[Resolved] maybe masterparadise trojan

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

tonsafun

Thread Starter
Joined
Jan 16, 2003
Messages
9
I just started my computer up today and everything was fine until I opened "my documents" file and nothing at all showed up. I didn't have a virus scan installed on my computer and downloaded Norton and tried the Panda online scan and neither of them will work. I also can't control alt del, or open regedit. I found some tips from one past posting and nothing worked, except I downloaded the "startuplist" application and got this... which means nothing to me. I hope someone can help me get my files back, thanks.

StartupList report, 1/16/2003, 7:58:43 PM
StartupList version: 1.51
Started from : C:\DOCUME~1\Sam\Desktop\NEWFOL~1\STARTU~1.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WinServices.exe
C:\WINDOWS\System32\tcpsvs32.exe
C:\PROGRA~1\COMMON~1\CMEII\CMESys.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\ccApp.exe
C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\WINDOWS\Services32.exe
C:\PROGRA~1\COMMON~1\GMT\GMT.exe
C:\PROGRA~1\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Sam\Desktop\NEWFOL~1\STARTU~1.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

C-Media Mixer = C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
CMESys = "C:\PROGRA~1\COMMON~1\CMEII\CMESys.exe"
WinampAgent = "C:\Program Files\Winamp\Winampa.exe"
QuickTime Task = "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
Immcheck = immcheck.exe -1
WinStart001.EXE = C:\WINDOWS\System\WinStart001.EXE -b
WinServices = C:\WINDOWS\System32\WinServices.exe
WINSTA~1.EXE = C:\WINDOWS\System\WINSTA~1.EXE -b
NAV CfgWiz = C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
ccRegVfy = C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Mozilla Quick Launch = "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -aim
STYLEXP = C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
System32 = C:\WINDOWS\Services32.exe NORMAL

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "C:\WINDOWS\System32\nav32_loader.exe""%1"%*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\System32\FOne.dll - {000000F1-34E3-4633-87C6-1AA7A44296DA}
(no name) - C:\WINDOWS\System32\lwz.dll - {00000EF1-34E3-4633-87C6-1AA7A44296DA}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\System32\netpal.dll - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F}
Natural Language Navigation - C:\WINDOWS\System\BHO001.DLL - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}
(no name) - c:\Program Files\Flt\Flt.dll - {665ACD90-4541-4836-9FE4-062386BB8F05}
(no name) - C:\WINDOWS\System32\veg32.dlltmp - {7DD896A9-7AEB-430F-955B-CD125604FDCB}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Disk Cleanup.job

--------------------------------------------------

Enumerating Download Program Files:

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37582.5317708333

--------------------------------------------------
End of report, 5,325 bytes
Report generated in 0.200 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Joined
Dec 9, 2000
Messages
45,855
You have a number of major problems there, the most immediate and serious of which is a Yaha infection. I'm not sure which version it is, it may even be a new one.

You are going to have to jump through hoops to get rid of it.

Start by reading this Symantec article and using the removal tool.

I'm going to suggest some additional regedits, as I don't think the Tool will remove everything. But your first task is to get regedit working. You can do that by following their instructions to create reg.com.

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

You must remove the following entries from

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

1 -- WinStart001.EXE = C:\WINDOWS\System\WinStart001.EXE -b (this is actually associated with some other nasty, but kill it)

2 --WinServices = C:\WINDOWS\System32\WinServices.exe

from:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

1 -- System32 = C:\WINDOWS\Services32.exe NORMAL

>> To repair the registry's "shell open" entries, download this and run it after the Symantec Removal tool:

http://www.diamondcs.com.au/cleanrun.reg

You also have some spy and ad ware cleaning to do, but we'll tackle that after you post a yaha clean startup log.
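As an added example (not code from the thread or its helpers), a small Python triage script for the StartupList 1.51 report format pasted in this thread: it splits a report into sections, diffs the HKLM Run entries between a "before" and an "after" report (the comparison the helper is asking for when requesting a clean startup log), and flags a loader wedged into the .EXE file association, as in the first report's nav32_loader.exe entry. The two sample reports are constructed and abridged; the stock Windows value for exefile\shell\open\command is `"%1" %*`.

```python
# Triage helpers for StartupList 1.51 reports like the ones pasted in this thread.
import re
SEPARATOR = re.compile(r"^-{10,}$", re.MULTILINE)
RUN_TITLE = "Autorun entries from Registry: {hive}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

def parse_report(text):
    """Map each separator-delimited section to its 'name = value' entries.
    The title is the block of lines before the section's first blank line."""
    sections = {}
    for chunk in filter(str.strip, SEPARATOR.split(text.replace("\r\n", "\n"))):
        head, _, body = chunk.strip().partition("\n\n")
        title = " ".join(ln.strip() for ln in head.splitlines() if ln.strip())
        entries = {}
        for line in body.splitlines():
            if " = " in line:
                name, value = line.split(" = ", 1)
                entries[name.strip()] = value.strip()
        sections[title] = entries
    return sections

def diff_run_entries(before, after, hive="HKLM"):
    """Run-key names removed from and added to a hive between two reports."""
    old = before.get(RUN_TITLE.format(hive=hive), {})
    new = after.get(RUN_TITLE.format(hive=hive), {})
    return ({n: v for n, v in old.items() if n not in new},
            {n: v for n, v in new.items() if n not in old})

def exe_association_loader(sections):
    """Path wedged in front of "%1" %* in the .EXE association, or None when the
    value is stock or the section is absent (StartupList drops it once clean)."""
    for title, entries in sections.items():
        if title.startswith("File association entry for .EXE:"):
            cmd = entries.get("(Default)", "")
            if cmd.replace(" ", "") == '"%1"%*':  # stock value with spaces removed
                return None
            m = re.match(r'"([^"]+)"', cmd)  # quoted loader path glued to "%1"%*
            return m.group(1) if m else cmd
    return None

# Constructed, abridged samples in the report's own format: before and after cleanup.
SAMPLE_BEFORE = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

WinServices = C:\WINDOWS\System32\WinServices.exe
ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "C:\WINDOWS\System32\nav32_loader.exe""%1"%*
"""
SAMPLE_AFTER = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""
```

Running `diff_run_entries(parse_report(SAMPLE_BEFORE), parse_report(SAMPLE_AFTER))` reports WinServices as removed and nothing added, and `exe_association_loader` returns the loader path for the first sample and None for the second.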
 

tonsafun

Thread Starter
Joined
Jan 16, 2003
Messages
9
Thanks for the help, I'll start reading that stuff. I just took care of the spyware with the search and destroy program.
 

tonsafun

Thread Starter
Joined
Jan 16, 2003
Messages
9
I ran the checks and it found and said it deleted the Yaha worm. Then I ran the live update and it found "hanta" w32.hllp.handy and I quarantined it. I found "winservices.exe-06a34fe0.pf" in c\windows\prefetch, but not the "WinServices = C:\WINDOWS\System32\WinServices.exe". Here is my new startup log, thanks. Sam

StartupList report, 1/17/2003, 10:20:14 AM
StartupList version: 1.51
Started from : C:\Documents and Settings\Sam\Desktop\New Folder\StartupList.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapsvc.exe
C:\PROGRA~1\NORTON~1\Cfgwiz.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Services32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Norton AntiVirus\NAVW32.EXE
C:\Program Files\AIM95\aim.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Sam\Desktop\New Folder\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

C-Media Mixer = C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
WinampAgent = "C:\Program Files\Winamp\Winampa.exe"
QuickTime Task = "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
Immcheck = immcheck.exe -1
WinStart001.EXE = C:\WINDOWS\System\WinStart001.EXE -b
WINSTA~1.EXE = C:\WINDOWS\System\WINSTA~1.EXE -b
NAV CfgWiz = C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Mozilla Quick Launch = "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -aim
STYLEXP = C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
System32 = C:\WINDOWS\Services32.exe NORMAL

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\System32\FOne.dll - {000000F1-34E3-4633-87C6-1AA7A44296DA}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\System32\netpal.dll (file missing) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F}
Natural Language Navigation - C:\WINDOWS\System\BHO001.DLL - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}
(no name) - (no file) - {7DD896A9-7AEB-430F-955B-CD125604FDCB}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Disk Cleanup.job
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37582.5317708333

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------
End of report, 4,954 bytes
Report generated in 0.260 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Joined
Oct 9, 2001
Messages
9,396
OK tonsafun.........now let's get rid of all the spyware.

you have "gohip", "netpal".......and possibly more.

go here: http://beam.to/spybotsd
download "Spybot Search and Destroy", update it, then run it, making sure all scanning options are checked.
delete anything and everything it finds and marks in RED.

then come back and post another startuplist.

sorry if this is all tedious, but it's necessary.
good luck;)
 
Joined
Oct 9, 2001
Messages
9,396
ROG or TONY.......one I don't know is "F0ne.dll" located in the browser helper objects.

anyone?
 
Joined
Dec 9, 2000
Messages
45,855
Ok, it looks like Yaha is gone; the AV removed winservices.exe, but other problems remain.

Did you do the regedits recommended? -- if so they've come back.

This one's a mystery, but I know it doesn't belong:

System32 = C:\WINDOWS\Services32.exe NORMAL

This one is associated with a bad plugin:

WinStart001.EXE = C:\WINDOWS\System\WinStart001.EXE -b

http://www.doxdesk.com/parasite/IGetNet.html

You can try the manual removal instructions there, but I'd also recommend installing, updating and running Spybot. When updating, accept all the updates except for the PGP and Language tools.

http://tomcoyote.com/SPYBOT/
 
Joined
Oct 9, 2001
Messages
9,396
System32 = C:\WINDOWS\Services32.exe NORMAL

???


that was in the 1st list.:rolleyes:

:D
 

tonsafun

Thread Starter
Joined
Jan 16, 2003
Messages
9
I upgraded Spybot but didn't see "gohip" or "netpal", but I did get rid of all of the red that it found. I just did the regedits that were suggested but didn't find WinServices = C:\WINDOWS\System32\WinServices.exe in HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Here it is again, hopefully it's clean, thanks a bunch. Also, should I worry about the W32.hllp.handy that Norton detected?




StartupList report, 1/17/2003, 4:05:23 PM
StartupList version: 1.51
Started from : C:\Documents and Settings\Sam\Desktop\New Folder\StartupList.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\Services32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Sam\Desktop\New Folder\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

C-Media Mixer = C:\Program Files\PCI Audio Applications\Bin\AudioRack.exe /MixerStartup
WinampAgent = "C:\Program Files\Winamp\Winampa.exe"
QuickTime Task = "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
Immcheck = immcheck.exe -1
WINSTA~1.EXE = C:\WINDOWS\System\WINSTA~1.EXE -b
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Mozilla Quick Launch = "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -aim

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\System32\FOne.dll - {000000F1-34E3-4633-87C6-1AA7A44296DA}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\System32\netpal.dll (file missing) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F}
Natural Language Navigation - C:\WINDOWS\System\BHO001.DLL - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF}
(no name) - (no file) - {7DD896A9-7AEB-430F-955B-CD125604FDCB}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Disk Cleanup.job
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37582.5317708333

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------
End of report, 4,662 bytes
Report generated in 0.100 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Joined
Oct 9, 2001
Messages
9,396
find your way to:
c:\windows\system32\netpal.dll and delete it.
also: c:\windows\system\WINSTA.~1.EXE-b
if you find these, delete 'em.
(In MSCONFIG it may show up as c:\windows\winsta~1.exe)
uncheck it if it's in there.
as for W32.hllp.handy ....low level threat.....if Norton sees it....you should allow it to nuke it.
let us know how you do.
;)
 
Joined
Oct 9, 2001
Messages
9,396
balzac...........this one is new to me..............I sort of thought it was dodgy but couldn't find anything about it.
thanx for the heads up.
;)
 

tonsafun

Thread Starter
Joined
Jan 16, 2003
Messages
9
Thanks a bunch. I have my files back and Norton or Spybot didn't pick anything up. Thanks again.
Sam
 