
Computer getting very laggy


  • This topic is locked
31 replies to this topic

#1 getaran

getaran

    Member

  • Members
  • 34 posts

Posted 05 April 2008 - 09:41 AM

My computer is getting very slow recently. One thing I notice is that whenever I start up, the time on my Windows will be 1st January, 2002. Even though I've changed it to the current time, it will still be the same every time I boot my computer. I suspect something is amiss. Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:59 AM, on 1/1/2002
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\WINNT\system32\smsc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\fixweb.exe
C:\WINNT\System32\taskmgr.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\tmnet streamyx\streamyx.exe
C:\Program Files\PrevxCSI\PrevxCSI.exe
C:\WINNT\System32\windowsupdate.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.100
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_2/home.html"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows has Layer] fixweb.exe
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" /bootupreg
O4 - HKLM\..\Run: [windowsupdate] C:\WINNT\System32\windowsupdate.exe
O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunServices: [windowsupdate] C:\WINNT\System32\windowsupdate.exe
O4 - HKLM\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows has Layer] fixweb.exe
O4 - HKCU\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "c:\program files\msn messenger\msnmsgs.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows has Layer] fixweb.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: iFinger.lnk = C:\Program Files\iFinger\iFinger.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O15 - ESC Trusted Zone: http://66ad.32666.com
O15 - ESC Trusted Zone: http://ad.32666.com
O15 - ESC Trusted Zone: http://cfad.32666.com
O15 - ESC Trusted Zone: http://www.32666.com
O15 - ESC Trusted Zone: http://3w.ycdy.com
O15 - ESC Trusted Zone: http://www.ycdy.com
O15 - ESC Trusted Zone: http://www1.ycdy.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{362E849A-77C7-4D47-ABB7-C8D53C60B3F5}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0B6A9C-AE08-4F61-8015-45904A9EF6F5}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\\PrevxCSI.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
O23 - Service: Windows Output Browser - Unknown owner - C:\WINNT\system32\smsc.exe

--
End of file - 8964 bytes

#2 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,145 posts
  • Gender:Female


Posted 05 April 2008 - 10:42 AM

Hi and welcome

Are you running more than one antivirus?
[PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe"?, AVG7?, MicroWorld Antivirus?
If this is the case: while this may seem like greater protection, it can cause problems including slowdowns and system hangs, and also hinder fixes we may try to do on this machine.
Make a decision which to keep; if you need help uninstalling one, let me know.


Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

O4 - HKLM\..\Run: [Windows has Layer] fixweb.exe
O4 - HKLM\..\Run: [windowsupdate] C:\WINNT\System32\windowsupdate.exe
O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunServices: [windowsupdate] C:\WINNT\System32\windowsupdate.exe
O4 - HKLM\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKCU\..\Run: [Windows has Layer] fixweb.exe
O4 - HKCU\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKUS\.DEFAULT\..\Run: [Windows has Layer] fixweb.exe (User 'Default user')
O15 - ESC Trusted Zone: http://66ad.32666.com
O15 - ESC Trusted Zone: http://ad.32666.com
O15 - ESC Trusted Zone: http://cfad.32666.com
O15 - ESC Trusted Zone: http://www.32666.com
O15 - ESC Trusted Zone: http://3w.ycdy.com
O15 - ESC Trusted Zone: http://www.ycdy.com
O15 - ESC Trusted Zone: http://www1.ycdy.com


NEXT**
Download: ResetProtocolDefaults.reg
http://www.mvps.org/...colDefaults.reg

Locate "ResetProtocolDefaults.reg"
Right-click and select: Merge (Ok the prompt)



NEXT**
Download SDFix or from Here and save it to your Desktop
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.cmd to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the SDFix Report.txt back on the forum with a new HijackThis log



NEXT**
Please download Malwarebytes' Anti-Malware to your desktop

Additional Link

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location.
* You can also access the log by doing the following:

o Click on the Malwarebytes' Anti-Malware icon to launch the program.
o Click on the Logs tab.
o Click on the log at the bottom of those listed to highlight it.
o Click Open.

In your next reply, please post:
* SDFix Report.txt
* Malwarebytes' Anti-Malware log
* new HijackThis log taken after the above scan has run

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Please do not PM me for HJT help, we all benefit from posting on the open board.

MS - MVP Consumer Security 2009 - 2014
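A small triage script for HijackThis O4/O15/O23 lines, added here as an example and not part of this thread or of HijackThis itself. The sample lines are copied from the first log above, and the three rules (the same executable launched from several Run keys, any Trusted Zone entry, a service with no identified owner or a missing file) encode the entries the helper picked out; the script generalizes that to any HJT log of the same format.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample: a subset of the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows has Layer] fixweb.exe
O4 - HKLM\..\Run: [windowsupdate] C:\WINNT\System32\windowsupdate.exe
O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunServices: [windowsupdate] C:\WINNT\System32\windowsupdate.exe
O4 - HKLM\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows has Layer] fixweb.exe
O4 - HKCU\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKUS\.DEFAULT\..\Run: [Windows has Layer] fixweb.exe (User 'Default user')
O15 - ESC Trusted Zone: http://ad.32666.com
O15 - ESC Trusted Zone: http://www.ycdy.com
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Windows Output Browser - Unknown owner - C:\WINNT\system32\smsc.exe
"""

# Line shapes as HijackThis 2.0 prints them.
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - (?P<zone>.+?): (?P<site>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.*?) - (?P<path>.+)$")


class Finding(NamedTuple):
    section: str   # O4 / O15 / O23
    subject: str   # executable, site or service display name
    reason: str


def executable_name(cmd: str) -> str:
    """Return the lower-cased file name of the program an O4 command launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        program = cmd[1:cmd.find('"', 1)]   # quoted path: the text inside the quotes
    else:
        program = cmd.split(" ", 1)[0]       # bare name or unquoted path: first token
    return program.rsplit("\\", 1)[-1].lower()


def autostart_locations(log_text: str) -> Dict[str, List[str]]:
    """Map each autostarted executable to the registry keys that launch it."""
    where = defaultdict(set)
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            # HJT abbreviates "...\CurrentVersion\" as "..": "HKLM\..\Run" -> "HKLM\Run"
            location = m.group("key").replace("\\..\\", "\\")
            where[executable_name(m.group("cmd"))].add(location)
    return {exe: sorted(locs) for exe, locs in where.items()}


def triage(log_text: str) -> List[Finding]:
    findings = []
    # Rule 1: a legitimate program registers one autostart entry. The same executable
    # launched from two or more Run/RunOnce/RunServices keys across hives is the
    # persistence pattern of fixweb.exe and windowsupdate.exe in this log.
    for exe, locs in autostart_locations(log_text).items():
        if len(locs) >= 2:
            findings.append(Finding("O4", exe, f"launched from {len(locs)} autostart keys: {', '.join(locs)}"))
    for line in log_text.splitlines():
        # Rule 2: the IE Trusted Zone is empty by default, so every O15 entry is a
        # site that was granted relaxed security settings and needs review.
        m = O15_RE.match(line)
        if m:
            findings.append(Finding("O15", m.group("site"), "site added to the IE Trusted Zone"))
            continue
        # Rule 3: services whose owner HJT could not identify, or whose binary is gone.
        m = O23_RE.match(line)
        if m:
            owner = m.group("owner").strip()
            if owner in ("", "Unknown owner"):
                findings.append(Finding("O23", m.group("display"), f"no identified owner: {m.group('path')}"))
            elif "(file missing)" in m.group("path"):
                findings.append(Finding("O23", m.group("display"), "service points at a missing file"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.subject:<32} {f.reason}")
```

"Unknown owner" also appears on legitimate third-party services (BlueSoleil, Tango in the log above), so rule 3 marks entries for review rather than for removal.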

#3 getaran

getaran

    Member

  • Members
  • 34 posts

Posted 05 April 2008 - 01:25 PM

Thanks for the instructions.
However, I have a problem running Malwarebytes' Anti-Malware...
Every time I want to run the program, an error message appears:

"An error occurred. Please report the following error code to the Malwarebytes' Anti-Malware support team.
Error code: 718 (-2146893799)"

What should I do now?

Anyway I've run SDFix and this is the log together with HJT log file.

Please advise on what to do next.


SDFix: Version 1.166

Run by Ducky1 on Tue 01/01/2002 at 3:42a

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINNT\SYSTEM32\SETUP_~3.EXE - Deleted
C:\n.exe - Deleted
C:\WINNT\system32\n.exe - Deleted
C:\WINNT\system32\setup_38684.exe - Deleted
C:\WINNT\system32\setup_45015.exe - Deleted
C:\WINNT\system32\setup_30520.exe - Deleted
C:\WINNT\system32\d.dll - Deleted
C:\WINNT\system32\i - Deleted
C:\WINNT\system32\msn.dll - Deleted
C:\WINNT\system32\smsc.exe - Deleted
C:\WINNT\system32\systemac.dll - Deleted
C:\WINNT\system32\WindowsUpdate.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2002-01-01 04:03:56
Windows 5.0.2195 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 3 Jul 2007 1,152 A.SH. --- "C:\vdemvefv.sys"
Sat 2 Apr 2005 1,682 A.SH. --- "C:\WINNT\system32\KGyGaAvL.sys"
Sat 2 Apr 2005 56 ..SHR --- "C:\WINNT\system32\83B2BDE68A.sys"
Wed 11 Dec 2002 73,728 ..SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Tue 1 Jan 2002 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 22 Apr 2006 45,568 ...H. --- "C:\Documents and Settings\Ducky1\My Documents\~WRL0001.tmp"
Sun 23 Apr 2006 42,496 ...H. --- "C:\Documents and Settings\Ducky1\My Documents\~WRL2051.tmp"
Sun 23 Apr 2006 44,544 ...H. --- "C:\Documents and Settings\Ducky1\My Documents\~WRL3363.tmp"
Sun 23 Apr 2006 45,568 ...H. --- "C:\Documents and Settings\Ducky1\My Documents\~WRL0053.tmp"
Sun 22 Jan 2006 36,864 ...H. --- "C:\Documents and Settings\Ducky1\My Documents\~WRL3238.tmp"
Sun 22 Jan 2006 41,472 ...H. --- "C:\Documents and Settings\Ducky1\Application Data\Microsoft\Word\~WRL0004.tmp"
Sun 23 Apr 2006 42,496 ...H. --- "C:\Documents and Settings\Ducky1\Application Data\Microsoft\Word\~WRL2341.tmp"
Sun 23 Apr 2006 45,568 ...H. --- "C:\Documents and Settings\Ducky1\Application Data\Microsoft\Word\~WRL3041.tmp"

Finished!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:33:52 AM, on 1/1/2002
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\PrevxCSI\PrevxCSI.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
C:\WINNT\Explorer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\fixweb.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\System32\taskmgr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\tmnet streamyx\streamyx.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_2/home.html"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows has Layer] fixweb.exe
O4 - HKCU\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "c:\program files\msn messenger\msnmsgs.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows has Layer] fixweb.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: iFinger.lnk = C:\Program Files\iFinger\iFinger.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{362E849A-77C7-4D47-ABB7-C8D53C60B3F5}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0B6A9C-AE08-4F61-8015-45904A9EF6F5}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\\PrevxCSI.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
O23 - Service: Windows Output Browser - Unknown owner - C:\WINNT\system32\smsc.exe (file missing)

--
End of file - 8262 bytes

#4 getaran

getaran

    Member

  • Members
  • 34 posts

Posted 05 April 2008 - 01:31 PM

BTW, I would like to keep AVG only, hence I would like to uninstall PrevxCSI. Can you please guide me on how to uninstall it? Also, I had no idea about the existence of MicroWorld Antivirus on my computer, so I'd like to remove it as well.

#5 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,145 posts
  • Gender:Female


Posted 05 April 2008 - 09:08 PM

Welcome back

Go to your Control Panel > Add/Remove Programs and uninstall/delete these if found:
PrevxCSI
MicroWorld Technologies Inc




Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKCU\..\Run: [Windows has Layer] fixweb.exe
O4 - HKCU\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKUS\.DEFAULT\..\Run: [Windows has Layer] fixweb.exe (User 'Default user')
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\\PrevxCSI.exe
O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE


C:\SDFix\backups <--delete this folder
C:\Program Files\PrevxCSI <--delete the folder
C:\Program Files\Common Files\MicroWorld <--delete the folder


NEXT**
Go to START > Run > then copy and paste these commands one at a time and press OK after each

sc stop CSIScanner

sc delete CSIScanner

sc stop MWAgent

sc delete MWAgent

EXIT


Reboot your computer



Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingc...to-use-combofix

Please ensure you install the Recovery Console.

* When the tool is finished, it will produce a report for you.
* Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
Please do not PM me for HJT help, we all benefit from posting on the open board.

MS - MVP Consumer Security 2009 - 2014

#6 getaran

getaran

    Member

  • Members
  • 34 posts

Posted 05 April 2008 - 10:24 PM

ComboFix 07-08-06.5 - "Ducky1" 01/01/2002 1:46:00.4 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.16 [GMT 8:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\csrss.dll


((((((((((((((((((((((((( Files Created from 2001-11-28 to 2001-12-31 )))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

12/30/04 10:38p --------- d-------- C:\Program Files\RM Converter
12/30/04 03:02p --------- d-------- C:\DOCUME~1\Ducky1\APPLIC~1\Azureus
12/30/04 03:01p --------- d-------- C:\Program Files\Azureus
12/29/04 03:23p --------- d-------- C:\Program Files\BitComet
12/26/03 09:32p 4096 --a------ C:\WINNT\system32\CSUNINST.EXE
12/26/03 09:32p --------- d-------- C:\Program Files\Net2Phone
12/26/03 09:30p 98304 --a------ C:\WINNT\system32\N2PUtil.dll
12/26/03 09:30p 28672 --a------ C:\WINNT\system32\N2PAuto.exe
12/26/03 09:30p --------- d-------- C:\Program Files\Real
12/26/03 09:30p --------- d-------- C:\Program Files\Common Files\Real
12/25/04 04:23p 652800 --a------ C:\WINNT\system32\wacult.exe
12/20/01 08:22p 110592 --a------ C:\WINNT\system32\pscLE118.dll
12/18/06 06:38a --------- d-------- C:\Program Files\SmartFTP Client 2.0
12/18/06 06:38a --------- d-------- C:\DOCUME~1\Ducky1\APPLIC~1\SmartFTP
12/18/06 06:37a --------- d-------- C:\Program Files\SmartFTP Client 2.0 Setup Files
12/18/06 06:00a 16007 --a------ C:\WINNT\mozver.dat
12/16/06 05:36p --------- d-------- C:\Program Files\Google
12/16/06 05:35p --------- d-------- C:\Program Files\Picasa2
12/16/04 04:32p 13304 --a------ C:\WINNT\system32\drivers\BTNetFilter.sys
12/14/04 07:04p 266240 --a------ C:\WINNT\system32\xvidvfw.dll
12/14/04 07:02p 1175552 --a------ C:\WINNT\system32\xvidcore.dll
12/14/03 04:47p 692224 --a------ C:\WINNT\system32\ciaResSvr20.dll
12/13/03 05:38a 311296 --a------ C:\WINNT\system32\winhttp.dll
12/12/06 04:59p --------- d-------- C:\DOCUME~1\Ducky1\APPLIC~1\DivX
12/12/03 05:41p 53248 --a------ C:\WINNT\system32\ciaXPRegSvr20.DLL
12/12/02 12:14a 98816 --a------ C:\WINNT\system32\dmstyle.dll
12/12/02 12:14a 98816 --a------ C:\WINNT\system32\dllcache\dmstyle.dll
12/12/02 12:14a 8192 --a------ C:\WINNT\system32\d3d8thk.dll
12/12/02 12:14a 80896 --a------ C:\WINNT\system32\dpvsetup.exe
12/12/02 12:14a 77824 --a------ C:\WINNT\system32\dpmodemx.dll
12/12/02 12:14a 77824 --a------ C:\WINNT\system32\dllcache\dpmodemx.dll
12/12/02 12:14a 76800 --a------ C:\WINNT\system32\dpwsockx.dll
12/12/02 12:14a 76800 --a------ C:\WINNT\system32\dmscript.dll
12/12/02 12:14a 76800 --a------ C:\WINNT\system32\dllcache\dpwsockx.dll
12/12/02 12:14a 7424 --a------ C:\WINNT\system32\drivers\mskssrv.sys
12/12/02 12:14a 733184 --a------ C:\WINNT\system32\qedwipes.dll
12/12/02 12:14a 723968 --a------ C:\WINNT\system32\dpnet.dll
12/12/02 12:14a 64512 --a------ C:\WINNT\system32\dllcache\amstream.dll
12/12/02 12:14a 64512 --a------ C:\WINNT\system32\amstream.dll
12/12/02 12:14a 602624 --a------ C:\WINNT\system32\dx7vb.dll
12/12/02 12:14a 602624 --a------ C:\WINNT\system32\dllcache\dx7vb.dll
12/12/02 12:14a 58368 --a------ C:\WINNT\system32\dmcompos.dll
12/12/02 12:14a 58368 --a------ C:\WINNT\system32\dllcache\dmcompos.dll
12/12/02 12:14a 5504 --a------ C:\WINNT\system32\drivers\mstee.sys
12/12/02 12:14a 5248 --a------ C:\WINNT\system32\drivers\mspclock.sys
12/12/02 12:14a 491520 --a------ C:\WINNT\system32\dsdmoprp.dll
12/12/02 12:14a 45696 --a------ C:\WINNT\system32\drivers\stream.sys
12/12/02 12:14a 44544 --a------ C:\WINNT\system32\dxdllreg.exe
12/12/02 12:14a 4096 --a------ C:\WINNT\system32\ksuser.dll
12/12/02 12:14a 4096 --a------ C:\WINNT\system32\drivers\swenum.sys
12/12/02 12:14a 381952 --a------ C:\WINNT\system32\dpvoice.dll
12/12/02 12:14a 355328 --a------ C:\WINNT\system32\dsound.dll
12/12/02 12:14a 34304 --a------ C:\WINNT\system32\mciqtz32.dll
12/12/02 12:14a 34304 --a------ C:\WINNT\system32\dllcache\mciqtz32.dll
12/12/02 12:14a 33280 --a------ C:\WINNT\system32\dmloader.dll
12/12/02 12:14a 33280 --a------ C:\WINNT\system32\dllcache\dmloader.dll
12/12/02 12:14a 324096 --a------ C:\WINNT\system32\mswebdvd.dll
12/12/02 12:14a 311808 --a------ C:\WINNT\system32\qdv.dll
12/12/02 12:14a 311808 --a------ C:\WINNT\system32\dllcache\qdv.dll
12/12/02 12:14a 3072 --a------ C:\WINNT\system32\dpnlobby.dll
12/12/02 12:14a 3072 --a------ C:\WINNT\system32\dpnaddr.dll
12/12/02 12:14a 284160 --a------ C:\WINNT\system32\ddraw.dll
12/12/02 12:14a 28160 --a------ C:\WINNT\system32\dplaysvr.exe
12/12/02 12:14a 28160 --a------ C:\WINNT\system32\dllcache\dplaysvr.exe
12/12/02 12:14a 27136 --a------ C:\WINNT\system32\dmband.dll
12/12/02 12:14a 27136 --a------ C:\WINNT\system32\dllcache\dmband.dll
12/12/02 12:14a 257024 --a------ C:\WINNT\system32\qcap.dll
12/12/02 12:14a 257024 --a------ C:\WINNT\system32\dllcache\qcap.dll
12/12/02 12:14a 24064 --a------ C:\WINNT\system32\dllcache\ddrawex.dll
12/12/02 12:14a 24064 --a------ C:\WINNT\system32\ddrawex.dll
12/12/02 12:14a 217600 --a------ C:\WINNT\system32\dplayx.dll
12/12/02 12:14a 19968 --a------ C:\WINNT\system32\dpvacm.dll
12/12/02 12:14a 18944 --a------ C:\WINNT\system32\encapi.dll
12/12/02 12:14a 186880 --a------ C:\WINNT\system32\dsdmo.dll
12/12/02 12:14a 18432 --a------ C:\WINNT\system32\dswave.dll
12/12/02 12:14a 1798144 --a------ C:\WINNT\system32\qedit.dll
12/12/02 12:14a 173056 --a------ C:\WINNT\system32\qasf.dll
12/12/02 12:14a 171520 --a------ C:\WINNT\system32\dmime.dll
12/12/02 12:14a 171520 --a------ C:\WINNT\system32\dllcache\dmime.dll
12/12/02 12:14a 16896 --a------ C:\WINNT\system32\dpnsvr.exe
12/12/02 12:14a 13312 --a------ C:\WINNT\system32\msdmo.dll
12/12/02 12:14a 130304 --a------ C:\WINNT\system32\drivers\ks.sys
12/12/02 12:14a 1294336 --a------ C:\WINNT\system32\dsound3d.dll
12/12/02 12:14a 1294336 --a------ C:\WINNT\system32\dllcache\dsound3d.dll
12/12/02 12:14a 1177600 --a------ C:\WINNT\system32\d3d8.dll
12/12/02 12:14a 116736 --a------ C:\WINNT\system32\dmusic.dll
12/12/02 12:14a 116736 --a------ C:\WINNT\system32\dllcache\dmusic.dll
12/12/02 12:14a 112128 --a------ C:\WINNT\system32\dpvvox.dll
12/12/02 12:14a 100864 --a------ C:\WINNT\system32\dmsynth.dll
12/12/02 12:14a 100864 --a------ C:\WINNT\system32\dllcache\dmsynth.dll
12/12/02 11:35p 86016 -ra------ C:\WINNT\system32\drivers\SCBaud.w9x
12/12/01 07:25a 53248 --a------ C:\WINNT\system32\PSCNE118.exe
12/11/06 05:56a 16786 --a------ C:\WINNT\winsbak.reg
12/11/06 05:56a 117022 --a------ C:\WINNT\winsbak2.reg
12/11/06 05:10a 70 --a------ C:\WINNT\taskmen.pif
12/11/02 07:12p 760968 --a------ C:\WINNT\system32\wmsdmod.dll
12/11/02 07:12p 316040 --a------ C:\WINNT\system32\mp43dmod.dll
12/11/02 07:11p 410248 --a------ C:\WINNT\system32\wmadmod.dll
12/11/02 07:10p 816264 --a------ C:\WINNT\system32\wmvdmod.dll
12/11/02 07:07p 486536 --a------ C:\WINNT\system32\wmspdmod.dll
1999-12-07 04:00:00 65,198 --sh--r C:\WINNT\system32\windowsupdate.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="soundman.exe" [05/29/01 02:02a C:\WINNT\soundman.exe]
"Synchronization Manager"="mobsync.exe" [12/07/99 12:00p C:\WINNT\system32\mobsync.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/01/02 03:11a]
"windowsupdate"="C:\WINNT\System32\windowsupdate.exe" [12/07/99 12:00p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [09/04/07 04:40p]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [04/22/03 02:43p]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [08/06/04 03:33p]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"windowsupdate"=C:\WINNT\System32\windowsupdate.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"Windows has Layer"=fixweb.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="c:\program files\msn messenger\msnmsgs.exe" /background

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 05:05:56]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-10-20 20:54:18]
iFinger.lnk - C:\Program Files\iFinger\iFinger.exe [2004-05-24 19:49:24]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-07-23 12:44:07]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"=0 (0x0)
"SynchronousUserGroupPolicy"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFileMenu"=0 (0x0)
"NoShellSearchButton"=0 (0x0)
"NoManageMyComputerVerb"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoSMHelp"=0 (0x0)
"HideClock"=1 (0x1)
"NoViewOnDrive"=0 (0x0)
"LockTaskbar"=0 (0x0)
"NoTrayItemsDisplay"=0 (0x0)
"StartmenuLogoff"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoChangeStartMenu"=1 (0x1)
"NoTrayContextMenu"=0 (0x0)
"NoStartMenuMorePrograms"=1 (0x1)
"NoSimpleStartMenu"=0 (0x0)
"NoCloseDragDropBands"=0 (0x0)
"NoMovingBands"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R0 BTHidMgr;Bluetooth HID Manager Service;C:\WINNT\System32\Drivers\BTHidMgr.sys
R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\System32\Drivers\avg7rsnt.sys
R2 iindne;iindne;C:\WINNT\system32\rundll32.exe C:\PROGRA~1\COMMON~1\vindte\vindte.dll,Service -s
R3 BlueletAudio;Bluetooth Audio Service;C:\WINNT\System32\DRIVERS\blueletaudio.sys
R3 BT;Bluetooth PAN Network Adapter;C:\WINNT\System32\DRIVERS\btnetdrv.sys
R3 BTHidEnum;Bluetooth HID Enumerator;C:\WINNT\System32\DRIVERS\vbtenum.sys
R3 FA31X;NETGEAR FA311/FA312 NDIS 5.0 Miniport Driver;C:\WINNT\System32\DRIVERS\FA31XND5.SYS
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINNT\System32\drivers\msmpu401.sys
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINNT\System32\DRIVERS\RMSPPPOE.SYS
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINNT\System32\Drivers\RootMdm.sys
R3 VComm;Virtual Serial port driver;C:\WINNT\System32\DRIVERS\VComm.sys
R3 VcommMgr;Bluetooth VComm Manager Service;C:\WINNT\System32\Drivers\VcommMgr.sys
S0 xmfti;xmft;C:\WINNT\System32\DRIVERS\xmfti.sys
S1 sglfb;sglfb;C:\WINNT\System32\drivers\sglfb.sys
S2 CoolWare;CoolWare;C:\WINNT\System32\svchost.exe -k netsvcs
S2 Windows Output Browser;Windows Output Browser;"C:\WINNT\system32\smsc.exe"
S3 Btcsrusb;Bluetooth USB For Bluetooth Service;C:\WINNT\System32\Drivers\btcusb.sys
S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINNT\system32\drivers\BTNetFilter.sys
S3 CSDriver;CSDriver;\??\C:\WINNT\system32\drivers\CSDriver.sys
S3 DM9102;CNET PRO200 PCI Fast Ethernet NT Driver ;C:\WINNT\System32\DRIVERS\DM9PCI5.SYS
S3 ENDETECT;ENDETECT;\??\C:\PROGRA~1\EFFICI~1\TANGOM~1\app\ENDETECT.SYS
S3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;C:\WINNT\System32\DRIVERS\enetnt.sys
S3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\System32\drivers\ichaud.sys
S3 MPE;BDA MPE Filter;C:\WINNT\System32\DRIVERS\MPE.sys
S3 Mtlmnt5;Mtlmnt5;C:\WINNT\System32\DRIVERS\Mtlmnt5.sys
S3 Mtlstrm;Mtlstrm;C:\WINNT\System32\DRIVERS\Mtlstrm.sys
S3 NtMtlFax;NtMtlFax;C:\WINNT\System32\DRIVERS\NtMtlFax.sys
S3 NTSTPL1;NTSTPL1;\??\C:\PROGRA~1\EFFICI~1\TANGOM~1\app\NTSTPL1.SYS
S3 RAWESR;RAWESR;\??\C:\PROGRA~1\EFFICI~1\TANGOM~1\app\RAWESR.SYS
S3 Slnt7554;USB Soft Modem Driver;C:\WINNT\System32\DRIVERS\slnt7554.sys
S3 SlNtHal;SlNtHal;C:\WINNT\System32\DRIVERS\Slnthal.sys
S3 SlWdmSup;SlWdmSup;C:\WINNT\System32\DRIVERS\SlWdmSup.sys
S3 TAPBIND;TAPBIND;\??\C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TAPBIND1.SYS
S3 USBARW;=USB Mass Storage Disk Driver=;C:\WINNT\System32\DRIVERS\USBARW.SYS
S3 usbser;Motorola USB Modem Driver;C:\WINNT\System32\DRIVERS\usbser.sys
S3 V90drv;v90drv;C:\WINNT\System32\DRIVERS\v90drv.sys
S3 wceusbsh;Windows CE USB Serial Host Driver;C:\WINNT\System32\DRIVERS\wceusbsh.sys
Start Pending2 pydh;Windows pydh RunThem;C:\WINNT\System32\svchost.exe -k netsvcs


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2002-01-01 01:52:49
Windows 5.0.2195 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 01/01/2002 1:54:25
C:\ComboFix-quarantined-files.txt ... 01/01/02 01:54a
C:\ComboFix3.txt ... 08/07/07 09:25p
C:\ComboFix2.txt ... 01/01/02 12:32a

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:06:29 AM, on 1/1/2002
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\soundman.exe
C:\WINNT\System32\windowsupdate.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\explorer.exe
C:\Program Files\tmnet streamyx\streamyx.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.100
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_2/home.html"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [windowsupdate] C:\WINNT\System32\windowsupdate.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "c:\program files\msn messenger\msnmsgs.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: iFinger.lnk = C:\Program Files\iFinger\iFinger.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{362E849A-77C7-4D47-ABB7-C8D53C60B3F5}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0B6A9C-AE08-4F61-8015-45904A9EF6F5}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
O23 - Service: Windows Output Browser - Unknown owner - C:\WINNT\system32\smsc.exe (file missing)

--
End of file - 7725 bytes

#7 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,145 posts
  • Gender:Female


Posted 06 April 2008 - 07:04 AM

Delete the version of ComboFix you have now, it's very out dated.


Download Combofix from any of the links below, and save it to your desktop. <-- Important: Do NOT run this yet.

Link 1
Link 2
Link 3




Disable AVG Anti-Spyware :
Please disable AVG Anti-Spyware as it may interfere with the fix.
Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an 'S' in the system tray.
In the Resident Shield section, toggle the AVG Anti-Spyware active protection off by clicking Change state which will then change the protection status to 'inactive'
If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to Restart the Resident Shield.
Reply No and set it to inactive for the duration of your cleanup.



Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

O4 - HKLM\..\RunServices: [windowsupdate] C:\WINNT\System32\windowsupdate.exe
O23 - Service: Windows Output Browser - Unknown owner - C:\WINNT\system32\smsc.exe (file missing)


Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK). *Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail. Copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

File::
C:\WINNT\winsbak.reg
C:\WINNT\winsbak2.reg
C:\WINNT\system32\windowsupdate.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windowsupdate"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"windowsupdate"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Windows has Layer"=-

[screenshot: CFScript.txt being dragged onto ComboFix.exe]

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



NEXT**
Go to Start > Control Panel > Internet Options
In the General tab, Temporary Internet Files, click: Delete Files
When prompted, check: Delete all offline content
You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)
Click OK

Then, go to Start >Run and enter: cleanmgr
Select the drive to clean: C:\
Check the following boxes and then press OK to remove:
Temporary Files
Temporary Internet Files
RecycleBin

Agree to the prompt to perform the action...



NEXT**
Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
Follow the instructions for the browser you use.
Read the instructions about the cookies. Delete what you do not need.

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.
When you have finished, click on the Exit button in the Main menu.





NEXT**
Let's run one more scan to check for any leftovers.
*Note
It is recommended to disable onboard antivirus and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
Or use Firefox with IE-Tab plugin
https://addons.mozil...efox/addon/1419
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
[screenshot: Scan is completed window]

[screenshot: Save Report As button]

To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.


In your next reply post:
new ComboFix.txt
Kaspersky log
New HJT


How is the computer at the moment?

You may need several replies to post the requested logs, otherwise they might get cut off.
Please do not PM me for HJT help, we all benefit from posting on the open board.

MS - MVP Consumer Security 2009 - 2014
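
An added example, not part of the thread and not HijackThis, ComboFix or Juliet's code: a small Python triage helper that parses O4/O23 lines from an HJT log, flags them using the same reasoning behind the two entries fixed above (a Windows 9x RunServices autorun on a Windows 2000 machine, and a "Windows"-branded service with no vendor whose binary is missing), and drafts the File::/Registry:: sections of a CFScript in the layout used in this thread. The sample lines are copied from the log posted above; the function names, the BRAND_WORDS list and the severity labels are this example's own assumptions.

```python
"""Triage HijackThis O4/O23 lines and draft a ComboFix CFScript for the hits.
Added example for this thread, not HijackThis, ComboFix or Juliet's code. The
heuristics encode the reasoning behind the two entries Juliet had fixed (a Win9x
RunServices autorun on a Windows 2000 box, and a "Windows"-branded service with
no vendor whose binary is missing); the draft mirrors her File::/Registry:: layout.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: six lines copied from the HijackThis log posted in the thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\RunServices: [windowsupdate] C:\WINNT\System32\windowsupdate.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "c:\program files\msn messenger\msnmsgs.exe" /background (User 'Default user')
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Windows Output Browser - Unknown owner - C:\WINNT\system32\smsc.exe (file missing)
"""

# O4 - <hive>\..\<Run key>: [<value name>] <command line> [(User '<name>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] "
    r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
# O23 - Service: <display name> - <vendor or "Unknown owner"> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.*?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKUS": "HKEY_USERS"}
BRAND_WORDS = ("windows", "microsoft", "update", "security")   # assumed lookalike words


@dataclass
class Finding:
    kind: str             # "O4" or "O23"
    severity: str         # "fix" (remove it) or "review" (verify by hand first)
    reasons: List[str]
    hive: str = ""        # O4 only, e.g. HKLM or HKUS\.DEFAULT
    key: str = ""         # O4 only, e.g. RunServices
    name: str = ""        # value name (O4) or service display name (O23)
    path: str = ""        # executable path with quotes and arguments stripped


def exe_path(cmd: str) -> str:
    """Executable part of an autorun command line: '"C:\\a b.exe" /s' -> 'C:\\a b.exe'."""
    m = re.match(r'^"([^"]+)"|^(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def triage_line(line: str) -> Optional[Finding]:
    """Finding for a suspicious O4/O23 line, None for a clean or unparsed line."""
    m = O4_RE.match(line.strip())
    if m:
        reasons, severity = [], "review"
        if m["key"].lower() == "runservices":
            # RunServices is a Windows 9x/ME key; NT-family Windows never needs it.
            reasons.append("RunServices key is Windows 9x-only; unused by legitimate NT software")
            severity = "fix"
        if any(w in m["name"].lower() for w in BRAND_WORDS):
            reasons.append("value name imitates a Windows component; check the file's version info")
        return Finding("O4", severity, reasons, m["hive"], m["key"], m["name"],
                       exe_path(m["cmd"])) if reasons else None
    m = O23_RE.match(line.strip())
    if m:
        reasons, severity = [], "review"
        if m["missing"]:
            # Registered service whose binary is gone: the registration still needs fixing.
            reasons.append("service binary is missing; orphaned service registration")
            severity = "fix"
        if m["owner"] == "Unknown owner" and m["name"].lower().startswith("windows "):
            reasons.append("'Windows'-branded service with no vendor in its version info")
        return Finding("O23", severity, reasons, name=m["name"], path=m["path"]) if reasons else None
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in map(triage_line, log_text.splitlines()) if f]


def draft_cfscript(findings: List[Finding]) -> str:
    """File::/Registry:: sections for the 'fix' O4 findings, in the thread's layout.
    O23 services are left out on purpose: in the thread they were removed with
    HijackThis "Fix checked", not through the CFScript."""
    files, regs = [], []
    for f in findings:
        if f.kind != "O4" or f.severity != "fix":
            continue
        if re.match(r"^[A-Za-z]:\\", f.path):      # File:: needs an absolute path
            files.append(f.path)
        root, _, rest = f.hive.partition("\\")     # HKUS\.DEFAULT -> HKEY_USERS\.DEFAULT
        hive = HIVES.get(root, root) + ("\\" + rest if rest else "")
        regs.append(f"[{hive}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\{f.key}]\n\"{f.name}\"=-")
    return "File::\n" + "\n".join(files) + "\n\nRegistry::\n" + "\n".join(regs) + "\n"
```

On the sample, `triage(HJT_SAMPLE)` returns two findings (the windowsupdate RunServices autorun and the Windows Output Browser service) and leaves the SoundMan, MsnMsgr and Default-user msnmsgr entries alone; `draft_cfscript` on them produces the File:: and Registry:: block for windowsupdate.exe, the same two sections Juliet wrote by hand.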

#8 getaran

getaran

    Member

  • Members
  • 34 posts

Posted 11 April 2008 - 10:10 AM

Sorry for the delay...was away for a few days...

Thanks for the guidance so far and it has been very helpful. I've done all the steps as instructed but I couldn't perform the final task. The main problem being my IE is not working at all. Every time I click to open my IE, it will pop up a window saying IEXPLORER.EXE has generated an error. I've tried uninstalling my IE and re-install it but to no avail. Can you advise me what to do?

Here are the combofix log and HJT log:

ComboFix 08-04-10.9 - Ducky1 04/11/2008 22:24:58.5 - FAT32x86
Running from: C:\Documents and Settings\Ducky1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ducky1\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINNT\system32\windowsupdate.exe
C:\WINNT\winsbak.reg
C:\WINNT\winsbak2.reg
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\ktyc\qzei.dll
C:\WINNT\system32\Cache
C:\WINNT\system32\config\SAM.SAV
C:\WINNT\system32\mstacim.sig
C:\WINNT\system32\windowsupdate.exe
C:\WINNT\Web\default.htt
C:\WINNT\winsbak.reg
C:\WINNT\winsbak2.reg

----- BITS: Possible infected sites -----

hxxp://download.microsoft.com
.
((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

2008-04-11 22:25 . 04/11/08 10:25p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_45c.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 08:12 62,158 ----a-w C:\lam.exe
2008-03-26 12:28 50,176 ----a-w C:\WINNT\uninstyler.exe
2008-03-11 01:22 23,495 ----a-w C:\WINNT\system32\syscmd.dll
2008-02-09 07:35 9,229 ----a-w C:\WINNT\system32\msconfger.dll
2007-03-09 18:48 4 ----a-w C:\Documents and Settings\Ducky1\ravver.dat
2004-05-22 04:11 4,047 ----a-w C:\Program Files\INSTALL.LOG
2004-05-05 02:36 569,350 ----a-w C:\Program Files\Pocket Mechanic.2577.CAB
2004-05-05 02:36 215 ----a-w C:\Program Files\Pocket Mechanic.INI
2003-10-17 06:54 1,078 ----a-w C:\Program Files\Pocket Mechanic.ico
2001-12-31 17:38 1,024 ----a-w C:\Documents and Settings\All Users\Application Data\sowdp88.dat
2001-12-31 17:06 271 ---h--w C:\Program Files\desktop.ini
2001-12-31 17:06 21,952 ---h--w C:\Program Files\folder.htt
2001-09-28 09:00 164,864 ----a-w C:\Program Files\UNWISE.EXE
1999-12-07 04:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2005-04-01 20:18 1,682 --sha-w C:\WINNT\system32\KGyGaAvL.sys
2005-04-01 20:18 56 --sh--r C:\WINNT\system32\83B2BDE68A.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [09/04/07 04:40p 6856704]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [04/22/03 02:43p 413775]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [08/06/04 03:33p 2502656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="soundman.exe" [05/29/01 02:02a 124416 C:\WINNT\soundman.exe]
"Synchronization Manager"="mobsync.exe" [12/07/99 12:00p 111376 C:\WINNT\system32\mobsync.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/01/02 03:11a 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\msn messenger\msnmsgs.exe" [07/12/07 11:10a 69632]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [01/01/02 03:11a 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [12/07/99 01:00p 186640]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 05:05:56 65588]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-10-20 20:54:18 113664]
iFinger.lnk - C:\Program Files\iFinger\iFinger.exe [2004-05-24 19:49:24 912384]
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-07-23 12:44:07 1183744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"LockTaskbar"= 0 (0x0)
"NoChangeStartMenu"= 1 (0x1)
"NoStartMenuMorePrograms"= 1 (0x1)
"NoSimpleStartMenu"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)
"NoMovingBands"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\System32\Drivers\avg7rsnt.sys [01/01/02 03:12a]
R3 FA31X;NETGEAR FA311/FA312 NDIS 5.0 Miniport Driver;C:\WINNT\System32\DRIVERS\FA31XND5.SYS [06/06/01 04:24p]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINNT\System32\DRIVERS\RMSPPPOE.SYS [10/03/02 12:09a]
S0 xmfti;xmft;C:\WINNT\System32\DRIVERS\xmfti.sys []
S1 sglfb;sglfb;C:\WINNT\System32\drivers\sglfb.sys [12/07/99 12:00p]
S2 CoolWare;CoolWare;C:\WINNT\System32\svchost.exe [12/07/99 12:00p]
S2 iindne;iindne;C:\WINNT\system32\rundll32.exe C:\PROGRA~1\COMMON~1\vindte\vindte.dll,Service -s []
S3 ENDETECT;ENDETECT;C:\PROGRA~1\EFFICI~1\TANGOM~1\app\ENDETECT.SYS [11/12/02 09:55a]
S3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;C:\WINNT\System32\DRIVERS\enetnt.sys [11/12/02 09:55a]
S3 NTSTPL1;NTSTPL1;C:\PROGRA~1\EFFICI~1\TANGOM~1\app\NTSTPL1.SYS [11/12/02 09:56a]
S3 RAWESR;RAWESR;C:\PROGRA~1\EFFICI~1\TANGOM~1\app\RAWESR.SYS [11/12/02 09:55a]
S3 Slnt7554;USB Soft Modem Driver;C:\WINNT\System32\DRIVERS\slnt7554.sys [08/08/00 11:16a]
S3 TAPBIND;TAPBIND;C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TAPBIND1.SYS [11/12/02 09:56a]
S3 USBARW;=USB Mass Storage Disk Driver=;C:\WINNT\System32\DRIVERS\USBARW.SYS [04/04/02 10:25a]
S3 V90drv;v90drv;C:\WINNT\System32\DRIVERS\v90drv.sys [08/08/00 11:16a]
S4 Windows Output Browser;Windows Output Browser;"C:\WINNT\system32\smsc.exe" []
Start Pending2 pydh;Windows pydh RunThem;C:\WINNT\System32\svchost.exe [12/07/99 12:00p]

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 22:35:44
Windows 5.0.2195 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 04/11/2008 22:39:56
ComboFix2.txt 2001-12-31 17:54:26
ComboFix-quarantined-files.txt 2008-04-11 14:39:42
Pre-Run: 238,886,912 bytes free
Post-Run: 185,237,504 bytes free

#9 getaran

getaran

    Member

  • Members
  • 34 posts

Posted 11 April 2008 - 10:13 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:12 PM, on 4/11/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\soundman.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\tmnet streamyx\streamyx.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINNT\System32\drwtsn32.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.100
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_2/home.html"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "c:\program files\msn messenger\msnmsgs.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: iFinger.lnk = C:\Program Files\iFinger\iFinger.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{362E849A-77C7-4D47-ABB7-C8D53C60B3F5}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0B6A9C-AE08-4F61-8015-45904A9EF6F5}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe

--
End of file - 7962 bytes

#10 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,145 posts
  • Gender:Female


Posted 11 April 2008 - 11:34 AM

Welcome back


C:\SDFix\backups <--delete this folder


Go to My Computer->Tools->Folder Options->View tab:
  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck - Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)
====

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold





Please go to: VirusTotal



  • Click the Browse button and search for the following file: C:\lam.exe


  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.

Also please scan this file
C:\WINNT\uninstyler.exe



For the IE issues.....I can't say whats happened here...
Do you have all service packs installed for Windows 2000? They might include an updated IE.


I found a few links that may be helpful
http://forums.pcpits...php/t74560.html

http://support.microsoft.com/kb/318378
Methods 3 and 4 are the same for Win 2000



Let's try a different scan

Next go Here to run Panda's ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button.
Enter your State/Province
Enter your E-mail address and click send.
Select either Home user or Company.
Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a few minutes)
When the download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save report and save it to a convenient location (activescan.txt to desktop).
Post the contents of the ActiveScan report

Post back with the Panda log
New HJT log
Please do not PM me for HJT help, we all benefit from posting on the open board.

MS - MVP Consumer Security 2009 - 2014

#11 getaran

getaran

    Member

  • Members
  • 34 posts

Posted 12 April 2008 - 08:54 AM

Juliet....thank you very much for assisting me so far. However, I think that things have gone from bad to worse and it's getting very frustrating for me at the moment.

I couldn't fix the IE issue and it's still the same problem every time i try to open it.

More bad news: I scanned the file C:\lam.exe yesterday but forgot to save the log file. Today I tried to scan the file again and it's gone!!! Worse, there's a window popping up saying "Installing file error C:\lam2.exe C:\lam3.exe C:\lam4.exe" ... there are about 7-8 such windows with different file names in total, with the options Abort, Ignore and Cancel.

This is the result for the other file you asked me to scan

Antivirus Version Last Update Result
AhnLab-V3 2008.4.12.0 2008.04.11 -
AntiVir 7.6.0.85 2008.04.11 -
Authentium 4.93.8 2008.04.11 -
Avast 4.8.1169.0 2008.04.11 -
AVG 7.5.0.516 2008.04.11 -
BitDefender 7.2 2008.04.11 -
CAT-QuickHeal 9.50 2008.04.11 -
ClamAV 0.92.1 2008.04.11 -
DrWeb 4.44.0.09170 2008.04.11 -
eSafe 7.0.15.0 2008.04.09 -
eTrust-Vet 31.3.5687 2008.04.10 -
Ewido 4.0 2008.04.11 -
F-Prot 4.4.2.54 2008.04.10 -
F-Secure 6.70.13260.0 2008.04.11 -
FileAdvisor 1 2008.04.11 -
Fortinet 3.14.0.0 2008.04.10 -
Ikarus T3.1.1.26 2008.04.11 -
Kaspersky 7.0.0.125 2008.04.11 -
McAfee 5272 2008.04.11 -
Microsoft 1.3408 2008.04.11 -
NOD32v2 3019 2008.04.11 -
Norman 5.80.02 2008.04.11 -
Panda 9.0.0.4 2008.04.11 -
Prevx1 V2 2008.04.11 -
Rising 20.39.32.00 2008.04.11 -
Sophos 4.28.0 2008.04.11 -
Sunbelt 3.0.1032.0 2008.04.08 -
Symantec 10 2008.04.11 -
TheHacker 6.2.92.273 2008.04.11 -
VBA32 3.12.6.4 2008.04.06 -
VirusBuster 4.3.26:9 2008.04.11 -
Webwasher-Gateway 6.6.2 2008.04.11 -
Additional information
File size: 50176 bytes
MD5...: 1bcd2e88e59a9b31c2a0fb559ef7f10d
SHA1..: 3262dd59d80fdc09eae6661036f92ecd76b64c97
SHA256: 472dce297fea0af9bd47f33d4ed0c418737e5bc6adfc5b9d780e5b14bcf536bc
SHA512: 6c77b853b14ff29d0886a3e0a171c7ac9e0756240be5cf5ecf8c72119a8bcdb0475963ffce2471d0bef326f2d892289b0d8c2b71678a846ffa4c957434f7556f
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4087a4
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x7d88 0x7e00 6.55 82a29332f1cdfc1cefe7045fc9144aef
DATA 0x9000 0x190 0x200 3.22 f853028febaf00313e3e7a259ff05552
BSS 0xa000 0x738 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0xb000 0x606 0x800 3.73 e2a6b7e8b0da386579c9a02d8c0a3135
.tls 0xc000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0xd000 0x18 0x200 0.20 67c6f08ad59a25de1d0086b839500bc5
.reloc 0xe000 0x7e4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0xf000 0x3600 0x3600 3.54 8fefd292fb61b6daaa70a519c619a02c

( 6 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, SetCurrentDirectoryA, RemoveDirectoryA, MultiByteToWideChar, GetModuleHandleA, GetModuleFileNameA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, ExitProcess, CreateFileA, CloseHandle
> user32.dll: MessageBoxA
> oleaut32.dll: VariantChangeTypeEx, VariantCopy, VariantClear, SysStringLen, SysAllocStringLen
> advapi32.dll: RegQueryInfoKeyA, RegOpenKeyExA, RegFlushKey, RegEnumKeyExA, RegDeleteKeyA, RegCloseKey
> kernel32.dll: WriteFile, SetFilePointer, SetFileAttributesA, ReadFile, GetVersionExA, GetSystemDefaultLCID, GetModuleFileNameA, GetLocaleInfoA, GetCurrentThreadId, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, DeleteFileA, CreateFileA, CompareStringA, CloseHandle
> user32.dll: MessageBoxA, LoadStringA

( 0 exports )

I'm very sad to say that I couldn't run the Panda Scan. I've done all the required steps but it says "Oh! It seems that your computer does not meet one of the requirements needed for ActiveScan 2.0 to operate correctly." What should I do???

This is the new HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:46 PM, on 4/12/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\soundman.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\windowsupdate.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\tmnet streamyx\streamyx.exe
C:\WINNT\System32\fixweb.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_2/home.html"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [windowsupdate] C:\WINNT\System32\windowsupdate.exe
O4 - HKLM\..\Run: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunServices: [windowsupdate] C:\WINNT\System32\windowsupdate.exe
O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows has Layer] fixweb.exe
O4 - HKCU\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "c:\program files\msn messenger\msnmsgs.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows has Layer] fixweb.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: iFinger.lnk = C:\Program Files\iFinger\iFinger.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{362E849A-77C7-4D47-ABB7-C8D53C60B3F5}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0B6A9C-AE08-4F61-8015-45904A9EF6F5}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe

--
End of file - 8326 bytes

Edited by getaran, 12 April 2008 - 08:57 AM.
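The HijackThis log in this post shows the same two commands registered under every Run, RunOnce and RunServices key of HKLM, HKCU and HKUS\.DEFAULT, with both executables also present in the running-process list. The script below is an added example for this thread, not HijackThis code: it parses O4 and running-process lines in that format and scores each executable. The sample log is constructed from the shapes of lines in this post; the location threshold, the "bare filename" rule and the treatment of RunServices as a Windows 9x/ME-only key are this example's own assumptions.

```python
"""Triage of HijackThis O4 (autostart) entries; added example, not HJT code."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample shaped like the thread's log (platform line,
# running processes, O4 entries).
SAMPLE_LOG = """\
Platform: Windows 2000 (WinNT 5.00.2195)
Running processes:
C:\\WINNT\\System32\\windowsupdate.exe
C:\\WINNT\\System32\\fixweb.exe
C:\\WINNT\\soundman.exe

O4 - HKLM\\..\\Run: [SoundMan] soundman.exe
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [windowsupdate] C:\\WINNT\\System32\\windowsupdate.exe
O4 - HKLM\\..\\Run: [Windows has Layer] fixweb.exe
O4 - HKLM\\..\\RunServices: [windowsupdate] C:\\WINNT\\System32\\windowsupdate.exe
O4 - HKLM\\..\\RunServices: [Windows has Layer] fixweb.exe
O4 - HKLM\\..\\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKCU\\..\\Run: [Windows has Layer] fixweb.exe
O4 - HKCU\\..\\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKUS\\.DEFAULT\\..\\Run: [Windows has Layer] fixweb.exe (User 'Default user')
O4 - Global Startup: iFinger.lnk = C:\\Program Files\\iFinger\\iFinger.exe
"""

O4_REG = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
EXE = re.compile(r'^"?(?P<path>.*?\.exe)"?(?:\s|$)', re.IGNORECASE)
PROC = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    exe: str
    locations: set = field(default_factory=set)   # (hive, key) pairs
    reasons: list = field(default_factory=list)
    running: bool = False

    @property
    def severity(self) -> str:
        if any(r.startswith("HIGH") for r in self.reasons):
            return "high"
        return "low" if self.reasons else "none"

    def note(self, reason: str) -> None:
        if reason not in self.reasons:      # one entry per distinct reason
            self.reasons.append(reason)


def triage(log_text: str) -> dict[str, Finding]:
    """Findings keyed by executable basename; executables with no reason are dropped."""
    is_nt = "WinNT" in log_text             # taken from the HJT "Platform:" line
    running: set[str] = set()
    entries: list[tuple[str, str, str]] = []    # (hive, key, command)
    for raw in log_text.splitlines():
        line = raw.strip()
        if PROC.match(line):
            running.add(line.rsplit("\\", 1)[-1].lower())
        elif (m := O4_REG.match(line)):
            entries.append((m["hive"], m["key"], m["cmd"]))
        elif (m := O4_STARTUP.match(line)):
            entries.append(("Global Startup", "startup", m["cmd"]))

    findings: dict[str, Finding] = {}
    for hive, key, cmd in entries:
        m = EXE.match(cmd.strip())
        if not m:
            continue
        path = m["path"]
        base = path.rsplit("\\", 1)[-1].lower()
        f = findings.setdefault(base, Finding(exe=base))
        f.locations.add((hive, key))
        f.running = base in running
        # Assumption: RunServices/RunServicesOnce are Windows 9x/ME keys that NT
        # ignores; only malware stamping every autorun key it knows writes there.
        if is_nt and key.lower().startswith("runservices"):
            f.note(f"HIGH: {hive}\\{key} is a Windows 9x/ME key, unused by legitimate software on NT")
        if "\\" not in path:
            f.note(f"LOW: bare filename '{path}' is resolved through the search path")
    for f in findings.values():
        # Threshold of 3 is this example's choice: a real program registers once.
        if len(f.locations) >= 3:
            f.note(f"HIGH: stamped into {len(f.locations)} autostart locations")
    return {k: v for k, v in findings.items() if v.reasons}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG).values():
        print(f"{f.exe:20} {f.severity:5} running={f.running!s:5} {'; '.join(f.reasons)}")
```

Run against the sample, fixweb.exe and windowsupdate.exe come out high (six and two locations respectively, both present in the process list), soundman.exe is low only because it is registered by bare name, and avgcc.exe and iFinger.exe are not reported at all.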

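The VirusTotal "PEInfo" block posted for uninstyler.exe in this post, and the one for delextra.exe in post #14, carry structural clues that the detection columns do not: section raw sizes, per-section hashes, the import count and the entry point. The script below is an added example and not VirusTotal code: it parses that block (including the `<br>`-flattened form the forum produced for delextra.exe) and applies a few checks. The two reports are copied from the thread; the image base of 0x400000 and the rules themselves are this example's assumptions.

```python
"""Structural triage of a VirusTotal PEInfo block; added example, not VT code."""
import re
from typing import List, NamedTuple

SECTION = re.compile(
    r"^(?P<name>\S+) 0x(?P<va>[0-9a-f]+) 0x(?P<vsz>[0-9a-f]+) 0x(?P<rsz>[0-9a-f]+) "
    r"(?P<ent>\d+\.\d+) (?P<md5>[0-9a-f]{32})$"
)
ENTRY = re.compile(r"entrypointaddress\.*:\s*0x([0-9a-f]+)")
STAMP = re.compile(r"timedatestamp\.*:\s*0x([0-9a-f]+)")
IMPORTS = re.compile(r"\(\s*(\d+) imports\s*\)")

EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"   # MD5 of zero bytes
BORLAND_STAMP = 0x2A425E19   # fixed TimeDateStamp written by Borland/Delphi linkers
IMAGE_BASE = 0x400000        # assumption: VT prints a VA; 0x400000 is the usual base


class Section(NamedTuple):
    name: str
    va: int
    virt_size: int
    raw_size: int
    entropy: float
    md5: str


class Report(NamedTuple):
    entry: int
    stamp: int
    imports: int
    sections: List[Section]


def parse_report(text: str) -> Report:
    text = text.replace("<br>", "\n")       # undo the forum's flattening
    sections = [
        Section(m["name"], int(m["va"], 16), int(m["vsz"], 16), int(m["rsz"], 16),
                float(m["ent"]), m["md5"])
        for m in (SECTION.match(line.strip()) for line in text.splitlines()) if m
    ]
    return Report(entry=int(ENTRY.search(text).group(1), 16),
                  stamp=int(STAMP.search(text).group(1), 16),
                  imports=int(IMPORTS.search(text).group(1)), sections=sections)


def analyze(rep: Report) -> List[str]:
    flags = []
    if rep.imports == 0:
        flags.append("HIGH: no import table; a normal Win32 program imports at least kernel32")
    for s in rep.sections:
        # Bytes exist on disk but hashed as empty: the scanner could not read
        # the section, which fits a patched or damaged file.
        if s.raw_size > 0 and s.md5 == EMPTY_MD5:
            flags.append(f"HIGH: {s.name} has 0x{s.raw_size:x} raw bytes but hashes as empty")
    rva = rep.entry - IMAGE_BASE
    holder = next((s for s in rep.sections
                   if s.va <= rva < s.va + max(s.virt_size, s.raw_size)), None)
    if holder is None:
        flags.append(f"HIGH: entry point RVA 0x{rva:x} lies outside every section")
    elif holder.raw_size == 0:
        flags.append(f"HIGH: entry point in {holder.name}, which has no bytes on disk")
    if rep.stamp == BORLAND_STAMP:
        flags.append("INFO: 0x2a425e19 is the fixed Borland/Delphi timestamp, not a build time")
    return flags


def verdict(text: str) -> str:
    flags = analyze(parse_report(text))
    return "needs analyst attention" if any(f.startswith("HIGH") for f in flags) else "no structural anomalies"


DELEXTRA = (   # copied from post #14, <br> tags as the forum flattened them
    "( base data )<br>entrypointaddress.: 0x437068<br>"
    "timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)<br>"
    "( 8 sections )<br>name viradd virsiz rawdsiz ntrpy md5<br>"
    "CODE 0x1000 0x36438 0x36600 6.48 642897e4b34c00168200b0ab325c6f57<br>"
    "DATA 0x38000 0x1de4 0x1e00 0.00 d41d8cd98f00b204e9800998ecf8427e<br>"
    "BSS 0x3a000 0x2404 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<br>"
    ".idata 0x3d000 0x1c9a 0x1e00 0.00 d41d8cd98f00b204e9800998ecf8427e<br>"
    ".tls 0x3f000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<br>"
    ".rdata 0x40000 0x18 0x200 0.00 d41d8cd98f00b204e9800998ecf8427e<br>"
    ".reloc 0x41000 0x33b4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e<br>"
    ".rsrc 0x45000 0x8a00 0x8a00 0.00 d41d8cd98f00b204e9800998ecf8427e<br>"
    "<br>( 0 imports ) <br><br>( 0 exports ) <br>"
)
UNINSTYLER = """\
( base data )
entrypointaddress.: 0x4087a4
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
( 8 sections )
CODE 0x1000 0x7d88 0x7e00 6.55 82a29332f1cdfc1cefe7045fc9144aef
DATA 0x9000 0x190 0x200 3.22 f853028febaf00313e3e7a259ff05552
BSS 0xa000 0x738 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0xb000 0x606 0x800 3.73 e2a6b7e8b0da386579c9a02d8c0a3135
.tls 0xc000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0xd000 0x18 0x200 0.20 67c6f08ad59a25de1d0086b839500bc5
.reloc 0xe000 0x7e4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0xf000 0x3600 0x3600 3.54 8fefd292fb61b6daaa70a519c619a02c
( 6 imports )
"""

if __name__ == "__main__":
    for name, text in (("delextra.exe", DELEXTRA), ("uninstyler.exe", UNINSTYLER)):
        print(name, verdict(text), *analyze(parse_report(text)), sep="\n  ")
```

delextra.exe trips five HIGH checks (no imports, and four sections with raw bytes that hash as empty), which agrees with the "PE_Patch" packer note and the ".dam" (damaged) label one engine gave it; uninstyler.exe, with a full import table and consistent section hashes, produces only the informational Borland timestamp note, matching its clean VirusTotal result.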

#12 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,145 posts
  • Gender:Female


Posted 12 April 2008 - 09:45 AM

It appears it all came back....

We'll have to do a few steps over.



Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    C:\lam2.exe
    C:\lam3.exe
    C:\lam4.exe

  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Note: If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
    C:\_OTMoveIt2\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


NEXT**
Download: ResetProtocolDefaults.reg
http://www.mvps.org/...colDefaults.reg

Locate "ResetProtocolDefaults.reg"
Right-click and select: Merge (Ok the prompt)



Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.


O4 - HKLM\..\Run: [windowsupdate] C:\WINNT\System32\windowsupdate.exe
O4 - HKLM\..\Run: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunServices: [windowsupdate] C:\WINNT\System32\windowsupdate.exe
O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKCU\..\Run: [Windows has Layer] fixweb.exe
O4 - HKCU\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKUS\.DEFAULT\..\Run: [Windows has Layer] fixweb.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: iFinger.lnk = C:\Program Files\iFinger\iFinger.exe


NEXT**...we'll download and use this tool again

Download SDFix or from Here and save it to your Desktop
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)


< Don't miss this step Important!>

Please then reboot your computer in Safe Mode by doing the following :
  • Don't skip this step important!
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.cmd to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the SDFix Report.txt back on the forum with a new HijackThis log



Do you still have ComboFix on desktop?

If so please delete that one and grab a new copy


Download Combofix from any of the links below, and save it to your desktop. <-- Important (don't miss this step)

Link 1
Link 2
Link 3



Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

If your anti-virus or firewall complains, please allow this script to run as it is not malicious.

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
  • Double click combofix.exe and follow the prompts.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Please be patient while the scan runs, at times it may appear to stall.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
After rebooting ensure your Security applications have been re-enabled.


CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

In your next reply post:
OTMoveIt log
SDFix report.txt
ComboFix.txt
New HJT log taken after the above scan has run





NEXT....let me know if you have a firewall and if it is set to disabled....We need to get one on if you don't.

Edited by Juliet, 12 April 2008 - 09:46 AM.


#13 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,145 posts
  • Gender:Female


Posted 12 April 2008 - 10:41 AM

Also I would like to check and see if you can run this scan after following the other instructions in my previous post.


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Scan with DrWeb-CureIt as follows:

* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)




NEXT**
WINDOWS ME
http://support.micro...b;EN-US;q263455
Win ME
To disable, then re-enable System Restore:

1. Right-click My Computer, and then click Properties.
2. On the Performance tab, click File System, or press ALT+F.
3. On the Troubleshooting tab, click to select the Disable System Restore check box.
4. Click OK twice, and then click Yes when you are prompted to restart the computer.
5. To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.

From the Start menu, select All Programs, Accessories, System Tools, and click Disk Cleanup.
In the Disk Cleanup dialog box, select the drive you want to clean up.
After Disk Cleanup analyzes the drive, click the More Options tab and then click the Clean Up button under the System Restore heading.

You will want to do this for
F:\Drive
D:\Drive
C:\Drive
And what ever other drive is found

Edited by Juliet, 12 April 2008 - 11:07 AM.


#14 getaran

getaran

    Member

  • Members
  • 34 posts

Posted 12 April 2008 - 10:24 PM

I have checked my C: and noticed there aren't any files named lam2.exe, lam3.exe or lam4.exe ... The popup windows I mentioned to you earlier were about the error in installing the files ... so I guess the files didn't manage to copy to my C: successfully, hence the absence of these files on my C: ..

However, around 2 weeks ago, when I was about to shut down, I got many identical windows with the filename delextra.exe trying to shut itself down or something .. I wasn't really sure what it was trying to do, but the file is still on my C: ...

Hence I tried to scan it using the site you gave me, and this is the result, together with other suspicious files that I have never seen on my computer before. I hope this will provide you with some clues as to what is manifesting on my computer.

File delextra.exe received on 04.04.2008 23:28:12 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.4.12.0 2008.04.11 -
AntiVir 7.6.0.85 2008.04.11 -
Authentium 4.93.8 2008.04.13 -
Avast 4.8.1169.0 2008.04.12 -
AVG 7.5.0.516 2008.04.12 -
BitDefender 7.2 2008.04.13 -
CAT-QuickHeal 9.50 2008.04.12 -
ClamAV 0.92.1 2008.04.13 -
DrWeb 4.44.0.09170 2008.04.12 -
eTrust-Vet 31.3.5692 2008.04.11 -
Ewido 4.0 2008.04.12 -
F-Prot 4.4.2.54 2008.04.13 -
F-Secure 6.70.13260.0 2008.04.13 -
FileAdvisor 1 2008.04.13 -
Fortinet 3.14.0.0 2008.04.13 -
Ikarus T3.1.1.26 2008.04.13 -
Kaspersky 7.0.0.125 2008.04.13 -
McAfee 5272 2008.04.11 -
Microsoft 1.3408 2008.04.13 -
NOD32v2 3021 2008.04.12 -
Norman 5.80.02 2008.04.12 -
Panda 9.0.0.4 2008.04.12 -
Prevx1 V2 2008.04.13 -
Rising 20.39.52.00 2008.04.12 -
Sophos 4.28.0 2008.04.13 -
Sunbelt 3.0.1041.0 2008.04.12 VIPRE.Suspicious
Symantec 10 2008.04.13 -
TheHacker 6.2.92.276 2008.04.12 -
VBA32 3.12.6.4 2008.04.06 -
VirusBuster 4.3.26:9 2008.04.12 -
Webwasher-Gateway 6.6.2 2008.04.11 Win32.Malware.dam (suspicious)
Additional information
File size: 153646 bytes
MD5...: 5e3527f53b863be1d1f00d8c9e3205ed
SHA1..: 05e76df21687bf5a8d46d913b12933576fa0ce6f
SHA256: 9829b8519fade0286dab2ebd0667e980f2f964a7b13a1deba2221aee82791717
SHA512: 4154ddb9f3732b12ba43efce6f56f0c5465217c1d5ff532432330f2e49f1722a25b44e379b1f0540624720eea5fd02dcba348be852617ac32ae94875af642127
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x437068
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x36438 0x36600 6.48 642897e4b34c00168200b0ab325c6f57
DATA 0x38000 0x1de4 0x1e00 0.00 d41d8cd98f00b204e9800998ecf8427e
BSS 0x3a000 0x2404 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x3d000 0x1c9a 0x1e00 0.00 d41d8cd98f00b204e9800998ecf8427e
.tls 0x3f000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x40000 0x18 0x200 0.00 d41d8cd98f00b204e9800998ecf8427e
.reloc 0x41000 0x33b4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x45000 0x8a00 0x8a00 0.00 d41d8cd98f00b204e9800998ecf8427e

( 0 imports )

( 0 exports )
packers: PE_Patch

File ddd.exe received on 04.13.2008 05:05:54 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.4.12.0 2008.04.11 -
AntiVir 7.6.0.85 2008.04.11 DR/Kelebek.g.1.B
Authentium 4.93.8 2008.04.13 -
Avast 4.8.1169.0 2008.04.12 Win32:Kelebek-C
AVG 7.5.0.516 2008.04.12 -
BitDefender 7.2 2008.04.13 Application.Irc.Flood.Tool.E
CAT-QuickHeal 9.50 2008.04.12 -
ClamAV 0.92.1 2008.04.13 Trojan.Muldrop.744
DrWeb 4.44.0.09170 2008.04.12 IRC.Flood
eSafe 7.0.15.0 2008.04.09 -
eTrust-Vet 31.3.5692 2008.04.11 -
Ewido 4.0 2008.04.12 -
F-Prot 4.4.2.54 2008.04.13 -
F-Secure 6.70.13260.0 2008.04.13 not-a-virus:NetTool.Win32.Sniffer.c
FileAdvisor 1 2008.04.13 -
Fortinet 3.14.0.0 2008.04.13 -
Ikarus T3.1.1.26.0 2008.04.13 Trojan-Dropper.Win32.Agent.amm
Kaspersky 7.0.0.125 2008.04.13 not-a-virus:NetTool.Win32.Sniffer.c
McAfee 5272 2008.04.11 -
Microsoft 1.3408 2008.04.13 -
NOD32v2 3021 2008.04.12 -
Norman 5.80.02 2008.04.12 -
Panda 9.0.0.4 2008.04.12 -
Prevx1 V2 2008.04.13 Heuristic: Suspicious Self Modifying File
Rising 20.39.52.00 2008.04.12 -
Sophos 4.28.0 2008.04.13 Troj/Flood-I
Sunbelt 3.0.1041.0 2008.04.12 -
Symantec 10 2008.04.13 -
TheHacker 6.2.92.276 2008.04.12 -
VBA32 3.12.6.4 2008.04.06 -
VirusBuster 4.3.26:9 2008.04.12 -
Webwasher-Gateway 6.6.2 2008.04.11 -
Additional information
File size: 1103600 bytes
MD5...: 8417012022258c29024b154c5b6a3a3c
SHA1..: 4f74f79db8b92e1b53c67838b52e526bbc9a2b1b
SHA256: 8d9cd572585524e92fb90a4a67e6916035e12f68d42b8005ab91bff41f1dbe0a
SHA512: 85f7a69b5805813ac2eef961592333a861e07c7ec31157841a27d54244dd39ecfe6e934e13a02b85538195e00cee3aa71a5296b114e751046d59e1297289f63e
PEiD..: WARNING -> TROJAN -> HuiGeZi
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x437068
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x36438 0x36600 6.48 6bfde59f209ee0cf6ba7af700b54822b
DATA 0x38000 0x1de4 0x1e00 3.40 0d9e59e139ff8b88abe05d8225bded08
BSS 0x3a000 0x2404 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x3d000 0x1c9a 0x1e00 4.87 59736360bf8263e50ba1a7f88f9cf242
.tls 0x3f000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x40000 0x18 0x200 0.19 77087fe0db892842ed99a00f4d341d9b
.reloc 0x41000 0x33b4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x45000 0x8a00 0x8a00 4.66 7846224ea339e9408d06d8cd2051349d

( 12 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, SetCurrentDirectoryA, RemoveDirectoryA, MultiByteToWideChar, GetModuleHandleA, GetModuleFileNameA, GetLastError, GetCommandLineA, GetCurrentDirectoryA, ExitThread, CreateThread, CreateDirectoryA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, MoveFileA, GetStdHandle, GetFileSize, GetFileType, ExitProcess, DeleteFileA, CreateFileA, CloseHandle
> user32.dll: MessageBoxA
> oleaut32.dll: VariantChangeTypeEx, VariantCopy, VariantClear, SysStringLen, SysAllocStringLen
> advapi32.dll: RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCreateKeyExA, RegCloseKey
> kernel32.dll: WriteFile, WinExec, WaitForSingleObject, VirtualAlloc, TerminateThread, SizeofResource, SetFileTime, SetFilePointer, SetFileAttributesA, SetErrorMode, ResumeThread, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LocalFileTimeToFileTime, LoadResource, LoadLibraryA, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetWindowsDirectoryA, GetVolumeInformationA, GetVersionExA, GetVersion, GetSystemDirectoryA, GetSystemDefaultLCID, GetShortPathNameA, GetProcAddress, GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileAttributesA, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableA, GetDriveTypeA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, FreeResource, FreeLibrary, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, DosDateTimeToFileTime, DeleteFileA, CreateThread, CreateProcessA, CreateFileA, CreateDirectoryA, CompareStringA, CloseHandle
> mpr.dll: WNetGetConnectionA
> version.dll: VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
> gdi32.dll: UnrealizeObject, TextOutA, StretchDIBits, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetEnhMetaFileBits, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetCurrentPositionEx, GetClipBox, GetBitmapBits, ExcludeClipRect, EnumFontsA, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateFontIndirectA, CreateDIBitmap, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
> user32.dll: WindowFromPoint, WinHelpA, WaitMessage, WaitForInputIdle, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowOwnedPopups, ShowCursor, SetWindowRgn, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClassA, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRgn, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollPos, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIcon, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharLowerBuffA, CharLowerA, CharUpperBuffA, AdjustWindowRectEx
> comctl32.dll: ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Create
> ole32.dll: CoCreateInstance, CoUninitialize, CoInitialize
> shell32.dll: ShellExecuteA

( 0 exports )
Prevx info: http://info.prevx.co...E933E00A7EC9066
packers (Kaspersky): UPX, PE_Patch.PECompact, PecBundle, PECompact, UPX, ASPack

Edited by getaran, 12 April 2008 - 10:33 PM.
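The VirusTotal reports pasted in this post share one text layout: a "File ... received on" header, one engine per line (engine, engine version, signature date, verdict, where "-" means no detection), then an "Additional information" block with the size and hashes. The following Python script is an added example and not code from this thread or from VirusTotal: it parses that layout, works out the detection count per file, and groups reports by hash, so that one sample submitted under two names is recognised as one file (the thread's own reports for delextra.exe and qip.exe carry the same MD5, SHA1 and size). The function names and the trimmed sample text are my own; the sample rows, sizes and hashes are copied from the reports in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed copies of three reports pasted in this thread
# (delextra.exe, qip.exe, ddd.exe) with only a few engine rows kept.
# Sizes and hashes are the ones the thread shows for those files.
SAMPLE_REPORTS = """\
File delextra.exe received on 04.04.2008 23:28:12 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.4.12.0 2008.04.11 -
Sunbelt 3.0.1041.0 2008.04.12 VIPRE.Suspicious
Webwasher-Gateway 6.6.2 2008.04.11 Win32.Malware.dam (suspicious)
Additional information
File size: 153646 bytes
MD5...: 5e3527f53b863be1d1f00d8c9e3205ed

File qip.exe received on 04.13.2008 05:08:36 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.4.12.0 2008.04.11 -
Sunbelt 3.0.1041.0 2008.04.12 VIPRE.Suspicious
Webwasher-Gateway 6.6.2 2008.04.11 Win32.Malware.dam (suspicious)
Additional information
File size: 153646 bytes
MD5...: 5e3527f53b863be1d1f00d8c9e3205ed

File ddd.exe received on 04.13.2008 05:05:54 (CET)
Antivirus Version Last Update Result
AntiVir 7.6.0.85 2008.04.11 DR/Kelebek.g.1.B
Avast 4.8.1169.0 2008.04.12 Win32:Kelebek-C
McAfee 5272 2008.04.11 -
Sophos 4.28.0 2008.04.13 Troj/Flood-I
Additional information
File size: 1103600 bytes
MD5...: 8417012022258c29024b154c5b6a3a3c
"""

HEADER_RE = re.compile(r"^File (\S+) received on (.+)$")
# engine, engine version, signature date, verdict ("-" = no detection)
ENGINE_RE = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+)$")
SIZE_RE = re.compile(r"^File size: (\d+) bytes$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\.*: ([0-9a-f]+)$")


def parse_reports(text):
    """One dict per 'File ... received on' block: name, per-engine verdicts, size, hashes."""
    reports, current, in_table = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"name": m.group(1), "results": {}, "size": None, "hashes": {}}
            reports.append(current)
            in_table = False
        elif not line or current is None:
            continue
        elif line == "Antivirus Version Last Update Result":
            in_table = True
        elif line == "Additional information":
            in_table = False
        elif in_table:
            m = ENGINE_RE.match(line)
            if m:
                current["results"][m.group(1)] = m.group(4)
        else:
            m = SIZE_RE.match(line)
            if m:
                current["size"] = int(m.group(1))
            m = HASH_RE.match(line)
            if m:
                current["hashes"][m.group(1)] = m.group(2)
    return reports


def detections(report):
    """Engines whose verdict was anything other than VirusTotal's '-' (clean)."""
    return {eng: res for eng, res in report["results"].items() if res != "-"}


def detection_ratio(report):
    """(engines that flagged the file, engines that scanned it), e.g. (2, 3)."""
    return len(detections(report)), len(report["results"])


def duplicates_by_hash(reports, algo="MD5"):
    """Hashes seen under more than one filename -> sorted list of those names."""
    seen = defaultdict(set)
    for r in reports:
        h = r["hashes"].get(algo)
        if h:
            seen[h].add(r["name"])
    return {h: sorted(names) for h, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    parsed = parse_reports(SAMPLE_REPORTS)
    for r in parsed:
        hits, total = detection_ratio(r)
        print(f"{r['name']}: {hits}/{total} engines, {r['size']} bytes, {detections(r)}")
    for h, names in duplicates_by_hash(parsed).items():
        print(f"same file under different names (MD5 {h}): {names}")
```

The parser expects one engine per line, as in this post; a report that a forum has flattened onto a single line has to be broken back into lines at the engine names first. The two outputs worth looking at before acting on any single engine's "Suspicious" verdict are the ratio (how many engines agree) and the hash grouping (whether two file names are really one sample).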


#15 getaran

getaran

    Member

  • Members
  • 34 posts

Posted 12 April 2008 - 10:27 PM

File mstn.exe received on 04.13.2008 05:24:38 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.4.12.0 2008.04.11 -
AntiVir 7.6.0.85 2008.04.11 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2008.04.13 -
Avast 4.8.1169.0 2008.04.12 -
AVG 7.5.0.516 2008.04.12 Downloader.Generic7.EXO
BitDefender 7.2 2008.04.13 Packer.XComp.A
CAT-QuickHeal 9.50 2008.04.12 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.04.13 -
DrWeb 4.44.0.09170 2008.04.12 -
eSafe 7.0.15.0 2008.04.09 -
eTrust-Vet 31.3.5692 2008.04.11 -
Ewido 4.0 2008.04.12 -
F-Prot 4.4.2.54 2008.04.13 W32/Downloader-Tir-based!Maximus
F-Secure 6.70.13260.0 2008.04.13 W32/Downloader
FileAdvisor 1 2008.04.13 -
Fortinet 3.14.0.0 2008.04.13 -
Ikarus T3.1.1.26.0 2008.04.13 Packer.XComp.A
Kaspersky 7.0.0.125 2008.04.13 Heur.Downloader
McAfee 5272 2008.04.11 -
Microsoft 1.3408 2008.04.13 Trojan:Win32/Malagent
NOD32v2 3021 2008.04.12 a variant of Win32/TrojanDownloader.Small.OAA
Norman 5.80.02 2008.04.12 W32/Smalltroj.DUNO
Panda 9.0.0.4 2008.04.12 Suspicious file
Prevx1 V2 2008.04.13 -
Rising 20.39.52.00 2008.04.12 Packer.Win32.Xcomp.a
Sophos 4.28.0 2008.04.13 Sus/UnkPacker
Sunbelt 3.0.1041.0 2008.04.12 -
Symantec 10 2008.04.13 -
TheHacker 6.2.92.276 2008.04.12 -
VBA32 3.12.6.4 2008.04.06 -
VirusBuster 4.3.26:9 2008.04.12 -
Webwasher-Gateway 6.6.2 2008.04.11 Trojan.Crypt.XPACK.Gen
Additional information
File size: 5064 bytes
MD5...: 8abd2ea3eba231b64a5d4d126c252ea4
SHA1..: 2a69e152ae9c4b2ae562e60fbc6acf655010ca92
SHA256: 1f8ed2e42a1c93cc54371a42b52a498d46fbeb91864bc47f042c6f1349b542d4
SHA512: 550ae9256f04d4176290240e79dd05dff45d7153532fad0982c83a0b4f4bf0a40504ba25de8736c6deb658ec1c24b8080f9981a2302f2ddc3660db5c37c7b364
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x409000
timedatestamp.....: 0x47f61e82 (Fri Apr 04 12:26:42 2008)
machinetype.......: 0x14c (I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
.zunty0 0x1000 0x8000 0xe00 7.55 faf9f55be217e66f527f823623c0bfd4
.zunty 0x9000 0x3c8 0x3c8 6.09 094cdb253356bf1f8f32672bbdd9b4cb

( 1 imports )
> KERNEL32.DLL: GetProcAddress, LoadLibraryA, VirtualAlloc, VirtualFree, VirtualProtect

( 0 exports )
packers (F-Prot): XComp, UPX

File qip.exe received on 04.13.2008 05:08:36 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.4.12.0 2008.04.11 -
AntiVir 7.6.0.85 2008.04.11 -
Authentium 4.93.8 2008.04.13 -
Avast 4.8.1169.0 2008.04.12 -
AVG 7.5.0.516 2008.04.12 -
BitDefender 7.2 2008.04.13 -
CAT-QuickHeal 9.50 2008.04.12 -
ClamAV 0.92.1 2008.04.13 -
DrWeb 4.44.0.09170 2008.04.12 -
eTrust-Vet 31.3.5692 2008.04.11 -
Ewido 4.0 2008.04.12 -
F-Prot 4.4.2.54 2008.04.13 -
F-Secure 6.70.13260.0 2008.04.13 -
FileAdvisor 1 2008.04.13 -
Fortinet 3.14.0.0 2008.04.13 -
Ikarus T3.1.1.26 2008.04.13 -
Kaspersky 7.0.0.125 2008.04.13 -
McAfee 5272 2008.04.11 -
Microsoft 1.3408 2008.04.13 -
NOD32v2 3021 2008.04.12 -
Norman 5.80.02 2008.04.12 -
Panda 9.0.0.4 2008.04.12 -
Prevx1 V2 2008.04.13 -
Rising 20.39.52.00 2008.04.12 -
Sophos 4.28.0 2008.04.13 -
Sunbelt 3.0.1041.0 2008.04.12 VIPRE.Suspicious
Symantec 10 2008.04.13 -
TheHacker 6.2.92.276 2008.04.12 -
VBA32 3.12.6.4 2008.04.06 -
VirusBuster 4.3.26:9 2008.04.12 -
Webwasher-Gateway 6.6.2 2008.04.11 Win32.Malware.dam (suspicious)
Additional information
File size: 153646 bytes
MD5...: 5e3527f53b863be1d1f00d8c9e3205ed
SHA1..: 05e76df21687bf5a8d46d913b12933576fa0ce6f
SHA256: 9829b8519fade0286dab2ebd0667e980f2f964a7b13a1deba2221aee82791717
SHA512: 4154ddb9f3732b12ba43efce6f56f0c5465217c1d5ff532432330f2e49f1722a25b44e379b1f0540624720eea5fd02dcba348be852617ac32ae94875af642127
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x437068
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x36438 0x36600 6.48 642897e4b34c00168200b0ab325c6f57
DATA 0x38000 0x1de4 0x1e00 0.00 d41d8cd98f00b204e9800998ecf8427e
BSS 0x3a000 0x2404 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x3d000 0x1c9a 0x1e00 0.00 d41d8cd98f00b204e9800998ecf8427e
.tls 0x3f000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x40000 0x18 0x200 0.00 d41d8cd98f00b204e9800998ecf8427e
.reloc 0x41000 0x33b4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x45000 0x8a00 0x8a00 0.00 d41d8cd98f00b204e9800998ecf8427e

( 0 imports )

( 0 exports )
packers: PE_Patch

#16 getaran

getaran

    Member

  • Members
  • 34 posts

Posted 12 April 2008 - 11:17 PM

File/Folder C:\lam2.exe not found.
File/Folder C:\lam3.exe not found.
File/Folder C:\lam4.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04132008_121151


Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2002-01-01 00:06:38
Windows 5.0.2195 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Remaining Files :



Files with Hidden Attributes :

Tue 3 Jul 2007 1,152 A.SH. --- "C:\vdemvefv.sys"
Sat 2 Apr 2005 1,682 A.SH. --- "C:\WINNT\system32\KGyGaAvL.sys"
Sat 2 Apr 2005 56 ..SHR --- "C:\WINNT\system32\83B2BDE68A.sys"
Tue 1 Jan 2002 65,198 ..SHR --- "C:\WINNT\system32\windowsupdate.exe"
Wed 11 Dec 2002 73,728 ..SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
Tue 1 Jan 2002 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 22 Apr 2006 45,568 ...H. --- "C:\Documents and Settings\Ducky1\My Documents\~WRL0001.tmp"
Sun 23 Apr 2006 42,496 ...H. --- "C:\Documents and Settings\Ducky1\My Documents\~WRL2051.tmp"
Sun 23 Apr 2006 44,544 ...H. --- "C:\Documents and Settings\Ducky1\My Documents\~WRL3363.tmp"
Sun 23 Apr 2006 45,568 ...H. --- "C:\Documents and Settings\Ducky1\My Documents\~WRL0053.tmp"
Sun 22 Jan 2006 36,864 ...H. --- "C:\Documents and Settings\Ducky1\My Documents\~WRL3238.tmp"
Sun 22 Jan 2006 41,472 ...H. --- "C:\Documents and Settings\Ducky1\Application Data\Microsoft\Word\~WRL0004.tmp"
Sun 23 Apr 2006 42,496 ...H. --- "C:\Documents and Settings\Ducky1\Application Data\Microsoft\Word\~WRL2341.tmp"
Sun 23 Apr 2006 45,568 ...H. --- "C:\Documents and Settings\Ducky1\Application Data\Microsoft\Word\~WRL3041.tmp"














Finished!


ComboFix 08-04-12.5 - Ducky1 04/13/2008 11:32:33.6 - FAT32x86
Running from: C:\Documents and Settings\Ducky1\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\ss.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CCEVTMGR
-------\Legacy_CCPWDSVC


((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

2008-04-12 23:20 . 08-04-12 15:21 <DIR> d-------- C:\SDFix
2008-04-12 23:10 . 08-04-12 23:11 186,981 --a------ C:\WINNT\system32\qip.exe
2008-04-12 21:15 . 03-03-16 15:49 33,792 --a------ C:\WINNT\system32\d.dll
2008-04-12 21:15 . 08-01-02 02:40 418 --a------ C:\WINNT\system32\aliases.ini
2008-04-12 21:15 . 08-01-07 07:51 156 --a------ C:\WINNT\system32\747.reg
2008-04-12 20:51 . 08-04-12 23:11 153,646 --a------ C:\qip.exe
2008-04-12 19:34 . 08-04-12 19:34 <DIR> d-------- C:\Program Files\Panda Security

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 03:47 136 ----a-w C:\WINNT\system32\drivers\ALCICH.DAT
2008-04-12 13:27 77,975 ----a-w C:\WINNT\system32\fixweb.exe
2008-03-26 12:28 50,176 ----a-w C:\WINNT\uninstyler.exe
2008-03-11 01:22 23,495 ----a-w C:\WINNT\system32\syscmd.dll
2008-02-09 07:35 9,229 ----a-w C:\WINNT\system32\msconfger.dll
2007-03-09 18:48 4 ----a-w C:\Documents and Settings\Ducky1\ravver.dat
2001-12-31 17:38 1,024 ----a-w C:\Documents and Settings\All Users\Application Data\sowdp88.dat
2001-12-31 17:06 271 ---h--w C:\Program Files\desktop.ini
2001-12-31 17:06 21,952 ---h--w C:\Program Files\folder.htt
2001-09-28 09:00 164,864 ------w C:\Program Files\UNWISE.EXE
1999-12-07 04:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2005-04-01 20:18 1,682 --sha-w C:\WINNT\system32\KGyGaAvL.sys
2005-04-01 20:18 56 --sh--r C:\WINNT\system32\83B2BDE68A.sys
2001-12-31 17:31 65,198 --sh--r C:\WINNT\system32\windowsupdate.exe
.

((((((((((((((((((((((((((((( snapshot@Fri 04-11-2008_22.39.07.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-03-13 02:57:12 163,328 ----a-w C:\WINNT\erdnt\subs\ERDNT.EXE
+ 2005-10-20 12:02:28 163,328 ----a-w C:\WINNT\erdnt\subs\ERDNT.EXE
- 2008-04-04 18:58:30 163,328 ----a-w C:\WINNT\ERUNT\SDFIX\ERDNT.EXE
+ 2008-04-12 07:21:20 163,328 ----a-w C:\WINNT\ERUNT\SDFIX\ERDNT.EXE
- 2001-12-31 19:27:18 3,407,872 ----a-w C:\WINNT\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2008-04-12 15:34:38 3,403,776 ----a-w C:\WINNT\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2001-12-31 19:27:20 12,288 ----a-w C:\WINNT\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-12 15:34:38 12,288 ----a-w C:\WINNT\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2006-12-17 22:00:30 16,007 ----a-w C:\WINNT\mozver.dat
+ 2008-04-12 11:34:34 17,363 ----a-w C:\WINNT\mozver.dat
- 2001-12-31 17:13:46 77,975 ----a-w C:\WINNT\system32\lam.exe
+ 2001-12-31 20:32:32 77,975 ----a-w C:\WINNT\system32\lam.exe
+ 2001-12-31 16:54:58 41,936 ----a-w C:\WINNT\system32\setup_01208.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [07-09-04 16:40 6856704]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [03-04-22 14:43 413775]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [04-08-06 15:33 2502656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="soundman.exe" [01-05-29 02:02 124416 C:\WINNT\soundman.exe]
"Synchronization Manager"="mobsync.exe" [99-12-07 12:00 111376 C:\WINNT\system32\mobsync.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [02-01-01 03:11 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\msn messenger\msnmsgs.exe" [07-07-12 11:10 69632]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [02-01-01 03:11 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Windows has Layer"="fixweb.exe" [08-04-12 21:27 77975 C:\WINNT\system32\fixweb.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-07-23 12:44:07 1183744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"LockTaskbar"= 0 (0x0)
"NoChangeStartMenu"= 1 (0x1)
"NoStartMenuMorePrograms"= 1 (0x1)
"NoSimpleStartMenu"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)
"NoMovingBands"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\System32\Drivers\avg7rsnt.sys [02-01-01 03:12 ]

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 11:52:06
Windows 5.0.2195 FAT NTAPI

scanning hidden processes ...

? [692]
Explorer.exe [692] 0x870F04A0
scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
SystemRoot\System32\smss.exe [140]
??\C:\WINNT\system32\csrss.exe [164]
??\C:\WINNT\system32\winlogon.exe [160]
C:\WINNT\system32\services.exe [212]
C:\WINNT\system32\lsass.exe [224]
C:\WINNT\system32\svchost.exe [400]
C:\WINNT\system32\spoolsv.exe [432]
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe [460]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe [488]
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [508]
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [556]
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [196]
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe [620]
C:\WINNT\system32\cisvc.exe [648]
C:\WINNT\System32\svchost.exe [684]
C:\WINNT\system32\hidserv.exe [720]
C:\WINNT\system32\rundll32.exe [736]
C:\WINNT\System32\svchost.exe [772]
C:\WINNT\system32\slserv.exe [820]
C:\WINNT\system32\stisvc.exe [848]
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe [856]
C:\WINNT\System32\WBEM\WinMgmt.exe [984]
C:\WINNT\system32\svchost.exe [1000]
C:\WINNT\system32\CF2318.exe [1132]
C:\WINNT\soundman.exe [1156]
C:\Program Files\MSN Messenger\MsnMsgr.Exe [1252]
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE [1188]
C:\WINNT\system32\msiexec.exe [1324]
C:\WINNT\system32\cidaemon.exe [1388]
C:\WINNT\system32\cidaemon.exe [1116]
C:\WINNT\Explorer.exe [692]
C:\ComboFix\catchme.cfexe [1332]
.
**************************************************************************
.
Completion time: 2008-04-13 12:05:31 - machine was rebooted
ComboFix3.txt 2001-12-31 17:54:26
ComboFix-quarantined-files.txt 2008-04-13 04:04:56
ComboFix2.txt 2008-04-11 14:40:00
Pre-Run: 325,050,368 bytes free
Post-Run: 261,095,424 bytes free

#17 getaran

getaran

    Member

  • Members
  • 34 posts

Posted 12 April 2008 - 11:23 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:14:26 PM, on 4/13/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\soundman.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\Explorer.exe
C:\Program Files\tmnet streamyx\streamyx.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_2/home.html"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "c:\program files\msn messenger\msnmsgs.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Windows has Layer] fixweb.exe (User 'Default user')
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{362E849A-77C7-4D47-ABB7-C8D53C60B3F5}: NameServer = 202.188.0.133,202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0B6A9C-AE08-4F61-8015-45904A9EF6F5}: NameServer = 202.188.0.133 202.188.1.5
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe

--
End of file - 7410 bytes

#18 getaran

getaran

    Member

  • Members
  • 34 posts

Posted 13 April 2008 - 01:14 AM

DrWeb.csv
vindte.dll;c:\program files\common files\vindte;Adware.Baidu.308;Incurable.Moved.;
fixweb.exe;c:\winnt\system32;Win32.IRC.Bot.based;Deleted.;
qzei.dll;c:\winnt\system32;Trojan.DownLoader.51062;Deleted.;
lam.exe;C:\WINNT\System32;Win32.IRC.Bot.based;Deleted.;
edih.dll;C:\WINNT\System32;IRC.Flood;Deleted.;
lam1.exe;C:\WINNT\System32;Program.PrcView.3725;Incurable.Moved.;
lam2.exe;C:\WINNT\System32;Program.DaSniff;Incurable.Moved.;
lam3.exe;C:\WINNT\System32;Trojan.Flood.22016;Deleted.;
d.dll;C:\WINNT\System32;Tool.Moo;Incurable.Moved.;
lam4.exe;C:\WINNT\System32;IRC.Flood;Deleted.;
wacult.exe;C:\WINNT\System32;BackDoor.IRC.based;Deleted.;

#19 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,145 posts
  • Gender:Female


Posted 13 April 2008 - 09:18 AM

It appears DrWeb has helped us out....


I would print this out or copy/paste it into notepad and save it so you can find it in safe mode.


Boot into safe mode

* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Search for and delete if found, don't be alarmed if not all can be found.

C:\WINNT\system32\windowsupdate.exe
C:\delextra.exe
C:\WINDOWS\Ddd.exe
C:\WINDOWS\mstn.exe
C:\WINNT\system32\qip.exe
C:\qip.exe
C:\WINNT\system32\aliases.ini
C:\WINNT\system32\syscmd.dll


Reboot

Please go to: VirusTotal

  • Click the Browse button and search for the following file: C:\WINNT\system32\d.dll
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.

Next please have these files scanned
C:\WINNT\system32\msconfger.dll
C:\WINNT\system32\setup_01208.exe



Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows and browsers except HijackThis and press Fix checked.

O4 - HKUS\.DEFAULT\..\RunOnce: [Windows has Layer] fixweb.exe (User 'Default user')


Next, launch Notepad (Start > Run, type in: notepad) and copy and paste the text in the quotebox below into it
(don't forget to copy and paste REGEDIT4):

REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Windows has Layer"=-


Save this as fix.reg, change the "Save as type" to "All Files", and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.

Again, reboot the machine after the regfix.



Please run ComboFix once again and post the log it creates.


In your next reply post:
Files requested scanned
ComboFix.txt
New HJT


How is the computer at the moment?

You may need several replies to post the requested logs, otherwise they might get cut off.
Please do not PM me for HJT help, we all benefit from posting on the open board.

MS - MVP Consumer Security 2009 - 2014
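The REGEDIT4 fix above was written by hand from the O4 line in the HijackThis log. As an added example (not code from this thread, from HijackThis or from any tool named here), the Python below derives that same deletion file from O4 lines automatically; the regex for the O4 line layout and the hive abbreviation table are my own assumptions about the format, and the second sample line is constructed.

```python
import re

# HijackThis hive abbreviations mapped to full registry hive names (assumption).
_HIVES = {
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER",
    "HKUS": "HKEY_USERS",
}

# Assumed O4 layout:
#   O4 - <hive>[\<SID or .DEFAULT>]\..\<Run key>: [<value name>] <command> [(User '<name>')]
_O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS)(?:\\(?P<user>[^\\]+))?\\\.\.\\"
    r"(?P<key>Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$"
)

_RUN_BASE = r"Software\Microsoft\Windows\CurrentVersion"


def parse_o4(line):
    """Return (full_key_path, value_name, command) for an O4 line, or None."""
    m = _O4_RE.match(line.strip())
    if not m:
        return None
    hive = _HIVES[m.group("hive")]
    if m.group("user"):                      # HKUS entries carry the user hive
        hive = hive + "\\" + m.group("user")
    key = hive + "\\" + _RUN_BASE + "\\" + m.group("key")
    return key, m.group("name"), m.group("cmd")


def deletion_reg(lines):
    """Build REGEDIT4 text that deletes the autorun values named in `lines`.

    In a .reg file, `"name"=-` removes the value instead of setting it,
    which is exactly what the hand-written fix above does.
    """
    out = ["REGEDIT4", ""]
    for entry in (parse_o4(l) for l in lines):
        if entry is None:
            continue                           # skip lines that are not O4
        key, name, _cmd = entry
        safe = name.replace("\\", "\\\\").replace('"', '\\"')
        out.extend(["[" + key + "]", '"' + safe + '"=-', ""])
    return "\n".join(out)


if __name__ == "__main__":
    # First line is from the log above; the second is a constructed sample.
    sample = [
        "O4 - HKUS\\.DEFAULT\\..\\RunOnce: [Windows has Layer] fixweb.exe (User 'Default user')",
        "O4 - HKLM\\..\\Run: [Sample Entry] C:\\sample\\sample.exe /start",
    ]
    print(deletion_reg(sample))
```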

#20 getaran

getaran

    Member

  • Members
  • 34 posts

Posted 19 April 2008 - 01:32 PM

File d.dll received on 03.15.2008 02:31:41 (CET)

Antivirus - Version - Last Update - Result
AhnLab-V3 - - Win-Trojan/MircPack.33792
AntiVir - - -
Authentium - - -
Avast - - Win32:IRC-Flood
AVG - - -
BitDefender - - -
CAT-QuickHeal - - Tool.Win32.Moo (Not a Virus)
ClamAV - - -
DrWeb - - Tool.Moo
eSafe - - suspicious Trojan/Worm
eTrust-Vet - - -
Ewido - - -
F-Prot - - -
F-Secure - - -
FileAdvisor - - High threat detected
Fortinet - - Misc/Motherboardmonitor
Ikarus - - Backdoor.IRC.Lambot.G
Kaspersky - - -
McAfee - - potentially unwanted program MotherboardMonitor
Microsoft - - -
NOD32v2 - - -
Norman - - -
Panda - - Application/MotherboardMonitor.A
Prevx1 - - Generic.Malware
Rising - - Trojan.Spy.Agent.aer
Sophos - - -
Sunbelt - - Backdoor.Irc.Lambot.G
Symantec - - -
TheHacker - - -
VBA32 - - -
VirusBuster - - Trojan.DuckIRC.F
Webwasher-Gateway - - Riskware.Remotexec.A.03

Additional information
MD5: 638a6f2b03c828e9b3c77c104c56f4ea
SHA1: ec1d56a6530a3004aa49d748a9c8385801cf0029
SHA256: 8e2db43518297a45d664dcaaf6ee29a93e8cb9ea28e5fff96324628f74871fda
SHA512: b8c943cc17ab646546ba7f6ccd9246f6e3bde665a450932d40ab418fd36421cbf00385e8e1074e4e2477a6abb2e343f4cd1bd312bd6200601a8cddf572579609



