spykiller, sdvhost, and gebba.dll still haunting me!



caddy
2008-04-09, 05:27
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:59 PM, on 4/8/2008
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\WINNT\explorer.exe
C:\Program Files\Dell TrueMobile 1150\Client Manager\CMDEL.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8689] command /c del "C:\WINNT\SYSTEM32\gebba.dll"
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\RunOnce: [SpybotDeletingD8697] cmd /c del "C:\WINNT\SYSTEM32\gebba.dll" (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A71E2042-6CC6-4EBC-860E-C060D0972899}: NameServer = 208.19.107.240 216.163.120.19
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)

--
End of file - 4202 bytes

Blade81
2008-04-10, 08:34
Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

caddy
2008-04-12, 02:47
Thanks, Blade. Here is the combofix logfile.
ComboFix 08-04-11.5 - Administrator 04/11/2008 17:22:58.5 - NTFSx86

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\SLMSS
C:\Program Files\Common Files\SLMSS\acp1.dat
C:\WINNT\system32\csrs.exe
C:\WINNT\system32\explorer.exe
C:\WINNT\system32\iexplore.exe
C:\WINNT\system32\isass.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
.

2008-03-29 17:26 . 03/29/08 05:34p 132,096 -ra------ C:\WINNT\SYSTEM32\sdhost.exe
2008-03-27 19:08 . 03/27/08 07:08p 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-03-27 19:08 . 03/27/08 07:08p 1,409 --a------ C:\WINNT\QTFont.for
2008-03-25 21:02 . 03/25/08 09:03p 38,912 --a------ C:\WINNT\SYSTEM32\lzkjst.exe
2008-03-25 20:42 . 03/25/08 08:42p 45,056 --a------ C:\WINNT\SYSTEM32\gsknuhbl.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 04:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-25 06:24 --------- d-----w C:\Program Files\BillP Studios
2008-02-25 06:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\WinPatrol
2008-02-25 06:15 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-24 07:04 --------- d-----w C:\Program Files\SpywareGuard
2008-02-15 04:34 --------- d---a-w C:\Program Files\ewido anti-malware
2008-02-15 04:34 --------- d-----w C:\Program Files\WinZip Self-Extractor
2008-02-15 04:28 --------- d-----w C:\Program Files\Common Files\Real
2008-02-15 04:23 --------- d-----w C:\Program Files\Network Associates
2008-02-15 01:40 --------- d-----w C:\Program Files\Trend Micro
2008-02-12 16:38 --------- d-----w C:\Program Files\Yahoo!
2008-02-10 23:59 691,545 ----a-w C:\WINNT\unins000.exe
2007-07-25 07:36 5,435,269 ----a-w C:\Program Files\Ben Harper - 06 - Ground On Down.mp3
2001-06-19 18:05 271 ---ha-w C:\Program Files\DESKTOP.INI
2001-06-19 18:05 21,952 ---ha-w C:\Program Files\FOLDER.HTT
2001-05-08 12:00 32,528 ----a-w C:\WINNT\INF\WBFIRDMA.SYS
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [01/26/08 10:38p 316728]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Synchronization Manager"="mobsync.exe" [05/08/01 05:00a 111376 C:\WINNT\SYSTEM32\MOBSYNC.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.32.lnk - C:\WINNT\Installer\{BDC88E5A-F47B-4314-AB38-994592E32C95}\NewShortcut1.exe [2006-10-11 21:42:40 40960]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"Protected system files1"= avgupsvc.exe
"Protected system files2"= avgamsvr.exe
"Protected system files3"= avgcc.exe
"Protected system files4"= nod32kui.exe
"Protected system files5"= nod32krn.exe
"Protected system files6"= ccSetMgr.exe
"Protected system files7"= ccEvtMgr.exe
"Protected system files8"= DefWatch.exe
"Protected system files9"= SavRoam.exe
"Protected system files10"= Rtvscan.exe
"Protected system files11"= VPTray.exe
"Protected system files12"= ccApp.exe
"Protected system files13"= AluSchedulerSvc.exe
"Protected system files14"= nod32.exe
"Protected system files15"= nod32ra.exe
"Protected system files16"= UpdaterUI.exe
"Protected system files17"= tbmon.exe
"Protected system files18"= Mcshield.exe
"Protected system files19"= SHSTAT.exe
"Protected system files20"= ashMaiSv.exe
"Protected system files21"= ashServ.exe
"Protected system files22"= ashWebSv.exe
"Protected system files23"= aswUpdSv.exe
"Protected system files24"= AVGUARD.exe
"Protected system files25"= AVWUPSRV.exe
"Protected system files26"= avscan.exe
"Protected system files27"= guardgui.exe
"Protected system files28"= VxMon.exe
"Protected system files29"= AVGNT.exe
"Protected system files30"= avgemc.exe
"Protected system files31"= avp.exe
"Protected system files32"= avp.com

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"Protected system files1"= avgupsvc.exe
"Protected system files2"= avgamsvr.exe
"Protected system files3"= avgcc.exe
"Protected system files4"= nod32kui.exe
"Protected system files5"= nod32krn.exe
"Protected system files6"= ccSetMgr.exe
"Protected system files7"= ccEvtMgr.exe
"Protected system files8"= DefWatch.exe
"Protected system files9"= SavRoam.exe
"Protected system files10"= Rtvscan.exe
"Protected system files11"= VPTray.exe
"Protected system files12"= ccApp.exe
"Protected system files13"= AluSchedulerSvc.exe
"Protected system files14"= nod32.exe
"Protected system files15"= nod32ra.exe
"Protected system files16"= UpdaterUI.exe
"Protected system files17"= tbmon.exe
"Protected system files18"= Mcshield.exe
"Protected system files19"= SHSTAT.exe
"Protected system files20"= ashMaiSv.exe
"Protected system files21"= ashServ.exe
"Protected system files22"= ashWebSv.exe
"Protected system files23"= aswUpdSv.exe
"Protected system files24"= AVGUARD.exe
"Protected system files25"= AVWUPSRV.exe
"Protected system files26"= avscan.exe
"Protected system files27"= guardgui.exe
"Protected system files28"= VxMon.exe
"Protected system files29"= AVGNT.exe
"Protected system files30"= avgemc.exe
"Protected system files31"= avp.exe
"Protected system files32"= avp.com


.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 17:25:03
Windows 5.0.2195 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 04/11/2008 17:25:52
ComboFix-quarantined-files.txt 2008-04-12 00:25:31
ComboFix2.txt 2008-02-21 03:37:57
Pre-Run: 14,787,532,288 bytes free
Post-Run: 14,781,155,328 bytes free

Blade81
2008-04-12, 12:35
Hi


Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\WINNT\SYSTEM32\sdhost.exe
C:\WINNT\SYSTEM32\lzkjst.exe
C:\WINNT\SYSTEM32\gsknuhbl.exe

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]

[-HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]



Save this as CFScript


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


I see you have Kaspersky online scanner installed. Please run a full scan with it and post back its report and a fresh hjt log along with the ComboFix log asked for above.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings and select the following:
Scan using the following Anti-Virus database:
Extended (If available, otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Under "select a target to scan", select My Computer.
The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete; Kaspersky suggests running it during a time of low activity. Once the scan is complete:
Click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh hjt log too.


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problem doing the above:

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
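
As an added example (not code from this thread, from ComboFix or from its author), a small Python triage script for the DisallowRun finding above: it parses the REGEDIT4-style "Reg Loading Points" section of a ComboFix log, reports whether the Explorer DisallowRun policy is set and which program names it blocks, and emits the same Registry:: block Blade81 wrote by hand. The SAMPLE_LOG excerpt is constructed from the log posted in this thread (list shortened); the function names are assumptions of this example.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log for the
DisallowRun policy abuse seen in this thread, and build the matching
CFScript Registry:: block that removes it."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the REGEDIT4 layout ComboFix prints; the values
# are taken from the log posted in the thread, with the list shortened.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [01/26/08 10:38p 316728]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"DisallowRun"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"Protected system files1"= avgupsvc.exe
"Protected system files2"= nod32krn.exe
"Protected system files3"= Mcshield.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"Protected system files1"= avgupsvc.exe
"Protected system files2"= avp.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_section(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: raw_data}} for a REGEDIT4-style dump.
    Lines that are neither a [key] nor a "name"=data pair are ignored."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def find_disallowrun(keys: Dict[str, Dict[str, str]]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (policy keys where DisallowRun is enabled,
    {DisallowRun list key: sorted lower-cased executable names})."""
    enabled: List[str] = []
    blocked: Dict[str, List[str]] = {}
    for path, values in keys.items():
        lower = path.lower()
        if lower.endswith(r"\policies\explorer"):
            # Registry value names are case-insensitive, so match loosely.
            data = next((d for n, d in values.items() if n.lower() == "disallowrun"), "")
            if data.startswith("1"):
                enabled.append(path)
        elif lower.endswith(r"\policies\explorer\disallowrun"):
            blocked[path] = sorted(d.lower() for d in values.values())
    return enabled, blocked


def build_cfscript(enabled: List[str], blocked: Dict[str, List[str]]) -> str:
    """Emit the Registry:: block in the form used in the thread: '=-' deletes
    the DisallowRun value and '[-key]' deletes the whole list key."""
    lines = ["Registry::"]
    for path in enabled:
        lines += [f"[{path}]", '"DisallowRun"=-', ""]
    for path in blocked:
        lines += [f"[-{path}]", ""]
    return "\n".join(lines).rstrip()


def triage(text: str) -> dict:
    """One-call summary for a log excerpt: policy state, blocked names, script."""
    enabled, blocked = find_disallowrun(parse_reg_section(text))
    names = sorted({n for exes in blocked.values() for n in exes})
    return {
        "policy_enabled": bool(enabled),
        "blocked_programs": names,
        "cfscript": build_cfscript(enabled, blocked) if (enabled or blocked) else "",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"DisallowRun enabled: {result['policy_enabled']}")
    print("Blocked programs:", ", ".join(result["blocked_programs"]))
    print(result["cfscript"])
```

The blocked names in this log are all security-product processes, which is the tell that the policy was planted by the infection rather than by an administrator.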

caddy
2008-04-13, 22:12
Hello,
Here is the new ComboFix log. I was unable to run Kaspersky because I do not run IE.

ComboFix 08-04-11.5 - Administrator 04/13/2008 12:59:45.6 - NTFSx86

Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINNT\SYSTEM32\gsknuhbl.exe
C:\WINNT\SYSTEM32\lzkjst.exe
C:\WINNT\SYSTEM32\sdhost.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\SYSTEM32\gsknuhbl.exe
C:\WINNT\SYSTEM32\lzkjst.exe
C:\WINNT\SYSTEM32\sdhost.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.

2008-03-27 19:08 . 03/27/08 07:08p 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-03-27 19:08 . 03/27/08 07:08p 1,409 --a------ C:\WINNT\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 04:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-25 06:24 --------- d-----w C:\Program Files\BillP Studios
2008-02-25 06:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\WinPatrol
2008-02-25 06:15 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-24 07:04 --------- d-----w C:\Program Files\SpywareGuard
2008-02-15 04:34 --------- d---a-w C:\Program Files\ewido anti-malware
2008-02-15 04:34 --------- d-----w C:\Program Files\WinZip Self-Extractor
2008-02-15 04:28 --------- d-----w C:\Program Files\Common Files\Real
2008-02-15 04:23 --------- d-----w C:\Program Files\Network Associates
2008-02-15 01:40 --------- d-----w C:\Program Files\Trend Micro
2008-02-10 23:59 691,545 ----a-w C:\WINNT\unins000.exe
2007-07-25 07:36 5,435,269 ----a-w C:\Program Files\Ben Harper - 06 - Ground On Down.mp3
2001-06-19 18:05 271 ---ha-w C:\Program Files\DESKTOP.INI
2001-06-19 18:05 21,952 ---ha-w C:\Program Files\FOLDER.HTT
2001-05-08 12:00 32,528 ----a-w C:\WINNT\INF\WBFIRDMA.SYS
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

------- Sigcheck -------

Cryptography Services Error !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpyKiller"="C:\Program Files\SpyKiller\spykiller.exe" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingD8697"="cmd /c del C:\WINNT\SYSTEM32\gebba.dll" [ ]
"SpybotDeletingB8689"="command /c del C:\WINNT\SYSTEM32\gebba.dll" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [01/26/08 10:38p 316728]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless Configuration Utility HW.32.lnk - C:\WINNT\Installer\{BDC88E5A-F47B-4314-AB38-994592E32C95}\NewShortcut1.exe [2006-10-11 21:42:40 40960]


.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 13:01:45
Windows 5.0.2195 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 04/13/2008 13:02:36
ComboFix-quarantined-files.txt 2008-04-13 20:02:15
ComboFix2.txt 2008-04-12 00:25:53
ComboFix3.txt 2008-02-21 03:37:57
Pre-Run: 14,811,221,504 bytes free
Post-Run: 14,805,015,040 bytes free

caddy
2008-04-13, 22:14
here is the fresh HJT log.
Take care,
Caddy

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:30 PM, on 4/13/2008
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\WINNT\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKUS\S-1-5-21-1330325420-1700743666-749098738-500\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A71E2042-6CC6-4EBC-860E-C060D0972899}: NameServer = 208.19.107.240 216.163.120.19
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)

--
End of file - 3718 bytes

Blade81
2008-04-13, 22:19
Well, okay. We'll replace Kaspersky part with Malwarebytes' Anti-Malware then :)


Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply.

caddy
2008-04-15, 05:38
I downloaded and installed the program, but when I try to run it, it gives me an error message: run time error vbalsgrid6.ocx version might be outdated. Could this be because I have Windows 2000?

Blade81
2008-04-15, 11:05
Malwarebytes' Anti-Malware supports Win2000 so that shouldn't be a problem here.

Let's try Dr.Web CureIt.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Double-click the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, Click Options > Change settings
Choose the Scan tab, remove the mark at Heuristic analysis.
Back at the main window, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured. (This is in case we need samples.)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer, because files in use may be moved/deleted during the reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.

caddy
2008-04-18, 03:32
Blade,
I have installed Dr.Web CureIt and it removed 2 viruses: Rundll.exe and qjpnheed.dll, which I had never seen before. It named them virtumonde trojans, which is what I was dealing with before. When I attempted to uncheck heuristic analysis and do a complete scan or a scan of particular drives I received a run time error reading "program:C:\DOCUME~ADMIN|~LOCALS~|TEMP|RARSFX01\setup.exe".
Also, I am now receiving messages from WinPatrol about xxyrttu.dll and qjpnheed.dll. Rundll is also now showing up on my active tasks list, which has never happened before. It has practically shut down my computer.

Blade81
2008-04-18, 06:12
First of all, you ran Setup.exe from a temporary location without copying it to the desktop as instructed.

Post a fresh hjt log, please.

caddy
2008-04-19, 04:29
Blade,
I was able to run the Dr.Web CureIt and produce a log, somehow. This is the fresh HJT log, and the Dr.Web CureIt log, as well.
Thank you for your assistance
Brannon
HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:23 PM, on 4/18/2008
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)

--
End of file - 2975 bytes

caddy
2008-04-19, 04:30
It would not allow me to run the scan with heuristic analysis unchecked, so I ran it checked.
Dr. Cure-it log

awtqqron.dll.vir;C:\QooBox\Quarantine\C\WINNT\SYSTEM32;Trojan.Virtumod.287;Deleted.;
csrs.exe.vir;C:\QooBox\Quarantine\C\WINNT\SYSTEM32;BackDoor.IRC.Sdbot.945;Deleted.;
gsknuhbl.exe.vir;C:\QooBox\Quarantine\C\WINNT\SYSTEM32;Trojan.Proxy.2364;Deleted.;
iexplore.exe.vir;C:\QooBox\Quarantine\C\WINNT\SYSTEM32;BackDoor.IRC.Sdbot.2665;Deleted.;
lzkjst.exe.vir;C:\QooBox\Quarantine\C\WINNT\SYSTEM32;Trojan.Packed.142;Deleted.;
sdhost.exe.vir;C:\QooBox\Quarantine\C\WINNT\SYSTEM32;Trojan.Inject.251;Deleted.;
Process.exe;C:\SDFix\SDFix\apps;Tool.Prockill;Incurable.Moved.;
spoolsvc.exe;C:\WINNT\SYSTEM32;BackDoor.IRC.Sdbot.945;Deleted.;
TFTP1008;C:\WINNT\SYSTEM32;Win32.Virut.5;Cured.;
TFTP1012;C:\WINNT\SYSTEM32;Win32.Virut.5;Cured.;
TFTP1060;C:\WINNT\SYSTEM32;Win32.Virut.5;Cured.;
TFTP1064;C:\WINNT\SYSTEM32;Win32.Virut.5;Cured.;
TFTP1112;C:\WINNT\SYSTEM32;Win32.Virut.5;Cured.;
TFTP1120;C:\WINNT\SYSTEM32;Win32.Virut.5;Cured.;
TFTP1128;C:\WINNT\SYSTEM32;Win32.Virut.5;Cured.;
TFTP1168;C:\WINNT\SYSTEM32;Win32.Virut.5;Cured.;
TFTP1176;C:\WINNT\SYSTEM32;Win32.Virut.5;Cured.;
TFTP1296;C:\WINNT\SYSTEM32;Win32.Virut.5;Cured.;
TFTP400;C:\WINNT\SYSTEM32;Win32.Virut.5;Cured.;
TFTP512;C:\WINNT\SYSTEM32;Win32.Virut.5;Cured.;
TFTP524;C:\WINNT\SYSTEM32;Win32.Virut.5;Cured.;
TFTP792;C:\WINNT\SYSTEM32;Win32.Virut.5;Cured.;
TFTP828;C:\WINNT\SYSTEM32;Win32.Virut.5;Cured.;
TFTP884;C:\WINNT\SYSTEM32;Win32.Virut.5;Cured.;
TFTP908;C:\WINNT\SYSTEM32;Win32.Virut.5;Cured.;
TFTP920;C:\WINNT\SYSTEM32;Win32.Virut.5;Cured.;
win_20283.exe;C:\WINNT\SYSTEM32;BackDoor.IRC.Sdbot.1419;Deleted.;

Blade81
2008-04-19, 12:48
Hi

Those look ok. :) How's your system running now?

caddy
2008-04-19, 20:57
blade,
Things are definitely running much better. I am no longer receiving any messages from WinPatrol; however, spykiller and qjpnheed.dll are still on my WinPatrol startup list, where I disabled them long ago. Is there any freeware or shareware firewall or other protective software that you would suggest to avoid future infection?
Thank you again for all of your help; it is much appreciated.
Caddy

Blade81
2008-04-19, 21:31
Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to protect against further intrusions.


Now let's uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK




UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Download Adaware
Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=48)
The program is available for download here (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-1)
Download SpywareBlaster
SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It makes kill bits in the registry, so that certain ActiveX controls can't install.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)

Download iespyad
It puts many bad webpages on your restricted zones list. This means that you can still view the bad webpages, but the webpages cannot do certain things (such as use JavaScript and cookies).
If you need help understanding how it works, there is a tutorial here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
Download it here (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe)

hosts file:
Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen). Click Run. In the dialog box, type services.msc and hit Enter, then locate DNS Client. Highlight it, then double-click it. On the dropdown box, change the setting from Automatic to Manual. Click OK.



Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. See here (http://www.freebyte.com/antivirus/#scanners) to choose one

Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this (http://www.bleepingcomputer.com/forums/tutorial60.html) webpage out.
See here (http://www.freebyte.com/antivirus/#firewalls) to choose one



Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:

caddy
2008-04-21, 07:34
Blade,
I am now having something called nod64.exe attempting to start and access the internet. I will post a hjt log.

caddy
2008-04-21, 07:35
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:30 PM, on 4/20/2008
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Wireless Configuration Utility HW.32.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\WlanCU.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A71E2042-6CC6-4EBC-860E-C060D0972899}: NameServer = 208.19.107.240 216.163.120.19
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.10\SiSWLSvc.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)

--
End of file - 2688 bytes

Blade81
2008-04-21, 10:17
First of all, please install anti virus protection & a software firewall through the links I posted in my previous post. Then run a scan with the program you chose.

I can't see anything in your hjt log, so we have to do some investigation.

Download GMER (http://www.gmer.net/gmer.zip) and save it to your desktop:
Extract it to your desktop and double-click GMER.exe
Click rootkit-tab and then scan.
Don't check the Show All box while scanning is in progress!
When scanning is finished, click Copy.
This copies the log to the clipboard.
Post log in your reply.
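To show the kind of first-pass triage a helper does on a HijackThis log like the ones in this thread, here is an added example (not part of the thread and not HijackThis's own code); the sample lines are constructed in the same entry format as the logs above, and each rule is only a "check this first" prompt, not a verdict.

```python
import re

# Constructed sample of HijackThis v2.0.x entries (same line format as the logs in this thread).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O17 - HKLM\System\CCS\Services\Tcpip\..\{A71E2042-6CC6-4EBC-860E-C060D0972899}: NameServer = 208.19.107.240 216.163.120.19
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\SiSWLSvc.exe
O23 - Service: Windows Management Instrumentation (WinMgmt) - Unknown owner - C:\WINNT\System32\WBEM\WinMgmt.exe (file missing)
"""

# Every HJT entry starts with a section tag (R0, O4, O17, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_entries(log_text):
    """Split a HijackThis log into (section, body) pairs; header and process lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def review_items(log_text):
    """Return (section, body, reason) triples a helper would want to look at first.

    A missing file or an unknown owner is common on a clean machine too, so
    these are prompts to verify the entry, not detections.
    """
    items = []
    for section, body in parse_entries(log_text):
        if "(file missing)" in body:
            items.append((section, body, "referenced file is missing: orphaned entry or a removed file"))
        elif section == "O23" and "Unknown owner" in body:
            items.append((section, body, "service publisher unknown: confirm where the binary came from"))
        elif section == "O17" and "NameServer" in body:
            servers = ", ".join(IP_RE.findall(body))
            items.append((section, body, "DNS servers set to %s: confirm they belong to your ISP or router" % servers))
    return items


def summarize(log_text):
    """Count entries per section so the shape of the log can be reported at a glance."""
    counts = {}
    for section, _ in parse_entries(log_text):
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    for section, body, reason in review_items(SAMPLE_LOG):
        print("%s  %s\n      -> %s" % (section, reason, body))
```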

Blade81
2008-04-28, 21:31
Due to inactivity, this thread will now be closed.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.