Post by: mikey6969 on May 10, 2007, 02:56:03 PM
msccrt.dll..
it keeps reapperaing after i remove it with AVG..heres HJT log
any help would be appreciated.
Logfile of HijackThis v1.99.1
Scan saved at 3:51:49 PM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\Antivirus\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lib.verycd.com/tv/integration/archive/00005.html (http://\"http://lib.verycd.com/tv/integration/archive/00005.html\")
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Seekmo Search Assistant Helper /fleok=1D8A83A5C4E5147C9EAB6D2A1FBB39BFE4976E26CAEDDA7D5474452C3FCEC3 - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - c:\program files\seekmo\seekmohook.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [udz7e3iqlkel] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.travian.com
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab (http://\"http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab (http://\"http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab\")
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab\")
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab\")
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
Post by: guestolo on May 10, 2007, 11:00:13 PM
O2 - BHO: Seekmo Search Assistant Helper /fleok=1D8A83A5C4E5147C9EAB6D2A1FBB39BFE4976E26CAEDDA7D5474452C3FCEC3 - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - c:\program files\seekmo\seekmohook.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [udz7e3iqlkel] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot your computer
Back in Windows
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe (http://\"ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe\")
- Doubleclick the drweb-cureit.exe file and Allow to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, Click Options > Change settings
- Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
- Back at the main window, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, look if you can click next icon next to the files found: (http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif)
- If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
(http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif)
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. - After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
Post by: mikey6969 on May 12, 2007, 03:50:40 PM
O2 - BHO: Seekmo Search Assistant Helper /fleok=1D8A83A5C4E5147C9EAB6D2A1FBB39BFE4976E26CAEDDA7D5474452C3FCEC3 - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - c:\program files\seekmo\seekmohook.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [udz7e3iqlkel] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe
After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Reboot your computer
Back in Windows
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe (http://\"ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe\")
- Doubleclick the drweb-cureit.exe file and Allow to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, Click Options > Change settings
- Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
- Back at the main window, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, look if you can click next icon next to the files found: (http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif)
- If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
(http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif)
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. - After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
- After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
Here's what was in DrWeb:
dbmmgr32.dll;c:\windows\media;Trojan.Spambot;Will be cured after reboot.;
SetupDTSB.exe;C:\Program Files\DAEMON Tools;Adware.SaveNow;Incurable.Moved.;
A0025238.exe;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP264;Adware.Zango;Incurable.Moved.;
A0025373.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP267;Adware.Zango;Incurable.Moved.;
A0025375.exe;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP267;Adware.Hotbar;Incurable.Moved.;
A0025376.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP267;Adware.Hotbar;Incurable.Moved.;
A0025567.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP271;Adware.Zango;Incurable.Moved.;
A0025569.exe;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP271;Adware.Hotbar;Incurable.Moved.;
A0025570.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP271;Adware.Hotbar;Incurable.Moved.;
A0025572.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP271;Adware.Zango;Incurable.Moved.;
A0025577.exe;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP271;Adware.Zango;Incurable.Moved.;
A0025814.exe;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP276;Adware.Zango;Incurable.Moved.;
A0026261.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP283;Adware.Zango;Incurable.Moved.;
A0027082.exe;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP298;Adware.Zango;Incurable.Moved.;
A0027085.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP298;Adware.Zango;Incurable.Moved.;
A0027185.exe;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP299;Trojan.PWS.Wsgame;Deleted.;
A0028498.exe;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP304;Adware.Zango;Incurable.Moved.;
A0028622.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP305;Adware.Zango;Incurable.Moved.;
A0030084.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP317;Adware.Hotbar;Incurable.Moved.;
A0030086.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP317;Adware.Hotbar;Incurable.Moved.;
A0030090.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP317;Adware.Starware;Incurable.Moved.;
A0030093.dll;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP317;Adware.Zango;Incurable.Moved.;
A0030094.exe;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP317;Adware.Zango;Incurable.Moved.;
A0030096.exe;C:\System Volume Information\_restore{938221C4-1183-4D3B-A7B3-EBADAFF02DAD}\RP317;Adware.Zango;Incurable.Moved.;
dbmmgr32.dll;C:\WINDOWS\Media;Trojan.Spambot;Will be cured after reboot.;
And this is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 4:44:29 PM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\program files\steam\steam.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\Antivirus\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lib.verycd.com/tv/integration/archive/00005.html (http://\"http://lib.verycd.com/tv/integration/archive/00005.html\")
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.travian.com
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab (http://\"http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab (http://\"http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab\")
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab\")
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab\")
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
Post by: guestolo on May 12, 2007, 07:14:34 PM
can you run a couple quick scans for me and post the logs
Download [color=\"red\"]SDFix[/color] (http://\"http://downloads.andymanchesta.com/RemovalTools/SDFix.exe\") and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the top of the screen that appears.
Sign in with your normal user account
SDFix
Go to START>>My Computer>>Double click to open the C:\ folder
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
Download this file - Combofix.exe (http://\"http://download.bleepingcomputer.com/sUBs/ComboFix.exe\") and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post the log from combofix please along with the log from SDFix
Post by: mikey6969 on May 13, 2007, 06:18:19 PM
SDFix: Version 1.83
Run by Administrator - 2007-05-13 - 18:39:29.76
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Below files will be copied to Backups folder then removed:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hdpD9.tmp - Deleted
Removing Temp Files
ADS Check:
Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.
Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip
Checking For Files with Hidden Attributes:
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\onew1ng3dEmail Removed\Sharing Folders\morrispeterson_17Email Removed\The.Number.23.[TS-Screener].[www.BitBox.us]\Thumbs.db
Finished
combofix log:
"Administrator" - 2007-05-13 18:47:09 Service Pack 2
ComboFix 07-05.13.V - Running from: "C:\Documents and Settings\Administrator\Desktop\"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\death.sishen
((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\nm
((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-13 ))))))))))))))))))))))))))))))))))
2007-05-12 15:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-05-11 20:22 <DIR> d-------- C:\My Music
2007-05-11 20:21 <DIR> d-------- C:\Program Files\MP3 Convert Lord
2007-05-10 22:25 <DIR> d-------- C:\Program Files\ParadisePoker
2007-05-06 07:27 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-05-05 10:55 <DIR> d--h----- C:\WINDOWS\PIF
2007-05-04 21:08 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
2007-05-04 21:08 1,970,176 --a------ C:\WINDOWS\system32\d3dx9.dll
2007-05-04 21:08 <DIR> d-------- C:\Program Files\Cheat Engine
2007-04-23 16:31 <DIR> d-------- C:\Program Files\Seekmo
2007-04-21 13:21 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-04-16 22:21 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-16 08:00 12,245,711 --------- C:\AVG7QT.DAT
2007-04-15 20:12 162,132 --a------ C:\LSPRegBackup_15042007_201213.REG
2007-04-15 19:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Prevx
2007-04-15 19:58 77,312 --a------ C:\WINDOWS\ua2.dll
2007-04-15 19:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-04-13 18:48 <DIR> d-------- C:\Program Files\Yahoo! Games
2007-04-13 18:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-04-13 18:48 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\funkitron
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-13 22:49:55 -------- d-----w C:\Program Files\eMule
2007-05-13 22:49:37 -------- d-----w C:\Program Files\Steam
2007-05-12 20:38:35 -------- d-----w C:\Program Files\DAEMON Tools
2007-05-11 15:17:50 -------- d-----w C:\Program Files\Tiger Gaming
2007-05-10 20:34:06 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\U3
2007-04-30 19:34:03 -------- d-----w C:\Program Files\Conquer 2.0
2007-04-29 19:10:30 -------- d-----w C:\Program Files\Warcraft III
2007-04-20 00:04:45 79,891 ----a-w C:\WINDOWS\War3Unin.dat
2007-04-18 11:19:52 -------- d-----w C:\Program Files\BitComet
2007-04-18 11:19:31 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2007-04-17 11:35:22 -------- d-----w C:\Program Files\NJStar CJK Viewer
2007-04-17 11:35:20 -------- d-----w C:\Program Files\MSN Messenger
2007-04-17 11:34:57 -------- d-----w C:\Program Files\Messenger Plus! Live
2007-04-05 01:54:53 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\CoreCodec
2007-04-05 01:54:16 -------- d-----w C:\Program Files\CoreCodec
2007-04-05 01:51:47 36,734 ----a-w C:\WINDOWS\system32\OggDSuninst.exe
2007-03-27 00:41:16 -------- d-----w C:\Program Files\Flash Movie Player
2007-03-25 04:38:55 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-03-25 04:38:55 -------- d-----w C:\Program Files\Full Tilt Poker
2007-03-25 04:30:09 -------- d-----w C:\Program Files\Incomplete
2007-03-25 04:27:21 -------- d-----w C:\Program Files\LimeWire
2007-03-25 03:57:04 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\LimeWire
2007-03-05 22:06:23 -------- d-----w C:\Program Files\PokerStars
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}=C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll [2007-03-29 10:31]
{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}=C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll [2006-01-10 12:09]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 04:23]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29]
{bf00e119-21a3-4fd1-b178-3b8537e75c92}=C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll [2006-12-11 18:46]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"SoundMan"="SOUNDMAN.EXE"
"AlcWzrd"="ALCWZRD.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"PrevxOne"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 C:\WINDOWS\system32\HdAShCut.exe])
"SoundMan"="SOUNDMAN.EXE" [])
"AlcWzrd"="ALCWZRD.EXE" [])
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-27 19:11]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-09-26 10:49]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-14 16:09]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-24 09:10]
"PrevxOne"="C:\Program Files\Prevx1\PXConsole.exe" [2007-03-27 11:16]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2006-07-29 19:34]
"Steam"="c:\program files\steam\steam.exe" [2007-01-08 19:25]
"eMuleAutoStart"="C:\Program Files\eMule\emule.exe" [2006-09-14 10:15]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Steam"="\"c:\\program files\\steam\\steam.exe\" -silent"
"eMuleAutoStart"="C:\\Program Files\\eMule\\emule.exe -AutoStart"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoVisualStyleChoice"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=dword:00000001
"NoSaveSettings"=dword:00000000
"NoSMConfigurePrograms"=dword:00000001
"NoRecentDocsMenu"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001
"NoChangeKeyboardNavigationIndicators"=dword:00000000
"NoSharedDocuments"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0
Security Packages kerberosmsv1_0schannelwdigest
Notification Packages scecli
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter
LocalService AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV
NetworkService DnsCache
DcomLaunch DcomLaunchTermService
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService
Usnsvc usnsvc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{732da908-4d50-11db-a548-00112f2f07c9}]
Shell\AutoRun\command M:\LaunchU3.exe
~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
backup-20070512-155154-898
O2 - BHO: Seekmo Search Assistant Helper /fleok=1D8A83A5C4E5147C9EAB6D2A1FBB39BFE4976E26CAEDDA7D5474452C3FCEC3 - {5929CD6E-2062-44a4-B2C5-2C7E78FBAB38} - c:\program files\seekmo\seekmohook.dll (file missing)
backup-20070512-155154-753
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
backup-20070512-155154-533
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
backup-20070512-155154-928
O4 - HKCU\..\Run: [udz7e3iqlkel] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe
backup-20070510-155113-807
O4 - HKLM\..\RunOnce: [SeekmoToolbar] cmd /c "rmdir "C:\Program Files\SeekmoToolbar" /s /q"
backup-20070510-155027-371
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
backup-20070510-155015-765
O4 - HKLM\..\Run: [seekmo] "c:\program files\seekmo\seekmo.exe"
backup-20070510-155015-910
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
backup-20070510-152700-110
O3 - Toolbar: Seekmo Toolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\SeekmoToolbar\Bin\4.8.4.0\SkHostIE.dll
backup-20070510-152700-965
O3 - Toolbar: Starware Recipe Toolbar - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware337\bin\Starware337.dll
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net (http://\"http://www.gmer.net\")
Rootkit scan 2007-05-13 18:50:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 2007-05-13 18:51:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-13 18:51
And after that, prevx found a malware called swsc.exe
Post by: guestolo on May 14, 2007, 09:50:02 PM
Can you let me know how things are running
Do you have restrictions on your account to not allow change from Windows XP theme to Classic theme
OR
Not to be able to share files on network
Quote
And after that, prevx found a malware called swsc.exeNot to worry, it's a false positive, it's just from a tool that we used
Post by: mikey6969 on May 17, 2007, 03:32:16 PM
Can you let me know how things are running
Do you have restrictions on your account to not allow change from Windows XP theme to Classic theme
OR
Not to be able to share files on network
Not to worry, it's a false positive, it's just from a tool that we used[/quote]
Nope! Everything seems A'ok guestolo! Hopefully I can gain the knowledge to do this on my own sooner or later !
/biggrin.gif\' class=\'bbc_emoticon\' alt=\':D\' /> Thanks!
Post by: guestolo on May 22, 2007, 07:26:26 PM
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />