TheTechGuide Forum
General Category => Tech Clinic => Topic started by: goxen4 on November 09, 2006, 08:41:41 AM
-
I need help with my MSN. I have the normal one that comes with the PC and it won't let me send IMs. It will log in, but when I try to talk to someone it says the message could not be sent. My friend also has this problem when trying to speak to me. Most of the time when I try to log into MSN it won't let me, saying there is something wrong with my .NET service, but if I keep doing it, it lets me log in. I'm going to school soon and I will check this while at school. Can someone please bump this every now and then? :(
-
Need the exact error message you are getting when trying to sign in
Also, can I see the following? This will help in identifying the operating system and serve as a double check on anything suspicious.
Download Hijackthis from my signature below
SAVE it to your desktop
Double click on hijackthis_sfx.exe on desktop
Click the UNZIP button>>OK the prompt
This will self extract to C:\Program Files\HijackThis
Delete hijackthis_sfx.exe from desktop
Go to START>>RUN
Copy>>paste the following to the open field, then hit OK
%systemdrive%\Program Files\HijackThis
This will open the Hijackthis folder
RIGHT CLICK on Hijackthis.exe and select SEND TO>>Desktop (create shortcut)
You can now run Hijackthis.exe from the new shortcut placed on your desktop
Double click to run Hijackthis.exe
Do a "SCAN and Save a Log file"
A log will open in Notepad
Copy and paste the WHOLE contents of the log here
-
Logfile of HijackThis v1.99.1
Scan saved at 4:00:50 AM, on 11/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\services.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SupraConnect\Wave\fts.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\goxen4\My Documents\Ares\Ares.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Wave Connect\PropelAC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SupraConnect\Wave\FWPortal.exe
C:\WINDOWS\slrundll.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runescape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.averatec.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\Wave Connect\prpl_IePopupBlocker.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [%FP%SupraTelecom fts.exe] "C:\Program Files\SupraConnect\Wave\fts.exe"
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\Wave Connect\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Documents and Settings\goxen4\My Documents\Ares\Ares.exe" -h
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\Wave Connect\pac-addwl.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\Wave Connect\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\Wave Connect\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.averatec.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096490317211
O17 - HKLM\System\CCS\Services\Tcpip\..\{34109656-A6DE-4229-8A36-F88AA6C3F8E2}: NameServer = 66.19.192.200 216.126.128.40
O17 - HKLM\System\CS1\Services\Tcpip\..\{34109656-A6DE-4229-8A36-F88AA6C3F8E2}: NameServer = 66.19.192.200 216.126.128.40
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
OK, there. Also, the exact message is "The following message could not be delivered to all recipients:"
Sorry it took me so long, but I just got out of school. Does that help you?
-
guestolo please post here and help me
-
Download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe) and save it to the desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post the log from combofix please
-
goxen4 - 06-11-12 6:22:54.55 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\goxen4\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-10-12 to 2006-11-12 ))))))))))))))))))))))))))))))))))
2006-11-05 03:33 353,792 --a------ C:\WINDOWS\system32\lncom_.exe
2006-10-29 01:39 36,864 --a------ C:\WINDOWS\system32\reginv.dll
2006-10-29 01:39 350,764 --a------ C:\WINDOWS\system32\lncom.exe
2006-10-29 01:39 350,764 ---hs---- C:\WINDOWS\system32\fservice.exe
2006-10-29 01:39 350,764 ---hs---- C:\WINDOWS\services.exe
2006-10-29 01:39 13,312 --a------ C:\WINDOWS\system32\winkey.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-12 05:20 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-10 04:00 -------- d-------- C:\Program Files\HijackThis
2006-11-06 11:22 -------- d-------- C:\Program Files\NetMeeting
2006-10-29 18:57 -------- d-------- C:\Documents and Settings\goxen4\Application Data\Mozilla
2006-10-29 00:55 -------- d-------- C:\Program Files\HostMonitor6
2006-10-09 08:23 -------- d---s---- C:\Documents and Settings\goxen4\Application Data\Microsoft
2006-10-08 03:02 -------- d-------- C:\Program Files\Internet Explorer
2006-10-07 22:42 -------- d-------- C:\Program Files\Messenger
2006-10-07 03:06 -------- d-------- C:\Program Files\Windows Media Player
2006-10-07 03:01 -------- d-------- C:\Program Files\Outlook Express
2006-10-07 03:01 -------- d-------- C:\Program Files\Common Files\System
2006-10-05 09:17 -------- d-------- C:\Documents and Settings\goxen4\Application Data\Macromedia
2006-10-05 07:02 -------- d-------- C:\Documents and Settings\goxen4\Application Data\Sun
2006-10-05 06:52 -------- d-------- C:\Program Files\Java
2006-10-05 05:12 -------- d-------- C:\Program Files\Common Files\Java
2006-10-05 05:12 -------- d-------- C:\Program Files\Common Files
2006-10-04 10:59 -------- d-------- C:\Program Files\Wave Connect
2006-10-04 10:52 -------- d-------- C:\Documents and Settings\goxen4\Application Data\Wave
2006-10-04 05:24 -------- d-------- C:\Program Files\SupraConnect
2006-10-04 05:24 -------- d-------- C:\Program Files\Common Files\FTL Shared
2006-09-12 17:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 03:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 00:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-20 21:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-15 23:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ares"="\"C:\\Documents and Settings\\goxen4\\My Documents\\Ares\\Ares.exe\" -h"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"%FP%SupraTelecom fts.exe"="\"C:\\Program Files\\SupraConnect\\Wave\\fts.exe\""
"Propel Accelerator"="\"C:\\Program Files\\Wave Connect\\trayctl.exe\" /STARTUPLAUNCH"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"DirectX For Microsoft® Windows"="C:\\WINDOWS\\system32\\fservice.exe"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - goxen4.job
C:\WINDOWS\tasks\Symantec NetDetect.job
Completion time: 06-11-12 6:23:34.76
C:\ComboFix.txt ... 06-11-12 06:23
hope this will help :/
-
Can you do the following
Download The Avenger.zip (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop.
* Click on Avenger.zip to open the file
* Extract avenger.exe to your desktop
Copy ALL the text contained in blue below to your Clipboard by highlighting it and pressing (Ctrl+C) on your keyboard,
=============================================================
files to delete:
C:\WINDOWS\system32\lncom_.exe
C:\WINDOWS\system32\reginv.dll
C:\WINDOWS\system32\lncom.exe
C:\WINDOWS\system32\fservice.exe
C:\WINDOWS\services.exe
C:\WINDOWS\system32\winkey.dll
Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run | DirectX For Microsoft Windows
Programs to launch on reboot:
C:\Program Files\HijackThis\HijackThis.exe
==========================================================================
Now, start The Avenger program by clicking on its icon on your desktop
* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
* Paste the text copied to clipboard into this window by pressing (Ctrl+V).
* Click Done
* Now click on the Green Light to begin execution of the script
* Answer "Yes" twice when prompted.
Avenger should now Reboot your computer
After reboot, Windows will take a bit longer to load
After a bit, Hijackthis will open
Do a "SCAN" only
Put a tick next to this entry
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
Then click FIX CHECKED
Ok any prompts
Windows desktop icons will finally load
Once loaded
Reboot your computer one more time
Can you do the following
1. Post a fresh hijackthis log
2. Post the report from Avenger, located here>>C:\Avenger.txt
With the above 2 logs, could you also
RIGHT CLICK an empty spot on your desktop and select
NEW>>Text Document
A new text document will be placed on desktop
Name it find.txt
Open find.txt
Copy>>Paste all the text below in the code box to it
Don't include the word 'code'
Close find.txt after you paste the info below and save the changes
RegSearch Options File
[Search]
5Y99AE78-58TT-11dW-BE53-Y67078979Y
9B71D88C-C598-4935-C5D1-43AA4DB90836
[Options]
Filter=KVDLUI
Download Registry Search (http://www.bleepingcomputer.com/files/steelwerx/regsearch.zip) to your desktop.
* Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
* Open the new folder, and double click on regsearch.exe
* Click "Import" in the lower left corner and browse to the find.txt file that you just saved on your desktop.
* Double click on find.txt
* Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
* Please reply here with the entire contents of the Notepad file from RegSearch.
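
The two indicators this reply acts on, the F2 Shell value with fservice.exe appended and the services.exe copy running from C:\WINDOWS instead of system32, can be picked out of a HijackThis log mechanically. The following is an added example, not part of the original post and not part of HijackThis; the `triage` function and the `EXPECTED_DIR` table are assumptions of this sketch, and the sample lines are an excerpt of the log posted above.

```python
import ntpath
import re

# Excerpt of the HijackThis log posted earlier in this thread (sample input).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\services.exe
C:\Program Files\Messenger\msmsgs.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\fservice.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Assumed table: where core Windows XP binaries normally live (lower-cased).
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
ENTRY = re.compile(r"^[A-Z]\d+ - ")  # HijackThis section lines: R0, F2, O4, ...


def triage(log_text):
    """Return (reason, line) findings for a HijackThis log."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if ENTRY.match(line):
            in_processes = False  # process list ends at the first R/F/O entry
        if in_processes and line:
            folder, name = ntpath.split(line.lower())
            expected = EXPECTED_DIR.get(name)
            if expected and folder != expected:
                findings.append(("system process name in unexpected folder", line))
        elif line.startswith("F2 - ") and "Shell=" in line:
            shell = line.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(("Shell value launches more than Explorer.exe", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

Anything it reports still needs a human look before removal, since the path table only covers a handful of system binaries.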
-
I can't do that right now because I don't have internet access anymore; I am using school computers :(
Can you tell me anything I might be able to do to fix it offline? Sorry I took so long to reply.
-
"I can't do that right now because I don't have internet access anymore"
Is there a reason you don't have internet?
The files I asked you to download, and even all the instructions, are small enough to fit on a floppy
You can download them and transfer the tools to your other computer
Also, copy>>paste all the instructions to a text file, to ensure you follow along with all instructions