Computer messed up!


This topic is locked
119 replies to this topic

#1 waterburn (Enthusiast, Members, 104 posts)

Posted 23 March 2008 - 07:45 AM

I have major problems with my computer and I am thinking it is a virus. But I have used AVG-Antispyware to do a complete system scan TWICE in a row. All the detected viruses were either ignored, deleted or quarantined. There were some downloaders (High Risk), tracking cookies (Medium Risk) and Not-a-virus (Low Risk). I did the recommended actions.

Here are some of the problems going on my computer:

-Can't copy or paste
-Can't press links and some buttons
-It takes longer for the desktop to show up

When you type something in a box, my computer stores it. You type the letter and it will show you all the words you typed in that box.

-It doesn't show what I typed in before

When you go into device manager, you see a list of all the devices.

-When I try to go to the properties of a device, (by right-clicking) the properties window just doesn't open.

There are probably more problems but here are the ones at the top of my mind. NOTE: The problem is in both Internet Explorer and Windows.

Thanks!

Waterburn

#2 guestolo (Site Donator, Admin, 16,247 posts)

Posted 23 March 2008 - 11:41 AM

Are you able to post a hijackthis log?
To copy, use the Ctrl + C keys
to paste, use the Ctrl + V keys

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#3 waterburn (Enthusiast, Members, 104 posts)

Posted 23 March 2008 - 02:10 PM

Quote (guestolo):
Are you able to post a hijackthis log?
To copy, use the Ctrl + C keys
to paste, use the Ctrl + V keys

It seems I can copy and paste for this situation.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:27:37, on 2008-3-23
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Prime95\Prime95.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\NetMeeting\mstinit.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINNT\system32\internat.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\system32\conime.exe

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Alcohol.exe Autorun] C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe /startup
O4 - HKLM\..\Run: [LexPPS.exe] C:\WINNT\system32\lexpps.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-21-57989841-920026266-1202660629-500\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-21-57989841-920026266-1202660629-500\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork (User '?')
O4 - HKUS\S-1-5-21-57989841-920026266-1202660629-500\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\FlashUtil9d.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: TruePass EPF 7,0,100,739 - https://blrscr3.egs-...sapplet-epf.cab
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} - http://www.worldwinn...rabblecubes.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - http://www.worldwinn...GamesLoader.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - http://www.worldwinn...0/pool/pool.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - http://www.worldwinn...jattack/bja.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} - http://www.worldwinn...x/blockwerx.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} - http://www.worldwinn...v46/sol/sol.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} - http://www.worldwinn...man/hangman.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai...l/installer.exe
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} - http://www.worldwinn...es/wwspades.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: COM+ Event System (EventSystem) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Network Connections (Netman) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Prime95 Service - Unknown owner - C:\Program Files\Prime95\Prime95.exe
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINNT\system32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (TPM) (RPCT) - Remote ABC - C:\Program Files\NetMeeting\mstinit.exe
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\WINNT\system32\svchost.exe (file missing)
O23 - Service: Internet Connection Sharing (SharedAccess) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINNT\system32\svchost.exe (file missing)
O23 - Service: Wireless Configuration (WZCSVC) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1.GU-/LOCALS~1/Temp/msoclip1/02/clip_image002.jpg
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\My Documents\My Pictures\let it snow.bmp

--
End of file - 7637 bytes

Thanks Again!

#4 guestolo (Site Donator, Admin, 16,247 posts)

Posted 23 March 2008 - 09:20 PM

Do you use Firewall software on this computer?
Or at least a hardware firewall?

Can you do the following
Use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:Scan Archives
      Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
Posted Image
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Post the Kaspersky Online Scanner Report in your reply.



#5 waterburn (Enthusiast, Members, 104 posts)

Posted 24 March 2008 - 07:30 AM

Two problems:

1) I had to type the link since it didn't work when I clicked it
2) I can't do the scan since the "accept" button doesn't work

I thought of more problems from what seems to be a virus:

1)The yahoo e-mails are empty
2)Can't delete the yahoo e-mails since "delete" is a button
3)In windows I can't drag and drop
4)Another problem which may or may not be associated with all this:
When I try to install Kaspersky Antivirus with Windows Installer, A message pops up:

The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if
the Windows Installer is not correctly installed. Contact your support personnel for assistance.

This message pops up if you try to open any .msi file. But that's another story. I already looked up a lot for this so don't bother looking into it. If you provide a link, I probably would have already gone there.

*Keep in mind I can't type in long links*

I check for replies like every hour because I want to get this fixed A.S.A.P!

Thanks!

Waterburn

#6 guestolo (Site Donator, Admin, 16,247 posts)

Posted 24 March 2008 - 11:24 AM

I'm a bit surprised you don't already have AV or Firewall protection installed on Win 2000
Looks as if you may have had Symantec's installed at one time, but no longer?

Did you try the following?
1. Click Start, click Run, then type Regedt32.
2. For each of the registry hives, follow these steps:
a. Select the hive.
b. For Windows XP, on the Edit menu, click Permissions.
For Windows 2000 and Windows NT 4, on the Security menu, click Permissions.
3. Verify that the SYSTEM account has been added and that it has Full control. If it does not, add the SYSTEM account with Full control.



#7 waterburn (Enthusiast, Members, 104 posts)

Posted 24 March 2008 - 11:33 AM

I used to have Symantec about a year ago. I guess it didn't get completely removed. But I usually don't spend money on av or firewall. I usually download trials or free av. Right now I am scanning with AVG Anti-spyware and Superantispyware.

I checked permissions and found that for SYSTEM both boxes were checked for full permission.

P.S. When I was checking the post, I saw you were posting, what a coincidence!

Thanks!

Waterburn

#8 guestolo (Site Donator, Admin, 16,247 posts)

Posted 24 March 2008 - 11:47 AM

If possible, can you post the logs from both AVG and Super when done

Try the keyboard keys to copy>paste



#9 guestolo (Site Donator, Admin, 16,247 posts)

Posted 24 March 2008 - 12:16 PM

If you can't copy>paste
Can you use the UPLOAD button in a reply box and upload the results?



#10 waterburn (Enthusiast, Members, 104 posts)

Posted 24 March 2008 - 05:01 PM

Sorry for the late reply but now I am having problems with the printer.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 17:21:19 2008-3-24

+ Scan result:



C:\WINNT\AutoUpdateWin32.exe -> Not-A-Virus.Adware.Agent : Ignored.


::Report end

--------------------------------------------------------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/24/2008 at 04:48 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Custom Scan
Total Scan Time : 03:09:35

Memory items scanned : 0
Memory threats detected : 0
Registry items scanned : 22
Registry threats detected : 0
File items scanned : 28728
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Default User.WINNT\Cookies\[email protected][1].txt

Adware.webHancer
C:\WINNT\WH.EXE

Adware.eXactAdvertising-Installer
C:\WINNT\DLGB.EXE

Adware.IEPlugin
C:\WINNT\RGRT.EXE


If these massive problems are fixed, you are the first one I am going to thank.

Thanks!

Waterburn

#11 guestolo (Site Donator, Admin, 16,247 posts)

Posted 24 March 2008 - 09:25 PM

Download SDFix and save this to your desktop
We will need it in a bit


Reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
In safe mode
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Go to START>>My Computer>>Double click to open the C:\ folder
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

Post back the following:

1. Post the report from SDFix
2. Post a fresh hijackthis log



#12 waterburn (Enthusiast, Members, 104 posts)

Posted 25 March 2008 - 02:18 PM

SDFix: Version 1.161

Run by Administrator on ??? 2008-03-25 at 16:13

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINNT\system32\kdgcl.exe - Deleted
C:\WINNT\AutoUpdateWin32.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 16:30:30
Windows 5.0.2195 Service Pack 4 FAT NTAPI

detected NTDLL code modification:
ZwQueryDirectoryFile

scanning hidden processes ...

\Program Files\Common Files\Microsoft Shared\Speech\svchost.exe [496] 0x813BE7A0
\Program Files\Internet Explorer\IEXPLORE.EXE [372] 0x813408E0

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINNT\system32\kdgcl.exe 69632 bytes

scan completed successfully
hidden processes: 2
hidden services: 0
hidden files: 1


Remaining Services :



Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 24 Feb 2005 392,192 ..SHR --- "C:\Program Files\NetMeeting\mstinit.exe"
Fri 14 Mar 2008 191,488 ..SH. --- "C:\WINNT\system32\nbjs.dll"
Sat 22 Mar 2008 23 A.SH. --- "C:\WINNT\system32\eadeafbdbafed_z.dll"
Sat 15 Mar 2008 136,704 ..SH. --- "C:\WINNT\systom32\svchost.exe"
Sat 3 Sep 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users.WINNT\DRM\DRMv1.bak"
Sat 3 Sep 2005 401 ..SH. --- "C:\Documents and Settings\All Users.WINNT\DRM\DRMv17.bak"
Mon 18 Feb 2008 23,552 ...H. --- "C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\My Documents\~WRL1774.tmp"
Mon 18 Feb 2008 26,624 ...H. --- "C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\My Documents\~WRL4056.tmp"
Mon 18 Feb 2008 27,648 ...H. --- "C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\My Documents\~WRL3043.tmp"
Mon 18 Feb 2008 27,136 ...H. --- "C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\My Documents\~WRL0825.tmp"
Thu 26 Dec 2002 1,429,504 ..SHR --- "C:\Program Files\Common Files\Microsoft Shared\Speech\svchost.exe"
Tue 25 Mar 2008 1,036,288 ..SHR --- "C:\Program Files\Common Files\Microsoft Shared\Speech\Wab64.dll"
Thu 27 Jul 2006 26,112 ...H. --- "C:\Documents and Settings\zhenzhen\Application Data\Microsoft\Templates\~WRL0965.tmp"
Sun 3 Jul 2005 27,648 ...H. --- "C:\Documents and Settings\zhenzhen\Application Data\Microsoft\Templates\~WRL1648.tmp"
Wed 13 Jul 2005 19,456 ...H. --- "C:\Documents and Settings\zhenzhen\Application Data\Microsoft\Word\~WRL0004.tmp"
Sat 14 Jan 2006 33,280 ...H. --- "C:\Documents and Settings\zhenzhen\Application Data\Microsoft\Word\~WRL2917.tmp"
Wed 29 Mar 2006 19,456 ...H. --- "C:\Documents and Settings\zhenzhen\Application Data\Microsoft\Word\~WRL0003.tmp"
Wed 13 Jul 2005 19,456 ...H. --- "C:\Documents and Settings\zhenzhen\Application Data\Microsoft\Word\~WRL1874.tmp"
Wed 13 Jul 2005 19,456 ...H. --- "C:\Documents and Settings\zhenzhen\Application Data\Microsoft\Word\~WRL0968.tmp"
Sat 8 Jul 2006 27,136 ...H. --- "C:\Documents and Settings\zhenzhen\Application Data\Microsoft\Word\~WRL1995.tmp"
Sat 8 Jul 2006 27,136 ...H. --- "C:\Documents and Settings\zhenzhen\Application Data\Microsoft\Word\~WRL0466.tmp"
Sat 8 Jul 2006 26,624 ...H. --- "C:\Documents and Settings\zhenzhen\Application Data\Microsoft\Word\~WRL0758.tmp"
Sun 6 Aug 2006 19,456 ...H. --- "C:\Documents and Settings\zhenzhen\Application Data\Microsoft\Word\~WRL0005.tmp"
Sun 6 Aug 2006 19,968 ...H. --- "C:\Documents and Settings\zhenzhen\Application Data\Microsoft\Word\~WRL1922.tmp"
Sun 6 Aug 2006 20,992 ...H. --- "C:\Documents and Settings\zhenzhen\Application Data\Microsoft\Word\~WRL3090.tmp"
Mon 8 Oct 2007 27,136 ...H. --- "C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Application Data\Microsoft\Templates\~WRL0003.tmp"
Tue 31 Jul 2007 20,992 ...H. --- "C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Application Data\Microsoft\Word\~WRL1574.tmp"
Tue 31 Jul 2007 20,992 ...H. --- "C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Application Data\Microsoft\Word\~WRL0163.tmp"
Tue 31 Jul 2007 20,992 ...H. --- "C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Application Data\Microsoft\Word\~WRL2661.tmp"
Wed 5 Sep 2007 19,456 ...H. --- "C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Application Data\Microsoft\Word\~WRL0005.tmp"
Wed 5 Sep 2007 82,944 ...H. --- "C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Application Data\Microsoft\Word\~WRL2362.tmp"
Mon 18 Feb 2008 21,504 ...H. --- "C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Application Data\Microsoft\Word\~WRL0007.tmp"
Tue 13 Nov 2007 19,456 ...H. --- "C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Application Data\Microsoft\Word\~WRL0006.tmp"
Mon 18 Feb 2008 24,576 ...H. --- "C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Application Data\Microsoft\Word\~WRL3011.tmp"
Mon 18 Feb 2008 22,528 ...H. --- "C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Application Data\Microsoft\Word\~WRL0546.tmp"
Mon 18 Feb 2008 26,624 ...H. --- "C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Application Data\Microsoft\Word\~WRL0477.tmp"
Mon 18 Feb 2008 27,136 ...H. --- "C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Application Data\Microsoft\Word\~WRL0812.tmp"
Mon 18 Feb 2008 28,672 ...H. --- "C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Application Data\Microsoft\Word\~WRL3892.tmp"
Sat 16 Jun 2007 29,696 ...H. --- "C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Application Data\Microsoft\Word\~WRL0952.tmp"

Finished!

-----------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:35:23, on 2008-3-25
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Prime95\Prime95.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\NetMeeting\mstinit.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Alcohol.exe Autorun] C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe /startup
O4 - HKLM\..\Run: [LexPPS.exe] C:\WINNT\system32\lexpps.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-21-57989841-920026266-1202660629-500\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-21-57989841-920026266-1202660629-500\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork (User '?')
O4 - HKUS\S-1-5-21-57989841-920026266-1202660629-500\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\FlashUtil9d.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} - http://www.worldwinn...rabblecubes.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - http://www.worldwinn...GamesLoader.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - http://www.worldwinn...0/pool/pool.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - http://www.worldwinn...jattack/bja.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} - http://www.worldwinn...x/blockwerx.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/sec...nfo/webscan.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} - http://www.worldwinn...v46/sol/sol.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} - http://www.worldwinn...man/hangman.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai...l/installer.exe
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} - http://www.worldwinn...es/wwspades.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: COM+ Event System (EventSystem) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Network Connections (Netman) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Prime95 Service - Unknown owner - C:\Program Files\Prime95\Prime95.exe
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINNT\system32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (TPM) (RPCT) - Remote ABC - C:\Program Files\NetMeeting\mstinit.exe
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\WINNT\system32\svchost.exe (file missing)
O23 - Service: Internet Connection Sharing (SharedAccess) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINNT\system32\svchost.exe (file missing)
O23 - Service: Wireless Configuration (WZCSVC) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1.GU-/LOCALS~1/Temp/msoclip1/02/clip_image002.jpg
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\My Documents\My Pictures\let it snow.bmp

--
End of file - 7643 bytes

Thanks so much!

Waterburn
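The catchme and SDFix output in this post lists a second svchost.exe under Microsoft Shared\Speech (one of the two hidden processes) and another copy under a "systom32" folder that only looks like system32. As an added example that is not part of the thread and not code from any of the tools mentioned, the Python script below pulls every Windows path out of such a log and flags executables that carry a core Windows binary name but do not live where that binary belongs, including lookalike directory names. The sample log is constructed from lines like those posted; the table of core binaries and their expected directories is an assumption, not something the tools define.

```python
"""Added triage helper (not a tool from the thread): pull every Windows path
out of a HijackThis / SDFix / catchme log and flag executables that carry a
core Windows binary name but do not live where that binary belongs."""
import re

# Core Windows binaries that malware likes to be named after, mapped to the
# sub-directory of the Windows root they are expected to run from ("" means
# the Windows root itself).  Assumption: only these names are checked.
CORE_BINARIES = {
    "svchost.exe": "system32",
    "winlogon.exe": "system32",
    "lsass.exe": "system32",
    "csrss.exe": "system32",
    "services.exe": "system32",
    "smss.exe": "system32",
    "explorer.exe": "",
}
WINDOWS_ROOTS = ("winnt", "windows")

# Matches "C:\dir\file.exe" as well as the drive-less "\dir\file.exe" form
# that catchme prints for hidden processes.
PATH_RE = re.compile(
    r'(?:[A-Za-z]:)?\\[^"\r\n<>|*?\[\]]+?\.(?:exe|dll)\b', re.IGNORECASE)

# Constructed sample, modelled on the lines posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\Explorer.EXE

scanning hidden processes ...
\Program Files\Common Files\Microsoft Shared\Speech\svchost.exe [496] 0x813BE7A0

Files with Hidden Attributes :
Sat 15 Mar 2008 136,704 ..SH. --- "C:\WINNT\systom32\svchost.exe"
Thu 26 Dec 2002 1,429,504 ..SHR --- "C:\Program Files\Common Files\Microsoft Shared\Speech\svchost.exe"
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike folder names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def path_parts(path):
    """Lower-cased path components with the drive letter removed."""
    parts = path.lower().lstrip("\\").split("\\")
    if parts and re.fullmatch(r"[a-z]:", parts[0]):
        parts = parts[1:]
    return parts


def classify(path):
    """Return a reason string if the path is suspicious, else None."""
    parts = path_parts(path)
    name = parts[-1]
    if name not in CORE_BINARIES:
        return None
    expected = [CORE_BINARIES[name]] if CORE_BINARIES[name] else []
    if parts[0] in WINDOWS_ROOTS:
        sub = parts[1:-1]
        if sub == expected:
            return None                       # exactly where it belongs
        if len(sub) == 1 and expected and edit_distance(sub[0], expected[0]) <= 2:
            return "lookalike directory %r (expected %r)" % (sub[0], expected[0])
    return "core binary name %s outside %s" % (
        name, "\\".join(["<winroot>"] + expected))


def triage(log_text):
    """Scan a log and return [(path as printed, reason)] for suspicious paths."""
    seen, findings = set(), []
    for match in PATH_RE.finditer(log_text):
        path = match.group(0)
        key = "\\".join(path_parts(path))     # dedupe drive-less vs drive form
        if key in seen:
            continue
        seen.add(key)
        reason = classify(path)
        if reason:
            findings.append((path, reason))
    return findings


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {path}")
```

Run directly, it reports the Speech\svchost.exe copy as a core binary outside its expected location and the systom32 copy as a lookalike directory; the legitimate system32 entries and Explorer.EXE in the Windows root are left alone. Names absent from CORE_BINARIES are never flagged, so the table has to be extended for the environment being checked.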

#13 guestolo (Site Donator, Admin, 16,247 posts)

Posted 25 March 2008 - 09:41 PM

Download Dr.Web CureIt to the desktop from this link
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

PRINT the rest of these instructions, or save them to a text file on desktop

Reboot the computer into Safe mode

When in safe mode,

Double click to run Dr.Web-cureit.exe from desktop
  • Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured.
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer

Afterwards, Post back all the following

1. Post a fresh hijackthis log
2. Post the new log from Combofix



#14 waterburn

waterburn

    Enthusiast

  • Members
  • 104 posts

Posted 27 March 2008 - 07:08 PM

Hi,

This time the scan took nearly 4 and a half hours. I had to find a time when I could run it for 4 hours straight, since in safe mode there is no Internet and I almost can't play any games. It scanned nearly 100,000 files. The log is a .csv; I can't seem to open it with Excel. I don't exactly know how to open it, so I converted it into .txt and pasted the contents of it here. You mentioned Combofix; I thought maybe I should use it to open the .csv.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:19:04, on 2008-3-27
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Prime95\Prime95.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\NetMeeting\mstinit.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Alcohol.exe Autorun] C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe /startup
O4 - HKLM\..\Run: [LexPPS.exe] C:\WINNT\system32\lexpps.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-21-57989841-920026266-1202660629-500\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-21-57989841-920026266-1202660629-500\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork (User '?')
O4 - HKUS\S-1-5-21-57989841-920026266-1202660629-500\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\FlashUtil9d.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} - http://www.worldwinn...rabblecubes.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - http://www.worldwinn...GamesLoader.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - http://www.worldwinn...0/pool/pool.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - http://www.worldwinn...jattack/bja.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} - http://www.worldwinn...x/blockwerx.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/sec...nfo/webscan.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} - http://www.worldwinn...v46/sol/sol.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} - http://www.worldwinn...man/hangman.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai...l/installer.exe
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} - http://www.worldwinn...es/wwspades.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: COM+ Event System (EventSystem) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Network Connections (Netman) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Prime95 Service - Unknown owner - C:\Program Files\Prime95\Prime95.exe
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINNT\system32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (TPM) (RPCT) - Remote ABC - C:\Program Files\NetMeeting\mstinit.exe
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\WINNT\system32\svchost.exe (file missing)
O23 - Service: Internet Connection Sharing (SharedAccess) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINNT\system32\svchost.exe (file missing)
O23 - Service: Wireless Configuration (WZCSVC) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1.GU-/LOCALS~1/Temp/msoclip1/02/clip_image002.jpg
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\My Documents\My Pictures\let it snow.bmp

--
End of file - 7547 bytes

--------------------------------------------------------------------------------------------------------------------------------------

kdgcl.exe;C:\WINNT\system32;POLY!CRYPT - decompression error;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;

Thanks!

Waterburn

#15 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 28 March 2008 - 06:49 AM

Download the Flash_Disinfector.exe from here and save to desktop
http://www.techsuppo...Disinfector.exe


Run Flash_Disinfector.exe and follow the prompts
Insert any removable flash drives you may have when prompted

Download this file - Combofix.exe and save it ONLY to your desktop

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
By default it will save a copy to C:\Combofix.txt
I'll need to see this log later
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post back all the following

1. Post the log from ComboFix
2. Post a fresh hijackthis log



#16 waterburn

waterburn

    Enthusiast

  • Members
  • 104 posts

Posted 28 March 2008 - 02:04 PM

Hi,

Here are the logs:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:22:02, on 2008-3-28
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Prime95\Prime95.exe
C:\Program Files\NetMeeting\mstinit.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Alcohol.exe Autorun] C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe /startup
O4 - HKLM\..\Run: [LexPPS.exe] C:\WINNT\system32\lexpps.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-21-57989841-920026266-1202660629-500\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-21-57989841-920026266-1202660629-500\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork (User '?')
O4 - HKUS\S-1-5-21-57989841-920026266-1202660629-500\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINNT\system32\Macromed\Flash\FlashUtil9d.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} - http://www.worldwinn...rabblecubes.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - http://www.worldwinn...GamesLoader.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - http://www.worldwinn...0/pool/pool.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} - http://www.worldwinn...jattack/bja.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} - http://www.worldwinn...x/blockwerx.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} - http://www.worldwinn...ll/freecell.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/sec...nfo/webscan.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - http://www.worldwinn...jo/wordmojo.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} - http://www.worldwinn...v46/sol/sol.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} - http://www.worldwinn...man/hangman.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai...l/installer.exe
O16 - DPF: {E70E3E64-2793-4AEF-8CC8-F1606BE563B0} - http://www.worldwinn...es/wwspades.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: COM+ Event System (EventSystem) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Network Connections (Netman) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Removable Storage (NtmsSvc) - Unknown owner - C:\WINNT\system32\svchost.exe (file missing)
O23 - Service: Prime95 Service - Unknown owner - C:\Program Files\Prime95\Prime95.exe
O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\WINNT\systom32\svchost.exe (file missing)
O23 - Service: Remote Access Connection Manager (RasMan) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) (RpcSs) - Unknown owner - C:\WINNT\system32\svchost.exe (file missing)
O23 - Service: Remote Procedure Call (TPM) (RPCT) - Remote ABC - C:\Program Files\NetMeeting\mstinit.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: System Event Notification (SENS) - Unknown owner - C:\WINNT\system32\svchost.exe (file missing)
O23 - Service: Internet Connection Sharing (SharedAccess) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINNT\system32\svchost.exe (file missing)
O23 - Service: Wireless Configuration (WZCSVC) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/ADMINI~1.GU-/LOCALS~1/Temp/msoclip1/02/clip_image002.jpg
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\My Documents\My Pictures\let it snow.bmp

--
End of file - 7587 bytes

-------------------------------------------------------------------------------------------------------------------------------------


ComboFix 08-03-27.1 - Administrator 2008-03-28 16:05:32.1 - FAT32x86
Running from: C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\桌面\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\drivers\npf.sys
C:\WINNT\system32\eadeafbdbafed_z.dll
C:\WINNT\system32\grecorder.dll
C:\WINNT\system32\nbjs.dll
C:\WINNT\system32\Packet.dll
C:\WINNT\system32\pthreadVC.dll
C:\WINNT\system32\WanPacket.dll
C:\WINNT\system32\wpcap.dll
C:\WINNT\systom32
C:\WINNT\systom32\svchost.exe
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
.

2008-03-27 21:42 . 08-03-28 10:07 923,740 ---h----- C:\WINNT\ShellIconCache
2008-03-26 17:50 . 08-03-26 17:50 <DIR> d-------- C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\DoctorWeb
2008-03-25 16:57 . 08-03-25 17:06 250 --a------ C:\WINNT\gmer.ini
2008-03-25 16:12 . 08-03-25 16:12 36,433 --a------ C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\catchme.zip
2008-03-25 16:09 . 08-03-25 16:09 <DIR> d-------- C:\WINNT\ERUNT
2008-03-25 16:07 . 08-03-25 06:29 <DIR> d-------- C:\SDFix
2008-03-24 19:47 . 03-06-19 15:05 12,592 --a------ C:\WINNT\system32\drivers\usbscan.sys
2008-03-24 19:47 . 03-06-19 15:05 12,592 --a------ C:\WINNT\system32\dllcache\usbscan.sys
2008-03-24 19:43 . 08-03-24 19:43 <DIR> d-------- C:\Lexmark X74-X75
2008-03-24 11:55 . 08-03-24 11:55 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Kaspersky Lab Setup Files
2008-03-24 10:32 . 08-03-24 13:29 187 --a------ C:\JANUS.ERR
2008-03-24 10:22 . 08-03-24 10:23 1,435 --a------ C:\WINNT\imsins.BAK
2008-03-23 11:36 . 08-03-23 11:36 <DIR> d-------- C:\kav
2008-03-23 11:08 . 08-03-23 11:08 217,088 --a------ C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\sysclean.exe
2008-03-22 09:53 . 08-03-22 09:53 <DIR> d-------- C:\Program Files\jv16 PowerTools 2008
2008-03-22 09:53 . 08-03-22 09:53 23 --a------ C:\WINNT\system32\dfaa6_z.ocx
2008-03-19 15:58 . 08-03-19 15:58 <DIR> d-------- C:\Program Files\RADVideo
2008-03-15 10:04 . 08-03-15 10:04 <DIR> d-------- C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Application Data\Moyea
2008-03-15 10:03 . 08-03-15 10:03 <DIR> d-------- C:\Program Files\Moyea
2008-03-14 12:33 . 08-03-16 13:14 8,192 --a------ C:\WINNT\system32\1.hiv
2008-03-14 09:37 . 08-03-14 09:37 <DIR> d-------- C:\Program Files\Deskshare
2008-03-12 09:54 . 08-03-12 09:54 <DIR> d-------- C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Application Data\DemoCreator
2008-03-12 09:53 . 08-03-12 09:53 <DIR> d-------- C:\Program Files\Wondershare
2008-03-12 09:49 . 08-03-12 09:49 <DIR> d-------- C:\Program Files\Wisdom-soft AutoScreenRecorder
2008-03-11 17:24 . 02-12-11 18:50 301,712 --a------ C:\WINNT\system32\drmclien.dll
2008-03-11 17:24 . 02-12-11 18:50 301,712 --a------ C:\WINNT\system32\dllcache\drmclien.dll
2008-03-11 17:24 . 02-12-11 17:34 82,432 --a------ C:\WINNT\system32\drmstor.dll
2008-03-11 17:24 . 02-12-11 17:34 82,432 --a------ C:\WINNT\system32\dllcache\drmstor.dll
2008-03-11 17:24 . 02-12-11 17:34 9,728 --a------ C:\WINNT\system32\dllcache\npwmsdrm.dll
2008-03-11 12:18 . 08-03-11 12:18 <DIR> d-------- C:\Program Files\PTAutoRun
2008-03-11 12:17 . 08-03-11 12:18 249,856 --------- C:\WINNT\Setup1.exe
2008-03-11 12:17 . 08-03-11 12:17 73,216 --a------ C:\WINNT\temp.000
2008-03-11 12:01 . 08-03-11 12:01 <DIR> d-------- C:\Program Files\free-downloads.net
2008-03-11 12:01 . 08-03-11 12:01 <DIR> d-------- C:\Program Files\Conduit
2008-03-11 11:49 . 08-03-11 11:49 <DIR> d-------- C:\Program Files\PhotoActions
2008-03-10 19:31 . 08-03-10 19:31 <DIR> d-------- C:\INF-Tool
2008-03-10 19:21 . 08-03-10 19:21 <DIR> d-------- C:\Program Files\Screen Recorder Gold
2008-03-10 18:42 . 08-03-10 18:42 <DIR> d-------- C:\Fraps
2008-03-10 18:27 . 08-03-10 18:27 <DIR> d-------- C:\Program Files\7-Zip
2008-03-10 18:14 . 08-03-10 18:14 <DIR> d-------- C:\install
2008-03-10 14:00 . 08-03-10 14:00 <DIR> d-------- C:\IV
2008-03-10 13:59 . 08-03-10 18:43 6,881 --a------ C:\IVWINST.RPT
2008-03-09 09:49 . 08-03-09 09:49 <DIR> d-------- C:\Program Files\TechSmith
2008-03-09 09:49 . 08-03-09 09:49 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\TechSmith
2008-03-06 19:09 . 08-03-06 19:09 <DIR> d-------- C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Application Data\AdobeUM
2008-03-05 19:38 . 08-03-05 19:38 <DIR> d-------- C:\WINNT\Cache
2008-03-05 16:13 . 08-03-05 16:13 <DIR> d-------- C:\Program Files\CamStudio
2008-03-02 15:48 . 08-03-02 15:48 <DIR> d-------- C:\Program Files\Hypercam2
2008-03-02 15:47 . 07-10-22 15:09 106,496 --a------ C:\Program Files\CamRes2.dll
2008-03-02 10:34 . 08-03-02 10:34 <DIR> d-------- C:\Program Files\ZD Soft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-18 16:25 --------- d-----w C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Application Data\ABBYY
2008-02-18 15:57 --------- d-----w C:\Program Files\NJStar Chinese WP
2008-02-18 15:55 --------- d-----w C:\Program Files\Google
2008-02-18 03:28 --------- d-----w C:\Program Files\SoftwareForLitSupport
2008-02-18 00:26 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-02-18 00:22 72,192 ----a-w C:\WINNT\cadkasdeinst01e.exe
2008-02-18 00:22 --------- d-----w C:\Program Files\OCR-TextScan 2 Word 1
2008-02-17 23:40 --------- d-----w C:\Program Files\Cuneiform 6.0
2008-02-17 22:45 --------- d-----w C:\Program Files\MagicDisc
2008-02-17 22:35 716,272 ----a-w C:\WINNT\system32\drivers\sptd.sys
2008-02-17 22:35 --------- d-----w C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Application Data\DAEMON Tools
2008-02-17 19:58 --------- d-----w C:\Program Files\Microsoft Office 2003 Developer Resources
2008-02-17 18:58 --------- d-----w C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Application Data\NJStar
2008-02-12 06:36 92,544 ----a-w C:\WINNT\system32\drivers\mcdbus.sys
2008-02-10 05:37 --------- d-----w C:\Documents and Settings\All Users.WINNT\Application Data\SUPERAntiSpyware.com
2008-02-05 23:04 --------- d-----w C:\Program Files\Trend Micro
2008-02-03 19:04 --------- d-----w C:\Program Files\Fortinet
2008-02-03 18:52 --------- d-----w C:\Program Files\Pocket Tanks
2008-02-03 18:51 --------- d-----w C:\Program Files\Pocket Tanks Deluxe
2008-02-03 17:34 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-03 06:50 --------- d-----w C:\Program Files\ImmenseTech
2008-02-02 17:40 --------- d-----w C:\Program Files\IObit
2008-01-30 01:37 --------- d-----w C:\Program Files\Prime95
2008-01-28 23:20 --------- d-----w C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Application Data\ImgBurn
2008-01-20 00:48 25,992 ----a-w C:\WINNT\system32\pgdfgsvc.exe
2008-01-16 23:25 52,736 ----a-w C:\WINNT\ipuninst.exe
2008-01-14 12:52 81,920 ----a-w C:\WINNT\system32\frapsvid.dll
2008-01-09 03:42 28,418 ----a-w C:\Program Files\lcdfont.zip
2008-01-09 03:42 13,234 ----a-w C:\Program Files\backfont.zip
2008-01-07 23:23 6,625,744 ----a-w C:\Program Files\FontCreatorSetup.exe
2007-12-28 22:43 139,264 ----a-w C:\WINNT\War3Unin.exe
2007-11-30 04:56 63 ----a-w C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\B50LOAD.DAT
2007-10-31 17:52 1,044,173 ----a-w C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\testmh240.exe
2007-08-29 15:55 37,475 ----a-w C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\Driver_Magician_3.22.zip
2007-07-20 18:03 20 ---h--w C:\Documents and Settings\All Users.WINNT\Application Data\PKP_DLec.DAT
2007-06-18 19:45 942,891 ----a-w C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\error-repair.exe
2006-12-14 17:18 3,274 ----a-w C:\Program Files\agreement.txt
2005-07-03 22:45 271 ---h--w C:\Program Files\desktop.ini
2005-07-03 22:45 21,931 ---h--w C:\Program Files\folder.htt
2003-09-30 15:46 5,120 ----a-w C:\Program Files\ACDSee.sip
2003-09-30 13:20 1,741 ----a-w C:\Program Files\ACDSee60Tips.tip
2000-01-10 19:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
1999-06-24 18:49 587 ----a-w C:\Program Files\8-44100d.wav
1999-06-24 18:49 421 ----a-w C:\Program Files\8-44100u.wav
1999-06-24 18:47 317 ----a-w C:\Program Files\8-22050d.wav
1999-06-24 18:47 225 ----a-w C:\Program Files\8-22050u.wav
1999-06-24 18:46 183 ----a-w C:\Program Files\8-11025d.wav
1999-06-24 18:46 135 ----a-w C:\Program Files\8-11025u.wav
1999-06-24 18:44 127 ----a-w C:\Program Files\8-8000u.wav
1999-06-24 18:43 151 ----a-w C:\Program Files\8-8000d.wav
1999-06-24 18:41 220 ----a-w C:\Program Files\16-8000u.wav
1999-06-24 18:40 260 ----a-w C:\Program Files\16-8000d.wav
1999-06-24 18:38 956 ----a-w C:\Program Files\16-44100u.wav
1999-06-24 18:37 1,186 ----a-w C:\Program Files\16-44100d.wav
1999-06-24 18:34 652 ----a-w C:\Program Files\16-22050d.wav
1999-06-24 18:34 442 ----a-w C:\Program Files\16-22050u.wav
1999-06-24 17:54 340 ----a-w C:\Program Files\16-11025d.wav
1999-06-24 17:50 326 ----a-w C:\Program Files\16-11025u.wav
1996-12-19 21:26 25 ----a-w C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\TSGUIDE.BAT
1996-12-19 21:24 22 ----a-w C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\README.BAT
1996-12-19 00:34 487,850 ----a-w C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\L2DOSFIX.EXE
1996-12-19 00:34 347,178 ----a-w C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\L2WINFIX.EXE
1996-10-15 17:40 291,600 ----a-w C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\WININET.DLL
1996-07-29 19:11 733,296 ----a-w C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\OPENGL32.DLL
1996-07-29 19:09 139,712 ----a-w C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\GLU32.DLL
1995-10-13 03:42 423,424 ----a-r C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\SU27.EXE
1995-10-09 03:54 25 ----a-r C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\LOAD.BAT
1995-06-05 10:10 64,880 ----a-r C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\B50LOAD.EXE
1993-07-16 18:53 35,614 ----a-r C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\DOWNLOAD.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [00-01-10 12:00 21264 C:\WINNT\system32\internat.exe]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [07-03-05 14:57 1103480]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [08-02-22 04:30 217544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 15:05 111376 C:\WINNT\system32\mobsync.exe]
"LexPPS.exe"="C:\WINNT\system32\lexpps.exe" [02-10-14 14:00 174592]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [02-10-14 14:09 57344]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINNT\system32\Macromed\Flash\FlashUtil9d.exe" [07-06-11 13:04 190696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\My Documents\My Pictures\let it snow.bmp
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 07-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Avi Player]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotSexy_ca]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Playboy_ca]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"NoteBurner"=C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
"FortiClient"="C:\Program Files\Fortinet\FortiClient\FortiClient.exe" /minimize

*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2007-09-28 19:31:56 C:\WINNT\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-03-18 00:25:22 C:\WINNT\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-28 16:16:13
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\system32\tsd32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Prime95\Prime95.exe
C:\Program Files\NetMeeting\mstinit.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\conime.exe
.
**************************************************************************
.
Completion time: 2008-03-28 16:18:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-28 23:18:22
Pre-Run: 300,048,384 bytes free
Post-Run: 251,138,048 bytes free
.
2008-03-12 18:03:18 --- E O F ---


Thanks Again!

Waterburn
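
As an added example that is not part of the thread (and not code from HijackThis, Dr.Web or ComboFix), the Python below does two things the logs above call for: it checks HijackThis O4/O23 lines for a binary whose directory only looks like a Windows system directory (the `systom32` path that appears in the O23 list and that ComboFix later deleted), and it reads the semicolon-separated Dr.Web CureIt report that would not open in Excel. The trusted-directory list, the Dr.Web column names and all sample lines are assumptions constructed from the shapes seen in the thread.

```python
import csv
import re
from typing import Dict, List

# Directory names under which a Windows 2000 startup item or service binary
# is expected to live (lower-cased). Assumption: taken from the legitimate
# paths in the thread's logs, not an official list.
TRUSTED_DIRS = ("winnt", "system32", "program files")

# Line shapes of HijackThis 2.0.2 O23 (services) and O4 (Run keys) entries,
# as pasted in the thread.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$"
)

# Column meaning of Dr.Web CureIt's semicolon-separated report (assumption,
# inferred from the two report lines pasted in the thread).
DRWEB_FIELDS = ("object", "location", "detection", "action")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short directory names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_dirs(path: str) -> List[str]:
    """Directory components exactly one edit away from a trusted system
    directory name without being it, e.g. 'systom32' for 'system32'."""
    hits = []
    for part in path.replace("/", "\\").split("\\")[:-1]:
        low = part.lower()
        if any(low != t and _edit_distance(low, t) == 1 for t in TRUSTED_DIRS):
            hits.append(part)
    return hits


def _binary_path(cmd: str) -> str:
    """Pull the executable path out of a Run value or service command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|ocx))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def audit_hjt_lines(lines: List[str]) -> List[Dict[str, str]]:
    """Flag O4/O23 lines whose binary sits in a lookalike directory, and note
    services whose file HijackThis reports as missing."""
    findings = []
    for line in lines:
        m = O23_RE.match(line)
        if m:
            path = _binary_path(m.group("path"))
            if m.group("missing"):
                findings.append({"line": line, "path": path,
                                 "reason": "service binary reported missing"})
        else:
            m = O4_RE.match(line)
            if not m:
                continue
            path = _binary_path(m.group("cmd"))
        for part in lookalike_dirs(path):
            findings.append({"line": line, "path": path,
                             "reason": f"lookalike system directory '{part}'"})
    return findings


def parse_drweb_report(text: str) -> List[Dict[str, str]]:
    """Read DrWeb.csv text (semicolon-delimited, trailing empty field) into
    one dict per detected object."""
    rows = []
    for rec in csv.reader(text.splitlines(), delimiter=";"):
        if any(field.strip() for field in rec):
            rows.append(dict(zip(DRWEB_FIELDS, rec)))
    return rows


# Constructed sample lines modelled on the thread's logs (not the exact log).
SAMPLE_HJT = [
    r"O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon",
    r'O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount',
    r"O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe",
    r"O23 - Service: Remote Access Auto Connection Manager (RasAuto) - Unknown owner - C:\WINNT\systom32\svchost.exe (file missing)",
    r"O23 - Service: Telephony (TapiSrv) - Unknown owner - C:\WINNT\System32\svchost.exe (file missing)",
]
SAMPLE_DRWEB = (
    "kdgcl.exe;C:\\WINNT\\system32;POLY!CRYPT - decompression error;Deleted.;\n"
    "Process.exe;C:\\SDFix\\apps;Tool.Prockill;Incurable.Moved.;\n"
)

if __name__ == "__main__":
    for f in audit_hjt_lines(SAMPLE_HJT):
        print(f"{f['reason']}: {f['path']}")
    for row in parse_drweb_report(SAMPLE_DRWEB):
        print(f"{row['object']} in {row['location']}: {row['detection']} -> {row['action']}")
```

Only the `systom32` line is reported as a lookalike directory; the `(file missing)` note is kept separate because it applies to the genuine `System32\svchost.exe` entries as well and is not on its own a sign of tampering.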

#17 guestolo

guestolo

    Site Donator

  • Admin
  • 16,247 posts

Posted 29 March 2008 - 10:27 AM

Are you able to now run the Kaspersky Online Scanner?

If you are, run it and post its report

Also
Please supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop, then copy and paste the whole contents back here



#18 waterburn

waterburn

    Enthusiast

  • Members
  • 104 posts

Posted 29 March 2008 - 11:08 AM

Hi,

Unfortunately I am not able to run Kaspersky's Online Scanner. But I have the uninstall list.

Extra Info
-----------

1) The following three services I noticed are not started: RPC, Print Spooler, Windows Installer
2) When I try to start them from services.msc, a message says: "1068: The dependency service or group failed to start."
3) Print Spooler explains why I can't print and there are no printers at Start>Settings>Printers although I have already installed the printer
4) Windows Installer explains why I can't install with Windows Installer, sometimes InstallShield...etc.
5) RPC explains why I can't click links, buttons, properties of files; sometimes with InstallShield it says "... The RPC server is unavailable"
6) I used Windows Malicious Software Removal Tool to do a COMPLETE SCAN -> Found nothing out of a list of about 100 trojans...etc. One of them was the MSBLAST virus, which was the virus I thought I had.


Here's the uninstall list:


Moyea SWF to Video Converter Standard version 2.2.1.0
ABBYY FineReader 5.0 Sprint
Adobe Acrobat 5.0
Adobe Reader 6.0.1
Adobe Shockwave Player
Advanced CAB Repair v1.2
AVG Anti-Spyware 7.5
Bink and Smacker
Camtasia Studio 3
CCleaner (remove only)
Conquest 3.0
Cuneiform 6.0
DemoCreator
Desperados 1.0
Download Manager 2.3.6
Drive Speed Checker
FastStone Capture 5.9
Finding Martin
FontCreator 5.6
FortiClient
Fraps
Free Snoopy Screensaver 1.0
FreeUndelete
FreshDiagnose
HijackThis 2.0.2
Hotfix for MDAC 2.53 (KB911562)
Hotfix for MDAC 2.53 (KB927779)
HyperCam 2
IrfanView (remove only)
Java 2 Runtime Environment, SE v1.4.1
jv16 PowerTools 2008
Karen's Autorun.inf Editor
Lexmark X74-X75
Magic ISO Maker v5.4 (build 0251)
MagicDisc 2.6.85
mergeOCR
Microsoft Office 2000 SR-1 Premium
My Screen Recorder 2.5
NJStar Chinese WP
nrg2iso
OCR-TextScan 2 Word 1
PC Wizard 2008.1.81
Pocket Tanks Deluxe v1.3(Total Uninstall)
Pocket Tanks v1.3
Prime95
Quick Screen Capture 3.0
Screen Recorder Gold
Silent Hunter II
SmartUndelete
SnagIt 8
SUPERAntiSpyware Free Edition
Windows 2000 (KB923689) 安全更新
Windows 2000 (KB941569) 安全更新
Windows 2000 Hotfix - KB823980
Windows 2000 Hotfix - KB941644
Windows 2000 Hotfix - KB943055
Windows 2000 Hotfix - KB943485
Windows 2000 Hotfix - KB944533
Windows 2000 Service Pack 4
Windows 2000 SP4 更新汇总 1
Windows 2000 修补程序 - KB842773
Windows 2000 修补程序 - KB890046
Windows 2000 修补程序 - KB893756
Windows 2000 修补程序 - KB896358
Windows 2000 修补程序 - KB896422
Windows 2000 修补程序 - KB896423
Windows 2000 修补程序 - KB896424
Windows 2000 修补程序 - KB899587
Windows 2000 修补程序 - KB899589
Windows 2000 修补程序 - KB900725
Windows 2000 修补程序 - KB901017
Windows 2000 修补程序 - KB901214
Windows 2000 修补程序 - KB905414
Windows 2000 修补程序 - KB905749
Windows 2000 修补程序 - KB908519
Windows 2000 修补程序 - KB908523
Windows 2000 修补程序 - KB908531
Windows 2000 修补程序 - KB911280
Windows 2000 修补程序 - KB912919
Windows 2000 修补程序 - KB913580
Windows 2000 修补程序 - KB914388
Windows 2000 修补程序 - KB914389
Windows 2000 修补程序 - KB917008
Windows 2000 修补程序 - KB917159
Windows 2000 修补程序 - KB917422
Windows 2000 修补程序 - KB917537
Windows 2000 修补程序 - KB917736
Windows 2000 修补程序 - KB917953
Windows 2000 修补程序 - KB918118
Windows 2000 修补程序 - KB920213
Windows 2000 修补程序 - KB920670
Windows 2000 修补程序 - KB920683
Windows 2000 修补程序 - KB920685
Windows 2000 修补程序 - KB920958
Windows 2000 修补程序 - KB921398
Windows 2000 修补程序 - KB921503
Windows 2000 修补程序 - KB921883
Windows 2000 修补程序 - KB922582
Windows 2000 修补程序 - KB922616
Windows 2000 修补程序 - KB923191
Windows 2000 修补程序 - KB923414
Windows 2000 修补程序 - KB923810
Windows 2000 修补程序 - KB923980
Windows 2000 修补程序 - KB924191
Windows 2000 修补程序 - KB924270
Windows 2000 修补程序 - KB924667
Windows 2000 修补程序 - KB925902
Windows 2000 修补程序 - KB926122
Windows 2000 修补程序 - KB926436
Windows 2000 修补程序 - KB927891
Windows 2000 修补程序 - KB928843
Windows 2000 修补程序 - KB930178
Windows 2000 修补程序 - KB931784
Windows 2000 修补程序 - KB932168
Windows 2000 修补程序 - KB933729
Windows 2000 修补程序 - KB935839
Windows 2000 修补程序 - KB935840
Windows 2000 修补程序 - KB936021
Windows 2000 修补程序 - KB937894
Windows 2000 修补程序 - KB938827
Windows 2000 修补程序 - KB938829
Windows 2000 修补程序包 - KB905495
Windows 2000 修补程序包 - KB911567
Windows 2000 修补程序包 - KB916281
Windows 2000 修补程序包 - KB918899
Windows 2000 修补程序包 - KB923694
Windows 2000 修补程序包 - KB928090
Windows 2000 修补程序包 - KB929969
Windows 2000 修补程序包 - KB931768
Windows 2000 修补程序包 - KB933566
Windows 2000 修补程序包 - KB937143
Windows 2000 修补程序包 - KB938127
Windows 2000 修补程序包 - KB939653
Windows 2000 修补程序包 - KB941202
Windows 2000 修补程序包 - KB942615
Windows Blaster Worm Removal Tool (KB833330)
Windows Installer 3.1 (KB893803)
Windows Media Player (KB911564) 安全更新
Windows Media Player 6.4 (KB925398) 安全更新
Windows Media Player 7.1 (KB917734) 安全更新
Windows Media Player 9 (KB911565) 安全更新
Windows Media Player 9 (KB917734) 安全更新
Windows Media Player 9 (KB936782) 安全更新
Windows Media Player Hotfix [请参阅 Q828026 以获得更多信息]
Windows Media Player system update (9 Series)
WinRAR archiver
WinRescue 2000
WinZip
Wisdom-soft AutoScreenRecorder 2.1 Pro
安全更新 for DirectX 9 (KB941568)
谷歌拼音输入法


Thanks!

Waterburn

#19 guestolo


Posted 29 March 2008 - 01:21 PM

If you can't start RPC, you will lose a lot of functionality
Try the following, Mosaic1 wrote this small batch

Download/save and unzip to desktop
clearit.zip

Double click on clearit.bat

RESTART the computer
Let me know if you have some functions back



#20 waterburn


Posted 29 March 2008 - 05:41 PM

Hi,

The following message flashes quickly when I try to open clearit.bat:

C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\桌面>Reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs /v DependOnService /f
'Reg' is not recognized as an internal or external command, operable program or batch file.

C:\Documents and Settings\Administrator.GU-3R3LEUQBGPNO\桌面>Sc config Rpcss start= auto

'Sc' is not recognized as an internal or external command, operable program or batch file.

Sorry gotta type quick, earth hour.

Thanks!

Waterburn
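The two commands echoed in post #20 show what Mosaic1's clearit.bat from post #19 tries to do: delete a DependOnService value under the RPC service key (a planted dependency is one way error 1068 "The dependency service or group failed to start" ends up on RpcSs) and set the service back to Automatic start. Both commands failed because reg.exe and sc.exe were not part of a default Windows 2000 installation (they shipped with the Resource Kit / Support Tools). The batch below is an added example, not clearit.bat itself and not code from anyone in this thread. It performs the same two repairs, but first exports the key so the change can be reversed, and falls back to regedit.exe, which every Windows 2000 install has, when reg.exe and sc.exe are missing. The file names under %TEMP% are arbitrary choices for this example.

```batch
@echo off
rem Added example (not clearit.bat from the thread): repair the RPC service
rem (RpcSs) start configuration on Windows 2000 / XP.
rem   1. export the key first so the change can be undone;
rem   2. use reg.exe + sc.exe when present;
rem   3. otherwise build a .reg file and import it silently with regedit.exe,
rem      which avoids the "'Reg' is not recognized" failure seen in post #20.

set KEY=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs
set BACKUP=%TEMP%\RpcSs-before.reg
set FIX=%TEMP%\RpcSs-fix.reg

rem --- 1. Keep a copy of the key as it is now (regedit /e writes .reg format).
regedit /e "%BACKUP%" "%KEY%"
echo Exported current RpcSs key to "%BACKUP%" (re-import with regedit to undo).

rem --- 2. Preferred path when both tools exist (Resource Kit on Windows 2000,
rem        built in on XP and later). Note the mandatory space after "start=".
if exist "%SystemRoot%\system32\reg.exe" if exist "%SystemRoot%\system32\sc.exe" (
    reg delete "%KEY%" /v DependOnService /f
    sc config RpcSs start= auto
    goto done
)

rem --- 3. Fallback for a stock Windows 2000 box: same change via a .reg file.
rem        "DependOnService"=-      deletes that value
rem        "Start"=dword:00000002   is SERVICE_AUTO_START (Automatic)
(
echo Windows Registry Editor Version 5.00
echo.
echo [%KEY%]
echo "DependOnService"=-
echo "Start"=dword:00000002
)> "%FIX%"
regedit /s "%FIX%"
echo Applied "%FIX%" with regedit.exe.

:done
echo Reboot, then open Administrative Tools / Services and confirm that
echo "Remote Procedure Call (RPC)" shows Started and Automatic; Print Spooler
echo and Windows Installer should start once RPC is back.
```

Run it from an Administrator account and reboot afterwards, as post #19 says; if RPC still reports error 1068 after the reboot, the exported RpcSs-before.reg shows exactly which dependency value was present before the change, which is the first thing to look at.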