View Full Version : My First Virus Command Service
dilan_thomas
2007-11-10, 04:41
I would like to bore you with pointless information about how frustrated I am...I'm frustrated...That was fun. Now moving right along...
I have spybot S&D 1.4. I have updated it, but cannot download 1.5 because my computer already has a virus. Spybot will not fix Command Service. I have tried to download HiJackThis, but haven't been successful. I will copy to disk tonight and take to infected computer tomorrow in necessary. In the meantime...
Can I just by RegCure for $30 and be done with this? Here is my log from Spybot.
Command Service: Library (File, fixed)
C:\WINNT\system32\atmtd.dll._
Command Service: Settings (Registry key, fixing failed) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService
Clickbank: Tracking cookie (Internet Explorer: Administrator) (Cookie, fixed)
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2006-05-17 unins000.exe (51.41.0.0)
2005-05-31 SpybotSD.exe (1.4.0.3)
2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 TeaTimer.exe (1.5.0.9)
2007-08-31 Update.exe (1.4.0.5)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-05-23 advcheck.dll (1.5.3.0)
2007-07-31 Tools.dll (2.1.2.0)
2007-10-31 Includes\Dialer.sbi (*)
2007-11-07 Includes\Hijackers.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2007-11-07 Includes\Malware.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-11-07 Includes\Spybots.sbi (*)
2007-11-07 Includes\Trojans.sbi (*)
2007-11-07 Includes\Cookies.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2007-11-06 Includes\Tracks.uti
2007-11-07 Includes\TrojansC.sbi (*)
2007-11-07 Includes\SpybotsC.sbi (*)
2007-11-07 Includes\SecurityC.sbi (*)
2007-11-07 Includes\PUPSC.sbi (*)
2007-11-07 Includes\MalwareC.sbi (*)
2007-11-07 Includes\KeyloggersC.sbi (*)
2007-11-07 Includes\HijackersC.sbi (*)
2007-11-07 Includes\DialerC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll
--- System information ---
Windows 2000 (Build: 2195) Service Pack 4
/ Windows 2000 / SP4: Windows 2000 Service Pack 4
--- Startup entries list ---
Located: HK_LM:Run, IndexSearch
command: "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
file: C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
size: 40960
MD5: 71b5d6309a8ac83f6e63358ff2350284
Located: HK_LM:Run, ntdll.dll
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 282624
MD5: fa7eb9aff3d726a6bf0494bee7e378f6
Located: HK_LM:Run, PaperPort PTD
command: "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
file: C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
size: 36864
MD5: 8d4f45f50f40e50a2b625ef3eeba8eb1
Located: HK_LM:Run, Picasa Media Detector
command: C:\Program Files\Picasa2\PicasaMediaDetector.exe
file: C:\Program Files\Picasa2\PicasaMediaDetector.exe
size: 366400
MD5: 04717bf0c76a6dd9fa3df1560e5d3a42
Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 282624
MD5: fa7eb9aff3d726a6bf0494bee7e378f6
Located: HK_LM:Run, runner1
command: C:\WINNT\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
file:
Located: HK_LM:Run, Smapp
command: Smtray.exe
file: C:\WINNT\system32\Smtray.exe
size: 229376
MD5: 9236534e177a694c6101a068ea2cb1a6
Located: HK_LM:Run, SSBkgdUpdate
command: "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
file: C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
size: 155648
MD5: 1c3ca3e7807f915933bb4e08e599ddab
Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
file: C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
size: 132496
MD5: d4f0f7437327dbaa264338baafb5e5af
Located: HK_LM:Run, Synchronization Manager
command: mobsync.exe /logon
file: C:\WINNT\system32\mobsync.exe
size: 111376
MD5: 9b2f5b9e745deaaa57fb78329ed03061
Located: HK_LM:Run, tourpath
command: regedit /s c:\winnt\tour.reg
file:
Located: HK_CU:Run, ctfmon.exe
command: ctfmon.exe
file:
Located: HK_CU:Run, Insider
command: C:\Program Files\Insider\Insider.exe
file: C:\Program Files\Insider\Insider.exe
size: 136192
MD5: edc71bb21ac2b8a30fbc20a3a1ca59aaa
Located: Startup (common), Adobe Reader Speed Launch.lnk
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
size: 29696
MD5: 43362b96870ce8649f4f2ec893da93f0
Located: Startup (common), AUTOCHK.LNK
command: C:\CFGSAFE\AUTOCHK.EXE
file: C:\CFGSAFE\AUTOCHK.EXE
size: 11808
MD5: a7689e6778ebbfa7189efce39d24f1a8
Located: Startup (common), Microsoft Office.lnk
command: C:\Program Files\Microsoft Office\Office10\OSA.EXE
file: C:\Program Files\Microsoft Office\Office10\OSA.EXE
size: 83360
MD5: 5bc65464354a9fd3beaa28e18839734a
Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll
Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll
Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll
Located: System.ini, pmnoopq
command: pmnoopq.dll
file: pmnoopq.dll
Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll
Located: System.ini, wzcnotif
command: wzcdlg.dll
file: wzcdlg.dll
--- Browser helper object list ---
{1C1DD717-53B2-485E-A17B-C9977C205E10} ()
BHO name:
CLSID name:
Path: C:\WINNT\System32\
Long name: pmnoopq.dll
Short name:
Date (created): 11/9/2007 8:18:08 AM
Date (last access): 11/10/2007
Date (last write): 11/9/2007 8:18:08 AM
Filesize: 35328
Attributes: archive
MD5: 2A82CD00CC4A8076393520D43190A1E5
CRC32: 3BA2592B
{8206B86D-8AAD-41A6-1D98-84EDC09CC0A2} (0)
BHO name: 0
CLSID name:
Path: C:\Program Files\Outlook Express\
Long name: sajubusak531.dll
Short name: SABA48~1.DLL
Date (created): 11/10/2007 11:57:40 AM
Date (last access): 11/10/2007
Date (last write): 11/10/2007 11:57:40 AM
Filesize: 70144
Attributes: archive
MD5: 39D8FEB675241490403CBD33A7C14159
CRC32: 9DD5EBB1
{8A636CBA-5FE3-46F8-8AD3-9915D3E8C88A} ()
BHO name:
CLSID name:
Path: C:\Program Files\Windows Media Player\
Long name: poweher83122.dll
Short name: POWEHE~1.DLL
Date (created): 8/2/2007 5:44:00 AM
Date (last access): 11/10/2007
Date (last write): 8/2/2007 5:44:00 AM
Filesize: 282624
Attributes: archive
MD5: 0B36BD26E49F50029B240EF4C5F2F729
CRC32: 73A2E000
{A6AAA2F0-2D5A-4896-BBCC-1DFD5AECCA6C} ()
BHO name:
CLSID name:
Path: C:\Program Files\Windows Media Player\
Long name: poweher4444.dll
Short name: POWEHE~2.DLL
Date (created): 8/2/2007 5:44:00 AM
Date (last access): 11/10/2007
Date (last write): 8/2/2007 5:44:00 AM
Filesize: 282624
Attributes: archive
MD5: 0B36BD26E49F50029B240EF4C5F2F729
CRC32: 73A2E003
{CFE906A1-EB71-49A9-B92A-9E4A6C167773} ()
BHO name:
CLSID name:
Path: C:\WINNT\System32\
Long name: awvtt.dll
Short name:
Date (created): 11/9/2007 8:23:16 AM
Date (last access): 11/10/2007
Date (last write): 11/9/2007 8:23:28 AM
Filesize: 315488
Attributes: archive
MD5: 6D06BE455B5C8EBC493B8D0E1E89A86C
CRC32: 676BDB1F
--- ActiveX list ---
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_03
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_03\bin\
Long name: npjpi160_03.dll
Short name: NPJPI1~1.DLL
Date (created): 9/24/2007 11:31:44 PM
Date (last access): 11/9/2007
Date (last write): 9/25/2007 1:11:34 AM
Filesize: 132496
Attributes: archive
MD5: D6A4682A6FF41832A3F1A7AB9AE08199
CRC32: 9080B537
Version: 6.0.30.5
--- Process list ---
PID: 0 ( 0) [System]
PID: 136 ( 8) \SystemRoot\System32\smss.exe
PID: 160 ( 136) \??\C:\WINNT\system32\csrss.exe
PID: 180 ( 136) \??\C:\WINNT\system32\winlogon.exe
PID: 208 ( 180) C:\WINNT\system32\services.exe
size: 89360
MD5: CFED2D28F5B8A24127E9E06043070643
PID: 220 ( 180) C:\WINNT\system32\lsass.exe
size: 33552
MD5: 271229760CCED993E9E7CAB1C7274134
PID: 412 ( 208) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 436 ( 208) C:\WINNT\system32\spoolsv.exe
size: 45328
MD5: 987DAF317B917CFC973DE8364D62A76C
PID: 464 ( 208) C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avsynmgr.exe
size: 155665
MD5: DE1A9DDD66FAAA71E4E2494FBC970CB7
PID: 476 ( 208) C:\WINNT\QURQIENsaWVudA\command.exe
size: 293888
MD5: 3E2C234DDE711C6754F2DF994FB3CC94
PID: 496 ( 208) C:\WINNT\System32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 552 ( 208) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
size: 270336
MD5: DF631667AC107A56FBD3F111577ECD80
PID: 636 ( 208) C:\WINNT\System32\NMSSvc.exe
size: 1036288
MD5: BB687A703C6944FB0678772F9EC33D20
PID: 672 ( 208) C:\WINNT\system32\regsvc.exe
size: 68368
MD5: 250C4CE389783FA2398E3AFA4317008C
PID: 692 ( 208) C:\WINNT\system32\MSTask.exe
size: 119568
MD5: 00D8C428B2D6DFFCABEB859BC69F632B
PID: 704 ( 464) C:\PROGRA~1\NETWOR~1\VIRUSS~1\VsStat.exe
size: 90129
MD5: 16847187B542113E8FDF4383A6FD489D
PID: 744 ( 208) C:\WINNT\System32\WBEM\WinMgmt.exe
size: 196706
MD5: 05B2001E1BC653FD6091E741B46F71B4
PID: 796 ( 704) C:\PROGRA~1\NETWOR~1\VIRUSS~1\Vshwin32.exe
size: 114705
MD5: ACBCB66344F31C1D51D8C03F310DE468
PID: 820 ( 208) C:\WINNT\System32\mspmspsv.exe
size: 53520
MD5: 5B6DA8F4F5047D6DF51E1C38FC57D4D9
PID: 832 ( 208) C:\WINNT\system32\svchost.exe
size: 7952
MD5: 9E64AD53CFD9DA2D22E8A924F8C6E62C
PID: 856 ( 464) C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avconsol.exe
size: 172049
MD5: ED760A385B7C7115C41A12F2692E5D50
PID: 912 ( 208) C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\Mcshield.exe
size: 221261
MD5: 73D5892583E9E816E78E9C0CD37A539A
PID: 1208 (1192) C:\WINNT\Explorer.EXE
size: 243472
MD5: 59CF2B7DCED9111F48F51B4B570E672D
PID: 1352 (1208) C:\WINNT\system32\Smtray.exe
size: 229376
MD5: 9236534E177A694C6101A068EA2CB1A6
PID: 1092 (1208) C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
size: 132496
MD5: D4F0F7437327DBAA264338BAAFB5E5AF
PID: 1360 (1208) C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
size: 36864
MD5: 8D4F45F50F40E50A2B625EF3EEBA8EB1
PID: 1396 (1208) C:\Program Files\Picasa2\PicasaMediaDetector.exe
size: 366400
MD5: 04717BF0C76A6DD9FA3DF1560E5D3A42
PID: 1344 (1208) C:\Program Files\QuickTime\qttask.exe
size: 282624
MD5: FA7EB9AFF3D726A6BF0494BEE7E378F6
PID: 1312 (1208) C:\Program Files\Insider\Insider.exe
size: 136192
MD5: EDC71BB21AC2B8A30FBC20A3A1CA59AA
PID: 1440 (1208) C:\CFGSAFE\AUTOCHK.EXE
size: 11808
MD5: A7689E6778EBBFA7189EFCE39D24F1A8
PID: 1492 (1428) C:\Program Files\Java\jre1.6.0_03\bin\javaw.exe
size: 135168
MD5: 80D62C1F4C24794FF54CFE2F98BB307E
PID: 1504 (1208) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 1364 (1208) C:\Program Files\Reflection\r2win.exe
size: 2351104
MD5: A020C2C9A4A4B18D013D793B5906B9DA
PID: 8 ( 0) System
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 11/10/2007 12:19:48 PM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINNT\System32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/ig?hl=en
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/search?q=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\msafd.
dilan_thomas
2007-11-10, 19:20
Half Conscious Luke Skywalker Voice: Don't know how long browser will stay open...sending logs...please reply...
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 11, 2007 12:01:11 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/11/2007
Kaspersky Anti-Virus database records: 456038
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 40835
Number of viruses found: 18
Number of infected objects: 47
Number of suspicious objects: 0
Duration of the scan process: 01:22:19
Infected Object Name / Virus Name / Last Action
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\comxp32.dll Object is locked skipped
C:\WINNT\system32\compctrl.dll Object is locked skipped
C:\WINNT\system32\dhcpsock.dll Object is locked skipped
C:\WINNT\system32\tcpcomp.exe Object is locked skipped
C:\WINNT\system32\hostact.dll Object is locked skipped
C:\WINNT\system32\xpie.dll Object is locked skipped
C:\WINNT\system32\msfax\ntlan.drv Object is locked skipped
C:\WINNT\system32\msfax\msve9nwin.msj Object is locked skipped
C:\WINNT\system32\msfax\mspbli32.msj Object is locked skipped
C:\WINNT\system32\msfax\mspbli32.rcv Object is locked skipped
C:\WINNT\system32\msfax\msve9nwin.rcv Object is locked skipped
C:\WINNT\system32\msfax\msjfev32.msj Object is locked skipped
C:\WINNT\system32\msfax\msjfev32.rcv Object is locked skipped
C:\WINNT\system32\pmnoopq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ahr skipped
C:\WINNT\system32\a1\rarndrll2.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\WINNT\system32\g2\caws83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINNT\system32\g2\caws83122.exe NSIS: infected - 1 skipped
C:\WINNT\system32\r2\wr31drs.exe Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\WINNT\system32\khfdbcy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ahr skipped
C:\WINNT\system32\mljijkl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ahr skipped
C:\WINNT\system32\Mz02r\Mz02r1065.exe Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\WINNT\system32\SBUtils\SBWebCtl.dll Infected: not-a-virus:AdWare.Win32.WindowEnhancer.c skipped
C:\WINNT\system32\WvUW6h68.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINNT\security\logs\scepol.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\WINNT\17PHolmes572.exe Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\WINNT\17PHolmes1000106.exe Infected: Trojan-Downloader.Win32.Agent.emo skipped
C:\WINNT\QURQIENsaWVudA\asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINNT\QURQIENsaWVudA\command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINNT\TTC-4444.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINNT\TTC-4444.exe NSIS: infected - 1 skipped
C:\WINNT\b122.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\WINNT\tk58.exe Infected: Trojan.Win32.BHO.ab skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF8E2.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\xA71nMoK.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\snapsnet.exe/data0006 Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\snapsnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\wavesnet.exe Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\NI.UGA6P_0001_N122M2210\setup.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007111120071112\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4PQZWTM3\TTC-4444[1].exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4PQZWTM3\TTC-4444[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OV88S9X0\tk58[1].exe Infected: Trojan.Win32.BHO.ab skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GXMVS92J\CAYZ76AR Infected: Trojan-Downloader.Win32.Searcher.e skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4FILSDKI\83122[1].exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4FILSDKI\83122[1].exe/data0005 Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4FILSDKI\83122[1].exe NSIS: infected - 2 skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4FILSDKI\setup_en[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\USOLA8XN\a8f5a020e4b833865a1034489887c8b9[1].zip/b122.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\USOLA8XN\a8f5a020e4b833865a1034489887c8b9[1].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\USOLA8XN\f4d28682d186cc6beb75f106d133f489[1].zip/b128.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\USOLA8XN\f4d28682d186cc6beb75f106d133f489[1].zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\archive.pst Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mobipocket\mobibook.mbl Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mobipocket\MBP_global_configuration.mbp Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Outlook Express\sajubusak.dll Infected: Trojan.Win32.BHO.ab skipped
C:\Program Files\Outlook Express\sajubusak682.dll Infected: Trojan.Win32.BHO.ab skipped
C:\Program Files\Outlook Express\sajubusak916.dll Infected: Trojan.Win32.BHO.ab skipped
C:\Program Files\Outlook Express\sajubusak486.dll Infected: Trojan.Win32.BHO.ab skipped
C:\Program Files\Outlook Express\sajubusak8.dll Infected: Trojan.Win32.BHO.ab skipped
C:\Program Files\Outlook Express\sajubusak531.dll Infected: Trojan.Win32.BHO.ab skipped
C:\Program Files\Outlook Express\sajubusak314.dll Infected: Trojan.Win32.BHO.ab skipped
C:\Program Files\Outlook Express\wuorypromoj.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\Program Files\Windows Media Player\poweher83122.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\Windows Media Player\poweher4444.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\wndyoir.exe Infected: Trojan-Downloader.Win32.Searcher.e skipped
E:\COMMANDER\7C702202.max Object is locked skipped
Scan process completed.
Hello dilan_thomas and welcome to the Forums :)
You're infected. There is no need for you to buy anything...
Please post a HijackThis log to here.
Download HJTInstall.exe (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to your Desktop.
Doubleclick HJTInstall.exe to install it.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
dilan_thomas
2007-11-12, 22:02
Thank you for your help. This is what happened when I tried to run HiJackThis
#
# An unexpected error has been detected by Java Runtime Environment:
#
# java.lang.OutOfMemoryError: requested 256000 bytes for GrET in C:\BUILD_AREA\jdk6_03\hotspot\src\share\vm\utilities\growableArray.cpp. Out of swap space?
#
# Internal Error (414C4C4F434154494F4E0E494E4C494E450E4850500017), pid=1448, tid=1092
#
# Java VM: Java HotSpot(TM) Client VM (1.6.0_03-b05 mixed mode, sharing)
# If you would like to submit a bug report, please visit:
# http://java.sun.com/webapps/bugreport/crash.jsp
#
--------------- T H R E A D ---------------
Current thread (0x0306d000): VMThread [id=1092]
Stack: [0x03150000,0x031a0000)
[error occurred during error reporting, step 110, id 0xc0000005]
VM_Operation (0x08d6e5f4): full generation collection, mode: safepoint, requested by thread 0x03c86400
--------------- P R O C E S S ---------------
Java Threads: ( => current thread )
0x086d9800 JavaThread "Timer-66" [_thread_blocked, id=288]
0x08579000 JavaThread "Thread-126" daemon [_thread_blocked, id=1116]
0x085dd800 JavaThread "Thread-122" daemon [_thread_blocked, id=1320]
0x03c2e400 JavaThread "Worker Thread 9" [_thread_blocked, id=808]
0x03c2d400 JavaThread "Worker Thread 8" [_thread_blocked, id=740]
0x03c2c400 JavaThread "Worker Thread 7" [_thread_blocked, id=1208]
0x03c2bc00 JavaThread "Worker Thread 6" [_thread_blocked, id=800]
0x085d2c00 JavaThread "Worker Thread 5" [_thread_blocked, id=1576]
0x085d1c00 JavaThread "Worker Thread 4" [_thread_blocked, id=1656]
0x085d1000 JavaThread "Worker Thread 3" [_thread_blocked, id=1744]
0x0858b000 JavaThread "Worker Thread 2" [_thread_blocked, id=1740]
0x0858a400 JavaThread "Worker Thread 1" [_thread_blocked, id=1520]
0x08589800 JavaThread "Worker Thread 0" [_thread_blocked, id=1444]
0x0867b400 JavaThread "Timer-16" daemon [_thread_blocked, id=1608]
0x08531400 JavaThread "Thread-41" [_thread_blocked, id=1212]
0x084e6000 JavaThread "Thread-39" daemon [_thread_blocked, id=1288]
0x03d54400 JavaThread "Thread-26" [_thread_blocked, id=1368]
0x03c86400 JavaThread "AWT-EventQueue-0" [_thread_blocked, id=1668]
0x03d18400 JavaThread "AWT-EventQueue-1" [_thread_blocked, id=1248]
0x03c36400 JavaThread "AWT-Shutdown" [_thread_blocked, id=1516]
0x030ad400 JavaThread "TimerQueue" daemon [_thread_blocked, id=1680]
0x03d1c800 JavaThread "TimerQueue" daemon [_thread_blocked, id=1780]
0x03148400 JavaThread "CacheCleanUpThread" daemon [_thread_blocked, id=532]
0x030cc400 JavaThread "traceMsgQueueThread" daemon [_thread_blocked, id=1688]
0x00d46400 JavaThread "DestroyJavaVM" [_thread_blocked, id=1644]
0x030c9c00 JavaThread "Javaws Secure Thread" [_thread_blocked, id=1632]
0x03094800 JavaThread "AWT-Windows" daemon [_thread_in_native, id=1648]
0x03092c00 JavaThread "Java2D Disposer" daemon [_thread_blocked, id=1676]
0x0307dc00 JavaThread "Low Memory Detector" daemon [_thread_blocked, id=1760]
0x03078c00 JavaThread "CompilerThread0" daemon [_thread_blocked, id=1704]
0x03077c00 JavaThread "Attach Listener" daemon [_thread_blocked, id=1376]
0x03076c00 JavaThread "Signal Dispatcher" daemon [_thread_blocked, id=1024]
0x03072800 JavaThread "Finalizer" daemon [_thread_blocked, id=1148]
0x0306e400 JavaThread "Reference Handler" daemon [_thread_blocked, id=1548]
Other Threads:
=>0x0306d000 VMThread [id=1092]
0x0307f000 WatcherThread [id=1696]
VM state:at safepoint (normal execution)
VM Mutex/Monitor currently owned by a thread: ([mutex/lock_event])
[0x00d45e90/0x000002c4] Threads_lock - owner thread: 0x0306d000
[0x00d46030/0x00000284] Heap_lock - owner thread: 0x03c86400
Heap
def new generation total 4416K, used 1712K [0x16900000, 0x16dc0000, 0x17cb0000)
eden space 3968K, 38% used [0x16900000, 0x16a7fcd0, 0x16ce0000)
from space 448K, 39% used [0x16d50000, 0x16d7c668, 0x16dc0000)
to space 448K, 0% used [0x16ce0000, 0x16ce0000, 0x16d50000)
tenured generation total 57424K, used 27207K [0x17cb0000, 0x1b4c4000, 0x26900000)
the space 57424K, 47% used [0x17cb0000, 0x19741e40, 0x19742000, 0x1b4c4000)
compacting perm gen total 14612K, used 14611K [0x26900000, 0x27745000, 0x2a900000)
the space 14612K, 99% used [0x26900000, 0x27744fd8, 0x27745000, 0x27745000)
ro space 8192K, 62% used [0x2a900000, 0x2ae014a8, 0x2ae01600, 0x2b100000)
rw space 12288K, 52% used [0x2b100000, 0x2b747278, 0x2b747400, 0x2bd00000)
Dynamic libraries:
0x00400000 - 0x00423000 C:\Program Files\Java\jre1.6.0_03\bin\javaw.exe
0x77f80000 - 0x77ffb000 C:\WINNT\system32\ntdll.dll
0x7c2d0000 - 0x7c332000 C:\WINNT\system32\ADVAPI32.dll
0x7c4e0000 - 0x7c599000 C:\WINNT\system32\KERNEL32.DLL
0x77d30000 - 0x77da1000 C:\WINNT\system32\RPCRT4.DLL
0x77e10000 - 0x77e75000 C:\WINNT\system32\USER32.dll
0x77f40000 - 0x77f7c000 C:\WINNT\system32\GDI32.DLL
0x00780000 - 0x007f5000 C:\WINNT\QURQIENsaWVudA\asappsrv.dll
0x71710000 - 0x71794000 C:\WINNT\system32\comctl32.dll
0x779b0000 - 0x77a4b000 C:\WINNT\system32\oleaut32.dll
0x77a50000 - 0x77b47000 C:\WINNT\system32\ole32.dll
0x77820000 - 0x77827000 C:\WINNT\system32\version.dll
0x759b0000 - 0x759b6000 C:\WINNT\system32\LZ32.DLL
0x7c340000 - 0x7c396000 C:\Program Files\Java\jre1.6.0_03\bin\msvcr71.dll
0x6d7c0000 - 0x6da0a000 C:\Program Files\Java\jre1.6.0_03\bin\client\jvm.dll
0x77570000 - 0x775a0000 C:\WINNT\system32\WINMM.dll
0x6bd00000 - 0x6bd0d000 C:\WINNT\system32\SYNCOR11.DLL
0x6d310000 - 0x6d318000 C:\Program Files\Java\jre1.6.0_03\bin\hpi.dll
0x690a0000 - 0x690ab000 C:\WINNT\system32\PSAPI.DLL
0x6d770000 - 0x6d77c000 C:\Program Files\Java\jre1.6.0_03\bin\verify.dll
0x6d3b0000 - 0x6d3cf000 C:\Program Files\Java\jre1.6.0_03\bin\java.dll
0x6d7b0000 - 0x6d7bf000 C:\Program Files\Java\jre1.6.0_03\bin\zip.dll
0x6d000000 - 0x6d1c3000 C:\Program Files\Java\jre1.6.0_03\bin\awt.dll
0x77800000 - 0x7781e000 C:\WINNT\system32\WINSPOOL.DRV
0x76620000 - 0x76631000 C:\WINNT\system32\MPR.DLL
0x75e60000 - 0x75e7a000 C:\WINNT\system32\IMM32.dll
0x51000000 - 0x5104a000 C:\WINNT\system32\ddraw.dll
0x78000000 - 0x78045000 C:\WINNT\system32\MSVCRT.dll
0x728a0000 - 0x728a6000 C:\WINNT\system32\DCIMAN32.dll
0x10000000 - 0x100c3000 C:\WINNT\System32\dhcpsock.dll
0x03500000 - 0x0350f000 C:\WINNT\system32\secur32.dll
0x75050000 - 0x75058000 C:\WINNT\system32\wsock32.dll
0x75030000 - 0x75044000 C:\WINNT\system32\WS2_32.DLL
0x75020000 - 0x75028000 C:\WINNT\system32\WS2HELP.DLL
0x69640000 - 0x6965f000 C:\WINNT\system32\OLEACC.DLL
0x6d250000 - 0x6d261000 C:\Program Files\Java\jre1.6.0_03\bin\deploy.dll
0x77440000 - 0x774b8000 C:\WINNT\system32\CRYPT32.dll
0x77430000 - 0x77440000 C:\WINNT\system32\MSASN1.DLL
0x782f0000 - 0x78538000 C:\WINNT\system32\SHELL32.dll
0x70bd0000 - 0x70c35000 C:\WINNT\system32\SHLWAPI.DLL
0x70200000 - 0x70295000 C:\WINNT\system32\WININET.dll
0x702b0000 - 0x7032a000 C:\WINNT\system32\urlmon.dll
0x6d2b0000 - 0x6d303000 C:\Program Files\Java\jre1.6.0_03\bin\fontmanager.dll
0x774e0000 - 0x77513000 C:\WINNT\system32\RASAPI32.DLL
0x774c0000 - 0x774d1000 C:\WINNT\system32\RASMAN.DLL
0x77530000 - 0x77552000 C:\WINNT\system32\TAPI32.DLL
0x77830000 - 0x7783e000 C:\WINNT\system32\RTUTILS.DLL
0x75ab0000 - 0x75ab5000 C:\WINNT\system32\sensapi.dll
0x7c0f0000 - 0x7c152000 C:\WINNT\system32\USERENV.DLL
0x75170000 - 0x751bf000 C:\WINNT\system32\netapi32.dll
0x751c0000 - 0x751c6000 C:\WINNT\system32\NETRAP.DLL
0x75150000 - 0x7515f000 C:\WINNT\system32\SAMLIB.DLL
0x77950000 - 0x7797a000 C:\WINNT\system32\WLDAP32.DLL
0x77980000 - 0x779a4000 C:\WINNT\system32\DNSAPI.DLL
0x77340000 - 0x77353000 C:\WINNT\system32\IPHLPAPI.DLL
0x77520000 - 0x77525000 C:\WINNT\system32\ICMP.DLL
0x77320000 - 0x77337000 C:\WINNT\system32\MPRAPI.DLL
0x773b0000 - 0x773df000 C:\WINNT\system32\ACTIVEDS.DLL
0x77380000 - 0x773a3000 C:\WINNT\system32\ADSLDPC.DLL
0x77880000 - 0x7790e000 C:\WINNT\system32\SETUPAPI.DLL
0x77360000 - 0x77379000 C:\WINNT\system32\DHCPCSVC.DLL
0x782c0000 - 0x782cc000 C:\WINNT\System32\rnr20.dll
0x777e0000 - 0x777e8000 C:\WINNT\System32\winrnr.dll
0x777f0000 - 0x777f5000 C:\WINNT\system32\rasadhlp.dll
0x6d570000 - 0x6d583000 C:\Program Files\Java\jre1.6.0_03\bin\net.dll
0x6d590000 - 0x6d599000 C:\Program Files\Java\jre1.6.0_03\bin\nio.dll
0x74fd0000 - 0x74fee000 C:\WINNT\system32\msafd.dll
0x75010000 - 0x75017000 C:\WINNT\System32\wshtcpip.dll
0x7ca00000 - 0x7ca23000 C:\WINNT\system32\rsaenh.dll
0x6d450000 - 0x6d474000 C:\Program Files\Java\jre1.6.0_03\bin\jpeg.dll
0x6d220000 - 0x6d243000 C:\Program Files\Java\jre1.6.0_03\bin\dcpr.dll
0x775a0000 - 0x77626000 C:\WINNT\system32\CLBCATQ.DLL
0x77840000 - 0x7787e000 C:\WINNT\system32\cscui.dll
0x770c0000 - 0x770e3000 C:\WINNT\system32\CSCDLL.DLL
0x76710000 - 0x76719000 C:\WINNT\system32\LINKINFO.DLL
0x76fa0000 - 0x76faf000 C:\WINNT\system32\ntshrui.dll
0x773e0000 - 0x773f5000 C:\WINNT\system32\ATL.DLL
0x6d750000 - 0x6d758000 C:\Program Files\Java\jre1.6.0_03\bin\sunmscapi.dll
VM Arguments:
jvm_args: -Xbootclasspath/a:C:\Program Files\Java\jre1.6.0_03\lib\javaws.jar;C:\Program Files\Java\jre1.6.0_03\lib\deploy.jar -Djava.security.policy=file:C:\Program Files\Java\jre1.6.0_03\lib\security\javaws.policy -DtrustProxy=true -Xverify:remote -Djnlpx.home=C:\Program Files\Java\jre1.6.0_03\bin -Djnlpx.remove=true -Xmx256m -Djnlpx.heapsize=NULL,256m -Djnlpx.splashport=1057 -Djnlpx.jvm="C:\Program Files\Java\jre1.6.0_03\bin\javaw.exe"
java_command: com.sun.javaws.Main C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\javaws3
Launcher Type: SUN_STANDARD
Environment Variables:
--------------- S Y S T E M ---------------
OS: Windows 2000 Build 2195 Service Pack 4
CPU:total 1 (1 cores per cpu, 1 threads per core) family 6 model 11 stepping 1, cmov, cx8, fxsr, mmx, sse
Memory: 4k page, physical 260528k(2904k free), swap 632192k(0k free)
vm_info: Java HotSpot(TM) Client VM (1.6.0_03-b05) for windows-x86, built on Sep 24 2007 22:24:33 by "java_re" with unknown MS VC++:1310
dilan_thomas
2007-11-12, 23:39
HJT keeps closing but I think I managed to save a log. Is this right? Any help is appreciated. Thank you so much for your time.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:15:32 PM, on 11/13/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avsynmgr.exe
C:\WINNT\QURQIENsaWVudA\command.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\VsStat.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Vshwin32.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avconsol.exe
C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\Mcshield.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Smtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Insider\Insider.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Mobipocket.com\Mobipocket Reader\reader.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\system32\wuauclt.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINNT\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [ntdll.dll] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted IP range: 199.194.219.124
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://199.194.219.124/reports/cr/activexviewer92.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194649378140
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B6A8CCA-DE3C-4EE1-893E-2D7421B719C9}: NameServer = 199.194.219.150,199.194.219.147
O21 - SSODL: Dhcpweb - {4E0B511C-9667-4392-A1BF-9264D061B618} - C:\WINNT\System32\compctrl.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avsynmgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\QURQIENsaWVudA\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\Mcshield.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Outlook Express\wuorypromoj.html
O24 - Desktop Component 1: (no name) - http://www.cbsnews.com/images/2006/05/25/image36557e52-38f2-49e5-a527-a68dde7a3a40.jpg
--
End of file - 5363 bytes
Hello :)
Yes that is a correct log.
You're infected.
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
dilan_thomas
2007-11-14, 01:39
I'm still getting a wierd popup asking me if I want to install windows XP for small business??? Sorry this took so long, but I will be on this machine all day tomorrow.
Thank you, Thank you, Thank you.
ComboFix 07-11-08.1 - Administrator 11/14/2007 18:19:09.1 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.79 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4VCD6HKP\ComboFix[1].exe
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\Application Data\DOBE~1
C:\Program Files\Insider
C:\Program Files\Insider\Insider.exe
C:\Program Files\Insider\UnInstall.exe
C:\Program Files\Outlook Express\sajubusak.dll
C:\Program Files\Outlook Express\sajubusak162.dll
C:\Program Files\Outlook Express\sajubusak314.dll
C:\Program Files\Outlook Express\sajubusak461.dll
C:\Program Files\Outlook Express\sajubusak486.dll
C:\Program Files\Outlook Express\sajubusak531.dll
C:\Program Files\Outlook Express\sajubusak572.dll
C:\Program Files\Outlook Express\sajubusak682.dll
C:\Program Files\Outlook Express\sajubusak796.dll
C:\Program Files\Outlook Express\sajubusak8.dll
C:\Program Files\Outlook Express\sajubusak916.dll
C:\Program Files\Outlook Express\sajubusak989.dll
C:\Program Files\Outlook Express\wuorypromoj.html
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINNT\b122.exe
C:\WINNT\b147.exe
C:\WINNT\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe
C:\WINNT\QURQIENsaWVudA\asappsrv.dll
C:\WINNT\QURQIENsaWVudA\command.exe
C:\WINNT\system32\a1
C:\WINNT\system32\a1\rarndrll2.exe
C:\WINNT\system32\atmtd.dll
C:\WINNT\system32\atmtd.dll._
C:\WINNT\System32\awvtt.dll
C:\WINNT\system32\g2
C:\WINNT\system32\g2\caws83122.exe
C:\WINNT\system32\h1
C:\WINNT\system32\pac.txt
C:\WINNT\system32\r2
C:\WINNT\system32\r2\wr31drs.exe
C:\WINNT\system32\ttvwa.ini
C:\WINNT\system32\ttvwa.ini2
C:\WINNT\tk58.exe
C:\WINNT\TTC-4444.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.
2007-11-14 18:17 51,200 --a------ C:\WINNT\NirCmd.exe
2007-11-13 14:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-13 12:12 184,320 --a------ C:\WINNT\system32\SEWOWPXf.dll
2007-11-11 10:11 184,320 --a------ C:\WINNT\system32\WvUW6h68.dll
2007-11-11 09:53 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2007-11-11 09:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-10 12:00 27,200 --a------ C:\WINNT\system32\8O3f6431.exe
2007-11-09 17:00 27,200 --a------ C:\WINNT\system32\uF4WMY6N.exe
2007-11-09 16:00 27,200 --a------ C:\WINNT\system32\Qun8I5sb.exe
2007-11-09 15:04 549,720 --a------ C:\WINNT\system32\wuapi.dll
2007-11-09 15:04 325,976 --a------ C:\WINNT\system32\wucltui.dll
2007-11-09 15:04 43,352 --a------ C:\WINNT\system32\wups2.dll
2007-11-09 15:04 33,624 --a------ C:\WINNT\system32\wups.dll
2007-11-09 15:00 27,200 --a------ C:\WINNT\system32\RJiYbOAp.exe
2007-11-09 14:32 <DIR> d-------- C:\WINNT\system32\ie_de
2007-11-09 14:32 <DIR> d-------- C:\WINNT\system32\CertSrv
2007-11-09 09:37 29,995 --a------ C:\wndyoir.exe
2007-11-09 09:20 27,200 --a------ C:\Temp\svcipa.exe
2007-11-09 08:21 35,328 --a------ C:\WINNT\system32\mljijkl.dll
2007-11-09 08:19 35,328 --a------ C:\WINNT\system32\khfdbcy.dll
2007-11-09 08:18 <DIR> d-------- C:\WINNT\system32\Mz02r
2007-11-09 08:18 <DIR> d--hs---- C:\WINNT\QURQIENsaWVudA
2007-11-09 08:18 <DIR> d-------- C:\Temp\mZOr
2007-11-09 08:18 <DIR> d-------- C:\Temp
2007-11-09 08:18 35,840 --a------ C:\WINNT\17PHolmes572.exe
2007-11-09 08:18 35,840 --a------ C:\WINNT\17PHolmes1000106.exe
2007-11-09 08:18 35,328 --a------ C:\WINNT\system32\pmnoopq.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-06-25 01:32 62,592 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2002-03-21 08:05 271 ---h--w C:\Program Files\desktop.ini
2002-03-21 08:05 21,952 ---h--w C:\Program Files\folder.htt
2000-07-26 13:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2005-07-30 00:24:26 472 --sha-r C:\WINNT\QURQIENsaWVudA\kolkKHhPuqpRxE.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C1DD717-53B2-485E-A17B-C9977C205E10}]
07-11-09 08:18 35328 --a------ C:\WINNT\System32\pmnoopq.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
07-11-13 12:12 184320 --a------ C:\WINNT\system32\SEWOWPXf.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A636CBA-5FE3-46F8-8AD3-9915D3E8C88A}]
07-08-02 05:44 282624 --a------ C:\Program Files\Windows Media Player\poweher83122.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6AAA2F0-2D5A-4896-BBCC-1DFD5AECCA6C}]
07-08-02 05:44 282624 --a------ C:\Program Files\Windows Media Player\poweher4444.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tourpath"="regedit /s c:\winnt\tour.reg" []
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 C:\WINNT\system32\mobsync.exe]
"Smapp"="Smtray.exe" [01-04-13 11:26 C:\WINNT\system32\SMTray.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 01:11 ]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [03-10-14 10:22 ]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [05-02-27 15:01 ]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [05-02-27 15:02 ]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [07-01-31 19:52 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-12-08 18:40 ]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AUTOCHK.LNK - C:\CFGSAFE\AUTOCHK.EXE [1980-01-01]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1C1DD717-53B2-485E-A17B-C9977C205E10}"= C:\WINNT\System32\pmnoopq.dll [07-11-09 08:18 35328]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Dhcpweb"= {4E0B511C-9667-4392-A1BF-9264D061B618} - C:\WINNT\System32\compctrl.dll [01-05-04 12:05 1073152]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnoopq]
pmnoopq.dll 07-11-09 08:18 35328 C:\WINNT\system32\pmnoopq.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\System32\awvtt.dll
R0 NaiFsRec;NaiFsRec;C:\WINNT\system32\drivers\NaiFsRec.sys
R2 AvSynMgr;AVSync Manager;C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avsynmgr.exe
R3 NaiFiltr;NaiFiltr;\??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys
R3 Winacpci;Winacpci;C:\WINNT\system32\DRIVERS\winacpci.sys
S2 NMSSvc;NMS Service;C:\WINNT\System32\NMSSvc.exe
S3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2007-11-10 08:00:02 C:\WINNT\Tasks\At1.job"
"2007-11-10 09:00:02 C:\WINNT\Tasks\At2.job"
- C:\WINNT\System32\w26h35Q8.exe
"2007-11-10 10:00:02 C:\WINNT\Tasks\At3.job"
- C:\WINNT\System32\w26h35Q8.exe
"2007-11-10 11:00:02 C:\WINNT\Tasks\At4.job"
- C:\WINNT\System32\w26h35Q8.exe
"2007-11-10 12:00:02 C:\WINNT\Tasks\At5.job"
- C:\WINNT\System32\w26h35Q8.exe
"2007-11-10 13:00:02 C:\WINNT\Tasks\At6.job"
- C:\WINNT\System32\w26h35Q8.exe
"2007-11-10 14:00:02 C:\WINNT\Tasks\At7.job"
- C:\WINNT\System32\w26h35Q8.exe
"2007-11-10 15:00:02 C:\WINNT\Tasks\At8.job"
"2007-11-10 16:00:02 C:\WINNT\Tasks\At9.job"
"2007-11-10 17:00:02 C:\WINNT\Tasks\At10.job"
- C:\WINNT\System32\w26h35Q8.exe
"2007-11-11 18:00:02 C:\WINNT\Tasks\At11.job"
"2007-11-11 19:00:04 C:\WINNT\Tasks\At12.job"
- C:\WINNT\System32\w26h35Q8.exe
"2007-11-13 20:00:02 C:\WINNT\Tasks\At13.job"
"2007-11-13 21:00:02 C:\WINNT\Tasks\At14.job"
"2007-11-13 22:00:02 C:\WINNT\Tasks\At15.job"
- C:\WINNT\System32\w26h35Q8.exe
"2007-11-13 23:00:02 C:\WINNT\Tasks\At16.job"
- C:\WINNT\System32\w26h35Q8.exe
"2007-11-14 00:00:02 C:\WINNT\Tasks\At17.job"
- C:\WINNT\System32\w26h35Q8.exe
"2007-11-14 01:00:02 C:\WINNT\Tasks\At18.job"
- C:\WINNT\System32\w26h35Q8.exe
"2007-11-14 02:00:02 C:\WINNT\Tasks\At19.job"
- C:\WINNT\System32\w26h35Q8.exe
"2007-11-11 03:00:02 C:\WINNT\Tasks\At20.job"
"2007-11-10 04:00:02 C:\WINNT\Tasks\At21.job"
- C:\WINNT\System32\w26h35Q8.exe
"2007-11-10 05:00:02 C:\WINNT\Tasks\At22.job"
- C:\WINNT\System32\w26h35Q8.exe
"2007-11-10 06:00:02 C:\WINNT\Tasks\At23.job"
- C:\WINNT\System32\w26h35Q8.exe
"2007-11-10 07:00:02 C:\WINNT\Tasks\At24.job"
"2007-11-10 08:00:46 C:\WINNT\Tasks\At25.job"
"2007-11-10 09:00:46 C:\WINNT\Tasks\At26.job"
"2007-11-10 10:00:46 C:\WINNT\Tasks\At27.job"
"2007-11-10 11:00:46 C:\WINNT\Tasks\At28.job"
"2007-11-10 12:00:46 C:\WINNT\Tasks\At29.job"
"2007-11-10 13:00:46 C:\WINNT\Tasks\At30.job"
"2007-11-10 14:00:46 C:\WINNT\Tasks\At31.job"
"2007-11-10 15:00:02 C:\WINNT\Tasks\At32.job"
- C:\WINNT\system32\RJiYbOAp.exe
"2007-11-10 16:00:02 C:\WINNT\Tasks\At33.job"
- C:\WINNT\system32\RJiYbOAp.exe
"2007-11-10 17:00:02 C:\WINNT\Tasks\At34.job"
- C:\WINNT\system32\RJiYbOAp.exe
"2007-11-11 18:00:48 C:\WINNT\Tasks\At35.job"
"2007-11-11 19:00:54 C:\WINNT\Tasks\At36.job"
- C:\WINNT\system32\RJiYbOAp.exe
"2007-11-13 20:01:56 C:\WINNT\Tasks\At37.job"
"2007-11-13 21:00:48 C:\WINNT\Tasks\At38.job"
- C:\WINNT\system32\RJiYbOAp.exe
"2007-11-13 22:00:46 C:\WINNT\Tasks\At39.job"
"2007-11-13 23:01:46 C:\WINNT\Tasks\At40.job"
- C:\WINNT\system32\RJiYbOAp.exe
"2007-11-14 00:00:50 C:\WINNT\Tasks\At41.job"
- C:\WINNT\system32\RJiYbOAp.exe
"2007-11-14 01:00:46 C:\WINNT\Tasks\At42.job"
- C:\WINNT\system32\RJiYbOAp.exe
"2007-11-14 02:01:52 C:\WINNT\Tasks\At43.job"
- C:\WINNT\system32\RJiYbOAp.exe
"2007-11-11 03:00:48 C:\WINNT\Tasks\At44.job"
"2007-11-10 04:00:46 C:\WINNT\Tasks\At45.job"
- C:\WINNT\system32\RJiYbOAp.exe
"2007-11-10 05:00:46 C:\WINNT\Tasks\At46.job"
- C:\WINNT\system32\RJiYbOAp.exe
"2007-11-10 06:00:46 C:\WINNT\Tasks\At47.job"
- C:\WINNT\system32\RJiYbOAp.exe
"2007-11-10 07:00:46 C:\WINNT\Tasks\At48.job"
- C:\WINNT\system32\RJiYbOAp.exe
"2007-11-10 08:00:46 C:\WINNT\Tasks\At49.job"
"2007-11-10 09:00:46 C:\WINNT\Tasks\At50.job"
"2007-11-10 10:00:46 C:\WINNT\Tasks\At51.job"
"2007-11-10 11:00:46 C:\WINNT\Tasks\At52.job"
"2007-11-10 12:00:46 C:\WINNT\Tasks\At53.job"
"2007-11-10 13:00:46 C:\WINNT\Tasks\At54.job"
"2007-11-10 14:00:46 C:\WINNT\Tasks\At55.job"
"2007-11-10 15:00:02 C:\WINNT\Tasks\At56.job"
- C:\WINNT\system32\Qun8I5sb.exe
"2007-11-10 16:00:02 C:\WINNT\Tasks\At57.job"
- C:\WINNT\system32\Qun8I5sb.exe
"2007-11-10 17:00:02 C:\WINNT\Tasks\At58.job"
- C:\WINNT\system32\Qun8I5sb.exe
"2007-11-11 18:01:22 C:\WINNT\Tasks\At59.job"
"2007-11-11 19:00:54 C:\WINNT\Tasks\At60.job"
- C:\WINNT\system32\Qun8I5sb.exe
"2007-11-13 20:00:48 C:\WINNT\Tasks\At61.job"
- C:\WINNT\system32\Qun8I5sb.exe
"2007-11-13 21:00:48 C:\WINNT\Tasks\At62.job"
"2007-11-13 22:00:46 C:\WINNT\Tasks\At63.job"
- C:\WINNT\system32\Qun8I5sb.exe
"2007-11-13 23:00:48 C:\WINNT\Tasks\At64.job"
- C:\WINNT\system32\Qun8I5sb.exe
"2007-11-14 00:00:50 C:\WINNT\Tasks\At65.job"
- C:\WINNT\system32\Qun8I5sb.exe
"2007-11-14 01:00:46 C:\WINNT\Tasks\At66.job"
- C:\WINNT\system32\Qun8I5sb.exe
"2007-11-14 02:00:48 C:\WINNT\Tasks\At67.job"
- C:\WINNT\system32\Qun8I5sb.exe
"2007-11-11 03:00:48 C:\WINNT\Tasks\At68.job"
"2007-11-10 04:00:46 C:\WINNT\Tasks\At69.job"
- C:\WINNT\system32\Qun8I5sb.exe
"2007-11-10 05:00:46 C:\WINNT\Tasks\At70.job"
- C:\WINNT\system32\Qun8I5sb.exe
"2007-11-10 06:00:46 C:\WINNT\Tasks\At71.job"
- C:\WINNT\system32\Qun8I5sb.exe
"2007-11-10 07:00:46 C:\WINNT\Tasks\At72.job"
- C:\WINNT\system32\Qun8I5sb.exe
"2007-11-10 08:00:46 C:\WINNT\Tasks\At73.job"
"2007-11-10 09:00:46 C:\WINNT\Tasks\At74.job"
"2007-11-10 10:00:46 C:\WINNT\Tasks\At75.job"
"2007-11-10 11:00:46 C:\WINNT\Tasks\At76.job"
"2007-11-10 12:00:46 C:\WINNT\Tasks\At77.job"
"2007-11-10 13:00:46 C:\WINNT\Tasks\At78.job"
"2007-11-10 14:00:46 C:\WINNT\Tasks\At79.job"
"2007-11-10 15:00:02 C:\WINNT\Tasks\At80.job"
- C:\WINNT\system32\uF4WMY6N.exe
"2007-11-10 16:00:02 C:\WINNT\Tasks\At81.job"
- C:\WINNT\system32\uF4WMY6N.exe
"2007-11-10 17:00:02 C:\WINNT\Tasks\At82.job"
- C:\WINNT\system32\uF4WMY6N.exe
"2007-11-11 18:00:48 C:\WINNT\Tasks\At83.job"
"2007-11-11 19:02:14 C:\WINNT\Tasks\At84.job"
- C:\WINNT\system32\uF4WMY6N.exe
"2007-11-13 20:00:48 C:\WINNT\Tasks\At85.job"
- C:\WINNT\system32\uF4WMY6N.exe
"2007-11-13 21:00:48 C:\WINNT\Tasks\At86.job"
- C:\WINNT\system32\uF4WMY6N.exe
"2007-11-13 22:00:46 C:\WINNT\Tasks\At87.job"
- C:\WINNT\system32\uF4WMY6N.exe
"2007-11-13 23:00:48 C:\WINNT\Tasks\At88.job"
- C:\WINNT\system32\uF4WMY6N.exe
"2007-11-14 00:02:00 C:\WINNT\Tasks\At89.job"
- C:\WINNT\system32\uF4WMY6N.exe
"2007-11-14 01:00:46 C:\WINNT\Tasks\At90.job"
- C:\WINNT\system32\uF4WMY6N.exe
"2007-11-14 02:00:48 C:\WINNT\Tasks\At91.job"
- C:\WINNT\system32\uF4WMY6N.exe
"2007-11-11 03:00:48 C:\WINNT\Tasks\At92.job"
"2007-11-10 04:00:46 C:\WINNT\Tasks\At93.job"
- C:\WINNT\system32\uF4WMY6N.exe
"2007-11-10 05:00:46 C:\WINNT\Tasks\At94.job"
- C:\WINNT\system32\uF4WMY6N.exe
"2007-11-10 06:00:46 C:\WINNT\Tasks\At95.job"
- C:\WINNT\system32\uF4WMY6N.exe
"2007-11-10 07:00:46 C:\WINNT\Tasks\At96.job"
- C:\WINNT\system32\uF4WMY6N.exe
"2007-11-10 20:00:46 C:\WINNT\Tasks\At97.job"
- C:\WINNT\system32\8O3f6431.exe
"2007-11-10 20:00:46 C:\WINNT\Tasks\At98.job"
- C:\WINNT\system32\8O3f6431.exe
"2007-11-10 20:00:46 C:\WINNT\Tasks\At99.job"
- C:\WINNT\system32\8O3f6431.exe
"2007-11-10 20:00:46 C:\WINNT\Tasks\At100.job"
- C:\WINNT\system32\8O3f6431.exe
"2007-11-10 20:00:46 C:\WINNT\Tasks\At101.job"
- C:\WINNT\system32\8O3f6431.exe
"2007-11-10 20:00:46 C:\WINNT\Tasks\At102.job"
- C:\WINNT\system32\8O3f6431.exe
"2007-11-10 20:00:48 C:\WINNT\Tasks\At103.job"
- C:\WINNT\system32\8O3f6431.exe
"2007-11-10 20:00:48 C:\WINNT\Tasks\At104.job"
- C:\WINNT\system32\8O3f6431.exe
"2007-11-10 20:00:48 C:\WINNT\Tasks\At105.job"
- C:\WINNT\system32\8O3f6431.exe
"2007-11-10 20:00:48 C:\WINNT\Tasks\At106.job"
- C:\WINNT\system32\8O3f6431.exe
"2007-11-11 18:00:48 C:\WINNT\Tasks\At107.job"
"2007-11-11 19:00:54 C:\WINNT\Tasks\At108.job"
- C:\WINNT\system32\8O3f6431.exe
"2007-11-13 20:00:48 C:\WINNT\Tasks\At109.job"
- C:\WINNT\system32\8O3f6431.exe
"2007-11-13 21:00:48 C:\WINNT\Tasks\At110.job"
- C:\WINNT\system32\8O3f6431.exe
"2007-11-13 22:00:46 C:\WINNT\Tasks\At111.job"
- C:\WINNT\system32\8O3f6431.exe
"2007-11-13 23:00:48 C:\WINNT\Tasks\At112.job"
- C:\WINNT\system32\8O3f6431.exe
"2007-11-14 00:00:50 C:\WINNT\Tasks\At113.job"
- C:\WINNT\system32\8O3f6431.exe
"2007-11-14 01:00:48 C:\WINNT\Tasks\At114.job"
- C:\WINNT\system32\8O3f6431.exe
"2007-11-14 02:00:48 C:\WINNT\Tasks\At115.job"
- C:\WINNT\system32\8O3f6431.exe
"2007-11-11 03:00:48 C:\WINNT\Tasks\At116.job"
"2007-11-10 20:00:50 C:\WINNT\Tasks\At117.job"
"2007-11-10 20:00:50 C:\WINNT\Tasks\At118.job"
- C:\WINNT\system32\8O3f6431.exe
"2007-11-10 20:00:52 C:\WINNT\Tasks\At119.job"
- C:\WINNT\system32\8O3f6431.exe
"2007-11-10 20:00:52 C:\WINNT\Tasks\At120.job"
- C:\WINNT\system32\8O3f6431.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-14 18:26:57
Windows 5.0.2195 Service Pack 4 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-14 18:28:22 - machine was rebooted
.
--- E O F ---
Hi, we'll continue :)
Go to Start >Run and type "Notepad" without the quotes
Copy the text from the quotebox to Notepad.
Go to the menu at the top of the Notepad file and Save as: Name the file del.bat Save as Type: All files Select the desktop icon on the left to save it on the desktop.
Double click on del.bat and let it run.
@echo off
cd C:\WINNT\Tasks
attrib -r -s -h C:\WINNT\Tasks\*.*
del C:\WINNT\Tasks\*.*
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINNT\system32\SEWOWPXf.dll
C:\WINNT\system32\WvUW6h68.dll
C:\WINNT\system32\8O3f6431.exe
C:\WINNT\system32\uF4WMY6N.exe
C:\WINNT\system32\Qun8I5sb.exe
C:\WINNT\system32\RJiYbOAp.exe
C:\WINNT\system32\ie_de
C:\WINNT\system32\CertSrv
C:\wndyoir.exe
C:\Temp\svcipa.exe
C:\WINNT\system32\mljijkl.dll
C:\WINNT\system32\khfdbcy.dll
C:\WINNT\17PHolmes572.exe
C:\WINNT\17PHolmes1000106.exe
C:\WINNT\system32\pmnoopq.dll
C:\Program Files\Windows Media Player\poweher83122.dll
C:\Program Files\Windows Media Player\poweher4444.dll
C:\WINNT\System32\compctrl.dll
C:\WINNT\system32\8O3f6431.exe
Folder::
C:\WINNT\system32\Mz02r
C:\WINNT\QURQIENsaWVudA
C:\Temp\mZOr
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C1DD717-53B2-485E-A17B-C9977C205E10}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A636CBA-5FE3-46F8-8AD3-9915D3E8C88A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A6AAA2F0-2D5A-4896-BBCC-1DFD5AECCA6C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{1C1DD717-53B2-485E-A17B-C9977C205E10}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Dhcpweb"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnoopq]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
Save this as "CFScript"
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
dilan_thomas
2007-11-14, 22:51
Hello and thank you again. Here are the logs you requested. During the first step it stated File Not Found - C:\WINNT\Tasks\*.* I answered yes to the prompt anyway. I have no idea if this is relevant, but am trying to help you help me.
ComboFix 07-11-08.1 - Administrator 2007-11-15 15:28:00.2 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.86 [GMT -8:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
FILE
C:\Program Files\Windows Media Player\poweher4444.dll
C:\Program Files\Windows Media Player\poweher83122.dll
C:\Temp\svcipa.exe
C:\WINNT\17PHolmes1000106.exe
C:\WINNT\17PHolmes572.exe
C:\WINNT\system32\8O3f6431.exe
C:\WINNT\system32\CertSrv
C:\WINNT\System32\compctrl.dll
C:\WINNT\system32\ie_de
C:\WINNT\system32\khfdbcy.dll
C:\WINNT\system32\mljijkl.dll
C:\WINNT\system32\pmnoopq.dll
C:\WINNT\system32\Qun8I5sb.exe
C:\WINNT\system32\RJiYbOAp.exe
C:\WINNT\system32\SEWOWPXf.dll
C:\WINNT\system32\uF4WMY6N.exe
C:\WINNT\system32\WvUW6h68.dll
C:\wndyoir.exe
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Outlook Express\sajubusak.dll
C:\Program Files\Outlook Express\sajubusak2.dll
C:\Program Files\Outlook Express\sajubusak567.dll
C:\Program Files\Outlook Express\sajubusak848.dll
C:\Program Files\Outlook Express\wuorypromoj.html
C:\Program Files\Windows Media Player\poweher4444.dll
C:\Program Files\Windows Media Player\poweher83122.dll
C:\Temp\mZOr
C:\Temp\mZOr\tOasF.log
C:\Temp\svcipa.exe
C:\WINNT\17PHolmes1000106.exe
C:\WINNT\17PHolmes572.exe
C:\WINNT\QURQIENsaWVudA
C:\WINNT\QURQIENsaWVudA\kolkKHhPuqpRxE.vbs
C:\WINNT\system32\8O3f6431.exe
C:\WINNT\System32\compctrl.dll
C:\WINNT\system32\jkkjk.dll
C:\WINNT\system32\khfdbcy.dll
C:\WINNT\system32\kjkkj.ini
C:\WINNT\system32\kjkkj.ini2
C:\WINNT\system32\mljijkl.dll
C:\WINNT\system32\Mz02r
C:\WINNT\system32\Mz02r\Mz02r1065.exe
C:\WINNT\system32\pmnoopq.dll
C:\WINNT\system32\Qun8I5sb.exe
C:\WINNT\system32\RJiYbOAp.exe
C:\WINNT\system32\SEWOWPXf.dll
C:\WINNT\system32\uF4WMY6N.exe
C:\WINNT\system32\WvUW6h68.dll
C:\WINNT\tk58.exe
C:\WINNT\TTC-4444.exe
C:\wndyoir.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.
2007-11-15 13:20 184,320 --a------ C:\WINNT\system32\mhP4I77I.dll
2007-11-14 18:17 51,200 --a------ C:\WINNT\NirCmd.exe
2007-11-13 14:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-11 09:53 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2007-11-11 09:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-09 15:04 549,720 --a------ C:\WINNT\system32\wuapi.dll
2007-11-09 15:04 325,976 --a------ C:\WINNT\system32\wucltui.dll
2007-11-09 15:04 43,352 --a------ C:\WINNT\system32\wups2.dll
2007-11-09 15:04 33,624 --a------ C:\WINNT\system32\wups.dll
2007-11-09 14:32 <DIR> d-------- C:\WINNT\system32\ie_de
2007-11-09 14:32 <DIR> d-------- C:\WINNT\system32\CertSrv
2007-11-09 08:18 <DIR> d-------- C:\Temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-06-25 01:32 62,592 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2002-03-21 08:05 271 ---h--w C:\Program Files\desktop.ini
2002-03-21 08:05 21,952 ---h--w C:\Program Files\folder.htt
2000-07-26 13:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.
((((((((((((((((((((((((((((( snapshot@Wed 2007-11-14_18.27.34.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 18:57:12 163,328 ----a-w C:\WINNT\erdnt\subs\F3M\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tourpath"="regedit /s c:\winnt\tour.reg" []
"Synchronization Manager"="mobsync.exe" [03-06-19 11:05 C:\WINNT\system32\mobsync.exe]
"Smapp"="Smtray.exe" [01-04-13 11:26 C:\WINNT\system32\SMTray.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 01:11 ]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [03-10-14 10:22 ]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [05-02-27 15:01 ]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [05-02-27 15:02 ]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [07-01-31 19:52 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-12-08 18:40 ]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" []
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AUTOCHK.LNK - C:\CFGSAFE\AUTOCHK.EXE [1980-01-01]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
R0 NaiFsRec;NaiFsRec;C:\WINNT\system32\drivers\NaiFsRec.sys
R2 AvSynMgr;AVSync Manager;C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avsynmgr.exe
R2 NMSSvc;NMS Service;C:\WINNT\System32\NMSSvc.exe
R3 NaiFiltr;NaiFiltr;\??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys
R3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINNT\system32\drivers\NMSCFG.SYS
R3 Winacpci;Winacpci;C:\WINNT\system32\DRIVERS\winacpci.sys
S3 ichaud;Service for AC'97 Driver (WDM);C:\WINNT\system32\drivers\ichaud.sys
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 15:36:43
Windows 5.0.2195 Service Pack 4 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-15 15:37:29 - machine was rebooted
C:\ComboFix2.txt ... 07-11-14 18:28
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:19 PM, on 11/15/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\VsStat.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Vshwin32.exe
C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\Mcshield.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Smtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\QuickTime\qttask.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted IP range: 199.194.219.124
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://199.194.219.124/reports/cr/activexviewer92.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194649378140
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B6A8CCA-DE3C-4EE1-893E-2D7421B719C9}: NameServer = 199.194.219.150,199.194.219.147
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\Mcshield.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
--
End of file - 4826 bytes
Hi :)
Looks so much better now...
You should print these instructions or save these to a text file. Follow these instructions carefully.
Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log
dilan_thomas
2007-11-15, 21:31
Thank you for your help. My computer is running much better.
I ran Dr. Web but was unable to save a log. During the initial scan phase no files were found. I ran the second scan by pressing the green play button before I selected drives. It found one file it was a C:\\Winn.something. I'm sure that really helps...I selected Move incurable.
I failed to save the log and when I went to do a complete scan I got an error message, and it wouldn't do that scan. I ran another scan but it wouldn't give me the option to save a log. This selection is grayed out in the menu bar.
I'm sorry I botched this part. I should have wrote down the file name.... Here is HiJackThis.
Thank you so much.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:16:54 PM, on 11/16/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\VsStat.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Vshwin32.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\Mcshield.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\QuickTime\qttask.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\system32\wuauclt.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted IP range: 199.194.219.124
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2DEF4530-8CE6-41C9-84B6-A54536C90213} (Crystal Report Viewer Control 9) - http://199.194.219.124/reports/cr/activexviewer92.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194649378140
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B6A8CCA-DE3C-4EE1-893E-2D7421B719C9}: NameServer = 199.194.219.150,199.194.219.147
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\Mcshield.exe
O23 - Service: NMS Service (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
--
End of file - 4857 bytes
Hi :)
The DrWeb thing is okay as you selected the "Move incurable"
You can remove the tools we used.
Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly. .
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster and more secure browser than Internet Explorer.
Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)
Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with you antivirus software.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)
dilan_thomas
2007-11-16, 22:49
Thank you so much Mr_JAk3. I will follow the recommended steps.:D:
That's great news and you're very welcome :D:
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.
Glad we could help :2thumb: