Post by: tarameary on January 17, 2006, 07:16:19 AM
- goaway.exe
- mmxxxxmas2.exe
- emoticonz.exe
- clickthis.exe
Here's my hijack log file.
Logfile of HijackThis v1.99.1
Scan saved at 9:26:10 PM, on 1/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PosHelp - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\Program Files\Advanced Searchbar\advancedsearchbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\advancedsearchbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Microsoft Windows MSNNT] mssnt.exe
O4 - HKLM\..\Run: [Windows Media Loader] wmloader.exe
O4 - HKLM\..\Run: [Internet Services] \netsvc.exe
O4 - HKLM\..\Run: [Microsoft NT Drivers] ntdrv.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\MCAFEE~1.00I\RGW\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [Microsoft Configure 32] msoftconf.exe
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\RunServices: [Microsoft Windows MSNNT] mssnt.exe
O4 - HKLM\..\RunServices: [Windows Media Loader] wmloader.exe
O4 - HKLM\..\RunServices: [Internet Services] \netsvc.exe
O4 - HKLM\..\RunServices: [Microsoft NT Drivers] ntdrv.exe
O4 - HKLM\..\RunServices: [Microsoft Configure 32] msoftconf.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Windows MSNNT] mssnt.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Microsoft NT Drivers] ntdrv.exe
O4 - HKCU\..\Run: [Microsoft Configure 32] msoftconf.exe
O4 - HKCU\..\RunServices: [Microsoft Windows MSNNT] mssnt.exe
O4 - HKCU\..\RunServices: [Microsoft NT Drivers] ntdrv.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\advancedsearchbar.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\advancedsearchbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136508111906 (http://\"http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136508111906\")
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: windows dll service (dll service) - Unknown owner - C:\WINDOWS\rund1132.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
Here's my Ewido report
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 10:51:45 PM, 1/16/2006
+ Report-Checksum: D4D0F5B8
+ Scan result:
C:\System Volume Information\_restore{4759A5B1-D202-48ED-8EF3-58BF0E9B4173}\RP102\A0030724.exe -> Downloader.Adload.j : Cleaned with backup
C:\System Volume Information\_restore{4759A5B1-D202-48ED-8EF3-58BF0E9B4173}\RP102\A0030739.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\System Volume Information\_restore{4759A5B1-D202-48ED-8EF3-58BF0E9B4173}\RP102\A0030740.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\System Volume Information\_restore{4759A5B1-D202-48ED-8EF3-58BF0E9B4173}\RP102\A0030741.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\System Volume Information\_restore{4759A5B1-D202-48ED-8EF3-58BF0E9B4173}\RP102\A0030742.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\System Volume Information\_restore{4759A5B1-D202-48ED-8EF3-58BF0E9B4173}\RP102\A0030743.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\System Volume Information\_restore{4759A5B1-D202-48ED-8EF3-58BF0E9B4173}\RP102\A0031726.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\clickthis.exe -> Downloader.Adload.j : Cleaned with backup
::Report End
And here's my programs list
ACDSee 5.0 Standard
Ad-Aware SE Personal
Adobe Reader 7.0
ADSL USB Modem Network Adapter
Advanced Searchbar for Windows
ArcSoft PhotoBase 3
ArcSoft PhotoStudio 5
AVG Free Edition
Azureus
Black and White
CA eTrust PestPatrol
Canon CanoScan Toolbox 4.1
Canon S200SP
Canon Utilities Easy-PhotoPrint
CanoScan LiDE20,30 Manual
Chinese Star XP
C-Media Audio
DAEMON Tools
ewido anti-malware
HijackThis 1.99.1
IsoBuster 1.7
J2SE Runtime Environment 5.0 Update 6
Lavasoft VX2 Cleaner
Macromedia Flash Player 8
Macromedia Shockwave Player
Messenger-Control plug-in for Ad-Aware SE
Microsoft Office Professional Edition 2003
Mozilla Firefox (1.0.7)
MSN Messenger 7.5
MSN Music Assistant
MYOB Accounting v12
Nero 6 Ultra Edition
NetoDragon 56K Voice Modem
OE/W Messengerctrl plug-in for Ad-Aware SE
PowerDVD
RealPlayer
Registry Repair 2006
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
SiS 900 PCI Fast Ethernet Adapter Driver
Skype 1.4
Tweak-SE plug-in for Ad-Aware SE
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
VideoLAN VLC media player 0.8.2
Web Nexus Network
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB905915
WinZip
I can't open Internet explorer to surf the net. whenever i wan to save as a file, it'll freeze.
I can't use some of my programs installed. If not, it'll freeze.
Please kindly help me to look at this problem.
Thanks.
Post by: guestolo on January 17, 2006, 12:23:59 PM
Additionally, can I get you to post a fresh hijackthis log done in Normal mode
Your last one appears to have been saved in safe mode
Post by: tarameary on January 17, 2006, 09:18:09 PM
Here's my hijackthis log file in normal mode.
Logfile of HijackThis v1.99.1
Scan saved at 10:14:54 AM, on 1/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\msoftconf.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\WINDOWS\rund1132.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PosHelp - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\Program Files\Advanced Searchbar\advancedsearchbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\advancedsearchbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Microsoft Windows MSNNT] mssnt.exe
O4 - HKLM\..\Run: [Windows Media Loader] wmloader.exe
O4 - HKLM\..\Run: [Internet Services] \netsvc.exe
O4 - HKLM\..\Run: [Microsoft NT Drivers] ntdrv.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\MCAFEE~1.00I\RGW\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [Microsoft Configure 32] msoftconf.exe
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\RunServices: [Microsoft Windows MSNNT] mssnt.exe
O4 - HKLM\..\RunServices: [Windows Media Loader] wmloader.exe
O4 - HKLM\..\RunServices: [Internet Services] \netsvc.exe
O4 - HKLM\..\RunServices: [Microsoft NT Drivers] ntdrv.exe
O4 - HKLM\..\RunServices: [Microsoft Configure 32] msoftconf.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Windows MSNNT] mssnt.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Microsoft NT Drivers] ntdrv.exe
O4 - HKCU\..\Run: [Microsoft Configure 32] msoftconf.exe
O4 - HKCU\..\RunServices: [Microsoft Windows MSNNT] mssnt.exe
O4 - HKCU\..\RunServices: [Microsoft NT Drivers] ntdrv.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\advancedsearchbar.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\advancedsearchbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136508111906 (http://\"http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136508111906\")
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: windows dll service (dll service) - Unknown owner - C:\WINDOWS\rund1132.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
Post by: guestolo on January 18, 2006, 12:07:37 AM
==Download and Install
Windows Cleanup! 4.0 (http://\"http://downloads.stevengould.org/cleanup/CleanUp40.exe\")
Don't run it yet
Open Ewido:
I need to make sure it is right up to date
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link
http://www.ewido.net/en/download/updates/ (http://\"http://www.ewido.net/en/download/updates/\")
==Download Killbox
From one of these loactions
http://www.downloads.subratam.org/KillBox.exe (http://\"http://www.downloads.subratam.org/KillBox.exe\")
http://www.atribune.org/downloads/KillBox.exe (http://\"http://www.atribune.org/downloads/KillBox.exe\")
and save it too your desktop or folder
Please save these instructions to a Notepad file and save it to your Desktop for reference
This is important as I need you too follow some instructions in safe mode
Go to start>>>run>>type in notepad >>Hit OK
Can you disable Pest Patrol's realtime protections so it won't interfere with any fixes we try
RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter
==Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- windows dll service
Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Open killbox.exe
Leave "Standard Kill file" selected
In the "Full path of File to Delete" copy and paste the full entry below in bold
C:\WINDOWS\System32\msoftconf.exe
Then click the Red Circle with the White X
Allow to make a backup and delete the file
Don't worry about no file found messages
Carry on with the same instructions in killbox with the rest of these
C:\WINDOWS\rund1132.exe
C:\WINDOWS\System32\mssnt.exe
C:\WINDOWS\System32\wmloader.exe
C:\WINDOWS\System32\ntdrv.exe
C:\Goaway.exe
C:\mmxxxxmas2.exe
C:\emoticonz.exe
C:\clickthis.exe
C:\Program Files\Common Files\VCClient\VCClient.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
When that's done, exit Killbox
Please keep track of any files that wouldn't delete, we'll need them again later
Find and delete this folder
C:\Program Files\Common Files\VCClient <-this folder
==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer
==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows
Stay in safe mode
Open Hijackthis>>Open Misc tools section>>Open "Delete an NT service"
Copy and paste the bolded name below into the open field and then hit OK
dll service
Hijackthis should prompt that the service is found
We want to delete the service but DO NOT reboot yet
Instead, click BACK in Hijackthis>>>Select SCAN
Put a check next to these entries:
O4 - HKLM\..\Run: [Microsoft Windows MSNNT] mssnt.exe
O4 - HKLM\..\Run: [Windows Media Loader] wmloader.exe
O4 - HKLM\..\Run: [Internet Services] \netsvc.exe
O4 - HKLM\..\Run: [Microsoft NT Drivers] ntdrv.exe
O4 - HKLM\..\Run: [Microsoft Configure 32] msoftconf.exe
O4 - HKLM\..\RunServices: [Microsoft Windows MSNNT] mssnt.exe
O4 - HKLM\..\RunServices: [Windows Media Loader] wmloader.exe
O4 - HKLM\..\RunServices: [Internet Services] \netsvc.exe
O4 - HKLM\..\RunServices: [Microsoft NT Drivers] ntdrv.exe
O4 - HKLM\..\RunServices: [Microsoft Configure 32] msoftconf.exe
O4 - HKCU\..\Run: [Microsoft Windows MSNNT] mssnt.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [Microsoft NT Drivers] ntdrv.exe
O4 - HKCU\..\Run: [Microsoft Configure 32] msoftconf.exe
O4 - HKCU\..\RunServices: [Microsoft Windows MSNNT] mssnt.exe
O4 - HKCU\..\RunServices: [Microsoft NT Drivers] ntdrv.exe
After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Open Killbox.exe again
For any file that wouldn't delete, copy and paste
In the "Full path of File to Delete"
This time select "Delete file on Reboot" option
then click the Red Circle with the white X
Allow to delete on Reboot but don't reboot until you have entered
the last file to killbox
At which time
Reboot back to Normal mode
Back in Windows
Can i see the following please
1. Post a fresh hijackthis log
2. Post the full report from Ewido's
3. From below, download and UNZIP to your desktop Find.zip, so you now have Find.bat extracted onto the desktop
Double click on Find.bat, a text file will open, can you copy and paste the whole contents back here to please
Post by: tarameary on January 18, 2006, 07:09:44 AM
my pc is getting much more clean now but there's still one more trojan horse detected by AVG: drupdate(1).exe
Meanwhile, when i wan to extract the file from Find.zip, my pc started to freeze and there's some program which I couldn't open, for instance Azureus. However, I am able to launch internet explorer now.
Here are the reports u requested.
Logfile of HijackThis v1.99.1
Scan saved at 7:43:20 PM, on 1/18/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\svbhost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PosHelp - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\Program Files\Advanced Searchbar\advancedsearchbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\advancedsearchbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\MCAFEE~1.00I\RGW\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\advancedsearchbar.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\advancedsearchbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136508111906 (http://\"http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136508111906\")
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: windows network (network services) - Unknown owner - C:\WINDOWS\svbhost.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 7:02:48 PM, 1/18/2006
+ Report-Checksum: 517A551B
+ Scan result:
C:\System Volume Information\_restore{4759A5B1-D202-48ED-8EF3-58BF0E9B4173}\RP103\A0035852.exe -> Backdoor.Rbot : Cleaned with backup
C:\System Volume Information\_restore{4759A5B1-D202-48ED-8EF3-58BF0E9B4173}\RP103\A0035853.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\System Volume Information\_restore{4759A5B1-D202-48ED-8EF3-58BF0E9B4173}\RP103\A0035854.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\System Volume Information\_restore{4759A5B1-D202-48ED-8EF3-58BF0E9B4173}\RP103\A0035855.exe -> Downloader.VB.jl : Cleaned with backup
C:\System Volume Information\_restore{4759A5B1-D202-48ED-8EF3-58BF0E9B4173}\RP103\A0035856.exe -> Trojan.LowZones.cf : Cleaned with backup
C:\System Volume Information\_restore{4759A5B1-D202-48ED-8EF3-58BF0E9B4173}\RP103\A0035860.exe -> Downloader.Adload.j : Cleaned with backup
C:\!KillBox\msoftconf.exe -> Backdoor.Rbot : Cleaned with backup
C:\!KillBox\rund1132.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\!KillBox\goaway.exe -> Trojan.LowZones.ct : Cleaned with backup
C:\!KillBox\mmxxxxmas2.exe -> Downloader.VB.jl : Cleaned with backup
C:\!KillBox\emoticonz.exe -> Trojan.LowZones.cf : Cleaned with backup
C:\!KillBox\drupdate.exe -> Downloader.Adload.j : Cleaned with backup
::Report End
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
00
"LsaPid"=dword:00000298
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000001
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"Microsoft Windows MSNNT"="mssnt.exe"
"Windows Media Loader"="wmloader.exe"
"AUOptions"="1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:63,4a,6a,e1,ff,fe,90,05,0d,03,80,35,fa,fb,8e,90,61,62,31,35,31,\
66,37,66,00,68,07,00,01,00,00,00,d8,00,00,00,dc,00,00,00,48,fa,06,00,d6,48,\
5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,e4,42,2c,37
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:b0,ff,a3,a0,b1,27,ed,2e,52
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:2e,bd,bb,4e,ec,23
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:3a,89,b5,8e,ab,4b,1c,e0,47,ea,ca,12,58,b7,fe,a5
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:32,6c,c5,fb,26,fd,c5,01
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,0d,26,de,0d,4f,c2,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,20,7c,22,cb,2b,c1,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,75,af,e7,0d,4f,c2,01
"Type"=dword:00000031
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="N"
"Microsoft Windows MSNNT"="mssnt.exe"
"Windows Media Loader"="wmloader.exe"
Post by: tarameary on January 18, 2006, 08:06:22 PM
Post by: guestolo on January 19, 2006, 01:15:41 AM
Go to the following link
Take note how to enable the Firewall for Service pack 1
http://www.uic.edu/depts/accc/lan/res-net/xpfirewall.html (http://\"http://www.uic.edu/depts/accc/lan/res-net/xpfirewall.html\")
If it's not enabled, try and enable it now, if it won't enable now
Carry on with the rest of the instructions
From below, right at the bottom of this reply box, download and save then UNZIP to your desktop StartRem.zip
So you now have a StartRem folder on your desktop
Don't run this yet
==Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop, well need this later, don't run it yet
Ensure to include REGEDIT4 and below in the code box
Code: [Select]
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Microsoft Windows MSNNT"=-
"Windows Media Loader"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"Microsoft Windows MSNNT"=-
"Windows Media Loader"=- Please save these instructions to a Notepad file and save it to your Desktop for reference
This is important as I need you too follow some instructions in safe mode
Reboot back into safe mode
Open the StartRem folder and double click on startrem.bat
Follow the prompts, remain in safe mode when done
Double click on fix.reg and allow to add/merge to the registry
==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer
Stay in safe mode
Open "Internet Options" via Control Panel
# Click on the Security tab.
# Click on the Internet Icon on upper pane of the window.
# Click on Default Level on lower right corner of the window.
# Click on the Local Internet Icon on upper pane of the window.
# Click on Default Level on lower right corner of the window.
# Click on the Trusted sites Icon on upper pane of the window.
# Click on Default Level on lower right corner of the window.
# Click on the Restricted sites Icon on upper pane of the window.
# Click on Default Level on lower right corner of the window.
# Click OK on lower right corner of the window.
Reboot back to Normal mode
If you couldn't enable the Firewall earlier, try now!!
Use Internet Explorer and Run the online Panda ActiveScan (http://\"http://www.pandasoftware.com/products/activescan?NRMODE=Published&NRORIGINALURL=%2factivescan.htm&NRNODEGUID=%7b3B202047-35D4-4DA2-B310-B1DBEC2971F2%7d&NRCACHEHINT=Guest\")
* Once you are on the Panda site click the Scan your PC button.
* A new window will open...click the big Check Now button.
* Enter your Country.
* Enter your State/Province.
* Enter your e-mail address.
* Select either "Home User or Company."
* Click the big Scan Now button.
* Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
* Click on Local Disks to start the scan.
When the scan is complete
click See Report, then click Save Report and save it to your Desktop.
Post back the following please
1. Post back a fresh hijackthis log
2. Post the full report from Panda's
3. Post the contents of start.txt inside the startrem folder
4. Again, double click on Find.bat and post the contents
Post by: tarameary on January 19, 2006, 09:14:33 PM
Here are the reports u asked for.
Logfile of HijackThis v1.99.1
Scan saved at 9:58:33 AM, on 1/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PosHelp - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\Program Files\Advanced Searchbar\advancedsearchbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\advancedsearchbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\MCAFEE~1.00I\RGW\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [Microsoft Configure 32] msoftconf.exe
O4 - HKLM\..\RunServices: [Microsoft Configure 32] msoftconf.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Configure 32] msoftconf.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\advancedsearchbar.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\advancedsearchbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136508111906 (http://\"http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136508111906\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
Panda Scan Report
Incident Status Location
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.msn
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\system32\msoftconf.exe
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\i
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\system32\mingw.exe
Virus:Bck/Ircbot.RZ Disinfected C:\WINDOWS\system32\setup_51204.exe
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\system32\schost.exe
Virus:Bck/Ircbot.RZ Disinfected C:\WINDOWS\system32\setup_64380.exe
Virus:Bck/Ircbot.RZ Disinfected C:\WINDOWS\system32\setup_81588.exe
Virus:Bck/Ircbot.RZ Disinfected C:\WINDOWS\system32\setup_71742.exe
Virus:Bck/Ircbot.RZ Disinfected C:\WINDOWS\system32\setup_35111.exe
Virus:Bck/Ircbot.RZ Disinfected C:\WINDOWS\system32\setup_88348.exe
Virus:Bck/Ircbot.RZ Disinfected C:\WINDOWS\system32\setup_72036.exe
Virus:Bck/Ircbot.RZ Disinfected C:\WINDOWS\system32\setup_82006.exe
Virus:Bck/Ircbot.RZ Disinfected C:\WINDOWS\system32\setup_78651.exe
Virus:Bck/Ircbot.RZ Disinfected C:\WINDOWS\system32\setup_83123.exe
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\drsmartload.dat
Virus:Bck/Sdbot.GDO Disinfected C:\WINDOWS\kaspersky32.exe
Virus:W32/Gaobot.gen.worm Disinfected C:\WINDOWS\sse.exe
Start.txt
~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~
~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~
Find.bat
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
00
"LsaPid"=dword:00000298
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"restrictanonymous"="0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:63,4a,6a,e1,ff,fe,90,05,0d,03,80,35,fa,fb,8e,90,61,62,31,35,31,\
66,37,66,00,68,07,00,01,00,00,00,d8,00,00,00,dc,00,00,00,48,fa,06,00,d6,48,\
5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,e4,42,2c,37
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:b0,ff,a3,a0,b1,27,ed,2e,52
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:2e,bd,bb,4e,ec,23
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:3a,89,b5,8e,ab,4b,1c,e0,47,ea,ca,12,58,b7,fe,a5
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:32,6c,c5,fb,26,fd,c5,01
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,0d,26,de,0d,4f,c2,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,20,7c,22,cb,2b,c1,01
"Type"=dword:00000031
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,75,af,e7,0d,4f,c2,01
"Type"=dword:00000031
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="Y"
Post by: guestolo on January 19, 2006, 09:32:59 PM
Find and delete this file
C:\WINDOWS\drsmartload.dat
Do a "System scan only" with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [Microsoft Configure 32] msoftconf.exe
O4 - HKLM\..\RunServices: [Microsoft Configure 32] msoftconf.exe
O4 - HKCU\..\Run: [Microsoft Configure 32] msoftconf.exe
After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
recomm
Reboot the computer
Back in Windows
Open IE, don't go surfing
Instead click on TOOLS>>Windows updates
When you get to windows updates
Download and install all High Priority updates
Excluding Service pack 2
Don't install SP2 yet, we must make sure your computer is clean before the installation
But get all other High Priorities>>This does not include Optional updates
Come back here and post a fresh hijackthis log
Post by: tarameary on January 21, 2006, 01:20:58 AM
Scan saved at 2:19:36 PM, on 1/21/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Synacast\SynaLive\PE.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PosHelp - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\Program Files\Advanced Searchbar\advancedsearchbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\advancedsearchbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\MCAFEE~1.00I\RGW\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\advancedsearchbar.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\Advanced Searchbar\advancedsearchbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136508111906 (http://\"http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136508111906\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
Post by: guestolo on January 21, 2006, 12:59:22 PM
C:\WINDOWS\svbhost.exe <-file
If it's not gone, please let me know, delete if found
Exact file name in the Windows folder
How's everything running?
Can you also do the following please:
Download Trackqoo.zip (http://\"http://www.bleepingcomputer.com/files/mosaic1/Trackqoo.zip\")
Save it to the Desktop
Double Click on "Track qoo.vbs"
Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!
Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post
Also, Download Find-Qoologic.zip (http://\"http://downloads.subratam.org/Find-Qoologic.zip\") and save it to your Desktop.
UNZIP the files inside into their own folder called FindQoologic to the desktop
Open the FindQoologic folder.
Locate and double-click the Find-Qoologic.bat file to run it.
Choose option 1 for Run Findqoologic by typing 1 and pressing enter.
This will scan your system.
Wait until a text opens.
Post this in your next reply
Post by: tarameary on January 21, 2006, 11:05:22 PM
I can 'Save as' a file without any problem...it won't freeze like before..
i search for svbhost.exe, it's gone already.
Everything goes smoothly....thanks for ur help.
HEre are the reports u asked
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"DAEMON Tools-1033"="\"D:\\daemon.exe\" -lang 1033"
"McRegWiz"="C:\\PROGRA~1\\MCAFEE~1.00I\\RGW\\McRegWiz.exe /autorun"
"eTrust PestPatrol Active Protection"="\"C:\\Program Files\\CA\\eTrust PestPatrol\\PPActiveDetection.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
C:\Program Files\Grisoft\AVG Free\avgse.dll
Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido anti-malware\context.dll
Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll
Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
D:\Program\rarext.dll
Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll
=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {F9DB5320-233E-11D1-9F84-707F02C10627}
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini
Adobe Gamma Loader.lnk
Adobe Reader Speed Launch.lnk
==============================
C:\Documents and Settings\Admin\Start Menu\Programs\Startup
desktop.ini
Adobe Gamma Loader.lnk
Adobe Reader Speed Launch.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files
hdwwiz.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
sysdm.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems, Inc.
access.cpl Microsoft Corporation
slcpappl.cpl
Find Qoologic last edited 01/08/2006
Running from
C:\Documents and Settings\Admin\Desktop\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»» Search by size and name»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
C:\WINDOWS\SYSTEM32\LINKINFO.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus]
.....
[HKEY_LOCAL_MACHINE\Software\qstat]
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
Post by: guestolo on January 22, 2006, 12:54:27 AM
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
Code: [Select]
REGEDIT4
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus]
[-HKEY_LOCAL_MACHINE\Software\qstat]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}] Double click on fix.reg and allow to add/merge to the registry
Open Hijackthis>>>Open misc tools section>>Open Uninstall manager
left to highlight only "Web Nexus Network"
then select 'Delete this Entry'
Reboot the computer afterwards
Back in Windows
*If everything is running better
We should clear all your restore points to ensure you don't restore any nasties that may be residing in the
restore folders
Go to START>>RUN>>In the open field
type in msconfig
Click the "Launch System Restore" button
On the Left hand side click on "System Restore Settings"
Put a Check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer
Back in Windows, Go back and take the check out of Turn off system restore
This will reenable the System Restore feature and creates a new restore point
[indent]===========================[/indent]
*For added protections against future attacks
You should install this free tool
SpywareBlaster 3.5.1 by JavaCool (http://\"http://www.javacoolsoftware.com/spywareblaster.html\")
- *Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"
Check for updates every couple of weeks
after every update just simply click the "enable protection on all unprotected items"
[/list]*Check for updates with your anti-spyware programs and run a check on a regular basis
About every couple of weeks
[indent]===========================[/indent]
I would opt to hold onto CleanUp! <--can be ran once a week
and Ewido<--check for updates once a month and run a scan
[indent]===========================[/indent]
Now to get you updated to SP2
I would run Cleanup! again with the instructions I posted earlier
This cleans your temp folders, etc...
Also cleans your prefetch folder, if you find the first bootup after running CleanUp! is a little slower
That is because of the cleaning of the prefetch, not to worry
Bootup will be faster next time around
I would also take this oppurtunity to to a Disk Defragment
I prefer to do this in safe mode, allows minimal running
It may take some time if it hasn't been done for awhile
Afterwards, boot back to Normal mode
We've started you in the right direction to install SP2
Please, additionally, take a look at this link
http://www.microsoft.com/windowsxp/sp2/default.mspx (http://\"http://www.microsoft.com/windowsxp/sp2/default.mspx\")
Take note of the link 'What to know before you download and install'
Afterwards, visit Windows updates and install SP2, may take about 30 minutes or more on cable, dsl
you can order the free cd (http://\"http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx\") if on dialup
Once installed, reboot the computer
Just a reminder, if you are not set to Autoupdate, make a habit of visiting Windows Updates
and check for High Priority updates at least once a month
This is important in keeping your system secure
Stay safe
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' />
Post by: guestolo on January 30, 2006, 12:01:10 AM
I'll lock this topic
Take care
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />