I am here again



mightyuselessone
2007-08-21, 05:53
Hey guys,

Unfortunately I am back once again. I have no idea why this is here again (CONINE.INI). This is really disturbing to me. The only use this computer gets is a game called Conquer Online, e-mail checking, and our son playing at Nick games and other children's sites. No real surfing, no porn, and we have not downloaded any music in some time. I don't know if this is a left-over from the last time I posted or a new infection, but I would like to get to the bottom of it.

Thanking you in advance,
mightyuselessone



Virus scan finished. 1 virus found.
Scan Results: 24670 files scanned. 1 virus was detected.

File Infection Status Path
CONINE.INI Win32/HacDef!INI infected C:\WINNT\system32\dllcache\



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:07, on 2007-08-20
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\ZoneAlarm\zlclient.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159897217328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159897265265
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 5411 bytes


Previous topic: http://forums.spybot.info/showthread.php?p=110582

pskelley
2007-08-25, 15:39
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

It seems you post more than I do, and Mr_JAk3 sent you home with a clean computer on 8/10/2007? He also posted information to help you avoid infections; did you review and use that information?

You may have a rootkit infection? Let's proceed like this:

1) TeaTimer <<< turn off TeaTimer until you finish:
http://russelltexas.com/malware/teatimer.htm

2) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

3) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks

mightyuselessone
2007-08-25, 17:47
ComboFix 07-08-25.2 - "Administrator" 2007-08-24 23:55:03.4 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.669 [GMT -6:00]


((((((((((((((((((((((((( Files Created from 2007-07-25 to 2007-08-25 )))))))))))))))))))))))))))))))


2007-08-24 23:55 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_31c.dat
2007-08-23 12:58 <DIR> d-------- C:\Program Files\Messenger
2007-08-23 12:15 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InstallShield
2007-08-23 11:47 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\DMCache
2007-08-22 09:07 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-08-20 20:26 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-20 15:36 64,512 --a------ C:\WINNT\system32\PTPITCP.dll
2007-08-20 15:36 307,200 --a------ C:\WINNT\system32\KPDPM.dll
2007-08-20 15:36 229,376 --a------ C:\WINNT\system32\KPDPMUI.dll
2007-08-20 15:36 <DIR> d-------- C:\WINNT\Downloaded Installations
2007-08-20 15:35 <DIR> d-------- C:\WINNT\system32\BWKDLogs
2007-08-20 15:34 <DIR> d-------- C:\Program Files\Common Files\Kodak
2007-08-20 15:33 <DIR> d-------- C:\WINNT\system32\color
2007-08-20 15:33 <DIR> d-------- C:\KPCMS
2007-08-20 15:32 <DIR> d-------- C:\Program Files\Kodak
2007-08-20 15:32 <DIR> d-------- C:\Program Files\Common Files\MSSoap
2007-08-20 15:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak
2007-08-08 18:26 1,156 --a------ C:\WINNT\mozver.dat
2007-08-08 15:16 0 --a------ C:\WINNT\nsreg.dat
2007-08-06 14:56 75,932 --a------ C:\WINNT\system32\drivers\klick.dat
2007-08-06 14:56 75,248 --a------ C:\WINNT\zllsputility.exe
2007-08-06 14:56 74,396 --a------ C:\WINNT\system32\drivers\klin.dat
2007-08-06 14:56 24,608 --ahs---- C:\WINNT\system32\drivers\fidbox.dat
2007-08-06 14:56 110,360 --a------ C:\WINNT\system32\drivers\kl1.sys
2007-08-06 14:56 1,824 --ahs---- C:\WINNT\system32\drivers\fidbox2.dat
2007-08-06 14:56 1,086,952 --a------ C:\WINNT\system32\zpeng24.dll
2007-08-06 14:56 <DIR> d-------- C:\WINNT\system32\ZoneLabs
2007-08-03 20:46 11,264 --a------ C:\WINNT\system32\SpOrder.dll
2007-08-03 20:46 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-08-02 13:52 <DIR> d-------- C:\WINNT\ERUNT
2007-08-01 23:27 <DIR> d--hs---- C:\WINNT\system32\inf
2007-07-30 20:21 279,552 --a------ C:\WINNT\swreg.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

07-08-24 20:06 --------- d-------- C:\Program Files\SpywareBlaster
07-08-24 20:01 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
07-08-23 12:58 --------- d-------- C:\Program Files\MSN Messenger
07-08-20 15:37 --------- d--h----- C:\Program Files\InstallShield Installation Information
07-08-20 15:36 --------- d-------- C:\Program Files\Common Files\InstallShield
07-08-07 00:12 --------- d-------- C:\Program Files\Soulseek
07-08-06 15:00 2408 --ahs---- C:\WINNT\system32\drivers\fidbox.idx
07-08-06 15:00 2288 --ahs---- C:\WINNT\system32\drivers\fidbox2.idx
07-08-06 14:46 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
07-08-01 23:38 27 --a------ C:\Program Files\paramstr.txt
07-07-30 21:24 --------- d-------- C:\Program Files\CCleaner
07-07-23 12:30 124416 --a------ C:\WINNT\swsc.exe
07-07-19 15:26 --------- d-------- C:\Program Files\Online Services
07-07-03 16:48 92944 --------- C:\WINNT\system32\services.exe
07-06-26 15:27 235280 --a------ C:\WINNT\system32\GDI32.DLL
07-06-17 00:11 51200 --a------ C:\WINNT\nircmd.exe
07-06-13 19:45 2368 --a------ C:\WINNT\system32\SVKP.sys
07-06-07 12:20 1119232 --a------ C:\WINNT\system32\msxml3.dll
06-10-02 20:01 271 ---h----- C:\Program Files\desktop.ini
06-10-02 20:01 21952 ---h----- C:\Program Files\folder.htt
03-07-04 06:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-07-04 06:00 C:\WINNT\system32\mobsync.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [07-08-16 22:27 ]
"ZoneAlarm Client"="D:\Program Files\ZoneAlarm\zlclient.exe" [07-06-21 21:54 ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07-07-12 04:00 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [05-05-31 00:04 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys
R1 DcCam;Kodak Camera Proxy;C:\WINNT\system32\DRIVERS\DcCam.sys
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINNT\system32\drivers\dcfs2k.sys
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys
S1 Exportit;Exportit;C:\WINNT\system32\DRIVERS\exportit.sys
S3 DcFpoint;DcFpoint;C:\WINNT\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINNT\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINNT\system32\DRIVERS\DcPTP.sys
S3 moufiltr;Mouse Filter Driver;C:\WINNT\system32\DRIVERS\moufiltr.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-25 00:00:36
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-08-25 0:03:07

--- E O F ---

3D Groove Playback Engine
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Shockwave Player
ATI Display Driver
AVG Free Edition
Bonjour
CCleaner (remove only)
CCScore
Conquer 2.0
Digital Camera Driver
Diskeeper Lite
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
Foxit Reader
HijackThis 2.0.2
HLPPDOCK
Hotfix for MDAC 2.53 (KB911562)
Hotfix for MDAC 2.53 (KB927779)
Java(TM) 6 Update 2
kgcbase
Kodak EasyShare software
KSU
Mozilla Firefox (2.0.0.6)
MSN Messenger 7.0
Notifier
OfotoXMI
OTtBP
OTtBPSDK
Realtek AC'97 Audio
SFR
SHASTA
SKIN0001
SKINXSDK
SoulSeek Client 156c
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
staticcr
Update Rollup 1 for Windows 2000 SP4
VIA Rhine-Family Fast Ethernet Adapter
Virtools 3D Life Player
VPRINTOL
Windows Media Player Hotfix [See Q828026 for more information]
Windows Media Player system update (9 Series)
WinZip 11.1
WIRELESS
World of Warcraft
ZoneAlarm

pskelley
2007-08-25, 17:58
No problems there that I can see, run a Kaspersky scan to see what it finds:


Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings, make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

mightyuselessone
2007-08-25, 18:08
Well hello, and yeah, it seems that I am posting a lot. But I can't help it. Unfortunately, I have read and implemented all the things that Mr_JAk3 asked of me. I am running Firefox now, installed a firewall, the system is not used for surfing porn or downloading music (well, the music hasn't been for 3+ months), I also downloaded and ran the hosts file list that he gave me the link to, use SpywareBlaster, Spybot TeaTimer and run AVG (all updated daily). The only one that I don't do is ATF Cleaner; I use CCleaner. So I am at a loss, maybe there is something that I am overlooking.

Hope to hear from you soon.
(I am off work for some time with an injury, so I am able to look at this at just about any time; expect quick responses.)
mightyuselessone

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:53, on 2007-08-25
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159897217328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159897265265
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4730 bytes

pskelley
2007-08-25, 18:20
Thanks... nothing has changed. Read my last post and run the Kaspersky scan, then post the results.

Thanks
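Comparing the two HijackThis logs in this thread by eye is error-prone, so here is an added Python example (mine, not part of the thread or of HijackThis) that parses a log into its process list and its tagged entries (R0, O2, O4, O16, O23 and so on) and reports what appeared or disappeared between two scans. The two embedded logs are constructed excerpts of the 2007-08-20 and 2007-08-25 logs posted above, not the full logs.

```python
"""Compare two HijackThis logs section by section.

Added example, not part of the forum thread or of HijackThis itself.
A HijackThis log lists running processes after "Running processes:" and
then one entry per line tagged with its section (R0/R1 = IE settings,
O2 = BHOs, O4 = autostarts, O16 = downloaded ActiveX, O23 = services ...).
Keying on that tag lets us say which autostart, BHO or service lines
appeared or vanished between two scans instead of eyeballing 60 lines.
"""
import re
from collections import defaultdict

# "O4 - HKLM\..\Run: [...]" -> tag "O4", body "HKLM\..\Run: [...]"
ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")

# Constructed excerpts of the two logs posted in the thread (not complete).
LOG_2007_08_20 = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:07, on 2007-08-20

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\ZoneAlarm\zlclient.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

LOG_2007_08_25 = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:53, on 2007-08-25

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\cisvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\ZoneAlarm\zlclient.exe"
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""


def parse_hjt(text):
    """Return (processes, entries): a set of process paths and a dict
    mapping section tag -> set of entry bodies."""
    processes = set()
    entries = defaultdict(set)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False        # a blank line closes the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)].add(m.group(2))
        elif in_processes:
            processes.add(line)
    return processes, dict(entries)


def diff_hjt(old_log, new_log):
    """Report processes and tagged entries added or removed from old to new."""
    old_p, old_e = parse_hjt(old_log)
    new_p, new_e = parse_hjt(new_log)
    tags = set(old_e) | set(new_e)
    added = {t: sorted(new_e.get(t, set()) - old_e.get(t, set())) for t in tags}
    removed = {t: sorted(old_e.get(t, set()) - new_e.get(t, set())) for t in tags}
    return {
        "processes_added": sorted(new_p - old_p),
        "processes_removed": sorted(old_p - new_p),
        "entries_added": {t: v for t, v in added.items() if v},
        "entries_removed": {t: v for t, v in removed.items() if v},
    }


if __name__ == "__main__":
    report = diff_hjt(LOG_2007_08_20, LOG_2007_08_25)
    for key, value in report.items():
        print(key)
        items = value.items() if isinstance(value, dict) else [(None, value)]
        for tag, lines in items:
            for line in lines:
                print("   ", f"{tag} - {line}" if tag else line)
```

Running processes come and go between scans, so the tagged entries (autostarts, BHOs, services) are the part of the report worth reading closely.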

mightyuselessone
2007-08-25, 20:48
Here you go, the log from Kaspersky. Is there a reason all these items are locked?

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-08-25 12:38
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 25/08/2007
Kaspersky Anti-Virus database records: 365662
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 26059
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:57:04

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007082520070826\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\THEBIGBA-E2C4A7.ldb Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\drivers\fidbox.dat Object is locked skipped
C:\WINNT\system32\drivers\fidbox.idx Object is locked skipped
C:\WINNT\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINNT\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_31c.dat Object is locked skipped
C:\WINNT\temp\ZLT03545.TMP Object is locked skipped
C:\WINNT\temp\ZLT0356f.TMP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
D:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
D:\System Volume Information\catalog.wci\00010005.ci Object is locked skipped
D:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
D:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
D:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
D:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
D:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped

Scan process completed.

pskelley
2007-08-25, 21:02
The only ones we are concerned with as far as malware goes are not locked and your computer is scanning clean.

Before we run System File Checker, let's check that file you reported to see if it is infected.

These are the scanners you can use; use one or more until you get results to post.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

You will probably need to show all files and folders to see the file: Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Here is the file you want to scan:

C:\WINNT\system32\dllcache\CONINE.INI

I do not have that file on my computer with Windows XP but it may belong to a program you run and I do not.

This is important...I can only depend on the information you provide me and this is what you posted:

File Infection Status Path
CONINE.INI Win32/HacDef!INI infected C:\WINNT\system32\dllcache\

If you did not spell that file correctly you may not find it. If you did and it is there, scan it to find out whether it is infected or not, and post that information for me.

Thanks

mightyuselessone
2007-08-25, 21:54
Here are the results from all 3 of the scan links you sent me. I hope this helps to determine whether or not I am infected. All I know is that my system has been right bogged down and hardly moves at times. As you can see I am not running a top-of-the-line machine, but it is not a piece of crap either. I cannot access Add/Remove Programs, nor will it access Internet update (automatic or not); I need to go and find updates and manually download them.

Virus Total
File CONINE.INI received on 08.25.2007 20:42:47 (CET)
Result: 5/32 (15.63%)

Antivirus Version Last Update Result
AhnLab-V3 2007.8.25.0 2007.08.24 -
AntiVir 7.4.1.63 2007.08.25 -
Authentium 4.93.8 2007.08.25 -
Avast 4.7.1029.0 2007.08.25 -
AVG 7.5.0.484 2007.08.25 -
BitDefender 7.2 2007.08.25 Generic.Hacdef.INI.69CA5102
CAT-QuickHeal 9.00 2007.08.25 -
ClamAV 0.91 2007.08.25 -
DrWeb 4.33 2007.08.25 -
eSafe 7.0.15.0 2007.08.23 -
eTrust-Vet 31.1.5085 2007.08.24 Win32/HacDef!INI
Ewido 4.0 2007.08.25 -
FileAdvisor 1 2007.08.25 -
Fortinet 2.91.0.0 2007.08.25 -
F-Prot 4.3.2.48 2007.08.25 -
F-Secure 6.70.13030.0 2007.08.24 -
Ikarus T3.1.1.12 2007.08.25 -
Kaspersky 4.0.2.24 2007.08.25 -
McAfee 5105 2007.08.24 HackerDefender.ini
Microsoft 1.2803 2007.08.25 -
NOD32v2 2484 2007.08.25 -
Norman 5.80.02 2007.08.24 -
Panda 9.0.0.4 2007.08.25 Bck/Hacdef.gen
Prevx1 V2 2007.08.25 -
Rising 19.37.42.00 2007.08.24 -
Sophos 4.21.0 2007.08.25 -
Sunbelt 2.2.907.0 2007.08.25 -
Symantec 10 2007.08.25 -
TheHacker 6.1.8.172 2007.08.25 Trojan/HackerDefender.INI
VBA32 3.12.2.3 2007.08.24 -
VirusBuster 4.3.26:9 2007.08.25 -
Webwasher-Gateway 6.0.1 2007.08.25 -


You're clean!

Kaspersky Anti-Virus has not detected any viruses at this time in the file you submitted.


Scanned file: CONINE.INI

Statistics:
Known viruses: 389807 Updated: 25-08-2007
File size (Kb): 2 Virus bodies: 0
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1
File: CONINE.INI
Status:
INFECTED/MALWARE
MD5: 6ca84e3cd8b1b825d2f08d12752e33f0
Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 25 Aug 2007 18:37:16 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Generic.Hacdef.INI.69CA5102
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found Bck/Hacdef.gen
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
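
The three reports above disagree: five of the 32 VirusTotal engines and two of the 20 at Jotti name the file, while Kaspersky on its own says clean. Below is an added example, not from the thread or from any of the scan services, of how a responder aggregates such results rather than trusting whichever single engine answered last: it parses VirusTotal-style rows (a constructed subset copied from the table above), folds the different vendor names for the same family into one label, and only calls a consensus when at least two engines agree. The alias table, the regex for the row layout and the two-engine threshold are my own assumptions.

```python
"""Aggregate multi-engine scan results for one file.

Added example for this thread, not from the original posts or from
VirusTotal. The row layout regex, the family alias table and the
two-engine consensus rule are assumptions made for illustration.
"""
import re
from collections import Counter

# Constructed sample: a subset of the engine rows posted above for CONINE.INI.
# Layout: engine  version  last-update  result ("-" means no detection).
SAMPLE_RESULTS = """\
AhnLab-V3 2007.8.25.0 2007.08.24 -
AVG 7.5.0.484 2007.08.25 -
BitDefender 7.2 2007.08.25 Generic.Hacdef.INI.69CA5102
eTrust-Vet 31.1.5085 2007.08.24 Win32/HacDef!INI
Kaspersky 4.0.2.24 2007.08.25 -
McAfee 5105 2007.08.24 HackerDefender.ini
Microsoft 1.2803 2007.08.25 -
Panda 9.0.0.4 2007.08.25 Bck/Hacdef.gen
Symantec 10 2007.08.25 -
TheHacker 6.1.8.172 2007.08.25 Trojan/HackerDefender.INI
VirusBuster 4.3.26:9 2007.08.25 -
"""

# Vendors name the same family differently; map known substrings to one label.
# Assumed alias table; extend it as you meet new spellings.
FAMILY_ALIASES = {
    "hackerdefender": "HackerDefender",
    "hacdef": "HackerDefender",
    "hxdef": "HackerDefender",
}

# Engine, version and update date contain no spaces; the result may.
ROW_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.*)$"
)


def parse_rows(text):
    """Return a list of (engine, detection_or_None) from the pasted table."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line, blank line or page residue
        result = m.group("result").strip()
        rows.append((m.group("engine"), None if result in ("-", "") else result))
    return rows


def family_of(detection):
    """Normalise a vendor detection name to a family label."""
    lowered = detection.lower()
    for alias, family in FAMILY_ALIASES.items():
        if alias in lowered:
            return family
    return "unclassified"


def verdict(rows, agree_threshold=2):
    """Summarise the rows; a family named by >= agree_threshold engines is a consensus."""
    hits = [(engine, det) for engine, det in rows if det]
    families = Counter(family_of(det) for _, det in hits)
    consensus = [f for f, n in families.most_common()
                 if n >= agree_threshold and f != "unclassified"]
    if consensus:
        action = "treat as malicious: " + ", ".join(consensus)
    elif hits:
        action = "single-engine or unnamed hits: submit the file for analysis"
    else:
        action = "no engine flagged it (absence of a hit is not proof it is clean)"
    return {
        "engines": len(rows),
        "detections": len(hits),
        "families": dict(families),
        "consensus": consensus,
        "action": action,
    }


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_RESULTS)
    summary = verdict(rows)
    print(f"{summary['detections']} of {summary['engines']} engines flagged the file")
    for engine, det in rows:
        if det:
            print(f"  {engine:<12} {det:<32} -> {family_of(det)}")
    print(summary["action"])
```

On the full table above the same logic yields 5 of 32 engines, all naming HackerDefender, which is a consensus; the one "You're clean!" from a single engine carries no weight against that.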

pskelley
2007-08-25, 22:17
here are the results from all 3 of the scan links you sent me; I hope this helps to determine whether or not I am infected. All I know is that my system has been right bogged down and hardly moves at times. As you can see I am not running a top of the line machine, but it is not a piece of crap either. I cannot access Add/Remove Programs, nor will it access internet update (automatic or not); I need to go and find updates and manually download them.

Let me first say I went back and read what you posted so far, and you never once mentioned any of this information I have posted above as your quote???

This tool is supposed to remove this rootkit infection, let's see what happens. Please follow the instructions carefully:

Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

After you post that information, I would like you to go here: http://www.pcpitstop.com/
Run the free diagnostic (you will need to register free for them to save your information) then post the link from results of the report in this topic.

Thanks

mightyuselessone
2007-08-25, 23:40
Sorry for not mentioning all the problems right off; I get a little sidetracked sometimes. I will try to keep my mind a little more focused on the issues with the system. I have also noticed that it seems to take forever for the system to bring up AVG, TeaTimer and ZoneAlarm when the system starts up.

SDFix: Version 1.100

Run by Administrator on Sat 2007-08-25 at 14:39

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\DOCUME~1\ADMINI~1\Desktop\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Remaining Files:
---------------


Files with Hidden Attributes:

C:\Program Files\Common Files\Microsoft Shared\MSInfo\_winsys.exe
C:\Program Files\Outlook Express\MSIMN.EXE

Finished

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:32, on 2007-08-25
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159897217328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159897265265
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4873 bytes

mightyuselessone
2007-08-25, 23:57
posted twice

mightyuselessone
2007-08-25, 23:58
TechExpress Link <--- What is it I am to put in here? I don't know what it is (this is in the registration at PCPitstop).

pskelley
2007-08-26, 00:50
Read and follow the directions: http://www.pcpitstop.com/
Here is a tutorial: http://www.pcpitstop.com/techexpress/howto1.asp
Look to see what everyone else is doing here:
http://pcpitstop.invisionzone.com/index.php?showforum=6

mightyuselessone
2007-08-26, 07:50
http://www.pcpitstop.com/techexpress.asp?id=WKJJHW0L84VSLSEV

pskelley
2007-08-26, 13:46
Thanks, by now you should have reviewed the information you received from the diagnostic report.
You have a problem with your hard disk, it is performing very poorly and that can cause the problems you are having. Click on the word DISK near the yellow flag to see these details. I personally do not suggest purchasing products, I believe if the disk can not be defragged to where the performance is acceptable, that it should be replaced.

Unusually low performance (Drive C) <<< click this link and see this:
TIP > Unusually low disk performance

Drive C has an uncached speed of 2 megabytes per second. For comparison, systems with the same CPU and clock speed as this one have a speed of 41.26 MB/s. You should read all of the information but basically you can see how poorly your hard drive is performing.

You have adequate RAM, that is not an issue, from what I can see, the problem is the hard drive. Follow the directions under Solutions (I am not suggesting you purchase any programs) Under Performance-Related Windows Settings
I suggest you turn off Sleep/Resume policy in use <<< this feature to see if there is an improvement.

Here is some good information to help you with maintenance:
http://www.microsoft.com/technet/prodtechnol/windows2000pro/proddocs/probook/prof09.mspx

________________________________________________

You are showing Junk files 6 MB (0%) stored on the computer, let's download a tool to clean good, and remove some junk from the HJT log:

Here are links to ideas that may help improve your computers overall performance, keep in mind they all may not work on your operating system:
http://www.castlecops.com/postitle175256-0-0-.html
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/atwork/getstarted/speed.mspx?wt_svl=20292a&mg_id=20292b

Here is a link to the Windows Updates troubleshooter: http://v4.windowsupdate.microsoft.com/troubleshoot/
If you can not resolve that issue using the troubleshooter, then you need to contact Microsoft Support for help:
http://support.microsoft.com/

________________________________________________

1) Start by running System File Checker, I believe it is installed on your system: Click Start > Run, type in sfc /scannow, hit Enter.
Note: there is a space between sfc and /scannow This should replace any corrupted/missing system files. You may need your XP disc in your CD drive for this.
tutorials:
http://dwightblackburn.com/winxp/
http://www.updatexp.com/scannow-sfc.html

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Use these instructions to turn off TeaTimer, it will block changes HJT needs to make:
http://russelltexas.com/malware/teatimer.htm

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(NOT malware, just leftover junk)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post a new HJT log.

What program did you run that identified this item?

Virus scan finished. 1 virus found.
Scan Results: 24670 files scanned. 1 virus was detected.
File Infection Status Path
CONINE.INI Win32/HacDef!INI infected C:\WINNT\system32\dllcache\
I see no mention of the program that identified it. Please mention the name of that program and then run it again, post the results.

Thanks

mightyuselessone
2007-08-27, 21:15
Home > Support View my documents (0)



Virus scan finished. 1 virus found.
Scan Results: 25732 files scanned. 1 virus was detected.

File Infection Status Path
CONINE.INI Win32/HacDef!INI infected C:\WINNT\system32\dllcache\



http://www.ca.com/us/securityadvisor

These are the scan results and part of their header on that page, also a link to the page if you want it, I don't know. I will post a HJT in an hour or two; I started this then needed to go do something else. Sorry, but thank you for your patience.

pskelley
2007-08-27, 21:24
Thanks for returning the information; as a result, see this:
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=38058
Win32.HacDef is a "rootkit", sometimes called "hacker defender" or "hxdef". It acts as a backdoor that allows an intruder to control an infected system remotely, as well as hide the presence of itself and other malicious files and processes.
and you should read all of that information, I need to post this information for you:

A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to by used by the attacker for malicious purposes unknown to the user.

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Please let us know what you have decided to do in your next post.

Thanks

mightyuselessone
2007-08-28, 17:40
Well, we took your advice, as I probably should have with Mr. Jak3, and bought a new hard drive last night (groan). I think we got the OS installed OK, but we are getting pounded with ZoneAlarm warnings of things trying to access the internet: [NetBIOS Session] from 24.77.86.60 [TCP Port 20107] [TCP Flags: S]. When this comes up there are 3 or 4 that come in rapid succession, all with different IP addresses of course. Are they to be worried about, or should I allow them through? If you would like a new HJT or any scans, let me know. I plan on going and doing a few scans, being as we had to google "richard the lion heart" to get HJT; something was stopping us from downloading it, what I don't know yet (groan). Thank you for all your help thus far.
mightyuselessone

pskelley
2007-08-28, 19:08
Assuming you just installed a new Zone Alarm, outgoing requests are not as dangerous as incoming requests until you get the firewall configured. If you don't recognize what is requesting access to the internet, block it in the beginning to give you time to find out.
Use Google to see what it is: http://www.google.com/search?hl=en&q=NetBIOS+Session&btnG=Google+Search
You can also scan the IP number with various tools, here is one:
http://www.whois.sc/ >> 24.77.86.60 = http://whois.domaintools.com/24.77.86.60
Take the time to review the tutorial for Zone Alarm: Right click the Z and choose
"Restore Zone Alarm Control Center" the tutorial is to the upper right.

If you have done a reformat, you won't be infected, when you need HJT get it here:
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

That's a self-installer, just follow the prompts and it will install in the correct place.
All of your programs will be hollering about going online in the beginning; until you get control, block them. You will need to allow your ISP access, Zone Alarm and your antivirus. Most of the rest can wait until you can control ZA after you view the tutorial.

More IP lookup sites if needed.
http://www.google.com/search?hl=en&q=IP+lookup&btnG=Google+Search

Good luck...Phil
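
The alert quoted above names the local service being probed (NetBIOS Session, TCP 139) and the remote host's source port (20107); a bare SYN to 139 from a cable-modem address is the ordinary Internet-wide file-sharing probe and is exactly what the firewall should keep blocking, with no rule change needed. Below is an added example, not from the thread or from Zone Labs, that parses alerts written in the form quoted above, decides whether each was unsolicited and whether it came from the LAN or the Internet, and counts probes per source so a burst from one host stands out. The alert layout, the reading of the first bracket as the local port and the numbered port as the remote side, and the service-name to port table are all assumptions from the quoted line; the sample alerts are constructed, and only the first is the one from the post.

```python
"""Triage ZoneAlarm-style blocked-inbound alerts.

Added example for this thread, not from the original posts or from Zone
Labs. Assumed: the bracketed service at the start is the local port that
was probed, the numbered port is the remote host's source port, and the
service-name table below matches ZoneAlarm's labels.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample. The first line is the alert quoted in the post above;
# the others are made up to exercise the LAN and stray-packet cases.
SAMPLE_ALERTS = [
    "[NetBIOS Session] from 24.77.86.60 [TCP Port 20107] [TCP Flags: S]",
    "[NetBIOS Session] from 24.77.86.61 [TCP Port 4022] [TCP Flags: S]",
    "[Microsoft-DS] from 24.77.86.60 [TCP Port 20108] [TCP Flags: S]",
    "[NetBIOS Name] from 192.168.1.20 [UDP Port 137]",
    "[TCP Port 3245] from 66.102.7.99 [TCP Port 80] [TCP Flags: A]",
]

# Assumed mapping of ZoneAlarm service labels to the local port they denote.
SERVICE_PORTS = {
    "NetBIOS Name": 137,
    "NetBIOS Datagram": 138,
    "NetBIOS Session": 139,
    "Microsoft-DS": 445,
}
FILE_SHARING_PORTS = {137, 138, 139, 445}

ALERT_RE = re.compile(
    r"\[(?P<service>[^\]]+)\] from (?P<ip>[0-9.]+) "
    r"\[(?P<proto>TCP|UDP) Port (?P<rport>\d+)\]"
    r"(?: \[TCP Flags: (?P<flags>[A-Z]+)\])?"
)
# When there is no service name the label is just the local port number.
PORT_LABEL_RE = re.compile(r"^(?:TCP|UDP) Port (\d+)$")


def local_port_for(service):
    m = PORT_LABEL_RE.match(service)
    return int(m.group(1)) if m else SERVICE_PORTS.get(service)


def parse_alert(text):
    """Split one alert line into its fields; raise on anything unrecognised."""
    m = ALERT_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised alert: {text!r}")
    return {
        "service": m.group("service"),
        "local_port": local_port_for(m.group("service")),
        "remote_ip": m.group("ip"),
        "remote_port": int(m.group("rport")),
        "proto": m.group("proto"),
        "flags": m.group("flags") or "",
    }


def triage(text):
    """Classify one alert: where it came from, whether it was unsolicited, what to do."""
    a = parse_alert(text)
    ip = ipaddress.ip_address(a["remote_ip"])
    a["zone"] = "lan" if ip.is_private else "internet"
    # A bare SYN, or any UDP datagram, is a new inbound attempt nobody asked for.
    # A TCP packet without SYN is usually a late reply to a connection we closed.
    a["unsolicited"] = a["proto"] == "UDP" or a["flags"] == "S"
    if a["local_port"] in FILE_SHARING_PORTS and a["zone"] == "internet":
        a["action"] = "keep blocking: NetBIOS/SMB probe from the Internet, expected background noise"
    elif a["local_port"] in FILE_SHARING_PORTS:
        a["action"] = "review: file-sharing request from a LAN host, allow only if you share files with it"
    elif a["unsolicited"]:
        a["action"] = "keep blocking: unsolicited inbound connection"
    else:
        a["action"] = "ignore: stray packet from an earlier connection"
    return a


def summarise(alerts):
    """Count unsolicited attempts per remote host so a burst from one source stands out."""
    by_source = Counter()
    for text in alerts:
        a = triage(text)
        if a["unsolicited"]:
            by_source[a["remote_ip"]] += 1
    return by_source


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        a = triage(line)
        print(f"{a['remote_ip']:<15} -> local {a['proto']}/{a['local_port']}  {a['action']}")
    print("unsolicited attempts per source:", dict(summarise(SAMPLE_ALERTS)))
```

The check that matters for the probes in the post is the second-to-last branch never being reached for them: 139 and 445 from a public address are background noise, and the right response is to confirm File and Printer Sharing is not bound to the Internet-facing adapter and leave the block in place, not to look up each source.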

mightyuselessone
2007-08-28, 21:38
Hi, you are just going to love me LOL. Yes, I did just do a fresh install on a brand new HD and I should not be infected, but....

Well, look for yourself (groan). Here are Kaspersky and HJT.
The 3 O17 entries on HJT are really troublesome to me; are they really Lop?

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, August 28, 2007 11:10:04 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 28/08/2007
Kaspersky Anti-Virus database records: 394397
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 13630
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:08:29

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\7MVQFKE7\dual[1].jpg Infected: not-a-virus:Dialer.Win32.Agent.b skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\USM7QP0Q\dual[1].jpg Infected: not-a-virus:Dialer.Win32.Agent.b skipped
C:\Documents and Settings\Ogre_Family\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ogre_Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ogre_Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ogre_Family\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ogre_Family\Local Settings\History\History.IE5\MSHist012007082820070829\index.dat Object is locked skipped
C:\Documents and Settings\Ogre_Family\Local Settings\Temp\~DF720.tmp Object is locked skipped
C:\Documents and Settings\Ogre_Family\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ogre_Family\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ogre_Family\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\delsim\del.exe Infected: not-a-virus:Dialer.Win32.Agent.b skipped
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\MailBuddy.log Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\imsDebug.log Object is locked skipped
C:\WINNT\Internet Logs\OGRE-M4U5AONIU6.ldb Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{A9DA51B4-7EFE-4A9D-A7DA-70D7345D5E92}.bin Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\o Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\WINNT\Temp\ZLT06a05.TMP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 11:10:47 AM, on 28/08/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Ogre_Family\Desktop\TeaTimer.exe
C:\Documents and Settings\Ogre_Family\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw Internet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188275347500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188282330906
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ,wp.shawcable.net,nr.wp.shawcable.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ,wp.shawcable.net,nr.wp.shawcable.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ,wp.shawcable.net,nr.wp.shawcable.net
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINNT\System32\ZoneLabs\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

pskelley
2007-08-28, 21:57
the 3 O17 entries on HJT are really troublesome to me are they really lop?
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ,wp.shawcable.net,nr.wp.shawcable.net
All three are for http://www.robtex.com/dns/wp.shawcable.net.html

I have no idea how you could get infected this fast? Maybe you should not go online?

KASPERSKY ONLINE SCANNER REPORT
Tuesday, August 28, 2007 11:10:04 AM
Number of infected objects: 4

Delete the complete contents of the folder in RED
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\7MVQFKE7\dual[1].jpg Infected: not-a-virus:Dialer.Win32.Agent.b skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\USM7QP0Q\dual[1].jpg Infected: not-a-virus:Dialer.Win32.Agent.b skipped

This is a dialer, delete the folder in RED
C:\Program Files\Common Files\delsim\del.exe Infected: not-a-virus:Dialer.Win32.Agent.b skipped

This is a trojan downloader, delete the folder in RED
C:\WINNT\system32\o Infected: Trojan-Downloader.BAT.Ftp.ab skipped

If any of those give you problems, boot into Safe Mode and delete then there:
http://spyware-free.us/tutorials/safemode/

You may need to enable hidden files and folders to see them:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

This is how easy it is to get infected:
http://www.theregister.com/2007/05/11/google_malware_map/
http://redtape.msnbc.com/2007/05/the_next_net_th.html

You need to read this information about how to stay safe online:
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
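
Most lines in the Kaspersky report above read "Object is locked skipped": files held open by the OS or by AVG, not findings. The four real detections are the ones carrying "Infected:", and the reply above picks them out by hand. Below is an added example, not from the thread or from Kaspersky, that does the same separation programmatically: it keeps only the detection lines, splits Kaspersky's not-a-virus: riskware names (the dialer) from malware names (the trojan downloader), checks the count against the report's own statistics line, and lists the containing folders. The sample is a constructed excerpt of the report posted above; the riskware/malware split on the not-a-virus: prefix is my own reading of Kaspersky's naming.

```python
"""Pull the real detections out of a Kaspersky Online Scanner report.

Added example for this thread, not from the original posts or from
Kaspersky. The sample is an excerpt of the report posted above; the
riskware/malware split on the "not-a-virus:" prefix is an assumption.
"""
import ntpath
import re

# Constructed excerpt of the report posted above (locked lines trimmed).
SAMPLE_REPORT = r"""
Scan Statistics:
Total number of scanned objects: 13630
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\7MVQFKE7\dual[1].jpg Infected: not-a-virus:Dialer.Win32.Agent.b skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\USM7QP0Q\dual[1].jpg Infected: not-a-virus:Dialer.Win32.Agent.b skipped
C:\Program Files\Common Files\delsim\del.exe Infected: not-a-virus:Dialer.Win32.Agent.b skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\o Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.
"""

# Paths contain spaces, so anchor on the fixed markers rather than splitting.
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")
STAT_RE = re.compile(r"^Number of infected objects: (?P<n>\d+)$")


def parse_report(text):
    """Return (detections, locked_count, reported_count)."""
    detections, locked, reported = [], 0, None
    for line in text.splitlines():
        line = line.strip()
        m = STAT_RE.match(line)
        if m:
            reported = int(m.group("n"))
            continue
        if LOCKED_RE.match(line):
            locked += 1  # in-use files the scanner could not open; noise, not findings
            continue
        m = DETECTION_RE.match(line)
        if m:
            name = m.group("name")
            detections.append({
                "path": m.group("path"),
                "name": name,
                "category": "riskware" if name.startswith("not-a-virus:") else "malware",
                "folder": ntpath.dirname(m.group("path")),  # Windows paths, on any host
                "action": m.group("action"),
            })
    return detections, locked, reported


def folders_to_clean(detections):
    """Distinct folders holding flagged files, malware first."""
    seen, out = set(), []
    for d in sorted(detections, key=lambda d: d["category"] != "malware"):
        if d["folder"] not in seen:
            seen.add(d["folder"])
            out.append((d["folder"], d["category"]))
    return out


if __name__ == "__main__":
    found, locked, reported = parse_report(SAMPLE_REPORT)
    print(f"{len(found)} detections ({locked} locked objects skipped, report claims {reported})")
    if reported is not None and reported != len(found):
        print(f"warning: report says {reported} infected objects but {len(found)} lines parsed")
    for d in found:
        print(f"  [{d['category']:<8}] {d['path']}  ({d['name']}, {d['action']})")
    print("folders to inspect/delete:")
    for folder, category in folders_to_clean(found):
        print(f"  {folder}  <- {category}")
```

The count check is there because "skipped" is the scanner's last action on every line, detection or not; if the parsed total drifts from the statistics line, the report layout has changed and the filter needs revisiting before anyone deletes folders on its say-so.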

mightyuselessone
2007-08-28, 22:53
I have no idea how you could get infected this fast? Maybe you should not go online?

What is this supposed to mean? It sounds to me as if you are being rude about this! I don't understand how this is any of my fault. I had a copy of spybotsd14 on disk and ZoneAlarm that was installed before even installing the internet provider's software. We (my wife and I) also first updated Spybot and ZoneAlarm using their updaters before accessing the internet, and then we updated Windows as fast as possible. We were infected via Shaw from what I can tell, and they are the internet, cable and telephone provider that we use here. First of all, I don't understand if this is a real Lop infection, and I wish to know how to fix it. What more can I possibly use to keep from getting infected? We have always used and continue to use all the tools recommended to us from the forums. Also, I have not visited any sites except Microsoft, Safer-Networking, JavaCool, ZoneAlarm, Grisoft and our ISP start page directly (we manually typed in the addresses, then plugged in the ethernet cable, unplugging between downloads). We did not at any time use a search engine before all the above were updated and installed, nor did we "surf the web".

Please Advise and help with this problem
mightyuselessone

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, August 28, 2007 2:05:21 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 28/08/2007
Kaspersky Anti-Virus database records: 395278
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 12892
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:08:25

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ogre_Family\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ogre_Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ogre_Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ogre_Family\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ogre_Family\Local Settings\Temp\~DF720.tmp Object is locked skipped
C:\Documents and Settings\Ogre_Family\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ogre_Family\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ogre_Family\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\MailBuddy.log Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\imsDebug.log Object is locked skipped
C:\WINNT\Internet Logs\OGRE-M4U5AONIU6.ldb Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{A9DA51B4-7EFE-4A9D-A7DA-70D7345D5E92}.bin Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\Temp\ZLT06a05.TMP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 2:07:01 PM, on 28/08/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Ogre_Family\Desktop\TeaTimer.exe
C:\Documents and Settings\Ogre_Family\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw Internet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188275347500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188282330906
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ,wp.shawcable.net,nr.wp.shawcable.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ,wp.shawcable.net,nr.wp.shawcable.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ,wp.shawcable.net,nr.wp.shawcable.net
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINNT\System32\ZoneLabs\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

pskelley
2007-08-28, 22:57
Those O17 items are valid; if you have additional questions about those, I suggest you contact your Internet Service Provider.
Your HJT log is clean, as is your Kaspersky. This is about all I can do for you except to wish you safe surfing.

Thanks

mightyuselessone
2007-08-30, 20:19
Sorry if I seem a little annoying to deal with; I am not going out trying to get infected purposely, and I really do appreciate the help that I receive. I have managed to get my system somewhat secured now, my wife doing most of it. I need help getting rid of 2 things in Spybot: I keep coming up with 9 redirects (windows sec etc) and a virus by F-Secure's definition. Please help; I am trying to get this system to a point where I can use it and not be infected. As you will see, the O17's that were on the HJT log are no longer there, and Shaw has all but admitted that it was someone on the local internet that was the root of it when I gave them the ISP addresses that ZoneAlarm was showing. Here are the F-Secure, HJT and VirusTotal logs. I hope that this is not that serious and you are willing to help.
ty
mightyuselessone

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:57:15 AM, on 30/08/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\cnmtmgr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [shawnotify] c:\progra~1\shaw\update\updateloader.exe /notify
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {49E71DB9-E803-43BA-AF81-1CAF61A6C4CB} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols/beta/fscax.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188412521140
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 3617 bytes

Scanning Report
Thursday, August 30, 2007 10:37:47 - 10:56:04

Computer name: PARKS-Z240HYQ5A
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
Result: 4 malware found
Alexa (spyware)

* System (Disinfected)

Text/BotFTP.gen (virus)

* C:\WINNT\SYSTEM32\I (Submitted)

Tracking Cookie (spyware)

* System (Disinfected)
* System

Statistics
Scanned:

* Files: 15099
* System: 2788
* Not scanned: 2

Actions:

* Disinfected: 2
* Renamed: 0
* Deleted: 0
* None: 2
* Submitted: 1

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINNT\SYSTEM32\CONFIG\DEFAULT

Options
Scanning engines:

* F-Secure AVP: 7.0.171, 2007-08-30
* F-Secure Blacklight: 1.0.64
* F-Secure Draco: 1.0.35, 0593-150-72
* F-Secure Libra: 2.4.2, 2007-08-28
* F-Secure Orion: 1.2.37, 2007-08-30
* F-Secure Pegasus: 1.19.0, 2007-07-19

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXXANI AVB BAT CMD LSP MAP MHT MIF PHP POT WMF NWS TAR
* Use Advanced heuristics

File i received on 08.30.2007 18:51:27 (CET)
Result: 8/32 (25%)

Antivirus Version Last Update Result
AhnLab-V3 2007.8.31.0 2007.08.30 -
AntiVir 7.4.1.66 2007.08.30 -
Authentium 4.93.8 2007.08.29 -
Avast 4.7.1029.0 2007.08.29 -
AVG 7.5.0.484 2007.08.29 -
BitDefender 7.2 2007.08.30 -
CAT-QuickHeal 9.00 2007.08.30 -
ClamAV 0.91.2 2007.08.30 Trojan.Downloader.Bat.Ftp.gen-1
DrWeb 4.33 2007.08.30 -
eSafe 7.0.15.0 2007.08.29 -
eTrust-Vet 31.1.5095 2007.08.30 -
Ewido 4.0 2007.08.30 -
FileAdvisor 1 2007.08.30 -
Fortinet 3.11.0.0 2007.08.30 BAT/Dloader.AB!worm
F-Prot 4.3.2.48 2007.08.29 -
F-Secure 6.70.13030.0 2007.08.30 Text/BotFTP.gen
Ikarus T3.1.1.12 2007.08.30 -
Kaspersky 4.0.2.24 2007.08.30 -
McAfee 5109 2007.08.30 W32/Sdbot.worm!ftp
Microsoft 1.2803 2007.08.30 TrojanDownloader:BAT/Ftper.gen
NOD32v2 2492 2007.08.30 -
Norman 5.80.02 2007.08.30 Text/BotFTP.gen
Panda 9.0.0.4 2007.08.29 -
Prevx1 V2 2007.08.30 -
Rising 19.38.32.00 2007.08.30 -
Sophos 4.21.0 2007.08.30 Mal/BotFTP-A
Sunbelt 2.2.907.0 2007.08.25 -
Symantec 10 2007.08.30 -
TheHacker 6.1.9.175 2007.08.30 W32/SdBot.worm
VBA32 3.12.2.3 2007.08.30 -
VirusBuster 4.3.26:9 2007.08.30 -
Webwasher-Gateway 6.0.1 2007.08.30 -
Additional information
File size: 77 bytes
MD5: 4b169ca597ed0c1cf2ecf51e651273f7
SHA1: cfe0917ffb45c0077993143e9c13eb8b8f42841d


pskelley
2007-08-30, 20:56
Let's try to clean the air a little:

1) I have no desire to see tracking cookies that are a part of surfing, you are going to get them if you go on the internet. Here is what they are:
http://en.wikipedia.org/wiki/HTTP_cookie if you wish to control them, here is how:
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx

2) You are using a beta version of HJT, please delete it from your computer and download a self-installing version which will install itself in the proper location if you will follow the prompts:
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

Post a new HJT log and describe any malware symptoms. Please do not tell me about any tracking cookies.

Thank you

Thanks

mightyuselessone
2007-08-30, 21:34
Text/BotFTP.gen (virus)

* C:\WINNT\SYSTEM32\I (Submitted)
This is what I was thinking about, not the tracking cookies; those I don't worry about that badly. I uploaded that file to VirusTotal and it came back 25% as a BOT or SDWorm, or other suggested trojan as well.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:58 PM, on 30/08/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\cnmtmgr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [shawnotify] c:\progra~1\shaw\update\updateloader.exe /notify
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {49E71DB9-E803-43BA-AF81-1CAF61A6C4CB} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols/beta/fscax.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188412521140
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 3650 bytes

pskelley
2007-08-30, 21:55
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

C:\WINNT\cnmtmgr.exe <<< scan that file, if it is bad, delete it

C:\WINNT\SYSTEM32\I <<< this has to be I something? I.exe ? I.dll ?
I can not google I

If you scanned it and it came back bad, delete it. You are going to need a file ending though.

Here is a tool that can delete the junk for you if they give you trouble.
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb

Thanks

mightyuselessone
2007-08-30, 23:19
I can not find the file C:\WINNT\cnmtmgr.exe on my own; as far as I can tell I have all files visible, including hidden ones. So I am curious as to where it is. I manually typed in the file and VirusTotal managed to upload it, and here are the results. Now how do I find it to delete it? The other file, C:\WINNT\system32\I, has not got a designation (exe, cab, dll, etc.); it was listed as file type: file when I looked at the properties of it. So I deleted it; hopefully that took care of that part and it does not return if it is a bad file. Please advise. ty
mightyuselessone


File cnmtmgr.exe received on 08.30.2007 21:54:38 (CET)
Result: 7/32 (21.88%)

Antivirus Version Last Update Result
AhnLab-V3 2007.8.31.0 2007.08.30 -
AntiVir 7.4.1.66 2007.08.30 HEUR/Crypted
Authentium 4.93.8 2007.08.29 -
Avast 4.7.1029.0 2007.08.30 -
AVG 7.5.0.484 2007.08.30 -
BitDefender 7.2 2007.08.30 DeepScan:Generic.Sdbot.30E42382
CAT-QuickHeal 9.00 2007.08.30 -
ClamAV 0.91.2 2007.08.30 -
DrWeb 4.33 2007.08.30 -
eSafe 7.0.15.0 2007.08.29 -
eTrust-Vet 31.1.5095 2007.08.30 -
Ewido 4.0 2007.08.30 -
FileAdvisor 1 2007.08.30 -
Fortinet 3.11.0.0 2007.08.30 -
F-Prot 4.3.2.48 2007.08.29 -
F-Secure 6.70.13030.0 2007.08.30 -
Ikarus T3.1.1.12 2007.08.30 Generic.Sdbot
Kaspersky 4.0.2.24 2007.08.30 -
McAfee 5109 2007.08.30 -
Microsoft 1.2803 2007.08.30 -
NOD32v2 2492 2007.08.30 -
Norman 5.80.02 2007.08.30 -
Panda 9.0.0.4 2007.08.29 -
Prevx1 V2 2007.08.30 Generic.Malware
Rising 19.38.32.00 2007.08.30 -
Sophos 4.21.0 2007.08.30 -
Sunbelt 2.2.907.0 2007.08.25 VIPRE.Suspicious
Symantec 10 2007.08.30 W32.Spybot.Worm
TheHacker 6.1.9.175 2007.08.30 -
VBA32 3.12.2.3 2007.08.30 -
VirusBuster 4.3.26:9 2007.08.30 -
Webwasher-Gateway 6.0.1 2007.08.30 Heuristic.Crypted
Additional information
File size: 512000 bytes
MD5: 750b6410cc7f0b2d029c5c19f7cc8277
SHA1: 4ecee6b3812cf13197ea96f4920c0d80cf3dbdd3
packers: Themida
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=0705D404002F0B54D0BF078C1B20A10002CDF62E
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

pskelley
2007-08-30, 23:30
Look at the last HJT log you posted:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:23:58 PM, on 30/08/2007

You only have 16 items that start with C:\WINNT\

and it is one of them:
C:\WINNT\cnmtmgr.exe

Use Search Companion to locate it; the hackers do not make it easy, it could be in Temp, Prefetch or elsewhere.
It needs to be located and deleted, and you are the only one that can do it. Be patient with Search Companion, there are a lot of files to look through.

Thanks
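A defender-side way to do what pskelley describes above, comparing the two HJT logs and picking out processes that run straight from the Windows root. This is an added example, not code from the thread or from HijackThis: the log excerpts are constructed from lines that appear in the thread, and the function names and the short allowlist of legitimate root executables are this example's own assumptions.

```python
"""Diff two HijackThis logs and flag processes running from the Windows root.

Added example; the two excerpts below are constructed from lines that appear
in the thread (trimmed to a few entries each). Function names and the
KNOWN_ROOT_EXES allowlist are assumptions of this example.
"""
import re

# Constructed excerpt modelled on the 2007-08-28 HJT log (before the problem).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINNT\explorer.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Constructed excerpt modelled on the 2007-08-30 HJT log (cnmtmgr.exe present).
LOG_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINNT\cnmtmgr.exe
C:\WINNT\explorer.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [shawnotify] c:\progra~1\shaw\update\updateloader.exe /notify
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# HJT entry lines look like "O4 - <body>", "R1 - <body>", "F2 - <body>", ...
ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+)\s+-\s+(.*)$")

# A path directly under the Windows directory: drive, WINNT/WINDOWS, one name.
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\(winnt|windows)\\([^\\]+)$")

# Executables that legitimately live in the Windows root on 2000/XP.
# Assumption of this example: extend it for your own baseline.
KNOWN_ROOT_EXES = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}


def parse_hjt(text):
    """Return (processes, entries).

    processes: set of lower-cased paths from the 'Running processes:' block.
    entries:   set of (section, body) tuples for the O/R/F/N lines.
    """
    processes, entries = set(), set()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # blank line ends the process block
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.add((m.group(1), m.group(2)))
        elif in_procs:
            processes.add(line.lower())
    return processes, entries


def new_items(before_text, after_text):
    """Processes and entries present in the later log but not the earlier one."""
    procs_before, entries_before = parse_hjt(before_text)
    procs_after, entries_after = parse_hjt(after_text)
    return sorted(procs_after - procs_before), sorted(entries_after - entries_before)


def suspicious_root_processes(processes):
    """pskelley's heuristic: a process running straight from C:\\WINNT\\ (not a
    subdirectory such as system32) that is not a known Windows-root binary."""
    hits = []
    for path in processes:
        m = WINDOWS_ROOT_RE.match(path)
        if m and m.group(2) not in KNOWN_ROOT_EXES:
            hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    procs, entries = new_items(LOG_BEFORE, LOG_AFTER)
    print("New processes since last log:", procs)
    print("New startup/other entries:", entries)
    print("Running from Windows root:",
          suspicious_root_processes(parse_hjt(LOG_AFTER)[0]))
```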

mightyuselessone
2007-08-31, 19:43
Well, first of all I would like to thank you for your assistance with the problems. I would also like to say sorry if I bent your brain some. I broke down and got rid of Windows 2000 altogether and got XP SP2. I installed and got all updates and AVG 7.5 Free, Spybot, SpywareBlaster, the MVPS hosts file (from the post with Mr.Jak3) and CCleaner. I did not install Firefox though (my wife doesn't like it). I performed an online scan and nothing came up. I am not sure how to interpret HJT with XP, so I am going to ask if you would look at the log and tell me if it's ok or not. Please and thanks
mightyuselessone

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:58 AM, on 31/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Desktop\TeaTimer.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188527783937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188527776890
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4259 bytes

pskelley
2007-08-31, 20:48
Good move. I have Firefox installed myself and never use it. It's a myth, if you ask me, that it is safe and IE is not; it all depends on the user, the protection that is installed and the care that is taken to maintain good safe online habits. Stuff can still happen, it is a cyber-jungle out there, but that is your best chance. AVG is a good free antivirus program; I installed it on my sister's new Dell. You are running a good firewall. Read the links I provided also, but I believe you need at least one good spyware program. If you want a free one, try this one which is free from Microsoft:
http://www.microsoft.com/athome/security/spyware/software/default.mspx

If you wish to run TeaTimer, keep Spybot S&D updated and immunized and it will do much to protect you:
http://spyware-free.us/tutorials/spybot/
http://www.bleepingcomputer.com/forums/tutorial43.html
http://www.safer-networking.org/en/tutorial/index.html

Make sure everything in the Security Center in your Control Panel is green for GO and safe surfing to you.

Thanks...Phil

mightyuselessone
2007-08-31, 23:58
I am already running Spybot with TeaTimer going. Can I run Defender as well? I was under the impression that you could only operate one spyware program at a time or there would be conflicts between them?

pskelley
2007-09-01, 00:14
Yes...Windows Defender and TeaTimer will run fine together and complement each other's efforts in keeping you safe. I posted three tutorials for Spybot, have you looked at them?

mightyuselessone
2007-09-01, 00:26
No, I hadn't yet. ty, and hopefully not ttyl lol
mightyuselessone

pskelley
2007-09-01, 15:18
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks