PaperPort\WebEreg\NAVBrowser.exe" -r "C:\Program Files\Scansoft\PaperPort\WebEreg\navLoad.ini"
O4 - HKLM\..\Run: [PDService.exe] C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ISBMgr.exe] C:\Program Files\Sony\ISB Utility\ISBMgr.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: BlueSpace NE.lnk = C:\Program Files\sony\BlueSpace\BlueSpaceNE.exe
O4 - Startup: VAIO Launcher.lnk = C:\Program Files\sony\VAIO Launcher\Launcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Audio Filter.lnk = C:\Program Files\sony\sonicstage mastering studio\audio filter\SSMSFilter.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O4 - Global Startup: Recording Status.lnk = C:\Program Files\sony\vaio entertainment\VzTrayIcon.exe
O4 - Global Startup: SmartUI.lnk = ?
O4 - Global Startup: tvtvforPC.lnk = C:\Program Files\tvtvforPC\tvtvforPC.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2321beb60134717db322/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {AEF76437-F960-4EBC-97EA-7BBB4230CF38} (OcarptMain Class) - https://oca.microsoft.com/en/secure/ocarpt.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Integrated Multimedia Server - Unknown owner - C:\PROGRA~1\NETGEAR\MEDIAS~1\ImmsService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment Task Scheduler - Sony Corporation - C:\Program Files\sony\vaio entertainment\VzTaskScheduler.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Unknown owner - C:\Program Files\sony\VAIO Media Integrated Server\Platform\VmGateway.exe" /Service=VAIOMediaPlatform-Mobile-Gateway /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Addons\Packages\Mobile\Gateway" /DisplayName="VAIO Media Gateway Server (file missing)
O23 - Service: VAIO Cooporated Initialisation (VCI) - Sony Corporation - C:\Program Files\Sony\VAIO Cooperated Initialisation\VCI_SVC.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe

Thanks
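A small triage helper for HijackThis lines like the ones above, added here as an example (it is not from this thread or from HijackThis itself): it parses the section code, CLSID and target of each line and flags entries worth a second look: "(file missing)", "Unknown owner", an O4 startup target of "?", a Run value that is only a bare filename, or a BHO loaded from system32. Those flags are review prompts chosen for this example, not a malware verdict; five sample lines are copied from the log above and one O2 line is constructed with a placeholder CLSID.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Sample HijackThis lines: five copied from the log above, plus one constructed
# O2 line whose placeholder CLSID stands in for the BHO discussed in this thread.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: MSevents Object - {00000000-1111-2222-3333-444444444444} - C:\WINDOWS\system32\vbmc.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Unknown owner - C:\Program Files\sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-IntegratedServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\IntegratedServer\HTTP (file missing)
"""
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

@dataclass
class Entry:
    section: str          # HijackThis section code: O2, O4, O23 ...
    body: str             # everything after "Oxx - "
    clsid: Optional[str]  # first {GUID} on the line, if any
    flags: List[str]      # reasons a human should look at this line

def triage_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line and attach review flags (heuristics, not a verdict)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    flags: List[str] = []
    if "(file missing)" in body:
        flags.append("file missing")  # registered target is no longer on disk
    if section == "O23" and " - Unknown owner - " in body:
        flags.append("unknown owner")  # service binary carries no publisher name
    if section == "O4":
        if body.endswith(" = ?"):
            flags.append("unresolved startup target")
        if "\\..\\Run: [" in body and "] " in body and "\\" not in body.split("] ", 1)[1]:
            flags.append("bare filename")  # found via search path, not a fixed location
    if section == "O2" and re.search(r"\\system32\\[^\\]+\.dll$", body, re.I):
        flags.append("BHO loaded from system32")  # unusual home for a third-party BHO
    clsid = CLSID_RE.search(body)
    return Entry(section, body, clsid.group(0) if clsid else None, flags)

def triage(log: str) -> List[Entry]:
    """Parse every recognised line; blank and non-O lines are skipped."""
    return [e for e in (triage_line(l) for l in log.splitlines()) if e]

def needs_review(log: str) -> List[Entry]:
    return [e for e in triage(log) if e.flags]
```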
Junior Member with 1 posts.
 
Join Date: Apr 2005
16-Apr-2005, 08:39 PM #27
trojan agent u
Yup, this is the exact same virus that's been hounding me for this past week; boy, am I glad I found this thread. The first symptoms I saw were freezing in IE while opening a new window, so I scanned my computer with AVG and tried to delete the detected files. I restarted my computer and req.dat and mfcjava.dll were gone, but the other dll you guys were trying to delete was still there, vbmc.dll in my case. I found a temporary fix by disabling MSevents in the manage add-ons box in IE, and I tried deleting the registry keys with BHOcaptor. But they just kept coming back; that's when I came here and tried the recovery console. Just went in, used attrib -h on the suspected files and deleted all of them. There were about five of them in my microsoft.net folder with .bak1, .bak2, ini and ini2 extensions. After restarting I just went back into BHO captor to delete the key and it's gone. But I'm pretty sure there's more reg keys that were created by the troj. Thanks
Junior Member with 1 posts.
 
Join Date: Apr 2005
Experience: Intermediate
17-Apr-2005, 03:50 PM #28
Same prob
I have encountered the same problem, except my DLL is called svccab.dll. This thread seems to be the only thing on the net that seems to understand that normal tactics don't work on this trojan.

What do you guys mean by 'attrib -h' exactly?
Senior Member with 1,157 posts.
 
Join Date: Sep 2002
17-Apr-2005, 06:11 PM #29
Basically, you can't delete hidden files from a command prompt.
The attrib -h command is used to remove the hidden attribute of a file.

http://support.microsoft.com/default...307654&sd=tech

eg.

attrib -h filename.dll
del filename.dll
Junior Member with 4 posts.
 
Join Date: Apr 2005
Experience: Intermediate
17-Apr-2005, 07:01 PM #30
When I deleted my ugly dll and its ini and ini2 files using the recovery console, the hidden files were shown when typing 'dir' and I seemed to successfully delete them without putting attrib -h?
I hope I did delete them successfully!

Quote:
Basically, you can't delete hidden files from a command prompt.
The attrib -h command is used to remove the hidden attribute of a file.
I have never found .bak or .bak2 files for my dll.

I also still haven't found out how my PC got infected. It seems strange that this trojan is supposedly self-inflicted (by the user downloading etc.) when everybody seems to have been affected by req and the MSO dll on the same dates?