Computer getting very laggy

getaran   

My computer is getting very slow recently. One thing I notice is that whenever I start up, the time on my Windows will be 1st January, 2002. Even though I've changed it to the current time, it will still be the same every time I boot my computer. I suspect something is amiss. Please help.

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:51:59 AM, on 1/1/2002

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Boot mode: Normal

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\WINNT\system32\cisvc.exe

C:\WINNT\Explorer.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\WINNT\system32\rundll32.exe

C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\slserv.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe

C:\WINNT\system32\smsc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\fixweb.exe

C:\WINNT\System32\taskmgr.exe

C:\WINNT\system32\cidaemon.exe

C:\WINNT\system32\cidaemon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINNT\system32\msiexec.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\tmnet streamyx\streamyx.exe

C:\Program Files\PrevxCSI\PrevxCSI.exe

C:\WINNT\System32\windowsupdate.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.100

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [soundMan] soundman.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Windows has Layer] fixweb.exe

O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" /bootupreg

O4 - HKLM\..\Run: [windowsupdate] C:\WINNT\System32\windowsupdate.exe

O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe

O4 - HKLM\..\RunServices: [windowsupdate] C:\WINNT\System32\windowsupdate.exe

O4 - HKLM\..\RunOnce: [Windows has Layer] fixweb.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [Windows has Layer] fixweb.exe

O4 - HKCU\..\RunOnce: [Windows has Layer] fixweb.exe

O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "c:\program files\msn messenger\msnmsgs.exe" /background (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [Windows has Layer] fixweb.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: iFinger.lnk = C:\Program Files\iFinger\iFinger.exe

O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe

O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL

O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)

O15 - ESC Trusted Zone: http://66ad.32666.com

O15 - ESC Trusted Zone: http://ad.32666.com

O15 - ESC Trusted Zone: http://cfad.32666.com

O15 - ESC Trusted Zone: http://www.32666.com

O15 - ESC Trusted Zone: http://3w.ycdy.com

O15 - ESC Trusted Zone: http://www.ycdy.com

O15 - ESC Trusted Zone: http://www1.ycdy.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{362E849A-77C7-4D47-ABB7-C8D53C60B3F5}: NameServer = 202.188.0.133,202.188.1.5

O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0B6A9C-AE08-4F61-8015-45904A9EF6F5}: NameServer = 202.188.0.133 202.188.1.5

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\\PrevxCSI.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE

O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe

O23 - Service: Windows Output Browser - Unknown owner - C:\WINNT\system32\smsc.exe

 

--

End of file - 8964 bytes

Juliet   

Hi and welcome

 

Are you running more than one antivirus?

[PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe"?, AVG7?, MicroWorld Antivirus?

If this is the case: while this may seem like greater protection, it can cause problems, including slowdowns and system hangs, and can also hinder fixes we may try to do on this machine.

Decide which one to keep; if you need help uninstalling one, let me know.

 

 

Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows and browsers except HijackThis and press Fix checked.

 

O4 - HKLM\..\Run: [Windows has Layer] fixweb.exe

O4 - HKLM\..\Run: [windowsupdate] C:\WINNT\System32\windowsupdate.exe

O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe

O4 - HKLM\..\RunServices: [windowsupdate] C:\WINNT\System32\windowsupdate.exe

O4 - HKLM\..\RunOnce: [Windows has Layer] fixweb.exe

O4 - HKCU\..\Run: [Windows has Layer] fixweb.exe

O4 - HKCU\..\RunOnce: [Windows has Layer] fixweb.exe

O4 - HKUS\.DEFAULT\..\Run: [Windows has Layer] fixweb.exe (User 'Default user')

O15 - ESC Trusted Zone: http://66ad.32666.com

O15 - ESC Trusted Zone: http://ad.32666.com

O15 - ESC Trusted Zone: http://cfad.32666.com

O15 - ESC Trusted Zone: http://www.32666.com

O15 - ESC Trusted Zone: http://3w.ycdy.com

O15 - ESC Trusted Zone: http://www.ycdy.com

O15 - ESC Trusted Zone: http://www1.ycdy.com

 

 

NEXT**

Download: ResetProtocolDefaults.reg

http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg

 

Locate "ResetProtocolDefaults.reg"

Right-click and select: Merge (Ok the prompt)

 

 

 

NEXT**

Download SDFix (or from here) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

 

Please then reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.cmd to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt

    (Report.txt will also be copied to the Clipboard, ready for posting back on the forum).

  • Finally, paste the contents of the SDFix Report.txt back on the forum with a new HijackThis log

 

 

NEXT**

Please download Malwarebytes' Anti-Malware to your desktop

 

Additional Link

 

* Double-click mbam-setup.exe and follow the prompts to install the program.

* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform quick scan, then click Scan.

* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.

* You can also access the log by doing the following:

 

o Click on the Malwarebytes' Anti-Malware icon to launch the program.

o Click on the Logs tab.

o Click on the log at the bottom of those listed to highlight it.

o Click Open.

 

In your next reply, please post:

* SDFix report.txt

* Malwarebytes' Anti-Malware log

* new HijackThis log taken after the above scan has run

 

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

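As an added illustration (not code from this thread, from HijackThis or from any of the tools named above), a small Python triage script that applies the checks Juliet applied by eye to the O4, O15 and O23 lines: the same autostart value name registered in several Run/RunServices/RunOnce locations across hives, a command given as a bare file name, an executable launched from the system directory, ESC Trusted Zone additions, services with no owner, and a non-default start page. The sample lines are copied from the log posted above; entry types the script does not parse (Global Startup, N3, O9 and so on) are skipped, and every hit is a "review this" signal, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the HijackThis log posted
# in this thread, with the legitimate AVG entries kept in for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKCU\..\Run: [Windows has Layer] fixweb.exe
O4 - HKUS\.DEFAULT\..\Run: [Windows has Layer] fixweb.exe (User 'Default user')
O4 - HKLM\..\Run: [windowsupdate] C:\WINNT\System32\windowsupdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - ESC Trusted Zone: http://ad.32666.com
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Windows Output Browser - Unknown owner - C:\WINNT\system32\smsc.exe
"""

# Registry-backed O4 lines: "O4 - <hive>\..\<key>: [<value name>] <command> [(User '...')]".
# Global Startup lines have a different shape and are deliberately not matched.
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] "
                   r"(?P<cmd>.*?)(?: \(User '[^']*'\))?$")
O15_RE = re.compile(r"^O15 - ESC Trusted Zone: (?P<url>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
R_RE = re.compile(r"^R[01] - .*Start Page = (?P<url>\S+)$")

# Commands whose executable sits directly in the system directory are worth a
# look: third-party software rarely installs its autostart binary there.
SYSTEM_DIR_MARKERS = ("\\winnt\\system32\\", "\\windows\\system32\\")


def parse(log_text):
    """Split a HijackThis log into the entry types the triage looks at; unmatched lines are ignored."""
    entries = {"autostarts": [], "trusted_zones": [], "services": [], "start_pages": []}
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            entries["autostarts"].append(m.groupdict())
        elif m := O15_RE.match(line):
            entries["trusted_zones"].append(m["url"])
        elif m := O23_RE.match(line):
            entries["services"].append(m.groupdict())
        elif m := R_RE.match(line):
            entries["start_pages"].append(m["url"])
    return entries


def executable_of(cmd):
    """Return the executable part of an autostart command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Apply the review heuristics and return one dict of findings per check."""
    e = parse(log_text)
    locations = defaultdict(set)   # value name -> {(hive, key), ...}
    bare, in_system_dir = {}, {}
    for a in e["autostarts"]:
        locations[a["name"]].add((a["hive"], a["key"]))
        exe = executable_of(a["cmd"])
        if "\\" not in exe:
            # No path at all: the loader resolves the name via the search order.
            bare[a["name"]] = exe
        elif any(marker in exe.lower() for marker in SYSTEM_DIR_MARKERS):
            in_system_dir[a["name"]] = exe
    # One value name planted in three or more autostart locations is the
    # pattern "Windows has Layer" shows in the log above.
    repeated = {name: len(locs) for name, locs in locations.items() if len(locs) >= 3}
    unknown_owner = [s["display"] for s in e["services"] if s["owner"] == "Unknown owner"]
    start_pages = [u for u in e["start_pages"] if u != "about:blank"]
    return {
        "repeated_autostarts": repeated,
        "bare_commands": bare,
        "system_dir_commands": in_system_dir,
        "trusted_zones": e["trusted_zones"],
        "unknown_owner_services": unknown_owner,
        "start_pages": start_pages,
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(f"{check}: {hits}")
```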
getaran   

Thanks for the instruction.

However, I have a problem running Malwarebytes' Anti-Malware ...

Every time I want to run the program, an error message appears:

 

"An error occurred. Please report the following error code to the Malwarebytes' Anti-Malware support team.

Error code: 718 (-2146893799)"

 

What should I do now?

 

Anyway I've run SDFix and this is the log together with HJT log file.

 

Please advise on what to do next.

 

 

SDFix: Version 1.166

 

Run by Ducky1 on Tue 01/01/2002 at 3:42a

 

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

 

Checking Services :

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting

 

 

Checking Files :

 

Trojan Files Found:

 

C:\WINNT\SYSTEM32\SETUP_~3.EXE - Deleted

C:\n.exe - Deleted

C:\WINNT\system32\n.exe - Deleted

C:\WINNT\system32\setup_38684.exe - Deleted

C:\WINNT\system32\setup_45015.exe - Deleted

C:\WINNT\system32\setup_30520.exe - Deleted

C:\WINNT\system32\d.dll - Deleted

C:\WINNT\system32\i - Deleted

C:\WINNT\system32\msn.dll - Deleted

C:\WINNT\system32\smsc.exe - Deleted

C:\WINNT\system32\systemac.dll - Deleted

C:\WINNT\system32\WindowsUpdate.exe - Deleted

 

 

 

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2002-01-01 04:03:56

Windows 5.0.2195 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden services ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

 

 

Remaining Files :

 

 

File Backups: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes :

 

Tue 3 Jul 2007 1,152 A.SH. --- "C:\vdemvefv.sys"

Sat 2 Apr 2005 1,682 A.SH. --- "C:\WINNT\system32\KGyGaAvL.sys"

Sat 2 Apr 2005 56 ..SHR --- "C:\WINNT\system32\83B2BDE68A.sys"

Wed 11 Dec 2002 73,728 ..SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"

Tue 1 Jan 2002 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Sat 22 Apr 2006 45,568 ...H. --- "C:\Documents and Settings\Ducky1\My Documents\~WRL0001.tmp"

Sun 23 Apr 2006 42,496 ...H. --- "C:\Documents and Settings\Ducky1\My Documents\~WRL2051.tmp"

Sun 23 Apr 2006 44,544 ...H. --- "C:\Documents and Settings\Ducky1\My Documents\~WRL3363.tmp"

Sun 23 Apr 2006 45,568 ...H. --- "C:\Documents and Settings\Ducky1\My Documents\~WRL0053.tmp"

Sun 22 Jan 2006 36,864 ...H. --- "C:\Documents and Settings\Ducky1\My Documents\~WRL3238.tmp"

Sun 22 Jan 2006 41,472 ...H. --- "C:\Documents and Settings\Ducky1\Application Data\Microsoft\Word\~WRL0004.tmp"

Sun 23 Apr 2006 42,496 ...H. --- "C:\Documents and Settings\Ducky1\Application Data\Microsoft\Word\~WRL2341.tmp"

Sun 23 Apr 2006 45,568 ...H. --- "C:\Documents and Settings\Ducky1\Application Data\Microsoft\Word\~WRL3041.tmp"


Finished!

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:33:52 AM, on 1/1/2002

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Boot mode: Normal

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\WINNT\system32\cisvc.exe

C:\Program Files\PrevxCSI\PrevxCSI.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\WINNT\system32\rundll32.exe

C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE

C:\WINNT\Explorer.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\slserv.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\fixweb.exe

C:\WINNT\system32\cidaemon.exe

C:\WINNT\system32\cidaemon.exe

C:\WINNT\System32\taskmgr.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINNT\system32\msiexec.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\tmnet streamyx\streamyx.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [soundMan] soundman.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Windows has Layer] fixweb.exe

O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe

O4 - HKLM\..\RunOnce: [Windows has Layer] fixweb.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [Windows has Layer] fixweb.exe

O4 - HKCU\..\RunOnce: [Windows has Layer] fixweb.exe

O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "c:\program files\msn messenger\msnmsgs.exe" /background (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [Windows has Layer] fixweb.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: iFinger.lnk = C:\Program Files\iFinger\iFinger.exe

O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe

O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL

O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)

O17 - HKLM\System\CCS\Services\Tcpip\..\{362E849A-77C7-4D47-ABB7-C8D53C60B3F5}: NameServer = 202.188.0.133,202.188.1.5

O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0B6A9C-AE08-4F61-8015-45904A9EF6F5}: NameServer = 202.188.0.133 202.188.1.5

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\\PrevxCSI.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE

O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe

O23 - Service: Windows Output Browser - Unknown owner - C:\WINNT\system32\smsc.exe (file missing)

 

--

End of file - 8262 bytes

getaran   

BTW, I would like to keep AVG only, hence I would like to uninstall PrevxCSI. Can you please guide me on how to uninstall it? Also, I have no idea about the existence of MicroWorld Antivirus on my computer, so I'd like to remove it as well.

Juliet   

Welcome back

 

Go to your Control Panel >> Add/Remove Programs and uninstall/delete these if found:

PrevxCSI

MicroWorld Technologies Inc

 

 

 

Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows and browsers except HijackThis and press Fix checked.

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O4 - HKLM\..\Run: [Windows has Layer] fixweb.exe

O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe

O4 - HKLM\..\RunOnce: [Windows has Layer] fixweb.exe

O4 - HKCU\..\Run: [Windows has Layer] fixweb.exe

O4 - HKCU\..\RunOnce: [Windows has Layer] fixweb.exe

O4 - HKUS\.DEFAULT\..\Run: [Windows has Layer] fixweb.exe (User 'Default user')

O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\\PrevxCSI.exe

O23 - Service: MWAgent - MicroWorld Technologies Inc. - C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE

 

 

C:\SDFix\backups <--delete this folder

C:\Program Files\PrevxCSI <--delete the folder

C:\Program Files\Common Files\MicroWorld <--delete the folder

 

 

NEXT**

Go to START > Run, then copy and paste these commands one at a time and press OK after each:

 

sc stop CSIScanner

 

sc delete CSIScanner

 

sc stop MWAgent

 

sc delete MWAgent

 

EXIT

 

Reboot your computer

 

 

 

Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

Please ensure you install the Recovery Console.

 

* When the tool is finished, it will produce a report for you.

* Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

getaran   

ComboFix 07-08-06.5 - "Ducky1" 01/01/2002 1:46:00.4 - FAT32x86

Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.16 [GMT 8:00]

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINNT\system32\csrss.dll

 

 

((((((((((((((((((((((((( Files Created from 2001-11-28 to 2001-12-31 )))))))))))))))))))))))))))))))

 

 

No new files created in this timespan

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

12/30/04 10:38p --------- d-------- C:\Program Files\RM Converter

12/30/04 03:02p --------- d-------- C:\DOCUME~1\Ducky1\APPLIC~1\Azureus

12/30/04 03:01p --------- d-------- C:\Program Files\Azureus

12/29/04 03:23p --------- d-------- C:\Program Files\BitComet

12/26/03 09:32p 4096 --a------ C:\WINNT\system32\CSUNINST.EXE

12/26/03 09:32p --------- d-------- C:\Program Files\Net2Phone

12/26/03 09:30p 98304 --a------ C:\WINNT\system32\N2PUtil.dll

12/26/03 09:30p 28672 --a------ C:\WINNT\system32\N2PAuto.exe

12/26/03 09:30p --------- d-------- C:\Program Files\Real

12/26/03 09:30p --------- d-------- C:\Program Files\Common Files\Real

12/25/04 04:23p 652800 --a------ C:\WINNT\system32\wacult.exe

12/20/01 08:22p 110592 --a------ C:\WINNT\system32\pscLE118.dll

12/18/06 06:38a --------- d-------- C:\Program Files\SmartFTP Client 2.0

12/18/06 06:38a --------- d-------- C:\DOCUME~1\Ducky1\APPLIC~1\SmartFTP

12/18/06 06:37a --------- d-------- C:\Program Files\SmartFTP Client 2.0 Setup Files

12/18/06 06:00a 16007 --a------ C:\WINNT\mozver.dat

12/16/06 05:36p --------- d-------- C:\Program Files\Google

12/16/06 05:35p --------- d-------- C:\Program Files\Picasa2

12/16/04 04:32p 13304 --a------ C:\WINNT\system32\drivers\BTNetFilter.sys

12/14/04 07:04p 266240 --a------ C:\WINNT\system32\xvidvfw.dll

12/14/04 07:02p 1175552 --a------ C:\WINNT\system32\xvidcore.dll

12/14/03 04:47p 692224 --a------ C:\WINNT\system32\ciaResSvr20.dll

12/13/03 05:38a 311296 --a------ C:\WINNT\system32\winhttp.dll

12/12/06 04:59p --------- d-------- C:\DOCUME~1\Ducky1\APPLIC~1\DivX

12/12/03 05:41p 53248 --a------ C:\WINNT\system32\ciaXPRegSvr20.DLL

12/12/02 12:14a 98816 --a------ C:\WINNT\system32\dmstyle.dll

12/12/02 12:14a 98816 --a------ C:\WINNT\system32\dllcache\dmstyle.dll

12/12/02 12:14a 8192 --a------ C:\WINNT\system32\d3d8thk.dll

12/12/02 12:14a 80896 --a------ C:\WINNT\system32\dpvsetup.exe

12/12/02 12:14a 77824 --a------ C:\WINNT\system32\dpmodemx.dll

12/12/02 12:14a 77824 --a------ C:\WINNT\system32\dllcache\dpmodemx.dll

12/12/02 12:14a 76800 --a------ C:\WINNT\system32\dpwsockx.dll

12/12/02 12:14a 76800 --a------ C:\WINNT\system32\dmscript.dll

12/12/02 12:14a 76800 --a------ C:\WINNT\system32\dllcache\dpwsockx.dll

12/12/02 12:14a 7424 --a------ C:\WINNT\system32\drivers\mskssrv.sys

12/12/02 12:14a 733184 --a------ C:\WINNT\system32\qedwipes.dll

12/12/02 12:14a 723968 --a------ C:\WINNT\system32\dpnet.dll

12/12/02 12:14a 64512 --a------ C:\WINNT\system32\dllcache\amstream.dll

12/12/02 12:14a 64512 --a------ C:\WINNT\system32\amstream.dll

12/12/02 12:14a 602624 --a------ C:\WINNT\system32\dx7vb.dll

12/12/02 12:14a 602624 --a------ C:\WINNT\system32\dllcache\dx7vb.dll

12/12/02 12:14a 58368 --a------ C:\WINNT\system32\dmcompos.dll

12/12/02 12:14a 58368 --a------ C:\WINNT\system32\dllcache\dmcompos.dll

12/12/02 12:14a 5504 --a------ C:\WINNT\system32\drivers\mstee.sys

12/12/02 12:14a 5248 --a------ C:\WINNT\system32\drivers\mspclock.sys

12/12/02 12:14a 491520 --a------ C:\WINNT\system32\dsdmoprp.dll

12/12/02 12:14a 45696 --a------ C:\WINNT\system32\drivers\stream.sys

12/12/02 12:14a 44544 --a------ C:\WINNT\system32\dxdllreg.exe

12/12/02 12:14a 4096 --a------ C:\WINNT\system32\ksuser.dll

12/12/02 12:14a 4096 --a------ C:\WINNT\system32\drivers\swenum.sys

12/12/02 12:14a 381952 --a------ C:\WINNT\system32\dpvoice.dll

12/12/02 12:14a 355328 --a------ C:\WINNT\system32\dsound.dll

12/12/02 12:14a 34304 --a------ C:\WINNT\system32\mciqtz32.dll

12/12/02 12:14a 34304 --a------ C:\WINNT\system32\dllcache\mciqtz32.dll

12/12/02 12:14a 33280 --a------ C:\WINNT\system32\dmloader.dll

12/12/02 12:14a 33280 --a------ C:\WINNT\system32\dllcache\dmloader.dll

12/12/02 12:14a 324096 --a------ C:\WINNT\system32\mswebdvd.dll

12/12/02 12:14a 311808 --a------ C:\WINNT\system32\qdv.dll

12/12/02 12:14a 311808 --a------ C:\WINNT\system32\dllcache\qdv.dll

12/12/02 12:14a 3072 --a------ C:\WINNT\system32\dpnlobby.dll

12/12/02 12:14a 3072 --a------ C:\WINNT\system32\dpnaddr.dll

12/12/02 12:14a 284160 --a------ C:\WINNT\system32\ddraw.dll

12/12/02 12:14a 28160 --a------ C:\WINNT\system32\dplaysvr.exe

12/12/02 12:14a 28160 --a------ C:\WINNT\system32\dllcache\dplaysvr.exe

12/12/02 12:14a 27136 --a------ C:\WINNT\system32\dmband.dll

12/12/02 12:14a 27136 --a------ C:\WINNT\system32\dllcache\dmband.dll

12/12/02 12:14a 257024 --a------ C:\WINNT\system32\qcap.dll

12/12/02 12:14a 257024 --a------ C:\WINNT\system32\dllcache\qcap.dll

12/12/02 12:14a 24064 --a------ C:\WINNT\system32\dllcache\ddrawex.dll

12/12/02 12:14a 24064 --a------ C:\WINNT\system32\ddrawex.dll

12/12/02 12:14a 217600 --a------ C:\WINNT\system32\dplayx.dll

12/12/02 12:14a 19968 --a------ C:\WINNT\system32\dpvacm.dll

12/12/02 12:14a 18944 --a------ C:\WINNT\system32\encapi.dll

12/12/02 12:14a 186880 --a------ C:\WINNT\system32\dsdmo.dll

12/12/02 12:14a 18432 --a------ C:\WINNT\system32\dswave.dll

12/12/02 12:14a 1798144 --a------ C:\WINNT\system32\qedit.dll

12/12/02 12:14a 173056 --a------ C:\WINNT\system32\qasf.dll

12/12/02 12:14a 171520 --a------ C:\WINNT\system32\dmime.dll

12/12/02 12:14a 171520 --a------ C:\WINNT\system32\dllcache\dmime.dll

12/12/02 12:14a 16896 --a------ C:\WINNT\system32\dpnsvr.exe

12/12/02 12:14a 13312 --a------ C:\WINNT\system32\msdmo.dll

12/12/02 12:14a 130304 --a------ C:\WINNT\system32\drivers\ks.sys

12/12/02 12:14a 1294336 --a------ C:\WINNT\system32\dsound3d.dll

12/12/02 12:14a 1294336 --a------ C:\WINNT\system32\dllcache\dsound3d.dll

12/12/02 12:14a 1177600 --a------ C:\WINNT\system32\d3d8.dll

12/12/02 12:14a 116736 --a------ C:\WINNT\system32\dmusic.dll

12/12/02 12:14a 116736 --a------ C:\WINNT\system32\dllcache\dmusic.dll

12/12/02 12:14a 112128 --a------ C:\WINNT\system32\dpvvox.dll

12/12/02 12:14a 100864 --a------ C:\WINNT\system32\dmsynth.dll

12/12/02 12:14a 100864 --a------ C:\WINNT\system32\dllcache\dmsynth.dll

12/12/02 11:35p 86016 -ra------ C:\WINNT\system32\drivers\SCBaud.w9x

12/12/01 07:25a 53248 --a------ C:\WINNT\system32\PSCNE118.exe

12/11/06 05:56a 16786 --a------ C:\WINNT\winsbak.reg

12/11/06 05:56a 117022 --a------ C:\WINNT\winsbak2.reg

12/11/06 05:10a 70 --a------ C:\WINNT\taskmen.pif

12/11/02 07:12p 760968 --a------ C:\WINNT\system32\wmsdmod.dll

12/11/02 07:12p 316040 --a------ C:\WINNT\system32\mp43dmod.dll

12/11/02 07:11p 410248 --a------ C:\WINNT\system32\wmadmod.dll

12/11/02 07:10p 816264 --a------ C:\WINNT\system32\wmvdmod.dll

12/11/02 07:07p 486536 --a------ C:\WINNT\system32\wmspdmod.dll

1999-12-07 04:00:00 65,198 --sh--r C:\WINNT\system32\windowsupdate.exe

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="soundman.exe" [05/29/01 02:02a C:\WINNT\soundman.exe]

"Synchronization Manager"="mobsync.exe" [12/07/99 12:00p C:\WINNT\system32\mobsync.exe]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/01/02 03:11a]

"windowsupdate"="C:\WINNT\System32\windowsupdate.exe" [12/07/99 12:00p]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [09/04/07 04:40p]

"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [04/22/03 02:43p]

"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [08/06/04 03:33p]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"windowsupdate"=C:\WINNT\System32\windowsupdate.exe

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

"Windows has Layer"=fixweb.exe

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"msnmsgr"="c:\program files\msn messenger\msnmsgs.exe" /background

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 05:05:56]

Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-10-20 20:54:18]

iFinger.lnk - C:\Program Files\iFinger\iFinger.exe [2004-05-24 19:49:24]

BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-07-23 12:44:07]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"SynchronousMachineGroupPolicy"=0 (0x0)

"SynchronousUserGroupPolicy"=0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableCMD"=0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoFileMenu"=0 (0x0)

"NoShellSearchButton"=0 (0x0)

"NoManageMyComputerVerb"=0 (0x0)

"NoToolbarCustomize"=0 (0x0)

"NoSMHelp"=0 (0x0)

"HideClock"=1 (0x1)

"NoViewOnDrive"=0 (0x0)

"LockTaskbar"=0 (0x0)

"NoTrayItemsDisplay"=0 (0x0)

"StartmenuLogoff"=0 (0x0)

"NoSetTaskbar"=0 (0x0)

"ClearRecentDocsOnExit"=0 (0x0)

"NoChangeStartMenu"=1 (0x1)

"NoTrayContextMenu"=0 (0x0)

"NoStartMenuMorePrograms"=1 (0x1)

"NoSimpleStartMenu"=0 (0x0)

"NoCloseDragDropBands"=0 (0x0)

"NoMovingBands"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]

@="Driver"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]

@="Driver"

 

R0 BTHidMgr;Bluetooth HID Manager Service;C:\WINNT\System32\Drivers\BTHidMgr.sys

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\System32\Drivers\avg7rsnt.sys

R2 iindne;iindne;C:\WINNT\system32\rundll32.exe C:\PROGRA~1\COMMON~1\vindte\vindte.dll,Service -s

R3 BlueletAudio;Bluetooth Audio Service;C:\WINNT\System32\DRIVERS\blueletaudio.sys

R3 BT;Bluetooth PAN Network Adapter;C:\WINNT\System32\DRIVERS\btnetdrv.sys

R3 BTHidEnum;Bluetooth HID Enumerator;C:\WINNT\System32\DRIVERS\vbtenum.sys

R3 FA31X;NETGEAR FA311/FA312 NDIS 5.0 Miniport Driver;C:\WINNT\System32\DRIVERS\FA31XND5.SYS

R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINNT\System32\drivers\msmpu401.sys

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINNT\System32\DRIVERS\RMSPPPOE.SYS

R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINNT\System32\Drivers\RootMdm.sys

R3 VComm;Virtual Serial port driver;C:\WINNT\System32\DRIVERS\VComm.sys

R3 VcommMgr;Bluetooth VComm Manager Service;C:\WINNT\System32\Drivers\VcommMgr.sys

S0 xmfti;xmft;C:\WINNT\System32\DRIVERS\xmfti.sys

S1 sglfb;sglfb;C:\WINNT\System32\drivers\sglfb.sys

S2 CoolWare;CoolWare;C:\WINNT\System32\svchost.exe -k netsvcs

S2 Windows Output Browser;Windows Output Browser;"C:\WINNT\system32\smsc.exe"

S3 Btcsrusb;Bluetooth USB For Bluetooth Service;C:\WINNT\System32\Drivers\btcusb.sys

S3 BTNetFilter;Bluetooth Network Filter;\??\C:\WINNT\system32\drivers\BTNetFilter.sys

S3 CSDriver;CSDriver;\??\C:\WINNT\system32\drivers\CSDriver.sys

S3 DM9102;CNET PRO200 PCI Fast Ethernet NT Driver ;C:\WINNT\System32\DRIVERS\DM9PCI5.SYS

S3 ENDETECT;ENDETECT;\??\C:\PROGRA~1\EFFICI~1\TANGOM~1\app\ENDETECT.SYS

S3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;C:\WINNT\System32\DRIVERS\enetnt.sys

S3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\System32\drivers\ichaud.sys

S3 MPE;BDA MPE Filter;C:\WINNT\System32\DRIVERS\MPE.sys

S3 Mtlmnt5;Mtlmnt5;C:\WINNT\System32\DRIVERS\Mtlmnt5.sys

S3 Mtlstrm;Mtlstrm;C:\WINNT\System32\DRIVERS\Mtlstrm.sys

S3 NtMtlFax;NtMtlFax;C:\WINNT\System32\DRIVERS\NtMtlFax.sys

S3 NTSTPL1;NTSTPL1;\??\C:\PROGRA~1\EFFICI~1\TANGOM~1\app\NTSTPL1.SYS

S3 RAWESR;RAWESR;\??\C:\PROGRA~1\EFFICI~1\TANGOM~1\app\RAWESR.SYS

S3 Slnt7554;USB Soft Modem Driver;C:\WINNT\System32\DRIVERS\slnt7554.sys

S3 SlNtHal;SlNtHal;C:\WINNT\System32\DRIVERS\Slnthal.sys

S3 SlWdmSup;SlWdmSup;C:\WINNT\System32\DRIVERS\SlWdmSup.sys

S3 TAPBIND;TAPBIND;\??\C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TAPBIND1.SYS

S3 USBARW;=USB Mass Storage Disk Driver=;C:\WINNT\System32\DRIVERS\USBARW.SYS

S3 usbser;Motorola USB Modem Driver;C:\WINNT\System32\DRIVERS\usbser.sys

S3 V90drv;v90drv;C:\WINNT\System32\DRIVERS\v90drv.sys

S3 wceusbsh;Windows CE USB Serial Host Driver;C:\WINNT\System32\DRIVERS\wceusbsh.sys

Start Pending2 pydh;Windows pydh RunThem;C:\WINNT\System32\svchost.exe -k netsvcs

 

 

**************************************************************************

 

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2002-01-01 01:52:49

Windows 5.0.2195 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 01/01/2002 1:54:25

C:\ComboFix-quarantined-files.txt ... 01/01/02 01:54a

C:\ComboFix3.txt ... 08/07/07 09:25p

C:\ComboFix2.txt ... 01/01/02 12:32a

 

--- E O F ---

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:06:29 AM, on 1/1/2002

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Boot mode: Normal

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\WINNT\system32\cisvc.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\soundman.exe

C:\WINNT\System32\windowsupdate.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINNT\system32\msiexec.exe

C:\WINNT\system32\cidaemon.exe

C:\WINNT\system32\cidaemon.exe

C:\WINNT\explorer.exe

C:\Program Files\tmnet streamyx\streamyx.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.100

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [soundMan] soundman.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\RunServices: [windowsupdate] C:\WINNT\System32\windowsupdate.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "c:\program files\msn messenger\msnmsgs.exe" /background (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: iFinger.lnk = C:\Program Files\iFinger\iFinger.exe

O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe

O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL

O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)

O17 - HKLM\System\CCS\Services\Tcpip\..\{362E849A-77C7-4D47-ABB7-C8D53C60B3F5}: NameServer = 202.188.0.133,202.188.1.5

O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0B6A9C-AE08-4F61-8015-45904A9EF6F5}: NameServer = 202.188.0.133 202.188.1.5

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe

O23 - Service: Windows Output Browser - Unknown owner - C:\WINNT\system32\smsc.exe (file missing)

 

--

End of file - 7725 bytes

Juliet   

Delete the version of ComboFix you have now, it's very outdated.

 

 

Download Combofix from any of the links below, and save it to your desktop. <-- Important: Do NOT run this yet.

 

Link 1

Link 2

Link 3

 

 

 

 

Disable AVG Anti-Spyware :

Please disable AVG Anti-Spyware as it may interfere with the fix.

Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an 'S' in the system tray.

In the Resident Shield section, toggle the AVG Anti-Spyware active protection off by clicking Change state, which will then change the protection status to 'inactive'.

If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to Restart the Resident Shield.

Reply No and set it to inactive for the duration of your cleanup.

 

 

 

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

O4 - HKLM\..\RunServices: [windowsupdate] C:\WINNT\System32\windowsupdate.exe

O23 - Service: Windows Output Browser - Unknown owner - C:\WINNT\system32\smsc.exe (file missing)

 

 

Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.

Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

 

Click on this link Here to see a list of programs that should be disabled.

The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

 

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below. *Do Not Use Wordpad* or any other text editor than Notepad, or the script will fail.

Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

File::

C:\WINNT\winsbak.reg

C:\WINNT\winsbak2.reg

C:\WINNT\system32\windowsupdate.exe

 

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"windowsupdate"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]

"windowsupdate"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

"Windows has Layer"=-

Posted Image

 

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

 

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 

 

 

NEXT**

Go to Start > Control Panel > Internet Options

In the General tab, Temporary Internet Files, click: Delete Files

When prompted, check: Delete all offline content

You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)

Click OK

 

Then, go to Start >Run and enter: cleanmgr

Select the drive to clean: C:\

Check the following boxes and then press OK to remove:

Temporary Files

Temporary Internet Files

RecycleBin

Agree to the prompt to perform the action...

 

 

 

NEXT**

Please download ATF Cleaner by Atribune From Here and save it to your Desktop.

Follow the instructions for the browser you use.

Read the instructions about the cookies. Delete what you do not need.

 

Double click ATF-Cleaner.exe to run the program.

Check the boxes to the left of:

Windows Temp

Current User Temp

All Users Temp

Temporary Internet Files

Java Cache

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.

 

 

 

 

 

NEXT**

Let's run one more scan to check for any left overs.

*Note

It is recommended to disable onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.

Please don't go surfing while your resident protection is disabled!

Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

 

Click Yes, when prompted to install its ActiveX component.

(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

Or use Firefox with IE-Tab plugin

https://addons.mozilla.org/en-US/firefox/addon/1419

The program launches and downloads the latest definition files.

  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer

When the scan is done, in the Scan is completed window (below), any infection is displayed.

There is no option to clean/disinfect; however, we need to analyze the information in the report.

Posted Image

 

Posted Image

 

To obtain the report:

Click on: Save Report As (above - red blinking arrow)

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar

In Save as type, click the drop arrow and select: Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.

 

 

In your next reply post:

new ComboFix.txt

Kaspersky log

New HJT

 

How is the computer at the moment?

 

You may need several replies to post the requested logs, otherwise they might get cut off.

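A small triage script, added here as an example and not part of Juliet's instructions or of the ComboFix/HijackThis tools, that re-applies the reasoning behind the fix above to log lines copied from this thread: it flags the legacy RunServices autostart, the hidden+system executable in system32, the orphaned service entry, and the Security Center values that silence warnings. The rule set, the extension list and the sample lines are my own assumptions, not a vendor signature list.

```python
"""Triage helper for HijackThis / ComboFix log lines (added example, not from the thread)."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the logs posted in this
# thread, deliberately mixed with benign entries.  Not a complete log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [windowsupdate] C:\WINNT\System32\windowsupdate.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Windows Output Browser - Unknown owner - C:\WINNT\system32\smsc.exe (file missing)
1999-12-07 04:00:00 65,198 --sh--r C:\WINNT\system32\windowsupdate.exe
12/12/02 12:14a 284160 --a------ C:\WINNT\system32\ddraw.dll
2005-04-01 20:18 1,682 --sha-w C:\WINNT\system32\KGyGaAvL.sys
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"""

# HijackThis O4 (autostart) and O23 (service) lines.
HJT_O4 = re.compile(
    r'^O4 - (?P<hive>HK\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
HJT_O23 = re.compile(
    r'^O23 - Service: (?P<name>.+?) - (?P<owner>.*?) - (?P<path>.+?)'
    r'(?P<missing> \(file missing\))?$')
# ComboFix file-listing lines: date, time, size, attribute flags, path.
CF_FILE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<size>[\d,]+) (?P<attrs>[-a-z]+) (?P<path>[A-Za-z]:\\.+)$')
# REGEDIT4-style dword values as ComboFix prints them.
REG_DWORD = re.compile(r'^"(?P<name>\w+)"=dword:(?P<value>[0-9a-fA-F]{8})$')

# Security Center values that, when non-zero, stop Windows from warning that
# antivirus/firewall/updates are off.  All four appear in the log above.
SECURITY_CENTER_OFF = {"UpdatesDisableNotify", "AntiVirusDisableNotify",
                       "AntiVirusOverride", "FirewallOverride"}
# Executable types worth flagging when hidden+system in system32.  Drivers are
# left out on purpose: some licensing software ships hidden+system .sys files.
EXEC_EXTS = {".exe", ".dll", ".com", ".pif", ".scr"}


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Return the lines of a HijackThis/ComboFix log that deserve a second look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HJT_O4.match(line):
            if m["key"].lower() == "runservices":
                findings.append(Finding(line, "RunServices is a Windows 9x autostart key; "
                                              "on Windows 2000 little legitimate software uses it"))
            continue
        if m := HJT_O23.match(line):
            if m["missing"]:
                findings.append(Finding(line, "service points at a binary that is no longer "
                                              "on disk (orphaned or half-removed)"))
            continue
        if m := CF_FILE.match(line):
            path = m["path"]
            hidden_system = {"s", "h"} <= set(m["attrs"])
            in_system32 = "\\system32\\" in path.lower()
            if hidden_system and in_system32 and ntpath.splitext(path)[1].lower() in EXEC_EXTS:
                findings.append(Finding(line, "hidden+system executable in system32, unusual "
                                              "for a program and a common way to stay out of sight"))
            continue
        if m := REG_DWORD.match(line):
            if m["name"] in SECURITY_CENTER_OFF and int(m["value"], 16) != 0:
                findings.append(Finding(line, f"{m['name']} silences the Security Center "
                                              "warning that protection is switched off"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against a full log, the output is a short-list for a human to check against what the AV vendors say, not a verdict: a hit only means the entry needs the kind of look Juliet gave it above.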
getaran   

Sorry for the delay...was away for a few days...

 

Thanks for the guidance so far; it has been very helpful. I've done all the steps as instructed, but I couldn't perform the final task. The main problem is that my IE is not working at all. Every time I click to open my IE, it pops up a window saying IEXPLORER.EXE has generated an error. I've tried uninstalling my IE and re-installing it, but to no avail. Can you advise me what to do?

 

Here are the combofix log and HJT log:

 

ComboFix 08-04-10.9 - Ducky1 04/11/2008 22:24:58.5 - FAT32x86

Running from: C:\Documents and Settings\Ducky1\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Ducky1\Desktop\CFScript.txt

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

C:\WINNT\system32\windowsupdate.exe

C:\WINNT\winsbak.reg

C:\WINNT\winsbak2.reg

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

C:\Program Files\ktyc\qzei.dll

C:\WINNT\system32\Cache

C:\WINNT\system32\config\SAM.SAV

C:\WINNT\system32\mstacim.sig

C:\WINNT\system32\windowsupdate.exe

C:\WINNT\Web\default.htt

C:\WINNT\winsbak.reg

C:\WINNT\winsbak2.reg

 

----- BITS: Possible infected sites -----

 

hxxp://download.microsoft.com

.

((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))

.

 

2008-04-11 22:25 . 04/11/08 10:25p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_45c.dat

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-06 08:12 62,158 ----a-w C:\lam.exe

2008-03-26 12:28 50,176 ----a-w C:\WINNT\uninstyler.exe

2008-03-11 01:22 23,495 ----a-w C:\WINNT\system32\syscmd.dll

2008-02-09 07:35 9,229 ----a-w C:\WINNT\system32\msconfger.dll

2007-03-09 18:48 4 ----a-w C:\Documents and Settings\Ducky1\ravver.dat

2004-05-22 04:11 4,047 ----a-w C:\Program Files\INSTALL.LOG

2004-05-05 02:36 569,350 ----a-w C:\Program Files\Pocket Mechanic.2577.CAB

2004-05-05 02:36 215 ----a-w C:\Program Files\Pocket Mechanic.INI

2003-10-17 06:54 1,078 ----a-w C:\Program Files\Pocket Mechanic.ico

2001-12-31 17:38 1,024 ----a-w C:\Documents and Settings\All Users\Application Data\sowdp88.dat

2001-12-31 17:06 271 ---h--w C:\Program Files\desktop.ini

2001-12-31 17:06 21,952 ---h--w C:\Program Files\folder.htt

2001-09-28 09:00 164,864 ----a-w C:\Program Files\UNWISE.EXE

1999-12-07 04:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys

2005-04-01 20:18 1,682 --sha-w C:\WINNT\system32\KGyGaAvL.sys

2005-04-01 20:18 56 --sh--r C:\WINNT\system32\83B2BDE68A.sys

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [09/04/07 04:40p 6856704]

"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [04/22/03 02:43p 413775]

"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [08/06/04 03:33p 2502656]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="soundman.exe" [05/29/01 02:02a 124416 C:\WINNT\soundman.exe]

"Synchronization Manager"="mobsync.exe" [12/07/99 12:00p 111376 C:\WINNT\system32\mobsync.exe]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/01/02 03:11a 579072]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\msn messenger\msnmsgs.exe" [07/12/07 11:10a 69632]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [01/01/02 03:11a 219136]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [12/07/99 01:00p 186640]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 05:05:56 65588]

Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-10-20 20:54:18 113664]

iFinger.lnk - C:\Program Files\iFinger\iFinger.exe [2004-05-24 19:49:24 912384]

BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-07-23 12:44:07 1183744]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"SynchronousMachineGroupPolicy"= 0 (0x0)

"SynchronousUserGroupPolicy"= 0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoToolbarCustomize"= 0 (0x0)

"NoViewOnDrive"= 0 (0x0)

"LockTaskbar"= 0 (0x0)

"NoChangeStartMenu"= 1 (0x1)

"NoStartMenuMorePrograms"= 1 (0x1)

"NoSimpleStartMenu"= 0 (0x0)

"NoCloseDragDropBands"= 0 (0x0)

"NoMovingBands"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\System32\Drivers\avg7rsnt.sys [01/01/02 03:12a]

R3 FA31X;NETGEAR FA311/FA312 NDIS 5.0 Miniport Driver;C:\WINNT\System32\DRIVERS\FA31XND5.SYS [06/06/01 04:24p]

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINNT\System32\DRIVERS\RMSPPPOE.SYS [10/03/02 12:09a]

S0 xmfti;xmft;C:\WINNT\System32\DRIVERS\xmfti.sys []

S1 sglfb;sglfb;C:\WINNT\System32\drivers\sglfb.sys [12/07/99 12:00p]

S2 CoolWare;CoolWare;C:\WINNT\System32\svchost.exe [12/07/99 12:00p]

S2 iindne;iindne;C:\WINNT\system32\rundll32.exe C:\PROGRA~1\COMMON~1\vindte\vindte.dll,Service -s []

S3 ENDETECT;ENDETECT;C:\PROGRA~1\EFFICI~1\TANGOM~1\app\ENDETECT.SYS [11/12/02 09:55a]

S3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;C:\WINNT\System32\DRIVERS\enetnt.sys [11/12/02 09:55a]

S3 NTSTPL1;NTSTPL1;C:\PROGRA~1\EFFICI~1\TANGOM~1\app\NTSTPL1.SYS [11/12/02 09:56a]

S3 RAWESR;RAWESR;C:\PROGRA~1\EFFICI~1\TANGOM~1\app\RAWESR.SYS [11/12/02 09:55a]

S3 Slnt7554;USB Soft Modem Driver;C:\WINNT\System32\DRIVERS\slnt7554.sys [08/08/00 11:16a]

S3 TAPBIND;TAPBIND;C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TAPBIND1.SYS [11/12/02 09:56a]

S3 USBARW;=USB Mass Storage Disk Driver=;C:\WINNT\System32\DRIVERS\USBARW.SYS [04/04/02 10:25a]

S3 V90drv;v90drv;C:\WINNT\System32\DRIVERS\v90drv.sys [08/08/00 11:16a]

S4 Windows Output Browser;Windows Output Browser;"C:\WINNT\system32\smsc.exe" []

Start Pending2 pydh;Windows pydh RunThem;C:\WINNT\System32\svchost.exe [12/07/99 12:00p]

 

.

**************************************************************************

 

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-11 22:35:44

Windows 5.0.2195 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 04/11/2008 22:39:56

ComboFix2.txt 2001-12-31 17:54:26

ComboFix-quarantined-files.txt 2008-04-11 14:39:42

Pre-Run: 238,886,912 bytes free

Post-Run: 185,237,504 bytes free

getaran   

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:15:12 PM, on 4/11/2008

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Boot mode: Normal

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\WINNT\system32\cisvc.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\slserv.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\Explorer.exe

C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\soundman.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINNT\system32\msiexec.exe

C:\WINNT\system32\cidaemon.exe

C:\WINNT\system32\cidaemon.exe

C:\Program Files\tmnet streamyx\streamyx.exe

C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

C:\WINNT\System32\drwtsn32.exe

C:\HJT\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.100

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [soundMan] soundman.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "c:\program files\msn messenger\msnmsgs.exe" /background (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: iFinger.lnk = C:\Program Files\iFinger\iFinger.exe

O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe

O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL

O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)

O17 - HKLM\System\CCS\Services\Tcpip\..\{362E849A-77C7-4D47-ABB7-C8D53C60B3F5}: NameServer = 202.188.0.133,202.188.1.5

O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0B6A9C-AE08-4F61-8015-45904A9EF6F5}: NameServer = 202.188.0.133 202.188.1.5

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe


--

End of file - 7962 bytes

Juliet   

Welcome back


C:\SDFix\backups <--delete this folder


Go to My Computer->Tools->Folder Options->View tab:

  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck - Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)

====


Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders in bold


Please go to: VirusTotal


  • Click the Browse button and search for the following file: C:\lam.exe


  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.

Also please scan this file

C:\WINNT\uninstyler.exe


For the IE issues.....I can't say what's happened here...

Do you have all Service Packs installed for Windows 2000? They might include an updated IE.

I found a few links that may be helpful

http://forums.pcpitstop.com/lofiversion/in...php/t74560.html

http://support.microsoft.com/kb/318378

Methods 3 and 4 are the same for Win 2000

Let's try a different scan


Next go Here to run Panda's ActiveScan.

Once you are on the Panda site click the Scan your PC button

A new window will open...click the Check Now button.

Enter your State/Province

Enter your E-mail address and click send.

Select either Home user or Company.

Click the big Scan Now button

  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a few minutes)
When the download is complete, click on My Computer to start the scan.

When the scan completes, if anything malicious is detected, click the See Report button, then Save report and save it to a convenient location (activescan.txt to desktop).

Post the contents of the ActiveScan report


Post back with the Panda log

New HJT log

getaran   

Juliet....thank you very much for assisting me so far. However, I think that things have gone from bad to worse and it's getting very frustrating for me at the moment.


I couldn't fix the IE issue and it's still the same problem every time I try to open it.

More bad news: I scanned the file C:\lam.exe yesterday but forgot to save the log file. Today I tried to scan the file again and it's gone!!! Worse, there's a window popping up saying "Installing file error C:\lam2.exe C:\lam3.exe C:\lam4.exe" ... there are about 7-8 such windows with different file names in total, with the options Abort, Ignore and Cancel.

This is the result of another file you asked me to scan

Antivirus Version Last Update Result

AhnLab-V3 2008.4.12.0 2008.04.11 -

AntiVir 7.6.0.85 2008.04.11 -

Authentium 4.93.8 2008.04.11 -

Avast 4.8.1169.0 2008.04.11 -

AVG 7.5.0.516 2008.04.11 -

BitDefender 7.2 2008.04.11 -

CAT-QuickHeal 9.50 2008.04.11 -

ClamAV 0.92.1 2008.04.11 -

DrWeb 4.44.0.09170 2008.04.11 -

eSafe 7.0.15.0 2008.04.09 -

eTrust-Vet 31.3.5687 2008.04.10 -

Ewido 4.0 2008.04.11 -

F-Prot 4.4.2.54 2008.04.10 -

F-Secure 6.70.13260.0 2008.04.11 -

FileAdvisor 1 2008.04.11 -

Fortinet 3.14.0.0 2008.04.10 -

Ikarus T3.1.1.26 2008.04.11 -

Kaspersky 7.0.0.125 2008.04.11 -

McAfee 5272 2008.04.11 -

Microsoft 1.3408 2008.04.11 -

NOD32v2 3019 2008.04.11 -

Norman 5.80.02 2008.04.11 -

Panda 9.0.0.4 2008.04.11 -

Prevx1 V2 2008.04.11 -

Rising 20.39.32.00 2008.04.11 -

Sophos 4.28.0 2008.04.11 -

Sunbelt 3.0.1032.0 2008.04.08 -

Symantec 10 2008.04.11 -

TheHacker 6.2.92.273 2008.04.11 -

VBA32 3.12.6.4 2008.04.06 -

VirusBuster 4.3.26:9 2008.04.11 -

Webwasher-Gateway 6.6.2 2008.04.11 -

Additional information

File size: 50176 bytes

MD5...: 1bcd2e88e59a9b31c2a0fb559ef7f10d

SHA1..: 3262dd59d80fdc09eae6661036f92ecd76b64c97

SHA256: 472dce297fea0af9bd47f33d4ed0c418737e5bc6adfc5b9d780e5b14bcf536bc

SHA512: 6c77b853b14ff29d0886a3e0a171c7ac9e0756240be5cf5ecf8c72119a8bcdb0475963ffce2471d0bef326f2d892289b0d8c2b71678a846ffa4c957434f7556f

PEiD..: -

PEInfo: PE Structure information


( base data )

entrypointaddress.: 0x4087a4

timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)

machinetype.......: 0x14c (I386)


( 8 sections )

name viradd virsiz rawdsiz ntrpy md5

CODE 0x1000 0x7d88 0x7e00 6.55 82a29332f1cdfc1cefe7045fc9144aef

DATA 0x9000 0x190 0x200 3.22 f853028febaf00313e3e7a259ff05552

BSS 0xa000 0x738 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

.idata 0xb000 0x606 0x800 3.73 e2a6b7e8b0da386579c9a02d8c0a3135

.tls 0xc000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

.rdata 0xd000 0x18 0x200 0.20 67c6f08ad59a25de1d0086b839500bc5

.reloc 0xe000 0x7e4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e

.rsrc 0xf000 0x3600 0x3600 3.54 8fefd292fb61b6daaa70a519c619a02c


( 6 imports )

> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, SetCurrentDirectoryA, RemoveDirectoryA, MultiByteToWideChar, GetModuleHandleA, GetModuleFileNameA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, ExitProcess, CreateFileA, CloseHandle

> user32.dll: MessageBoxA

> oleaut32.dll: VariantChangeTypeEx, VariantCopy, VariantClear, SysStringLen, SysAllocStringLen

> advapi32.dll: RegQueryInfoKeyA, RegOpenKeyExA, RegFlushKey, RegEnumKeyExA, RegDeleteKeyA, RegCloseKey

> kernel32.dll: WriteFile, SetFilePointer, SetFileAttributesA, ReadFile, GetVersionExA, GetSystemDefaultLCID, GetModuleFileNameA, GetLocaleInfoA, GetCurrentThreadId, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, DeleteFileA, CreateFileA, CompareStringA, CloseHandle

> user32.dll: MessageBoxA, LoadStringA


( 0 exports )


I'm very sad to say that I couldn't run the Panda Scan. I've done all the required steps but it says "Oh! It seems that your computer does not meet one of the requirements needed for ActiveScan 2.0 to operate correctly." What should I do???


This is the new HJT log


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:45:46 PM, on 4/12/2008

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Boot mode: Normal


Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\WINNT\system32\cisvc.exe

C:\WINNT\Explorer.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\slserv.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\soundman.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\windowsupdate.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINNT\system32\msiexec.exe

C:\WINNT\system32\cidaemon.exe

C:\WINNT\system32\cidaemon.exe

C:\Program Files\tmnet streamyx\streamyx.exe

C:\WINNT\System32\fixweb.exe

C:\HJT\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [soundMan] soundman.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [windowsupdate] C:\WINNT\System32\windowsupdate.exe

O4 - HKLM\..\Run: [Windows has Layer] fixweb.exe

O4 - HKLM\..\RunServices: [windowsupdate] C:\WINNT\System32\windowsupdate.exe

O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe

O4 - HKLM\..\RunOnce: [Windows has Layer] fixweb.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [Windows has Layer] fixweb.exe

O4 - HKCU\..\RunOnce: [Windows has Layer] fixweb.exe

O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "c:\program files\msn messenger\msnmsgs.exe" /background (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [Windows has Layer] fixweb.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: iFinger.lnk = C:\Program Files\iFinger\iFinger.exe

O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)

O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL

O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)

O17 - HKLM\System\CCS\Services\Tcpip\..\{362E849A-77C7-4D47-ABB7-C8D53C60B3F5}: NameServer = 202.188.0.133,202.188.1.5

O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0B6A9C-AE08-4F61-8015-45904A9EF6F5}: NameServer = 202.188.0.133 202.188.1.5

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe


--

End of file - 8326 bytes

Edited by getaran

Juliet   

It appears it all came back....


We'll have to do a few steps over.


Please download the OTMoveIt2 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    C:\lam2.exe

    C:\lam3.exe

    C:\lam4.exe

  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.

    # Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.

    # Note : If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :

    C:\_OTMoveIt2\MovedFiles\********_******.log

    (where "********_******" is the "date_time")

  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


NEXT**

Download: ResetProtocolDefaults.reg

http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg


Locate "ResetProtocolDefaults.reg"

Right-click and select: Merge (Ok the prompt)


Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.


O4 - HKLM\..\Run: [windowsupdate] C:\WINNT\System32\windowsupdate.exe

O4 - HKLM\..\Run: [Windows has Layer] fixweb.exe

O4 - HKLM\..\RunServices: [windowsupdate] C:\WINNT\System32\windowsupdate.exe

O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe

O4 - HKLM\..\RunOnce: [Windows has Layer] fixweb.exe

O4 - HKCU\..\Run: [Windows has Layer] fixweb.exe

O4 - HKCU\..\RunOnce: [Windows has Layer] fixweb.exe

O4 - HKUS\.DEFAULT\..\Run: [Windows has Layer] fixweb.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: iFinger.lnk = C:\Program Files\iFinger\iFinger.exe


NEXT**...we'll download and use this tool again


Download SDFix or from Here and save it to your Desktop

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)


< Don't miss this step Important!>


Please then reboot your computer in Safe Mode by doing the following :

  • Don't skip this step important!

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.cmd to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

  • Finally paste the contents of the SDFix Report.txt back on the forum with a new HijackThis log


Do you still have ComboFix on desktop?


If so please delete that one and grab a new copy


Download Combofix from any of the links below, and save it to your desktop.<--Important(Don't miss this step)


Link 1

Link 2

Link 3


Click on this link Here to see a list of programs that should be disabled.

The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


If your anti-virus or firewall complains, please allow this script to run as it is not malicious.


Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.

Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

  • Double click combofix.exe and follow the prompts.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Please be patient while the scan runs, at times it may appear to stall.


When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post this log in your next reply together with a new hijackthislog.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

After rebooting ensure your Security applications have been re-enabled.


CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


In your next reply post:

OTMoveIt log

SDFix report.txt

ComboFix.txt

New HJT log taken after the above scan has run


NEXT....let me know if you have a firewall and if it is set to disabled....We need to get one on if you don't.

Edited by Juliet

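The O4 entries Juliet picks out in the post above can be found mechanically. The script below is an added example, not part of this thread and not HijackThis' own code: it parses the O4 lines from the posted log (embedded as a constructed sample), groups them by executable, and flags the persistence patterns that make fixweb.exe and windowsupdate.exe stand out. Three of its checks rest on how Windows behaves rather than on this log: a value that names a bare file such as fixweb.exe is resolved through the process search path instead of being pinned to one file; RunServices is a Windows 9x/ME key that NT-based Windows (including Windows 2000) does not process, so malware writes it only to survive on every Windows version; and a RunOnce value is deleted before it executes, so one that is still present next to a Run value for the same image is being re-created on every boot. The flag names and the triage() function are this example's own inventions.

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [soundMan] soundman.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [windowsupdate] C:\WINNT\System32\windowsupdate.exe
O4 - HKLM\..\Run: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunServices: [windowsupdate] C:\WINNT\System32\windowsupdate.exe
O4 - HKLM\..\RunServices: [Windows has Layer] fixweb.exe
O4 - HKLM\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Windows has Layer] fixweb.exe
O4 - HKCU\..\RunOnce: [Windows has Layer] fixweb.exe
O4 - HKUS\.DEFAULT\..\Run: [Windows has Layer] fixweb.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# "O4 - <hive>\..\<key>: [<value name>] <command> (User '...')?"
REG_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '[^']*'\))?$")
# "O4 - Global Startup: <shortcut>.lnk = <target>"
STARTUP_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.*?) = (?P<cmd>.*)$")
# First executable-looking path in a command line, quoted or not (copes with unquoted spaces).
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|com|bat|cmd|scr|pif|dll))"?(?:\s|$)', re.I)


def parse_o4(line):
    """Return {location, key, name, cmd} for one O4 line, or None if it is not an O4 line."""
    m = REG_RE.match(line)
    if m:
        return {"location": m["hive"] + "\\" + m["key"], "key": m["key"],
                "name": m["name"], "cmd": m["cmd"]}
    m = STARTUP_RE.match(line)
    if m:
        return {"location": m["key"], "key": m["key"], "name": m["name"], "cmd": m["cmd"]}
    return None


def image_of(cmd):
    """Executable path referenced by a Run value, without its arguments."""
    m = EXE_RE.match(cmd)
    return m["path"] if m else (cmd.split() or [cmd])[0].strip('"')


def triage(log_text):
    """Group O4 entries by executable name and attach the persistence patterns worth a look."""
    by_image = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_o4(line.strip())
        if entry is None:
            continue
        image = image_of(entry["cmd"])
        by_image[image.rsplit("\\", 1)[-1].lower()].append({**entry, "image": image})

    report = {}
    for base, entries in by_image.items():
        keys = {e["key"] for e in entries}
        flags = set()
        locations = sorted({e["location"] for e in entries})
        if len(locations) > 1:                              # same image registered in several places
            flags.add("multiple-autostart-locations")
        if any("\\" not in e["image"] for e in entries):    # bare name: found via search path, not pinned
            flags.add("bare-filename")
        if any(k.startswith("RunServices") for k in keys):  # 9x/ME key; NT ignores it, malware writes it anyway
            flags.add("runservices-on-nt")
        if "RunOnce" in keys and "Run" in keys:             # RunOnce is deleted on use; still there = re-created
            flags.add("runonce-recreated")
        report[base] = {"locations": locations, "flags": sorted(flags),
                        "names": sorted({e["name"] for e in entries})}
    return report


if __name__ == "__main__":
    for base, info in triage(SAMPLE_LOG).items():
        if info["flags"]:
            print(f"{base}: {', '.join(info['flags'])}  <- {'; '.join(info['locations'])}")
```

Run against the sample, fixweb.exe comes out with all four flags across six autostart locations and windowsupdate.exe with two; soundman.exe trips only the bare-filename check, which is why the flags are a "look here" and not a verdict: a legitimate sound driver tray applet is registered that way too, and it is the combination of flags plus a file in System32 with no vendor path that separates the two.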
Juliet   

Also I would like to check and see if you can run this scan after following the other instructions in my previous post.


Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear

4) Select the first option, to run Windows in Safe Mode.


For additional help in booting into Safe Mode, see the following site:

http://www.pchell.com/support/safemode.shtml


Scan with DrWeb-CureIt as follows:


* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.

* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.

* Once the short scan has finished, Click Options > Change settings

* Choose the "Scan tab" and UNcheck "Heuristic analysis"

* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)

* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.

* When done, a message will be displayed at the bottom advising if any viruses were found.

* Click "Yes to all" if it asks if you want to cure/move the file.

* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".

(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)

* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.

* Save the DrWeb.csv report to your desktop.

* Exit Dr.Web Cureit when done.

* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


NEXT**

WINDOWS ME

http://support.microsoft.com/default.aspx?...b;EN-US;q263455

Win ME

To disable, then re-enable System Restore:


1. Right-click My Computer, and then click Properties.

2. On the Performance tab, click File System, or press ALT+F.

3. On the Troubleshooting tab, click to select the Disable System Restore check box.

4. Click OK twice, and then click Yes when you are prompted to restart the computer.

5. To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.


From the Start menu, select All Programs, Accessories, System Tools, and click Disk Cleanup.

In the Disk Cleanup dialog box, select the drive you want to clean up.

After Disk Cleanup analyzes the drive, click the More Options tab and then click the Clean Up button under the System Restore heading.


You will want to do this for

F:\Drive

D:\Drive

C:\Drive

And what ever other drive is found

Edited by Juliet

getaran   

I have checked my C: and noticed there aren't any files named lam2.exe, lam3.exe and lam4.exe ... The popup windows I mentioned to you earlier were about the error in installing the files ... so I guess the files didn't manage to copy to my C: successfully, hence the absence of these files in my C: ..

However, around 2 weeks ago, when I was about to shut down, I got many identical windows with the filename delextra.exe trying to shut itself down or something .. I wasn't really sure what it was trying to do, but the file is still in my C: ...

Hence I tried to scan it using the site you gave me, and this is the result, together with other suspicious files which I have never seen on my computer before. I hope this will provide you with some clues on what is manifesting in my computer.

File delextra.exe received on 04.04.2008 23:28:12 (CET)

Antivirus Version Last Update Result

AhnLab-V3 2008.4.12.0 2008.04.11 -

AntiVir 7.6.0.85 2008.04.11 -

Authentium 4.93.8 2008.04.13 -

Avast 4.8.1169.0 2008.04.12 -

AVG 7.5.0.516 2008.04.12 -

BitDefender 7.2 2008.04.13 -

CAT-QuickHeal 9.50 2008.04.12 -

ClamAV 0.92.1 2008.04.13 -

DrWeb 4.44.0.09170 2008.04.12 -

eTrust-Vet 31.3.5692 2008.04.11 -

Ewido 4.0 2008.04.12 -

F-Prot 4.4.2.54 2008.04.13 -

F-Secure 6.70.13260.0 2008.04.13 -

FileAdvisor 1 2008.04.13 -

Fortinet 3.14.0.0 2008.04.13 -

Ikarus T3.1.1.26 2008.04.13 -

Kaspersky 7.0.0.125 2008.04.13 -

McAfee 5272 2008.04.11 -

Microsoft 1.3408 2008.04.13 -

NOD32v2 3021 2008.04.12 -

Norman 5.80.02 2008.04.12 -

Panda 9.0.0.4 2008.04.12 -

Prevx1 V2 2008.04.13 -

Rising 20.39.52.00 2008.04.12 -

Sophos 4.28.0 2008.04.13 -

Sunbelt 3.0.1041.0 2008.04.12 VIPRE.Suspicious

Symantec 10 2008.04.13 -

TheHacker 6.2.92.276 2008.04.12 -

VBA32 3.12.6.4 2008.04.06 -

VirusBuster 4.3.26:9 2008.04.12 -

Webwasher-Gateway 6.6.2 2008.04.11 Win32.Malware.dam (suspicious)

Additional information

File size: 153646 bytes

MD5...: 5e3527f53b863be1d1f00d8c9e3205ed

SHA1..: 05e76df21687bf5a8d46d913b12933576fa0ce6f

SHA256: 9829b8519fade0286dab2ebd0667e980f2f964a7b13a1deba2221aee82791717

SHA512: 4154ddb9f3732b12ba43efce6f56f0c5465217c1d5ff532432330f2e49f1722a25b44e379b1f0540624720eea5fd02dcba348be852617ac32ae94875af642127

PEiD..: -

PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x437068
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x36438 0x36600 6.48 642897e4b34c00168200b0ab325c6f57
DATA 0x38000 0x1de4 0x1e00 0.00 d41d8cd98f00b204e9800998ecf8427e
BSS 0x3a000 0x2404 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x3d000 0x1c9a 0x1e00 0.00 d41d8cd98f00b204e9800998ecf8427e
.tls 0x3f000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x40000 0x18 0x200 0.00 d41d8cd98f00b204e9800998ecf8427e
.reloc 0x41000 0x33b4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x45000 0x8a00 0x8a00 0.00 d41d8cd98f00b204e9800998ecf8427e

( 0 imports )

( 0 exports )

packers: PE_Patch

 

File ddd.exe received on 04.13.2008 05:05:54 (CET)

Antivirus Version Last Update Result

AhnLab-V3 2008.4.12.0 2008.04.11 -

AntiVir 7.6.0.85 2008.04.11 DR/Kelebek.g.1.B

Authentium 4.93.8 2008.04.13 -

Avast 4.8.1169.0 2008.04.12 Win32:Kelebek-C

AVG 7.5.0.516 2008.04.12 -

BitDefender 7.2 2008.04.13 Application.Irc.Flood.Tool.E

CAT-QuickHeal 9.50 2008.04.12 -

ClamAV 0.92.1 2008.04.13 Trojan.Muldrop.744

DrWeb 4.44.0.09170 2008.04.12 IRC.Flood

eSafe 7.0.15.0 2008.04.09 -

eTrust-Vet 31.3.5692 2008.04.11 -

Ewido 4.0 2008.04.12 -

F-Prot 4.4.2.54 2008.04.13 -

F-Secure 6.70.13260.0 2008.04.13 not-a-virus:NetTool.Win32.Sniffer.c

FileAdvisor 1 2008.04.13 -

Fortinet 3.14.0.0 2008.04.13 -

Ikarus T3.1.1.26.0 2008.04.13 Trojan-Dropper.Win32.Agent.amm

Kaspersky 7.0.0.125 2008.04.13 not-a-virus:NetTool.Win32.Sniffer.c

McAfee 5272 2008.04.11 -

Microsoft 1.3408 2008.04.13 -

NOD32v2 3021 2008.04.12 -

Norman 5.80.02 2008.04.12 -

Panda 9.0.0.4 2008.04.12 -

Prevx1 V2 2008.04.13 Heuristic: Suspicious Self Modifying File

Rising 20.39.52.00 2008.04.12 -

Sophos 4.28.0 2008.04.13 Troj/Flood-I

Sunbelt 3.0.1041.0 2008.04.12 -

Symantec 10 2008.04.13 -

TheHacker 6.2.92.276 2008.04.12 -

VBA32 3.12.6.4 2008.04.06 -

VirusBuster 4.3.26:9 2008.04.12 -

Webwasher-Gateway 6.6.2 2008.04.11 -

Additional information

File size: 1103600 bytes

MD5...: 8417012022258c29024b154c5b6a3a3c

SHA1..: 4f74f79db8b92e1b53c67838b52e526bbc9a2b1b

SHA256: 8d9cd572585524e92fb90a4a67e6916035e12f68d42b8005ab91bff41f1dbe0a

SHA512: 85f7a69b5805813ac2eef961592333a861e07c7ec31157841a27d54244dd39ecfe6e934e13a02b85538195e00cee3aa71a5296b114e751046d59e1297289f63e

PEiD..: WARNING -> TROJAN -> HuiGeZi

PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x437068
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x36438 0x36600 6.48 6bfde59f209ee0cf6ba7af700b54822b
DATA 0x38000 0x1de4 0x1e00 3.40 0d9e59e139ff8b88abe05d8225bded08
BSS 0x3a000 0x2404 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x3d000 0x1c9a 0x1e00 4.87 59736360bf8263e50ba1a7f88f9cf242
.tls 0x3f000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x40000 0x18 0x200 0.19 77087fe0db892842ed99a00f4d341d9b
.reloc 0x41000 0x33b4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x45000 0x8a00 0x8a00 4.66 7846224ea339e9408d06d8cd2051349d

( 12 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, SetCurrentDirectoryA, RemoveDirectoryA, MultiByteToWideChar, GetModuleHandleA, GetModuleFileNameA, GetLastError, GetCommandLineA, GetCurrentDirectoryA, ExitThread, CreateThread, CreateDirectoryA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, MoveFileA, GetStdHandle, GetFileSize, GetFileType, ExitProcess, DeleteFileA, CreateFileA, CloseHandle
> user32.dll: MessageBoxA
> oleaut32.dll: VariantChangeTypeEx, VariantCopy, VariantClear, SysStringLen, SysAllocStringLen
> advapi32.dll: RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCreateKeyExA, RegCloseKey
> kernel32.dll: WriteFile, WinExec, WaitForSingleObject, VirtualAlloc, TerminateThread, SizeofResource, SetFileTime, SetFilePointer, SetFileAttributesA, SetErrorMode, ResumeThread, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LocalFileTimeToFileTime, LoadResource, LoadLibraryA, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetWindowsDirectoryA, GetVolumeInformationA, GetVersionExA, GetVersion, GetSystemDirectoryA, GetSystemDefaultLCID, GetShortPathNameA, GetProcAddress, GetModuleFileNameA, GetLogicalDrives, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileAttributesA, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableA, GetDriveTypeA, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, FreeResource, FreeLibrary, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, DosDateTimeToFileTime, DeleteFileA, CreateThread, CreateProcessA, CreateFileA, CreateDirectoryA, CompareStringA, CloseHandle
> mpr.dll: WNetGetConnectionA
> version.dll: VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
> gdi32.dll: UnrealizeObject, TextOutA, StretchDIBits, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetEnhMetaFileBits, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetCurrentPositionEx, GetClipBox, GetBitmapBits, ExcludeClipRect, EnumFontsA, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateFontIndirectA, CreateDIBitmap, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
> user32.dll: WindowFromPoint, WinHelpA, WaitMessage, WaitForInputIdle, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowOwnedPopups, ShowCursor, SetWindowRgn, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClassA, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRgn, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetSystemMetrics, GetSystemMenu, GetSysColor, GetSubMenu, GetScrollPos, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIcon, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreateWindowExA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharLowerBuffA, CharLowerA, CharUpperBuffA, AdjustWindowRectEx
> comctl32.dll: ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Create
> ole32.dll: CoCreateInstance, CoUninitialize, CoInitialize
> shell32.dll: ShellExecuteA

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp...E933E00A7EC9066

packers (Kaspersky): UPX, PE_Patch.PECompact, PecBundle, PECompact, UPX, ASPack

Edited by getaran

getaran   

File mstn.exe received on 04.13.2008 05:24:38 (CET)

Antivirus Version Last Update Result

AhnLab-V3 2008.4.12.0 2008.04.11 -

AntiVir 7.6.0.85 2008.04.11 TR/Crypt.XPACK.Gen

Authentium 4.93.8 2008.04.13 -

Avast 4.8.1169.0 2008.04.12 -

AVG 7.5.0.516 2008.04.12 Downloader.Generic7.EXO

BitDefender 7.2 2008.04.13 Packer.XComp.A

CAT-QuickHeal 9.50 2008.04.12 (Suspicious) - DNAScan

ClamAV 0.92.1 2008.04.13 -

DrWeb 4.44.0.09170 2008.04.12 -

eSafe 7.0.15.0 2008.04.09 -

eTrust-Vet 31.3.5692 2008.04.11 -

Ewido 4.0 2008.04.12 -

F-Prot 4.4.2.54 2008.04.13 W32/Downloader-Tir-based!Maximus

F-Secure 6.70.13260.0 2008.04.13 W32/Downloader

FileAdvisor 1 2008.04.13 -

Fortinet 3.14.0.0 2008.04.13 -

Ikarus T3.1.1.26.0 2008.04.13 Packer.XComp.A

Kaspersky 7.0.0.125 2008.04.13 Heur.Downloader

McAfee 5272 2008.04.11 -

Microsoft 1.3408 2008.04.13 Trojan:Win32/Malagent

NOD32v2 3021 2008.04.12 a variant of Win32/TrojanDownloader.Small.OAA

Norman 5.80.02 2008.04.12 W32/Smalltroj.DUNO

Panda 9.0.0.4 2008.04.12 Suspicious file

Prevx1 V2 2008.04.13 -

Rising 20.39.52.00 2008.04.12 Packer.Win32.Xcomp.a

Sophos 4.28.0 2008.04.13 Sus/UnkPacker

Sunbelt 3.0.1041.0 2008.04.12 -

Symantec 10 2008.04.13 -

TheHacker 6.2.92.276 2008.04.12 -

VBA32 3.12.6.4 2008.04.06 -

VirusBuster 4.3.26:9 2008.04.12 -

Webwasher-Gateway 6.6.2 2008.04.11 Trojan.Crypt.XPACK.Gen

Additional information

File size: 5064 bytes

MD5...: 8abd2ea3eba231b64a5d4d126c252ea4

SHA1..: 2a69e152ae9c4b2ae562e60fbc6acf655010ca92

SHA256: 1f8ed2e42a1c93cc54371a42b52a498d46fbeb91864bc47f042c6f1349b542d4

SHA512: 550ae9256f04d4176290240e79dd05dff45d7153532fad0982c83a0b4f4bf0a40504ba25de8736c6deb658ec1c24b8080f9981a2302f2ddc3660db5c37c7b364

PEiD..: -

PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x409000
timedatestamp.....: 0x47f61e82 (Fri Apr 04 12:26:42 2008)
machinetype.......: 0x14c (I386)

( 2 sections )
name viradd virsiz rawdsiz ntrpy md5
.zunty0 0x1000 0x8000 0xe00 7.55 faf9f55be217e66f527f823623c0bfd4
.zunty 0x9000 0x3c8 0x3c8 6.09 094cdb253356bf1f8f32672bbdd9b4cb

( 1 imports )
> KERNEL32.DLL: GetProcAddress, LoadLibraryA, VirtualAlloc, VirtualFree, VirtualProtect

( 0 exports )

packers (F-Prot): XComp, UPX

 

File qip.exe received on 04.13.2008 05:08:36 (CET)

Antivirus Version Last Update Result

AhnLab-V3 2008.4.12.0 2008.04.11 -

AntiVir 7.6.0.85 2008.04.11 -

Authentium 4.93.8 2008.04.13 -

Avast 4.8.1169.0 2008.04.12 -

AVG 7.5.0.516 2008.04.12 -

BitDefender 7.2 2008.04.13 -

CAT-QuickHeal 9.50 2008.04.12 -

ClamAV 0.92.1 2008.04.13 -

DrWeb 4.44.0.09170 2008.04.12 -

eTrust-Vet 31.3.5692 2008.04.11 -

Ewido 4.0 2008.04.12 -

F-Prot 4.4.2.54 2008.04.13 -

F-Secure 6.70.13260.0 2008.04.13 -

FileAdvisor 1 2008.04.13 -

Fortinet 3.14.0.0 2008.04.13 -

Ikarus T3.1.1.26 2008.04.13 -

Kaspersky 7.0.0.125 2008.04.13 -

McAfee 5272 2008.04.11 -

Microsoft 1.3408 2008.04.13 -

NOD32v2 3021 2008.04.12 -

Norman 5.80.02 2008.04.12 -

Panda 9.0.0.4 2008.04.12 -

Prevx1 V2 2008.04.13 -

Rising 20.39.52.00 2008.04.12 -

Sophos 4.28.0 2008.04.13 -

Sunbelt 3.0.1041.0 2008.04.12 VIPRE.Suspicious

Symantec 10 2008.04.13 -

TheHacker 6.2.92.276 2008.04.12 -

VBA32 3.12.6.4 2008.04.06 -

VirusBuster 4.3.26:9 2008.04.12 -

Webwasher-Gateway 6.6.2 2008.04.11 Win32.Malware.dam (suspicious)

Additional information

File size: 153646 bytes

MD5...: 5e3527f53b863be1d1f00d8c9e3205ed

SHA1..: 05e76df21687bf5a8d46d913b12933576fa0ce6f

SHA256: 9829b8519fade0286dab2ebd0667e980f2f964a7b13a1deba2221aee82791717

SHA512: 4154ddb9f3732b12ba43efce6f56f0c5465217c1d5ff532432330f2e49f1722a25b44e379b1f0540624720eea5fd02dcba348be852617ac32ae94875af642127

PEiD..: -

PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x437068
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 8 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x36438 0x36600 6.48 642897e4b34c00168200b0ab325c6f57
DATA 0x38000 0x1de4 0x1e00 0.00 d41d8cd98f00b204e9800998ecf8427e
BSS 0x3a000 0x2404 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x3d000 0x1c9a 0x1e00 0.00 d41d8cd98f00b204e9800998ecf8427e
.tls 0x3f000 0x8 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x40000 0x18 0x200 0.00 d41d8cd98f00b204e9800998ecf8427e
.reloc 0x41000 0x33b4 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x45000 0x8a00 0x8a00 0.00 d41d8cd98f00b204e9800998ecf8427e

( 0 imports )

( 0 exports )

packers: PE_Patch

getaran   

File/Folder C:\lam2.exe not found.

File/Folder C:\lam3.exe not found.

File/Folder C:\lam4.exe not found.

 

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04132008_121151

 

 

Rebooting

 

 

Checking Files :

 

No Trojan Files Found

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2002-01-01 00:06:38

Windows 5.0.2195 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden services ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

 

 

Remaining Files :

 

 

 

Files with Hidden Attributes :

 

Tue 3 Jul 2007 1,152 A.SH. --- "C:\vdemvefv.sys"

Sat 2 Apr 2005 1,682 A.SH. --- "C:\WINNT\system32\KGyGaAvL.sys"

Sat 2 Apr 2005 56 ..SHR --- "C:\WINNT\system32\83B2BDE68A.sys"

Tue 1 Jan 2002 65,198 ..SHR --- "C:\WINNT\system32\windowsupdate.exe"

Wed 11 Dec 2002 73,728 ..SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"

Tue 1 Jan 2002 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Sat 22 Apr 2006 45,568 ...H. --- "C:\Documents and Settings\Ducky1\My Documents\~WRL0001.tmp"

Sun 23 Apr 2006 42,496 ...H. --- "C:\Documents and Settings\Ducky1\My Documents\~WRL2051.tmp"

Sun 23 Apr 2006 44,544 ...H. --- "C:\Documents and Settings\Ducky1\My Documents\~WRL3363.tmp"

Sun 23 Apr 2006 45,568 ...H. --- "C:\Documents and Settings\Ducky1\My Documents\~WRL0053.tmp"

Sun 22 Jan 2006 36,864 ...H. --- "C:\Documents and Settings\Ducky1\My Documents\~WRL3238.tmp"

Sun 22 Jan 2006 41,472 ...H. --- "C:\Documents and Settings\Ducky1\Application Data\Microsoft\Word\~WRL0004.tmp"

Sun 23 Apr 2006 42,496 ...H. --- "C:\Documents and Settings\Ducky1\Application Data\Microsoft\Word\~WRL2341.tmp"

Sun 23 Apr 2006 45,568 ...H. --- "C:\Documents and Settings\Ducky1\Application Data\Microsoft\Word\~WRL3041.tmp"

Finished!

 

 

ComboFix 08-04-12.5 - Ducky1 04/13/2008 11:32:33.6 - FAT32x86

Running from: C:\Documents and Settings\Ducky1\Desktop\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\WINNT\system32\ss.exe

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_CCEVTMGR

-------\Legacy_CCPWDSVC

 

 

((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))

.

 

2008-04-12 23:20 . 08-04-12 15:21 <DIR> d-------- C:\SDFix

2008-04-12 23:10 . 08-04-12 23:11 186,981 --a------ C:\WINNT\system32\qip.exe

2008-04-12 21:15 . 03-03-16 15:49 33,792 --a------ C:\WINNT\system32\d.dll

2008-04-12 21:15 . 08-01-02 02:40 418 --a------ C:\WINNT\system32\aliases.ini

2008-04-12 21:15 . 08-01-07 07:51 156 --a------ C:\WINNT\system32\747.reg

2008-04-12 20:51 . 08-04-12 23:11 153,646 --a------ C:\qip.exe

2008-04-12 19:34 . 08-04-12 19:34 <DIR> d-------- C:\Program Files\Panda Security

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-13 03:47 136 ----a-w C:\WINNT\system32\drivers\ALCICH.DAT

2008-04-12 13:27 77,975 ----a-w C:\WINNT\system32\fixweb.exe

2008-03-26 12:28 50,176 ----a-w C:\WINNT\uninstyler.exe

2008-03-11 01:22 23,495 ----a-w C:\WINNT\system32\syscmd.dll

2008-02-09 07:35 9,229 ----a-w C:\WINNT\system32\msconfger.dll

2007-03-09 18:48 4 ----a-w C:\Documents and Settings\Ducky1\ravver.dat

2001-12-31 17:38 1,024 ----a-w C:\Documents and Settings\All Users\Application Data\sowdp88.dat

2001-12-31 17:06 271 ---h--w C:\Program Files\desktop.ini

2001-12-31 17:06 21,952 ---h--w C:\Program Files\folder.htt

2001-09-28 09:00 164,864 ------w C:\Program Files\UNWISE.EXE

1999-12-07 04:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys

2005-04-01 20:18 1,682 --sha-w C:\WINNT\system32\KGyGaAvL.sys

2005-04-01 20:18 56 --sh--r C:\WINNT\system32\83B2BDE68A.sys

2001-12-31 17:31 65,198 --sh--r C:\WINNT\system32\windowsupdate.exe

.

 

((((((((((((((((((((((((((((( snapshot@Fri 04-11-2008_22.39.07.17 )))))))))))))))))))))))))))))))))))))))))

.

- 2007-03-13 02:57:12 163,328 ----a-w C:\WINNT\erdnt\subs\ERDNT.EXE

+ 2005-10-20 12:02:28 163,328 ----a-w C:\WINNT\erdnt\subs\ERDNT.EXE

- 2008-04-04 18:58:30 163,328 ----a-w C:\WINNT\ERUNT\SDFIX\ERDNT.EXE

+ 2008-04-12 07:21:20 163,328 ----a-w C:\WINNT\ERUNT\SDFIX\ERDNT.EXE

- 2001-12-31 19:27:18 3,407,872 ----a-w C:\WINNT\ERUNT\SDFIX\Users\00000001\ntuser.dat

+ 2008-04-12 15:34:38 3,403,776 ----a-w C:\WINNT\ERUNT\SDFIX\Users\00000001\ntuser.dat

- 2001-12-31 19:27:20 12,288 ----a-w C:\WINNT\ERUNT\SDFIX\Users\00000002\UsrClass.dat

+ 2008-04-12 15:34:38 12,288 ----a-w C:\WINNT\ERUNT\SDFIX\Users\00000002\UsrClass.dat

- 2006-12-17 22:00:30 16,007 ----a-w C:\WINNT\mozver.dat

+ 2008-04-12 11:34:34 17,363 ----a-w C:\WINNT\mozver.dat

- 2001-12-31 17:13:46 77,975 ----a-w C:\WINNT\system32\lam.exe

+ 2001-12-31 20:32:32 77,975 ----a-w C:\WINNT\system32\lam.exe

+ 2001-12-31 16:54:58 41,936 ----a-w C:\WINNT\system32\setup_01208.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [07-09-04 16:40 6856704]

"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [03-04-22 14:43 413775]

"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [04-08-06 15:33 2502656]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="soundman.exe" [01-05-29 02:02 124416 C:\WINNT\soundman.exe]

"Synchronization Manager"="mobsync.exe" [99-12-07 12:00 111376 C:\WINNT\system32\mobsync.exe]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [02-01-01 03:11 579072]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\msn messenger\msnmsgs.exe" [07-07-12 11:10 69632]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [02-01-01 03:11 219136]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"Windows has Layer"="fixweb.exe" [08-04-12 21:27 77975 C:\WINNT\system32\fixweb.exe]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-07-23 12:44:07 1183744]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"SynchronousMachineGroupPolicy"= 0 (0x0)

"SynchronousUserGroupPolicy"= 0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoToolbarCustomize"= 0 (0x0)

"NoViewOnDrive"= 0 (0x0)

"LockTaskbar"= 0 (0x0)

"NoChangeStartMenu"= 1 (0x1)

"NoStartMenuMorePrograms"= 1 (0x1)

"NoSimpleStartMenu"= 0 (0x0)

"NoCloseDragDropBands"= 0 (0x0)

"NoMovingBands"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\System32\Drivers\avg7rsnt.sys [02-01-01 03:12 ]

 

.

**************************************************************************

 

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-13 11:52:06

Windows 5.0.2195 FAT NTAPI

 

scanning hidden processes ...

 

? [692]

Explorer.exe [692] 0x870F04A0

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

SystemRoot\System32\smss.exe [140]

??\C:\WINNT\system32\csrss.exe [164]

??\C:\WINNT\system32\winlogon.exe [160]

C:\WINNT\system32\services.exe [212]

C:\WINNT\system32\lsass.exe [224]

C:\WINNT\system32\svchost.exe [400]

C:\WINNT\system32\spoolsv.exe [432]

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe [460]

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe [488]

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [508]

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [556]

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [196]

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe [620]

C:\WINNT\system32\cisvc.exe [648]

C:\WINNT\System32\svchost.exe [684]

C:\WINNT\system32\hidserv.exe [720]

C:\WINNT\system32\rundll32.exe [736]

C:\WINNT\System32\svchost.exe [772]

C:\WINNT\system32\slserv.exe [820]

C:\WINNT\system32\stisvc.exe [848]

C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe [856]

C:\WINNT\System32\WBEM\WinMgmt.exe [984]

C:\WINNT\system32\svchost.exe [1000]

C:\WINNT\system32\CF2318.exe [1132]

C:\WINNT\soundman.exe [1156]

C:\Program Files\MSN Messenger\MsnMsgr.Exe [1252]

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE [1188]

C:\WINNT\system32\msiexec.exe [1324]

C:\WINNT\system32\cidaemon.exe [1388]

C:\WINNT\system32\cidaemon.exe [1116]

C:\WINNT\Explorer.exe [692]

C:\ComboFix\catchme.cfexe [1332]

.

**************************************************************************

.

Completion time: 2008-04-13 12:05:31 - machine was rebooted

ComboFix3.txt 2001-12-31 17:54:26

ComboFix-quarantined-files.txt 2008-04-13 04:04:56

ComboFix2.txt 2008-04-11 14:40:00

Pre-Run: 325,050,368 bytes free

Post-Run: 261,095,424 bytes free

getaran   

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:14:26 PM, on 4/13/2008

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Boot mode: Normal

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\WINNT\system32\cisvc.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\slserv.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\soundman.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINNT\system32\msiexec.exe

C:\WINNT\system32\cidaemon.exe

C:\WINNT\system32\cidaemon.exe

C:\WINNT\Explorer.exe

C:\Program Files\tmnet streamyx\streamyx.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [soundMan] soundman.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "c:\program files\msn messenger\msnmsgs.exe" /background (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [Windows has Layer] fixweb.exe (User 'Default user')

O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)

O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL

O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)

O17 - HKLM\System\CCS\Services\Tcpip\..\{362E849A-77C7-4D47-ABB7-C8D53C60B3F5}: NameServer = 202.188.0.133,202.188.1.5

O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0B6A9C-AE08-4F61-8015-45904A9EF6F5}: NameServer = 202.188.0.133 202.188.1.5

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe

 

--

End of file - 7410 bytes

getaran   

DrWeb.csv

 

vindte.dll;c:\program files\common files\vindte;Adware.Baidu.308;Incurable.Moved.;

fixweb.exe;c:\winnt\system32;Win32.IRC.Bot.based;Deleted.;

qzei.dll;c:\winnt\system32;Trojan.DownLoader.51062;Deleted.;

lam.exe;C:\WINNT\System32;Win32.IRC.Bot.based;Deleted.;

edih.dll;C:\WINNT\System32;IRC.Flood;Deleted.;

lam1.exe;C:\WINNT\System32;Program.PrcView.3725;Incurable.Moved.;

lam2.exe;C:\WINNT\System32;Program.DaSniff;Incurable.Moved.;

lam3.exe;C:\WINNT\System32;Trojan.Flood.22016;Deleted.;

d.dll;C:\WINNT\System32;Tool.Moo;Incurable.Moved.;

lam4.exe;C:\WINNT\System32;IRC.Flood;Deleted.;

wacult.exe;C:\WINNT\System32;BackDoor.IRC.based;Deleted.;

Juliet   

It appears DrWeb has helped us out....

 

 

I would print this out or copy/paste it into notepad and save it so you can find it in safe mode.

 

 

Boot into safe mode

 

* Open My Computer.

* Select the Tools menu and click Folder Options.

* Select the View Tab.

* Under the Hidden files and folders heading select Show hidden files and folders.

* Uncheck the Hide protected operating system files (recommended) option.

* Click Yes to confirm.

* Click OK.

 

Search for and delete the following if found; don't be alarmed if not all of them can be found.

 

C:\WINNT\system32\windowsupdate.exe

C:\delextra.exe

C:\WINDOWS\Ddd.exe

C:\WINDOWS\mstn.exe

C:\WINNT\system32\qip.exe

C:\qip.exe

C:\WINNT\system32\aliases.ini

C:\WINNT\system32\syscmd.dll

 

 

Reboot

 

Please go to: VirusTotal

  • Click the Browse button and search for the following file: C:\WINNT\system32\d.dll

     

     

  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.

Next please have these files scanned

C:\WINNT\system32\msconfger.dll

C:\WINNT\system32\setup_01208.exe

 

 

Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows and browsers except HijackThis and press Fix checked.

 

O4 - HKUS\.DEFAULT\..\RunOnce: [Windows has Layer] fixweb.exe (User 'Default user')

 

 

Next, launch Notepad, (Start > Run, type in: notepad)

copy and paste the text present in the quotebox below into it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"Windows has Layer"=-

 

Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop.

Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.

 

Again, reboot the machine after the regfix.

 

 

 

Please run ComboFix once again and post the log it creates.

 

 

In your next reply post:

Files requested scanned

ComboFix.txt

New HJT

 

How is the computer at the moment?

 

You may need several replies to post the requested logs, otherwise they might get cut off.

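An added example (my own code, not Juliet's or the thread's): it parses HijackThis O4 lines into the full registry key they abbreviate and emits the same REGEDIT4 deletion file Juliet built by hand for the [Windows has Layer] RunOnce entry. The sample log lines are copied from this thread; function names such as parse_o4 and fix_file_for are mine.

```python
import re

# HijackThis hive abbreviations -> full hive names as written in .reg files.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE",
         "HKCU": "HKEY_CURRENT_USER",
         "HKUS": "HKEY_USERS"}

# HijackThis collapses this part of the key to "..", so it has to be restored.
RUN_BASE = r"Software\Microsoft\Windows\CurrentVersion"

# O4 - <hive>[\<subkey>]\..\<Run|RunOnce|...>: [<value name>] <command> [(User '<name>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]{2})(?P<sub>\\[^\\]+)?\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)


def parse_o4(line):
    """Describe one registry-based O4 autostart line as a dict.

    Returns None for lines that are not O4 registry entries (for example
    the 'Global Startup' folder entries, which are shortcuts, not values).
    """
    m = O4_RE.match(line.strip())
    if not m:
        return None
    parts = [HIVES[m["hive"]]]
    if m["sub"]:                        # e.g. ".DEFAULT" under HKEY_USERS
        parts.append(m["sub"].lstrip("\\"))
    parts += [RUN_BASE, m["key"]]
    return {"key": "\\".join(parts), "name": m["name"],
            "command": m["cmd"], "user": m["user"]}


def reg_delete_values(entries):
    """Build REGEDIT4 text that removes the value of each entry.

    In a .reg file a line of the form "Name"=- deletes that value, which is
    exactly what the hand-written fix.reg in this thread does.
    """
    by_key = {}
    for e in entries:
        by_key.setdefault(e["key"], []).append(e["name"])
    out = ["REGEDIT4", ""]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{name}"=-' for name in names)
        out.append("")
    return "\r\n".join(out)


# O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [soundMan] soundman.exe
O4 - HKCU\\..\\Run: [MsnMsgr] "C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe" /background
O4 - HKUS\\.DEFAULT\\..\\RunOnce: [Windows has Layer] fixweb.exe (User 'Default user')
O4 - Global Startup: BlueSoleil.lnk = C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe
"""


def fix_file_for(log_text, names_to_remove):
    """Return the .reg text that removes the O4 entries whose [name] is listed."""
    entries = [e for e in map(parse_o4, log_text.splitlines()) if e]
    chosen = [e for e in entries if e["name"] in names_to_remove]
    return reg_delete_values(chosen)


if __name__ == "__main__":
    print(fix_file_for(SAMPLE_LOG, {"Windows has Layer"}))
```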
getaran   

File d.dll received on 03.15.2008 02:31:41 (CET)

Antivirus Version Last Update Result

AhnLab-V3 - - Win-Trojan/MircPack.33792

AntiVir - - -

Authentium - - -

Avast - - Win32:IRC-Flood

AVG - - -

BitDefender - - -

CAT-QuickHeal - - Tool.Win32.Moo (Not a Virus)

ClamAV - - -

DrWeb - - Tool.Moo

eSafe - - suspicious Trojan/Worm

eTrust-Vet - - -

Ewido - - -

F-Prot - - -

F-Secure - - -

FileAdvisor - - High threat detected

Fortinet - - Misc/Motherboardmonitor

Ikarus - - Backdoor.IRC.Lambot.G

Kaspersky - - -

McAfee - - potentially unwanted program MotherboardMonitor

Microsoft - - -

NOD32v2 - - -

Norman - - -

Panda - - Application/MotherboardMonitor.A

Prevx1 - - Generic.Malware

Rising - - Trojan.Spy.Agent.aer

Sophos - - -

Sunbelt - - Backdoor.Irc.Lambot.G

Symantec - - -

TheHacker - - -

VBA32 - - -

VirusBuster - - Trojan.DuckIRC.F

Webwasher-Gateway - - Riskware.Remotexec.A.03

Additional information

MD5: 638a6f2b03c828e9b3c77c104c56f4ea

SHA1: ec1d56a6530a3004aa49d748a9c8385801cf0029

SHA256: 8e2db43518297a45d664dcaaf6ee29a93e8cb9ea28e5fff96324628f74871fda

SHA512: b8c943cc17ab646546ba7f6ccd9246f6e3bde665a450932d40ab418fd36421cbf00385e8e1074e4e2477a6abb2e343f4cd1bd312bd6200601a8cddf572579609

getaran   

File msconfger.dll received on 04.19.2008 20:33:21 (CET)

Antivirus Version Last Update Result

AhnLab-V3 2008.4.19.0 2008.04.18 -

AntiVir 7.8.0.8 2008.04.18 -

Authentium 4.93.8 2008.04.19 -

Avast 4.8.1169.0 2008.04.19 -

AVG 7.5.0.516 2008.04.19 -

BitDefender 7.2 2008.04.19 Trojan.IRC.Flood.ISC

CAT-QuickHeal 9.50 2008.04.19 -

ClamAV 0.92.1 2008.04.19 -

DrWeb 4.44.0.09170 2008.04.19 -

eSafe 7.0.15.0 2008.04.17 -

eTrust-Vet 31.3.5714 2008.04.19 MIRC/IRCFlood

Ewido 4.0 2008.04.19 -

F-Prot 4.4.2.54 2008.04.19 -

F-Secure 6.70.13260.0 2008.04.19 -

FileAdvisor 1 2008.04.19 -

Fortinet 3.14.0.0 2008.04.19 -

Ikarus T3.1.1.26 2008.04.19 -

Kaspersky 7.0.0.125 2008.04.19 -

McAfee 5277 2008.04.18 -

Microsoft 1.3408 2008.04.19 Backdoor:IRC/Cloner.gen

NOD32v2 3040 2008.04.19 -

Norman 5.80.02 2008.04.18 -

Panda 9.0.0.4 2008.04.19 -

Prevx1 V2 2008.04.19 -

Rising 20.40.52.00 2008.04.19 -

Sophos 4.28.0 2008.04.19 -

Sunbelt 3.0.1056.0 2008.04.17 -

Symantec 10 2008.04.19 IRC Trojan

TheHacker 6.2.92.284 2008.04.18 -

VBA32 3.12.6.4 2008.04.16 -

VirusBuster 4.3.26:9 2008.04.19 IRC.Flood.CJ

Webwasher-Gateway 6.6.2 2008.04.18 -

Additional information

File size: 9229 bytes

MD5...: 01fb8ffe3df3df9064ce45e8570a4554

SHA1..: 942791efc2312ab5f5d453628740f44e581245ed

SHA256: 69590c9a2452bb201cb2b8fac94b8aa87c2cb6f74700cc36fbcbc3654f98e97c

SHA512: af99bdc199dd72239ddeb3e20c640e27e0b134aded4be792bab76205fa29d95aa54e47b34ce00985ac1ceef981f0638fa6be73b9a7870e925c480441a5c75049

PEiD..: -

PEInfo: -

getaran   

Hi... I am sorry for the late reply, as I normally won't be around my computer during weekdays.

 

I couldn't find C:\WINNT\system32\setup_01208.exe ... what should I do?

 

I'll post the HJT and ComboFix log soon...

 

By the way, the time setting on my computer is still set to 1st Jan 2002 every time I start up. Any idea how to fix this problem?

Juliet   

Welcome back

 

 

Please boot your computer into safe mode

 

Go to My Computer->Tools->Folder Options->View tab:

* Under the Hidden files and folders heading:

* Select Show hidden files and folders.

* Uncheck the Hide protected operating system files (recommended) option.

* Also, make sure there is no checkmark beside Hide file extensions for known file types.

* Click OK. (Remember to hide files and folders again once done.)

====

 

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following files/folders:

 

C:\WINNT\system32\d.dll

C:\WINNT\system32\msconfger.dll

 

 

Now boot back into normal mode

 

 

To configure Time and Date Options

 

* Please go to Start -> Control Panel -> Date, Time, Language, and Regional Options -> Regional and Language Options.

* Click the "Customize" button.

* From there you should be able to change the format of the clock and calendar date to your preferred format.

 

 

Post back with a new HJT log and let me know what issues remain.

getaran   

ComboFix 08-04-12.5 - Ducky1 04/20/2008 15:57:50.8 - FAT32x86 MINIMAL

Running from: C:\Documents and Settings\Ducky1\Desktop\ComboFix.exe

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))

.

 

2008-04-20 15:58 . 04/20/08 03:58p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_184.dat

2008-04-12 23:20 . 04/12/08 03:21p <DIR> d-------- C:\SDFix

2008-04-12 21:15 . 01/07/08 07:51a 156 --a------ C:\WINNT\system32\747.reg

2008-04-12 19:34 . 04/12/08 07:34p <DIR> d-------- C:\Program Files\Panda Security

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-26 12:28 50,176 ----a-w C:\WINNT\uninstyler.exe

2007-03-09 18:48 4 ----a-w C:\Documents and Settings\Ducky1\ravver.dat

2001-12-31 17:38 1,024 ----a-w C:\Documents and Settings\All Users\Application Data\sowdp88.dat

2001-12-31 17:06 271 ---h--w C:\Program Files\desktop.ini

2001-12-31 17:06 21,952 ---h--w C:\Program Files\folder.htt

2001-09-28 09:00 164,864 ------w C:\Program Files\UNWISE.EXE

1999-12-07 04:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys

2005-04-01 20:18 1,682 --sha-w C:\WINNT\system32\KGyGaAvL.sys

2005-04-01 20:18 56 --sh--r C:\WINNT\system32\83B2BDE68A.sys

.

 

((((((((((((((((((((((((((((( snapshot@Fri 04-11-2008_22.39.07.17 )))))))))))))))))))))))))))))))))))))))))

.

- 2007-03-13 02:57:12 163,328 ----a-w C:\WINNT\erdnt\subs\ERDNT.EXE

+ 2005-10-20 12:02:28 163,328 ----a-w C:\WINNT\erdnt\subs\ERDNT.EXE

- 2008-04-04 18:58:30 163,328 ----a-w C:\WINNT\ERUNT\SDFIX\ERDNT.EXE

+ 2008-04-12 07:21:20 163,328 ----a-w C:\WINNT\ERUNT\SDFIX\ERDNT.EXE

- 2001-12-31 19:27:18 3,407,872 ----a-w C:\WINNT\ERUNT\SDFIX\Users\00000001\ntuser.dat

+ 2008-04-12 15:34:38 3,403,776 ----a-w C:\WINNT\ERUNT\SDFIX\Users\00000001\ntuser.dat

- 2001-12-31 19:27:20 12,288 ----a-w C:\WINNT\ERUNT\SDFIX\Users\00000002\UsrClass.dat

+ 2008-04-12 15:34:38 12,288 ----a-w C:\WINNT\ERUNT\SDFIX\Users\00000002\UsrClass.dat

- 2006-12-17 22:00:30 16,007 ----a-w C:\WINNT\mozver.dat

+ 2008-04-12 11:34:34 17,363 ----a-w C:\WINNT\mozver.dat

+ 2008-01-09 23:07:36 32,849 ----a-w C:\WINNT\system32\raf.pif

+ 2008-01-09 22:38:16 35,963 ----a-w C:\WINNT\system32\raf1.pif

+ 2008-01-01 18:58:34 21,746 ----a-w C:\WINNT\system32\raf2.pif

+ 2008-01-01 18:58:02 33,469 ----a-w C:\WINNT\system32\raf3.pif

+ 2008-01-13 12:20:44 18,616 ----a-w C:\WINNT\system32\raf4.pif

+ 2003-04-19 03:43:12 86,016 ----a-w C:\WINNT\system32\reg.dll

+ 2002-08-27 10:03:14 29,184 ----a-w C:\WINNT\system32\systemac.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [09/04/07 04:40p 6856704]

"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [04/22/03 02:43p 413775]

"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [08/06/04 03:33p 2502656]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="soundman.exe" [05/29/01 02:02a 124416 C:\WINNT\soundman.exe]

"Synchronization Manager"="mobsync.exe" [12/07/99 12:00p 111376 C:\WINNT\system32\mobsync.exe]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [01/01/02 03:11a 579072]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\msn messenger\msnmsgs.exe" [07/12/07 11:10a 69632]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [01/01/02 03:11a 219136]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2006-07-23 12:44:07 1183744]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"SynchronousMachineGroupPolicy"= 0 (0x0)

"SynchronousUserGroupPolicy"= 0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoToolbarCustomize"= 0 (0x0)

"NoViewOnDrive"= 0 (0x0)

"LockTaskbar"= 0 (0x0)

"NoChangeStartMenu"= 1 (0x1)

"NoStartMenuMorePrograms"= 1 (0x1)

"NoSimpleStartMenu"= 0 (0x0)

"NoCloseDragDropBands"= 0 (0x0)

"NoMovingBands"= 0 (0x0)

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

"AntiVirusDisableNotify"=dword:00000001

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

 

S0 xmfti;xmft;C:\WINNT\System32\DRIVERS\xmfti.sys []

S1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\System32\Drivers\avg7rsnt.sys [01/01/02 03:12a]

S1 sglfb;sglfb;C:\WINNT\System32\drivers\sglfb.sys [12/07/99 12:00p]

S2 pydh;Windows pydh RunThem;C:\WINNT\System32\svchost.exe [12/07/99 12:00p]

S3 ENDETECT;ENDETECT;C:\PROGRA~1\EFFICI~1\TANGOM~1\app\ENDETECT.SYS [11/12/02 09:55a]

S3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;C:\WINNT\System32\DRIVERS\enetnt.sys [11/12/02 09:55a]

S3 FA31X;NETGEAR FA311/FA312 NDIS 5.0 Miniport Driver;C:\WINNT\System32\DRIVERS\FA31XND5.SYS [06/06/01 04:24p]

S3 NTSTPL1;NTSTPL1;C:\PROGRA~1\EFFICI~1\TANGOM~1\app\NTSTPL1.SYS [11/12/02 09:56a]

S3 RAWESR;RAWESR;C:\PROGRA~1\EFFICI~1\TANGOM~1\app\RAWESR.SYS [11/12/02 09:55a]

S3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINNT\System32\DRIVERS\RMSPPPOE.SYS [10/03/02 12:09a]

S3 Slnt7554;USB Soft Modem Driver;C:\WINNT\System32\DRIVERS\slnt7554.sys [08/08/00 11:16a]

S3 TAPBIND;TAPBIND;C:\PROGRA~1\EFFICI~1\TANGOM~1\app\TAPBIND1.SYS [11/12/02 09:56a]

S3 USBARW;=USB Mass Storage Disk Driver=;C:\WINNT\System32\DRIVERS\USBARW.SYS []

S3 V90drv;v90drv;C:\WINNT\System32\DRIVERS\v90drv.sys [08/08/00 11:16a]

S4 Windows Output Browser;Windows Output Browser;"C:\WINNT\system32\smsc.exe" []

 

*Newly Created Service* - PXHELP20

.

**************************************************************************

 

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-20 16:00:54

Windows 5.0.2195 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

PROCESS: C:\WINNT\system32\winlogon.exe

-> C:\WINNT\system32\tsd32.dll

-> C:\WINNT\system32\mobilev.acm

.

Completion time: 04/20/2008 16:02:02

ComboFix5.txt 2001-12-31 17:54:26

ComboFix-quarantined-files.txt 2008-04-20 08:01:58

ComboFix4.txt 2008-04-11 14:40:00

ComboFix3.txt 2008-04-13 04:05:36

ComboFix2.txt 2008-04-20 07:38:04

Pre-Run: 389,996,544 bytes free

Post-Run: 381,394,944 bytes free

getaran   

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:22:36 PM, on 4/20/2008

Platform: Windows 2000 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Boot mode: Normal

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\WINNT\system32\cisvc.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\hidserv.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\slserv.exe

C:\WINNT\system32\stisvc.exe

C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe

C:\WINNT\Explorer.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\soundman.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINNT\system32\msiexec.exe

C:\WINNT\system32\cidaemon.exe

C:\WINNT\system32\cidaemon.exe

C:\Program Files\tmnet streamyx\streamyx.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\DUCKY1\Application Data\Mozilla\Profiles\default\zo3dc3m5.slt\prefs.js)

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [soundMan] soundman.exe

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "c:\program files\msn messenger\msnmsgs.exe" /background (User 'Default user')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINNT\system32\SHDOCVW.DLL

O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{362E849A-77C7-4D47-ABB7-C8D53C60B3F5}: NameServer = 202.188.0.133,202.188.1.5

O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0B6A9C-AE08-4F61-8015-45904A9EF6F5}: NameServer = 202.188.0.133 202.188.1.5

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe

 

--

End of file - 6899 bytes
