Author Topic: trojan horse collected.5.l

nitewolf

  • Guest
trojan horse collected.5.l
« on: June 19, 2005, 02:11:42 PM »
Hey people, I just bought a PC from my mate, but when I bought it, the PC had this msdirect.sys virus on it. I have AVG Free, Spybot S&D, Ad-Aware, Armor2net firewall, Microsoft AntiSpyware, CWShredder, but nothing seems to get rid of this virus. Here is a copy of my log; I hope that will help, but I really really need help please, ASAP. Not only that, it's making my PC slow down a lot, so any type of help will be appreciated. Thank you people, I hope this is enough information for you to help me.

Logfile of HijackThis v1.99.1
Scan saved at 19:58:46, on 19/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Armor2net\Armor2net Personal Firewall\armor2net.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\System32\rmctrl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\sysmon32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Kyle\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.homecallbroadband.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.startsearches.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.startsearches.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.startsearches.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.homecall.co.uk/
F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
F2 - REG:system.ini: UserInit=userinit.exe,setup32.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: A2NPopUpKiller Class - {8A321C7D-9CED-45A8-870D-DAE843A45FD0} - C:\Program Files\Armor2net\Armor2net Personal Firewall\PopUpKiller.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\System32\rmctrl.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [RegistryMechanic] C:\Documents and Settings\Kyle\Desktop\dc++\Registry Mechanic v4.0.0.100 + CRACK\Crack\RegMech.exe /QS
O4 - HKLM\..\Run: [Microsoftf DDEs Control] wees.exe
O4 - HKLM\..\Run: [KYK Control Settings] KYSVCXD.EXE
O4 - HKLM\..\Run: [Ad-watch] C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] scvhost.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] systeminfos.exe
O4 - HKLM\..\Run: [Required Service Drivers] micront.exe
O4 - HKLM\..\Run: [Internet Services] interserv.exe
O4 - HKLM\..\Run: [Internet2 Optimizer] wkfix.exe
O4 - HKLM\..\Run: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKLM\..\Run: [System Event Manager] secsvc.exe
O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] scvhost.exe
O4 - HKLM\..\RunServices: [sysPersonalFirewall] msnmssgr.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] systeminfos.exe
O4 - HKLM\..\RunServices: [Required Service Drivers] micront.exe
O4 - HKLM\..\RunServices: [Internet Services] interserv.exe
O4 - HKLM\..\RunServices: [Internet2 Optimizer] wkfix.exe
O4 - HKLM\..\RunServices: [Win Drivers SSL] TASKMAN4.exe
O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] wees.exe
O4 - HKLM\..\RunServices: [KYK Control Settings] KYSVCXD.EXE
O4 - HKLM\..\RunServices: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKLM\..\RunServices: [System Event Manager] secsvc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [KYK Control Settings] KYSVCXD.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] scvhost.exe
O4 - HKCU\..\Run: [Compaq Service Drivers] systeminfos.exe
O4 - HKCU\..\Run: [Required Service Drivers] micront.exe
O4 - HKCU\..\Run: [Internet Services] interserv.exe
O4 - HKCU\..\Run: [Internet2 Optimizer] wkfix.exe
O4 - HKCU\..\Run: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKCU\..\RunServices: [Required Service Drivers] micront.exe
O4 - HKCU\..\RunServices: [Internet Services] interserv.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] systeminfos.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1116252633637
O17 - HKLM\System\CCS\Services\Tcpip\..\{E924F205-55DD-41AD-8D54-4873AB1FC5F5}: NameServer = 212.74.114.129 212.74.114.193
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\System32\SCardClnt.exe (file missing)
O23 - Service: Sound Sservice Driver  (Sound Service) - Unknown owner - C:\WINDOWS\System32\cfmon.exe (file missing)

nitewolf

  • Guest
trojan horse collected.5.l
« Reply #1 on: June 20, 2005, 05:07:51 PM »
Please could someone help me? This worm or whatever it is is really getting bad. Now it pops up about every 3 minutes and then I can't do anything, so please please please help me.

BeavisQ

  • Guest
trojan horse collected.5.l
« Reply #2 on: June 24, 2005, 06:22:08 PM »
The file on your machine "systeminfos.exe" is the culprit. You might find that "Ctrl+Alt+Delete" to bring up Task Manager doesn't work, and your antivirus or firewall is also not working correctly. Go into your "C:\windows\system32" folder. Using your folder options, tick the box "show hidden files" and untick the box "hide extensions for known file types". Find the systeminfos.exe file and change its extension to .txt, so "systeminfos.exe" BECOMES "systeminfos.txt". As the process is running and protecting itself, you won't be able to delete it until you restart the computer. You won't do any damage doing it that way. You can clear up the registry afterwards. THE "systeminfos.exe" DOES NOT SHOW AS A VIRUS USING MY ANTIVIRUS SOFTWARE, BUT ONCE EXECUTED, ITS "OFFSPRING" IS DETECTED.
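A defender's triage pass over a HijackThis log, added here as an example and not part of this thread or of HijackThis itself: it pulls the O4 Run/RunServices and F2 system.ini entries out of the log format shown above and flags binaries that carry no path or imitate a genuine Windows name (scvhost vs svchost), which is the kind of entry BeavisQ singles out with systeminfos.exe. The log excerpt is a constructed subset of the posted log, and the LEGIT name list and the one-edit look-alike heuristic are assumptions of this example.

```python
import ntpath
import re
# Constructed excerpt of the HijackThis log posted above (same line formats, far fewer lines).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] scvhost.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] systeminfos.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
F2 - REG:system.ini: UserInit=userinit.exe,setup32.exe
"""
# Genuine Windows XP binaries whose names malware commonly imitates (assumed list for this example).
LEGIT = {"svchost.exe", "taskmgr.exe", "ctfmon.exe", "lsass.exe", "services.exe",
         "smss.exe", "winlogon.exe", "explorer.exe", "userinit.exe", "spoolsv.exe"}
EXPECTED_F2 = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}  # the only legitimate values
O4_RE = re.compile(r"^O4 - (\S+): \[(.*?)\] (.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")

def looks_like(name, legit):
    """True if name is one substitution, insertion, deletion or adjacent swap away from legit."""
    if name == legit:
        return False
    if any(name[:i] + name[i + 1] + name[i] + name[i + 2:] == legit for i in range(len(name) - 1)):
        return True
    if len(name) == len(legit):
        return sum(a != b for a, b in zip(name, legit)) == 1
    longer, shorter = sorted((name, legit), key=len, reverse=True)
    return len(longer) - len(shorter) == 1 and any(
        longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def triage(log_text):
    """Return (binary, reason) pairs for O4/F2 autostart entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        if m := O4_RE.match(line):
            cmd = m.group(3)
            # Program part of the command: a quoted path, or the first whitespace-delimited token.
            prog = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split()[0]
            base = ntpath.basename(prog).lower()
            reasons = [f"name imitates {l}" for l in sorted(LEGIT) if looks_like(base, l)]
            if not ntpath.dirname(prog):  # bare filename: resolved via the search path, owner unknown
                reasons.append("no path in Run value")
            if reasons:
                findings.append((base, f"{m.group(1)} [{m.group(2)}]: " + "; ".join(reasons)))
        elif m := F2_RE.match(line):
            for tok in re.split(r"[ ,]+", m.group(2).strip()):
                if ntpath.basename(tok).lower() != EXPECTED_F2[m.group(1)]:
                    findings.append((tok.lower(), f"extra binary hooked into system.ini {m.group(1)}="))
    return findings
```

Running `triage(SAMPLE_LOG)` flags taskmngr.exe, scvhost.exe, systeminfos.exe, sysmon32.exe and setup32.exe while the fully-pathed ctfmon.exe passes; a flag is a prompt to verify the file's owner and signature, not a conviction on its own.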

BEAVISQ

  • Guest
trojan horse collected.5.l
« Reply #3 on: June 24, 2005, 06:23:24 PM »
[quote name='BeavisQ' date='Jun 24 2005, 05:22 PM']The file on your machine "systeminfos.exe" is the culprit. You might find that "Ctrl+Alt+Delete" to bring up Task Manager doesn't work, and your antivirus or firewall is also not working correctly. Go into your "C:\windows\system32" folder. Using your folder options, tick the box "show hidden files" and untick the box "hide extensions for known file types". Find the systeminfos.exe file and change its extension to .txt, so "systeminfos.exe" BECOMES "systeminfos.txt". As the process is running and protecting itself, you won't be able to delete it until you restart the computer. You won't do any damage doing it that way. You can clear up the registry afterwards. THE "systeminfos.exe" DOES NOT SHOW AS A VIRUS USING MY ANTIVIRUS SOFTWARE, BUT ONCE EXECUTED, ITS "OFFSPRING" IS DETECTED.
[/quote]

UNITED KINGDOM OF GREAT BRITAIN

ALan

  • Guest