continuous attack on my pc .. please help



wickedsunny
2006-11-29, 06:40
I strongly believe someone is continuously hacking my PC..

I tried most of the antivirus software packages, but they all work only once...

Now here's the HijackThis log file -

Logfile of HijackThis v1.99.1
Scan saved at 10:05:46 AM, on 11/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
K:\avast\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
K:\avast\ashServ.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
K:\avast\ashDisp.exe
C:\Program Files\Prevx1\PXConsole.exe
K:\avast\ashWebSv.exe
K:\avast\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sunny\Desktop\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://housecall60.trendmicro.com/en/start_corp.asp
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] K:\avast\ashDisp.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] expfix.exe
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5D455FF-9650-4565-BD2F-BC08C38ED79F}: NameServer = 172.16.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WLogon - srvc.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - K:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - K:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - K:\avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - K:\avast\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINDOWS\system\msidll.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NT Online Protection - Unknown owner - C:\PROGRA~1\QUICKH~1\ONLNSVC.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe (file missing)
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe


avast is the antivirus I am using; wwsecure is a piece of software which I deleted by mistake, and now it is not getting removed from my PC and boots up on every startup.

Prevx I am using to keep a close watch on the background programs running and to remove malware, but even now it has got disabled. DAP I use for downloading big files... the license manager runs with one of my 3D software packages..

After seeing this log I have deleted the registry entries for svcchost.exe and epifix.exe.


While using Prevx I had frequent attacks from a malware ".EXE" which got created when lsass.exe started listening to a server..

Also, before that svchost was creating a file with the help of tftp, and my cmd and ftp used to open automatically the moment I connected to the internet.

I could not figure out a solution, so I simply renamed ftp.exe and cmd.exe to avoid hacking.

Please let me know if there are more problems here, and also please tell me which antiviral/removal software I should keep - I mean a set of firewall, spyware remover and antivirus software...

Do help me out

Thank you.

wickedsunny
2006-11-29, 06:49
Also, I tried running combofix.exe.

It starts and automatically gets terminated within 2 seconds.

wickedsunny
2006-11-29, 07:01
And before you ask me, here's the scanner.exe result of hijackthis.exe:

Logfile of HijackThis v1.99.1
Scan saved at 11:27:54 AM, on 11/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
K:\avast\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
K:\avast\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
K:\avast\ashDisp.exe
K:\avast\ashWebSv.exe
K:\avast\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sunny\Desktop\Hijack this\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://housecall60.trendmicro.com/en/start_corp.asp
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] K:\avast\ashDisp.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A074769-CAB9-4F39-9C13-450EB8BE3F5F}: NameServer = 218.248.255.145 61.1.96.71
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5D455FF-9650-4565-BD2F-BC08C38ED79F}: NameServer = 172.16.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WLogon - srvc.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - K:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - K:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - K:\avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - K:\avast\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINDOWS\system\msidll.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NT Online Protection - Unknown owner - C:\PROGRA~1\QUICKH~1\ONLNSVC.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe (file missing)
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe

Mr_JAk3
2006-11-29, 13:54
Hi wickedsunny and welcome to Safer Networking Forums :)

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
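The backdoor verdict above is the kind of conclusion a helper reaches by reading a HijackThis log line by line. The following Python script is an added example, not part of this thread and not HijackThis's own code: it parses the line formats seen in the logs here (O4, O17, O20, O23) and applies a few defender heuristics, namely bare filenames in RunServices entries, DNS servers outside private ranges, and Winlogon notify packages or services whose files are missing. The sample lines are copied from the logs posted above; the heuristics, the `triage` function and the `Finding` record are this example's own assumptions, not HijackThis rules.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] K:\avast\ashDisp.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] expfix.exe
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A074769-CAB9-4F39-9C13-450EB8BE3F5F}: NameServer = 218.248.255.145 61.1.96.71
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WLogon - srvc.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINDOWS\system\msidll.exe (file missing)
"""

@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str    # why a reviewer should look at this entry (a prompt, not a verdict)
    line: str      # the original log line

# Every log line is "<section> - <body>"; the body format depends on the section.
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

def _executable(cmd: str) -> str:
    """First token of an autostart command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""

def _public_servers(servers: str) -> list[str]:
    """DNS server addresses that are neither private-range nor loopback."""
    out = []
    for tok in servers.split():
        try:
            ip = ip_address(tok)
        except ValueError:
            continue
        if not (ip.is_private or ip.is_loopback):
            out.append(tok)
    return out

def triage(log_text: str) -> list[Finding]:
    """Run the heuristics over every recognised line and collect findings."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":
            m4 = O4_RE.match(body)
            if m4:
                exe = _executable(m4.group("cmd"))
                # A bare filename is resolved by PATH search, so the log alone
                # does not tell you which file on disk actually runs.
                if "\\" not in exe and "/" not in exe:
                    findings.append(Finding(sec, f"{m4.group('key')} entry [{m4.group('name')}] "
                                            f"uses a bare filename {exe!r}; confirm its location on disk", line))
        elif sec == "O17":
            m17 = O17_RE.search(body)
            if m17:
                pub = _public_servers(m17.group("servers"))
                if pub:
                    findings.append(Finding(sec, f"DNS servers {pub} are outside private ranges; "
                                            "verify they are the ISP's resolvers", line))
        elif sec == "O20":
            m20 = O20_RE.match(body)
            if m20 and "(file missing)" in m20.group("dll"):
                findings.append(Finding(sec, f"Winlogon notify package {m20.group('name')} points at "
                                        f"a DLL the scanner could not find ({m20.group('dll')})", line))
        elif sec == "O23":
            m23 = O23_RE.match(body)
            if m23 and m23.group("owner") == "Unknown owner" and "(file missing)" in m23.group("path"):
                findings.append(Finding(sec, f"service {m23.group('name')!r} has no known owner "
                                        "and its binary is missing", line))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Every finding is a prompt to check on disk, not a verdict. HijackThis 1.99.1 mis-splits quoted service paths that carry arguments (the avast entries in the logs above show a stray quote and "(file missing)" for services that are plainly running), and WRNotifier is a leftover of the Webroot program the poster deleted, so the O20 and O23 checks produce expected false positives. The O17 check only says the resolvers are not on the LAN; comparing them against the ISP's published DNS servers settles it.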

wickedsunny
2006-11-29, 17:28
Thank you.

That is what I was expecting.

I don't use it for banking currently but I am bothered about my passwords.

Also, if someone is controlling my PC, will he be able to copy files of over 30 MB in size from my PC?

I cannot reinstall right now; I need to complete one piece of work, so I need a week's time.

Please help me remove it in the current state.

I have applied for the MR university; in the last one year I have been continuously attacked by hackers, and I need to learn how to protect myself and others from it.

Is there a way to even find out who is hacking me? If not, at least his location in the world?

I forgot to mention that I stop a few processes after boot-up, so here's a log of the processes right after boot-up.

Logfile of HijackThis v1.99.1
Scan saved at 9:21:54 PM, on 11/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
K:\avast\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
K:\avast\ashServ.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
K:\avast\ashDisp.exe
K:\avast\ashWebSv.exe
K:\avast\ashMaiSv.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Sunny\Desktop\Hijack this\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://housecall60.trendmicro.com/en/start_corp.asp
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] K:\avast\ashDisp.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5D455FF-9650-4565-BD2F-BC08C38ED79F}: NameServer = 172.16.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WLogon - srvc.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - K:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - K:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - K:\avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - K:\avast\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINDOWS\system\msidll.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NT Online Protection - Unknown owner - C:\PROGRA~1\QUICKH~1\ONLNSVC.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe (file missing)
O23 - Service: Washer Security Access (wwSecSvc) - Unknown owner - C:\WINDOWS\System32\wwSecure.exe (file missing)

Mr_JAk3
2006-11-29, 18:17
Hi again, I respect your decision to continue :)

You're getting infected because you're not protected.... We'll get you protected, but first we'll do some cleaning...

You are using DAP which is not technically malware, but it may include malware and allow it into your system. You can find Safer Alternatives (http://www.spywareinfo.com/downloads.php?cat=dlman#dlman). We'll remove it.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

Disable PrevX realtime protection
Right click on the Prevx icon in your system tray at the bottom-right corner of your screen and choose Show Management Console..
On the Management Console click the Protection Level drop-down menu. You will see three levels:
Maximum
Off
User Defined
Disable all protection by setting the level to Off. You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes.
Click the X on the upper right hand corner to exit the Management console.
==================

Open Control Panel -> Add/Remove programs -> Remove all the of the following or similar entries if found:

DAP

and any other programs you didn't install or don't recognize - if you're not sure, please ask first.

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: WLogon - srvc.dll (file missing)

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following folders (if present):
C:\Program Files\DAP

Use the Windows search: Start > Search > All files and folders > More advanced options. Checkmark these options:
"Search system folders"
"Search hidden files and folders"
"Search subfolders"
Search for this and delete if found: srvc.dll

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
- finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum

wickedsunny
2006-11-29, 20:04
Well, the first few steps went smoothly, but when I am trying to enter safe mode, it's taking a very long time - longer than usual - and when I manage to enter safe mode and try running the SDFix bat file, it's giving me this error:

http://i16.tinypic.com/34j2gxt.jpg

What should I do now?

wickedsunny
2006-11-29, 23:05
Hey Jak, please help me out, I am waiting... I wanna get rid of these Trojans soon enough...

wickedsunny
2006-11-30, 02:30
Well Jak

I realized what was giving the error...

I had renamed my cmd.exe, so that's why the bat file was not working...

Well, after 2 hours of AVG scan, here are the results.....

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:42:41 AM 11/30/2006

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/TFTP2840 -> Backdoor.Rbot : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/TFTP1964 -> Backdoor.Rbot.bdu : Cleaned with backup (quarantined).
D:\My Documents\AGE OF MYTHOLOGY\New Folder\Grand_Theft_Auto_GTA_4_Vice_City_Full_Crack.zip/Gta4 anti cd check crack by crackme.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
D:\My Documents\warcraft3reignofchaosv1.0nocdpatchjoj.zip/Warcraft 3.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
D:\desktop back up\GTA_4_Vice_city_CD-Check_by_CrackMe.zip/Gta4 anti cd check crack by crackme.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
D:\desktop back up\GrandTheftAutoViceCityTrainer.zip/PATCH.EXE -> Trojan.Proxcrak.A : Cleaned with backup (quarantined).
D:\backup 2\cracks\Adobe_Creative_Suite_Premiu.zip/NFO/adobe_cs_keygen.exe -> Worm.Delf.bd : Cleaned with backup (quarantined).


::Report end

I did not quarantine the tftp ones, as AVG was saying it would quarantine the whole backup archive of SDFix; if that's OK to be deleted then I will again go to safe mode and quarantine it.

Logfile of HijackThis v1.99.1
Scan saved at 6:48:01 AM, on 11/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
K:\avast\aswUpdSv.exe
K:\avast\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
K:\avast\ashDisp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
K:\avast\ashWebSv.exe
K:\avast\ashMaiSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Sunny\Desktop\Hijack this\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://housecall60.trendmicro.com/en/start_corp.asp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] K:\avast\ashDisp.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5D455FF-9650-4565-BD2F-BC08C38ED79F}: NameServer = 172.16.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - K:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - K:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - K:\avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - K:\avast\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NT Online Protection - Unknown owner - C:\PROGRA~1\QUICKH~1\ONLNSVC.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe (file missing)
O23 - Service: Washer Security Access (wwSecSvc) - Unknown owner - C:\WINDOWS\System32\wwSecure.exe (file missing)


SDFix: Version 1.44
-------------------

Thu 11/30/2006 - 3:57:44.31


Microsoft Windows XP [Version 5.1.2600]

Running from C:\SDFix

Stage One - Safe Mode
Service Check...

Service Name:
------------
msidll

FilePath:
--------
"C:\WINDOWS\system\msidll.exe"

msidll Deleted...

Starting Registry Repairs...


Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

C:\WINDOWS\system32\i
C:\WINDOWS\system32\TFTP1964
C:\WINDOWS\system32\TFTP1512
C:\WINDOWS\system32\TFTP3452
C:\WINDOWS\system32\TFTP2840
C:\WINDOWS\system32\TFTP1428
C:\WINDOWS\system32\TFTP3540

Backing Up and Removing any Files Found...

Final Check:

Services:
---------


Authorized Applications Export:

Files:
------

Checking For Hidden Files:

C:\Program Files\Messenger\msmsgs.exe
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\WINDOWS\system32\1404D17E30.dll
C:\WINDOWS\system32\config\system.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\LastGood.Tmp\INF\oem1.inf
C:\WINDOWS\LastGood.Tmp\INF\oem1.PNF


Backups folder: - C:\SDFix\backups\backups.zip

FINISHED!

Please let me know what to do next now and how to protect my computer

Thank you very much for all the help...:angel: ;)

Mr_JAk3
2006-11-30, 11:02
Hi again :)

We're probably on different timezones -> some delay

Usage of cracks is illegal and gets you infected :sick:
D:\My Documents\AGE OF MYTHOLOGY\New Folder\Grand_Theft_Auto_GTA_4_Vice_City_Full_Crack.zip/Gta4 anti cd check crack by crackme.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
D:\My Documents\warcraft3reignofchaosv1.0nocdpatchjoj.zip/Warcraft 3.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
D:\desktop back up\GTA_4_Vice_city_CD-Check_by_CrackMe.zip/Gta4 anti cd check crack by crackme.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
D:\desktop back up\GrandTheftAutoViceCityTrainer.zip/PATCH.EXE -> Trojan.Proxcrak.A : Cleaned with backup (quarantined).
D:\backup 2\cracks\Adobe_Creative_Suite_Premiu.zip/NFO/adobe_cs_keygen.exe -> Worm.Delf.bd : Cleaned with backup (quarantined).

Go to virustotal.com (http://www.virustotal.com)
Click on the Browse button
Browse to the following file: C:\WINDOWS\system32\1404D17E30.dll
Click Open and then on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan: Select My Computer

This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.


:bigthumb:

wickedsunny
2006-11-30, 17:26
Yes Jack I will never download a crack again in my life...:lip:

After cleaning yesterday my pc was attacked again twice - first by Isass.exe (not Lsass.exe)

which I deleted and removed also from the registry and then I scanned my pc with avg again to find this trojan...

http://i17.tinypic.com/4ftk6rt.jpg

The highlighted one... should I delete all these now ?

Here is the Virus total result

Complete scanning result of "1404D17E30.dll", received in VirusTotal at 11.30.2006, 17:01:58 (CET).
Antivirus Version Update Result
AntiVir 7.2.0.46 11.30.2006 no virus found
Authentium 4.93.8 11.30.2006 no virus found
Avast 4.7.892.0 11.30.2006 no virus found
AVG 386 11.30.2006 no virus found
BitDefender 7.2 11.30.2006 no virus found
CAT-QuickHeal 8.00 11.30.2006 no virus found
ClamAV devel-20060426 11.30.2006 no virus found
DrWeb 4.33 11.30.2006 no virus found
eSafe 7.0.14.0 11.30.2006 no virus found
eTrust-InoculateIT 23.73.72 11.29.2006 no virus found
eTrust-Vet 30.3.3223 11.30.2006 no virus found
Ewido 4.0 11.30.2006 no virus found
Fortinet 2.82.0.0 11.30.2006 no virus found
F-Prot 3.16f 11.30.2006 no virus found
F-Prot4 4.2.1.29 11.30.2006 no virus found
Ikarus 0.2.65.0 11.30.2006 no virus found
Kaspersky 4.0.2.24 11.30.2006 no virus found
McAfee 4907 11.29.2006 no virus found
Microsoft 1.1804 11.30.2006 no virus found
NOD32v2 1892 11.30.2006 no virus found
Norman 5.80.02 11.30.2006 no virus found
Panda 9.0.0.4 11.29.2006 no virus found
Prevx1 V2 11.30.2006 no virus found
Sophos 4.11.0 11.16.2006 no virus found
TheHacker 6.0.3.126 11.29.2006 no virus found
UNA 1.83 11.29.2006 no virus found
VBA32 3.11.1 11.30.2006 no virus found
VirusBuster 4.3.15:9 11.30.2006 no virus found
Aditional Information
File size: 8 bytes
MD5: 30d5858eefb0b40b95b9a0d12f8e6837
SHA1: 40da095d5294f889f10e645ac4274acf39121d47

Now I am not able to scan with Kaspersky.com also -

http://i16.tinypic.com/47x2qmb.jpg

When I click the button nothing happens. It's saying there I need administrator rights. I need to mention again that for some reason I am not able to log in to my user accounts, they are inaccessible. Quite possible someone has hacked them as well..

What should I do next ?

Mr_JAk3
2006-11-30, 19:22
Hi again :)

OK clean the findings with AVG.

Then we'll run one other scanner....

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt: Double-click the drweb-cureit.exe file and allow it to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, look if you can click the next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log

:bigthumb:

wickedsunny
2006-11-30, 21:40
Hey Jak here is a big surprise, it treated sdfix's process.exe as trojan ?

I am shocked with it..:eek:

It also caught window washer as trojan, I thought webroot was a reputable company..:oops:

Well I always hate yahoo and it caught some other crack files as well, I haven't touched yahoo files in D drive and those crack files for over a year, I doubt they have infected my pc, but the sdfix one is quite a surprise to me.

Also one more problem - it happened yesterday as well and today also, I was working and suddenly it gave me an error "system shutting down",
RPC failure or it was closed or something like that, and my pc did shut down.

This is drweb report


Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
wwsetup1_1807707288.exe;D:\backup 2\spysweeper;Trojan.MulDrop.4262;Deleted.;
vixenpatch.exe;D:\backup 2\Adobe Premier Plugin\XENTRIK VIXEN Video Enhance v1.03.05\crack;Tool.GameCrack;Incurable.Moved.;
ycomp.dll;D:\Yahoo!\Messenger;Probably DLOADER.Trojan;Incurable.Moved.;

Logfile of HijackThis v1.99.1
Scan saved at 1:57:38 AM, on 12/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
K:\avast\aswUpdSv.exe
K:\avast\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
K:\avast\ashDisp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
K:\avast\ashWebSv.exe
K:\avast\ashMaiSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Sunny\Desktop\Hijack this\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://housecall60.trendmicro.com/en/start_corp.asp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] K:\avast\ashDisp.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5D455FF-9650-4565-BD2F-BC08C38ED79F}: NameServer = 172.16.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - K:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - K:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - K:\avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - K:\avast\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NT Online Protection - Unknown owner - C:\PROGRA~1\QUICKH~1\ONLNSVC.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe (file missing)
O23 - Service: Washer Security Access (wwSecSvc) - Unknown owner - C:\WINDOWS\System32\wwSecure.exe (file missing)

What next ?
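The HijackThis logs posted in this thread are read by eye; as an added example (not code from the thread or from HijackThis) here is a small Python triage script that parses the O23, O20 and O4 line formats and flags the patterns the helper keeps pointing at: services whose binary is "(file missing)" or has "Unknown owner", missing Winlogon Notify DLLs, and autostart entries that run a bare filename. The sample log is a few lines copied from the thread plus one constructed O4 line; "Unknown owner" alone is a weak signal (the avast! services trip it too), so it is reported for review rather than as a verdict.

```python
import re

# Line formats written by HijackThis v1.99.1 for the three entry types examined here.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def triage_line(line: str) -> list[str]:
    """Return the reasons one log line deserves a look; an empty list means nothing stood out."""
    line = line.strip()
    reasons: list[str] = []

    m = O23_RE.match(line)
    if m:
        if "(file missing)" in m["path"]:
            # Orphaned service registration: the binary was removed but the service entry remains.
            reasons.append("O23 service binary is missing (orphaned or already-removed component)")
        if m["owner"] == "Unknown owner":
            # Weak signal on its own: legitimate products without a publisher string also show this.
            reasons.append("O23 service has no recognised owner (review manually)")
        return reasons

    m = O20_RE.match(line)
    if m:
        if "(file missing)" in m["path"]:
            # A Winlogon Notify package that cannot be loaded is dead weight, but also worth explaining.
            reasons.append("O20 Winlogon Notify DLL is missing")
        return reasons

    m = O4_RE.match(line)
    if m:
        cmd = m["cmd"].strip().strip('"')
        if "\\" not in cmd:
            # A bare filename is resolved through the search path at logon, so the real file
            # can sit anywhere on that path; ask where it actually lives before trusting it.
            reasons.append("O4 autostart runs a bare filename resolved via the search path")
        return reasons

    return reasons


def triage_log(text: str) -> dict[str, list[str]]:
    """Map each flagged line of a HijackThis log to its reasons, in log order."""
    findings: dict[str, list[str]] = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


# Sample input: lines taken from the log above, plus one constructed O4 line (not from the thread)
# modelled on the "svcchost.exe" startup entry that ComboFix reports later in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [msvcc25] svcchost.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! Mail Scanner - Unknown owner - K:\avast\ashMaiSv.exe" /service (file missing)
O23 - Service: Washer Security Access (wwSecSvc) - Unknown owner - C:\WINDOWS\System32\wwSecure.exe (file missing)
"""

if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("   ->", reason)
```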

Mr_JAk3
2006-12-01, 07:20
Hi again :)

The SDFix's process.exe is not really a trojan. The file has the ability to stop processes (it needs that when it cleans you) and the file gets flagged because of that ability. So don't worry about that.

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

wickedsunny
2006-12-01, 12:26
Hey Jak first please do something about "rpc unexpectedly terminated" error

I know there is a command when run to stop the pc from shutting down....

My computer again restarted...:sick:

here's the combofix log file -

Sunny - 06-12-01 16:32:23.51 Service Pack 1
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Sunny\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-01 to 2006-12-01 ))))))))))))))))))))))))))))))))))


2006-12-01 00:39 <DIR> d-------- C:\Documents and Settings\Sunny\DoctorWeb
2006-11-30 08:37 117 --a------ C:\WINDOWS\system32\sxizsoi.bat
2006-11-30 00:23 <DIR> d-------- C:\SDFix
2006-11-29 23:36 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-29 23:36 <DIR> d-------- C:\Program Files\Grisoft
2006-11-24 02:15 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2006-11-24 02:15 87,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2006-11-24 02:15 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2006-11-24 02:15 666,240 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-11-24 02:15 36,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2006-11-24 02:15 24,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2006-11-24 02:15 16,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2006-11-22 14:09 <DIR> d-------- C:\Program Files\Sierra
2006-11-21 22:51 53,299 --a------ C:\WINDOWS\system32\pthreadVC.dll
2006-11-21 22:51 <DIR> d-------- C:\Program Files\YafRay
2006-11-21 22:38 <DIR> d-------- C:\Program Files\Blender Foundation
2006-11-21 10:40 <DIR> d--hs---- C:\FOUND.001
2006-11-20 23:27 90,112 --a------ C:\WINDOWS\unvise32.exe
2006-11-20 23:11 <DIR> d--hs---- C:\FOUND.000
2006-11-20 22:55 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\Strata 3D CX
2006-11-20 22:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Strata 3D CX
2006-11-18 20:16 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\Sonic Foundry
2006-11-18 20:15 <DIR> d-------- C:\Program Files\Sonic Foundry
2006-11-17 20:56 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\Moi
2006-11-16 12:30 <DIR> d-------- C:\AITEMP
2006-11-12 15:26 <DIR> d-------- C:\Program Files\Common Files\DirectX
2006-11-12 14:59 974,848 --a------ C:\WINDOWS\system32\dxdiag.exe
2006-11-12 14:59 79,360 --a------ C:\WINDOWS\system32\dpwsockx.dll
2006-11-12 14:59 48,512 --a------ C:\WINDOWS\system32\drivers\stream.sys
2006-11-12 14:59 470,528 --a------ C:\WINDOWS\system32\qdvd.dll
2006-11-12 14:59 46,592 --a------ C:\WINDOWS\system32\dxdllreg.exe
2006-11-12 14:59 381,952 --a------ C:\WINDOWS\system32\dsound.dll
2006-11-12 14:59 316,928 --a------ C:\WINDOWS\system32\qdv.dll
2006-11-12 14:59 292,864 --a------ C:\WINDOWS\system32\ddraw.dll
2006-11-12 14:59 230,400 --a------ C:\WINDOWS\system32\dplayx.dll
2006-11-12 14:59 181,248 --a------ C:\WINDOWS\system32\dmime.dll
2006-11-12 14:59 122,880 --a------ C:\WINDOWS\system32\dmusic.dll
2006-11-12 14:59 1,201,152 --a------ C:\WINDOWS\system32\d3d8.dll
2006-11-12 12:29 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\Image Zone Express
2006-11-11 06:20 69,632 -ra------ C:\WINDOWS\system32\xmltok.dll
2006-11-11 06:20 36,864 -ra------ C:\WINDOWS\system32\xmlparse.dll
2006-11-11 06:20 26,096 -ra------ C:\WINDOWS\system32\xmlinst.exe
2006-11-11 06:20 24,576 -ra------ C:\WINDOWS\system32\msxml3a.dll
2006-11-11 06:01 <DIR> d-------- C:\Program Files\Common Files\EasyInfo
2006-11-11 05:46 <DIR> d-------- C:\Program Files\GameSpy Arcade
2006-11-10 22:08 21,840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2006-11-10 22:08 17,212 --a------ C:\WINDOWS\system32\SIntf32.dll
2006-11-10 22:08 12,067 --a------ C:\WINDOWS\system32\SIntf16.dll
2006-11-10 13:00 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\CyberLink
2006-11-08 23:38 0 --a------ C:\WINDOWS\system32\x.exe
2006-11-08 04:55 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\Microsoft Games
2006-11-08 04:41 <DIR> d-------- C:\game
2006-11-08 04:36 <DIR> d-------- C:\Program Files\VUGames
2006-11-07 12:16 <DIR> dr-h----- C:\Documents and Settings\Sunny\Recent
2006-11-07 11:59 90,112 --a------ C:\WINDOWS\SOUNDMAN.EXE
2006-11-07 11:59 9,697,280 --a------ C:\WINDOWS\RTLCPL.EXE
2006-11-07 11:59 69,632 --a------ C:\WINDOWS\ALCMTR.EXE
2006-11-07 11:59 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-11-07 11:59 2,951,680 --a------ C:\WINDOWS\system32\drivers\RtkHDAud.sys
2006-11-07 11:59 2,805,248 --a------ C:\WINDOWS\ALCWZRD.EXE
2006-11-07 11:59 156,672 --a------ C:\WINDOWS\system32\RTLCPAPI.dll
2006-11-07 11:59 14,396,416 --a------ C:\WINDOWS\RTHDCPL.EXE
2006-11-07 11:59 136,960 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2006-11-07 11:58 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
2006-11-07 11:55 36,864 --a------ C:\WINDOWS\system32\igfxexps.dll
2006-11-07 11:55 110,592 --a------ C:\WINDOWS\system32\igfxext.exe
2006-11-07 11:23 8 -r-hs---- C:\WINDOWS\system32\1404D17E30.dll
2006-11-07 11:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2006-11-07 07:10 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\SiteAdvisor
2006-11-07 06:41 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\McAfee
2006-11-07 06:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2006-11-06 05:38 <DIR> d-------- C:\Program Files\Dark Basic Software
2006-11-06 05:10 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-11-06 04:44 <DIR> d-------- C:\Documents and Settings\Sunny\.housecall6.6
2006-11-02 12:40 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-11-02 12:37 32,768 -ra------ C:\WINDOWS\system32\XSIChooser.exe
2006-11-02 12:35 <DIR> d-------- C:\XSI
2006-11-02 02:15 <DIR> d-------- C:\XSI 5.1
2006-11-01 17:19 154 --a------ C:\WINDOWS\Vue 5 Infinite.reg
2006-11-01 17:16 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2006-11-01 17:16 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2006-11-01 17:16 286 --a------ C:\WINDOWS\Vue 5 Infinite Trial.reg
2006-11-01 17:14 <DIR> d-------- C:\Program Files\e-on software


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-29 23:28 -------- d-------- C:\Documents and Settings\Sunny\Application Data\Atari
2006-10-24 16:34 -------- d-------- C:\Program Files\Common Files\Webroot Shared
2006-10-24 12:02 -------- d-------- C:\Program Files\ASUSTeK
2006-10-24 10:56 -------- d-------- C:\Program Files\Hewlett-Packard
2006-10-24 10:53 -------- d-------- C:\Program Files\HP
2006-10-20 15:03 11648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2006-10-19 10:49 9840 --a------ C:\WINDOWS\system32\pfplgprx.dll
2006-10-19 10:49 16272 --a------ C:\WINDOWS\system32\pfplgflt.dll
2006-10-19 10:48 5360 --a------ C:\WINDOWS\system32\pfplgnfo.dll
2006-10-18 16:53 -------- d-------- C:\Program Files\Kundli
2006-10-11 09:02 -------- d-------- C:\Program Files\Microsoft Games
2006-10-10 21:27 -------- d-------- C:\Program Files\Shepherd's Worlds, Inc
2006-10-05 15:15 -------- d-------- C:\Program Files\Huawei
2006-10-05 12:07 0 --a------ C:\AUTOEXEC.BAT


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"PRONoMgrWired"="C:\\Program Files\\Intel\\PROSetWired\\NCS\\PROSet\\PRONoMgr.exe"
"RemoteControl"="\"C:\\Program Files\\ASUSTeK\\ASUSDVD\\PDVDServ.exe\""
"avast!"="K:\\avast\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,c0
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,c0
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="http://www.rentacoder.com/RentACoder/misc/LinkToUs/ScrollingBidRequests.asp?blnHideChannelSubscribe=true&blnLaunchLinkInNewWindow=true&blnFullTitle=true"
"SubscribedURL"="http://www.rentacoder.com/RentACoder/misc/LinkToUs/Channel/NewBidRequests.cdf"
"FriendlyName"="New Bid Requests"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a2,01,00,00,23,00,00,00,a4,00,00,00,9a,00,00,00,ea,\
03,00,00,00,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a2,01,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,44,03,00,00,59,00,00,00,c9,00,00,00,08,02,\
00,00,01,00,00,40

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^24Online Client.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\24Online Client.lnk"
"backup"="C:\\WINDOWS\\pss\\24Online Client.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\ELITEC~1\\CYBERO~1\\CYBERO~1.EXE "
"item"="24Online Client"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Acrobat Speed Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Acrobat Speed Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{AC76BA86-1033-0000-7760-000000000002}\\SC_Acrobat.exe "
"item"="Adobe Acrobat Speed Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~3\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Acrotray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCMTR"
"hkey"="HKLM"
"command"="ALCMTR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCWZRD"
"hkey"="HKLM"
"command"="ALCWZRD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dslagent"
"hkey"="HKLM"
"command"="C:\\Program Files\\Huawei\\MT841\\dslagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="googletalk"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HDAShCut"
"hkey"="HKLM"
"command"="HDAShCut.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="???
??? ???
?
? ?????"
"hkey"="HKCU"
"command"="???
??? ???
?
? ?????"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft System Checkup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="libsys32"
"hkey"="HKLM"
"command"="libsys32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvcc25]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="svcchost"
"hkey"="HKLM"
"command"="svcchost.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NT Logging Service]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="syslog32"
"hkey"="HKLM"
"command"="syslog32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RTHDCPL"
"hkey"="HKLM"
"command"="RTHDCPL.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="???
??? ???
?
? ?????"
"hkey"="HKCU"
"command"="???
??? ???
?
? ?????"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySweeper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

wickedsunny
2006-12-01, 12:27
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wwDisp"
"hkey"="HKCU"
"command"="C:\\Program Files\\Webroot\\Washer\\wwDisp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows ASN3 Services]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wdza"
"hkey"="HKLM"
"command"="wdza.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\{234EBBDA-41AF-4724-AD61-3D2FB71AE794}_RAJKUMAR_Sunny.job
C:\WINDOWS\tasks\{7FEB295D-241F-4140-BCD6-EE30D1ED5E24}_RAJKUMAR_Sunny.job
C:\WINDOWS\tasks\{57F0898F-7DC5-42B2-9E26-119400CE7CA6}_RAJKUMAR_Sunny.job

Completion time: 06-12-01 16:32:45.87
C:\ComboFix.txt ... 06-12-01 16:32


Rootkit one -

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-01 16:39:49
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.12 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

INT 0x06 \??\C:\WINDOWS\System32\drivers\Haspnt.sys AA6D116D
INT 0x0E \??\C:\WINDOWS\System32\drivers\Haspnt.sys AA6D0FC2

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804E423C 1 Byte [ 06 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 2F4 8050C770 4 Bytes [ AC, 58, A9, F7 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 510 8050C98C 4 Bytes [ 12, 58, A9, F7 ]
.text ntdll.dll!NtClose 77F758AA 5 Bytes JMP 72033FAA
.text ntdll.dll!NtCreateProcess 77F759F4 5 Bytes JMP 72034135
.text ntdll.dll!NtCreateProcessEx 77F75A03 5 Bytes JMP 72034019
.text ntdll.dll!NtCreateSection 77F75A21 5 Bytes JMP 72033FC8

---- EOF - GMER 1.0.12 ----

wickedsunny
2006-12-01, 13:26
Meanwhile I was attacked again, this time by IRDvxc.exe.

I removed it with AVG, but I also found the .exe again in windows/system32, which AVG overlooked.

Do you think someone is purposely hacking my PC?

wickedsunny
2006-12-02, 03:47
Hey Jak, where are you, man?

I was attacked three more times:

First by iexplore.exe
2nd by spoolsvc.exe
3rd by crss.exe

AVG also caught these cookies, though I have deleted them now.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:54:16 AM 12/2/2006

+ Scan result:

:mozilla.35:C:\Documents and Settings\Sunny\Application Data\Mozilla\Firefox\Profiles\dfch4x3o.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.36:C:\Documents and Settings\Sunny\Application Data\Mozilla\Firefox\Profiles\dfch4x3o.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.37:C:\Documents and Settings\Sunny\Application Data\Mozilla\Firefox\Profiles\dfch4x3o.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.38:C:\Documents and Settings\Sunny\Application Data\Mozilla\Firefox\Profiles\dfch4x3o.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.42:C:\Documents and Settings\Sunny\Application Data\Mozilla\Firefox\Profiles\dfch4x3o.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.39:C:\Documents and Settings\Sunny\Application Data\Mozilla\Firefox\Profiles\dfch4x3o.default\cookies.txt -> TrackingCookie.Hitslink : No action taken.


::Report end


Please help me out, man. Now seriously, someone is trying to hack my PC for sure. Is there any tool to locate him?

Mr_JAk3
2006-12-02, 13:11
Hi there and sorry for the long delay.

I have to do some more research but I promise to get back to you as soon as possible. Please try to keep the computer offline if possible.

:bigthumb:

Mr_JAk3
2006-12-02, 15:12
Hi again :)

May I ask where you live (in India maybe)?

Let's try this:

Make a new folder on the C:\ drive called silentrunners.
Download 'Silent Runners' from here (direct download):
http://www.silentrunners.org/Silent%20Runners.vbs
Save it to your silentrunners folder.

Click Start > Run, type cmd and hit Enter.
Type the following exactly and hit Enter after each line:
cd c:\silentrunners
"silent runners.vbs" -all

Wait until it pops up saying it's completed, then post the resulting logfile here.
It will be very large. You may need several posts to include everything.

wickedsunny
2006-12-02, 16:48
Jak

Yes I am from India.

I am having an error while trying to play that script; should I try in safe mode?

http://i16.tinypic.com/2r7bj1y.jpg

Mr_JAk3
2006-12-02, 20:12
Hi again :)

Download
http://www.dougknox.com/xp/fileassoc/xp_vbs_file_association.zip

Unzip it to a convenient place, double-click vbd_file_fix.reg and allow the merge.

Run Silent Runners again (follow the earlier instructions) and see if it works. If so, post the log here.

===============

Then download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/zh/BetaB/combofix.exe) - and save it to your desktop. This is a different version from the previous one!

Boot into safe mode by tapping the F8 key just before Windows starts to load.

Double click combofix.exe.

When finished, it shall produce a log for you. Save it and post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next post, please include:
new HijackThis log
ComboFix log

*use separate posts to ensure the logs don't get cut off!

=======================

Copy/paste the following quote box into a new notepad (not wordpad) document. Make sure that wordwrap is turned off.


cd %systemdrive%\
If not exist lsafiles MkDir lsafiles
regedit /a /e lsafiles\1.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
regedit /a /e lsafiles\2.txt HKEY_CURRENT_USER\Software\Microsoft\OLE
regedit /a /e lsafiles\3.txt HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa
regedit /a /e lsafiles\4.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
regedit /a /e lsafiles\5.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
regedit /e /a lsafiles\6.txt HKEY_USERS\.DEFAULT\SYSTEM\CurrentControlSet\Control\Lsa
regedit /a /e lsafiles\7.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
regedit /a /e lsafiles\8.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center"
Regedit /a /e lsafiles\9.txt HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
Regedit /a /e lsafiles\10.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
Regedit /a /e lsafiles\11.txt HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WindowsFirewall
Regedit /a /e lsafiles\12.txt HKEY_CURRENT_USER\SOFTWARE\Policies\WindowsFirewall
regedit /a /e lsafiles\13.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
regedit /a /e lsafiles\14.txt HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings
regedit /a /e lsafiles\15.txt HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
regedit /a /e lsafiles\16.txt HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate
regedit /a /e lsafiles\17.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
regedit /a /e lsafiles\18.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
regedit /a /e lsafiles\19.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr
Copy lsafiles\*.txt = %systemdrive%\lsa.txt
rmdir /s /q lsafiles
Notepad %systemdrive%\lsa.txt
del /q %systemdrive%\lsa.txt


Save it to your Desktop as inspect.bat. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: inspect.bat

Locate inspect.bat on your Desktop and double-click it. When finished it will open a file in Notepad. That file will be named lsa.txt. Copy/paste the content in your reply. When you close Notepad the CMD window will close automatically and the new folder will be deleted.

:bigthumb:
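
Both the ComboFix 'Reg Loading Points' dump wickedsunny posted earlier and the lsa.txt that inspect.bat writes are in regedit's export format. As an added example (not a tool from this thread or from any helper here), the Python script below parses that format and flags Run-key entries that need a closer look; the two heuristics it applies and the constructed sample excerpt are assumptions of the example, not rules from the thread.

```python
"""Added example (not a tool from this thread): review the auto-start entries in a
regedit-style export such as ComboFix's "Reg Loading Points" section or the lsa.txt
that inspect.bat writes, and flag the ones a malware-removal helper looks at first.
The two heuristics are assumptions of this example, not rules from the thread:
  1. a Run-key command that is a bare file name is found through the PATH search
     order, so locate the file and check its publisher before trusting it;
  2. a name one edit away from a core Windows process name is a look-alike."""
import re

# Constructed excerpt in the same format as the ComboFix dump posted in the thread
# (the hkey/inimapping values are left out; they play no part in the check).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft System Checkup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="libsys32"
"command"="libsys32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvcc25]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="svcchost"
"command"="svcchost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RTHDCPL"
"command"="RTHDCPL.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
STRING_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Core Windows processes whose names malware likes to imitate (XP-era list).
CORE_PROCESSES = ("csrss", "smss", "lsass", "svchost", "winlogon", "services", "spoolsv", "explorer")


def parse_reg_export(text):
    """Return {key_path: {value_name: string}} for a REGEDIT4-style export.
    Only string values are kept, and regedit's backslash escaping is undone."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        head = SECTION_RE.match(line)
        if head:
            current = sections.setdefault(head.group(1), {})
            continue
        value = STRING_VALUE_RE.match(line)
        if value and current is not None:
            name, raw = value.groups()
            current[name] = re.sub(r'\\(.)', r'\1', raw)   # \\ -> \  and  \" -> "
    return sections


def program_path(command):
    """Return the program part of a command line, without quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        close = command.find('"', 1)
        return command[1:close] if close != -1 else command[1:]
    return command.split(" ", 1)[0]


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_startup_entries(text):
    """Return {entry_name: [reasons]} for every startup entry that needs a look."""
    findings = {}
    for key, values in parse_reg_export(text).items():
        command = values.get("command")
        if not command:
            continue    # keys without a command, e.g. the empty startupreg root
        program = program_path(command)
        stem = re.sub(r'\.exe$', '', program.rsplit("\\", 1)[-1].lower())
        reasons = []
        if "\\" not in program:
            reasons.append("bare file name resolved via PATH: locate the file and check its publisher")
        reasons += [f"look-alike of the Windows process {core}.exe"
                    for core in CORE_PROCESSES if levenshtein(stem, core) == 1]
        if reasons:
            findings[key.rsplit("\\", 1)[-1]] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in review_startup_entries(SAMPLE_EXPORT).items():
        print(entry, "->", "; ".join(reasons))
```

Run over the full dump it also lists the Realtek tray tools (RTHDCPL, SOUNDMAN, ALCMTR, ALCWZRD, HDAShCut) because they start as bare names too; the bare-name check tells you where to look, not what to delete.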

wickedsunny
2006-12-02, 22:37
Jak, I think I am struck by the most dangerous viruses of all... that's why it's taking so much time ;) ... I must be very important to someone who is continuously hacking me.

Here are the results.

First, even after patching the registry, it is giving an error.

http://i17.tinypic.com/2j3pqc2.jpg

wickedsunny
2006-12-02, 22:38
Here's the hijack list

Logfile of HijackThis v1.99.1
Scan saved at 2:57:06 AM, on 12/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
K:\avast\aswUpdSv.exe
K:\avast\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
K:\avast\ashDisp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
K:\avast\ashWebSv.exe
K:\avast\ashMaiSv.exe
C:\Documents and Settings\Sunny\Desktop\Hijack this\Scanner.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://housecall60.trendmicro.com/en/start_corp.asp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] K:\avast\ashDisp.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5D455FF-9650-4565-BD2F-BC08C38ED79F}: NameServer = 172.16.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - K:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - K:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - K:\avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - K:\avast\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NT Online Protection - Unknown owner - C:\PROGRA~1\QUICKH~1\ONLNSVC.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe (file missing)
O23 - Service: Washer Security Access (wwSecSvc) - Unknown owner - C:\WINDOWS\System32\wwSecure.exe (file missing)

wickedsunny
2006-12-02, 22:39
Here's the ComboFix -
Sunny - 06-12-03 2:43:23.14 Service Pack 1
ComboFix 06.12.01W - Running from: "C:\Documents and Settings\Sunny\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\x.exe


((((((((((((((((((((((((((((((( Files Created from 2006-11-03 to 2006-12-03 ))))))))))))))))))))))))))))))))))


2006-12-02 20:55 <DIR> d-------- C:\Silentrunners
2006-12-01 16:34 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
2006-12-01 00:39 <DIR> d-------- C:\Documents and Settings\Sunny\DoctorWeb
2006-11-30 08:37 117 --a------ C:\WINDOWS\system32\sxizsoi.bat
2006-11-30 00:23 <DIR> d-------- C:\SDFix
2006-11-29 23:36 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-29 23:36 <DIR> d-------- C:\Program Files\Grisoft
2006-11-24 02:15 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2006-11-24 02:15 87,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2006-11-24 02:15 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2006-11-24 02:15 666,240 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-11-24 02:15 36,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2006-11-24 02:15 24,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2006-11-24 02:15 16,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2006-11-22 14:09 <DIR> d-------- C:\Program Files\Sierra
2006-11-21 22:51 53,299 --a------ C:\WINDOWS\system32\pthreadVC.dll
2006-11-21 22:51 <DIR> d-------- C:\Program Files\YafRay
2006-11-21 22:38 <DIR> d-------- C:\Program Files\Blender Foundation
2006-11-21 10:40 <DIR> d--hs---- C:\FOUND.001
2006-11-20 23:27 90,112 --a------ C:\WINDOWS\unvise32.exe
2006-11-20 23:11 <DIR> d--hs---- C:\FOUND.000
2006-11-20 22:55 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\Strata 3D CX
2006-11-20 22:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Strata 3D CX
2006-11-18 20:16 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\Sonic Foundry
2006-11-18 20:15 <DIR> d-------- C:\Program Files\Sonic Foundry
2006-11-17 20:56 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\Moi
2006-11-16 12:30 <DIR> d-------- C:\AITEMP
2006-11-12 15:26 <DIR> d-------- C:\Program Files\Common Files\DirectX
2006-11-12 14:59 974,848 --a------ C:\WINDOWS\system32\dxdiag.exe
2006-11-12 14:59 79,360 --a------ C:\WINDOWS\system32\dpwsockx.dll
2006-11-12 14:59 48,512 --a------ C:\WINDOWS\system32\drivers\stream.sys
2006-11-12 14:59 470,528 --a------ C:\WINDOWS\system32\qdvd.dll
2006-11-12 14:59 46,592 --a------ C:\WINDOWS\system32\dxdllreg.exe
2006-11-12 14:59 381,952 --a------ C:\WINDOWS\system32\dsound.dll
2006-11-12 14:59 316,928 --a------ C:\WINDOWS\system32\qdv.dll
2006-11-12 14:59 292,864 --a------ C:\WINDOWS\system32\ddraw.dll
2006-11-12 14:59 230,400 --a------ C:\WINDOWS\system32\dplayx.dll
2006-11-12 14:59 181,248 --a------ C:\WINDOWS\system32\dmime.dll
2006-11-12 14:59 122,880 --a------ C:\WINDOWS\system32\dmusic.dll
2006-11-12 14:59 1,201,152 --a------ C:\WINDOWS\system32\d3d8.dll
2006-11-12 12:29 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\Image Zone Express
2006-11-11 06:20 69,632 -ra------ C:\WINDOWS\system32\xmltok.dll
2006-11-11 06:20 36,864 -ra------ C:\WINDOWS\system32\xmlparse.dll
2006-11-11 06:20 26,096 -ra------ C:\WINDOWS\system32\xmlinst.exe
2006-11-11 06:20 24,576 -ra------ C:\WINDOWS\system32\msxml3a.dll
2006-11-11 06:01 <DIR> d-------- C:\Program Files\Common Files\EasyInfo
2006-11-11 05:46 <DIR> d-------- C:\Program Files\GameSpy Arcade
2006-11-10 22:08 21,840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2006-11-10 22:08 17,212 --a------ C:\WINDOWS\system32\SIntf32.dll
2006-11-10 22:08 12,067 --a------ C:\WINDOWS\system32\SIntf16.dll
2006-11-10 13:00 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\CyberLink
2006-11-08 04:55 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\Microsoft Games
2006-11-08 04:41 <DIR> d-------- C:\game
2006-11-08 04:36 <DIR> d-------- C:\Program Files\VUGames
2006-11-07 12:16 <DIR> dr-h----- C:\Documents and Settings\Sunny\Recent
2006-11-07 11:59 90,112 --a------ C:\WINDOWS\SOUNDMAN.EXE
2006-11-07 11:59 9,697,280 --a------ C:\WINDOWS\RTLCPL.EXE
2006-11-07 11:59 69,632 --a------ C:\WINDOWS\ALCMTR.EXE
2006-11-07 11:59 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-11-07 11:59 2,951,680 --a------ C:\WINDOWS\system32\drivers\RtkHDAud.sys
2006-11-07 11:59 2,805,248 --a------ C:\WINDOWS\ALCWZRD.EXE
2006-11-07 11:59 156,672 --a------ C:\WINDOWS\system32\RTLCPAPI.dll
2006-11-07 11:59 14,396,416 --a------ C:\WINDOWS\RTHDCPL.EXE
2006-11-07 11:59 136,960 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2006-11-07 11:58 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
2006-11-07 11:55 36,864 --a------ C:\WINDOWS\system32\igfxexps.dll
2006-11-07 11:55 110,592 --a------ C:\WINDOWS\system32\igfxext.exe
2006-11-07 11:23 8 -r-hs---- C:\WINDOWS\system32\1404D17E30.dll
2006-11-07 11:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2006-11-07 07:10 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\SiteAdvisor
2006-11-07 06:41 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\McAfee
2006-11-07 06:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2006-11-06 05:38 <DIR> d-------- C:\Program Files\Dark Basic Software
2006-11-06 05:10 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-11-06 04:44 <DIR> d-------- C:\Documents and Settings\Sunny\.housecall6.6


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-02 12:30 286 --a------ C:\WINDOWS\Vue 5 Infinite Trial.reg
2006-11-02 12:30 154 --a------ C:\WINDOWS\Vue 5 Infinite.reg
2006-11-01 17:15 974848 --a------ C:\WINDOWS\system32\mfc70.dll
2006-11-01 17:15 487424 --a------ C:\WINDOWS\system32\msvcp70.dll
2006-11-01 17:14 -------- d-------- C:\Program Files\e-on software
2006-10-29 23:28 -------- d-------- C:\Documents and Settings\Sunny\Application Data\Atari
2006-10-24 16:34 -------- d-------- C:\Program Files\Common Files\Webroot Shared
2006-10-24 12:02 -------- d-------- C:\Program Files\ASUSTeK
2006-10-24 10:56 -------- d-------- C:\Program Files\Hewlett-Packard
2006-10-24 10:53 -------- d-------- C:\Program Files\HP
2006-10-20 15:03 11648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2006-10-19 10:49 9840 --a------ C:\WINDOWS\system32\pfplgprx.dll
2006-10-19 10:49 16272 --a------ C:\WINDOWS\system32\pfplgflt.dll
2006-10-19 10:48 5360 --a------ C:\WINDOWS\system32\pfplgnfo.dll
2006-10-18 16:53 -------- d-------- C:\Program Files\Kundli
2006-10-11 09:02 -------- d-------- C:\Program Files\Microsoft Games
2006-10-10 21:27 -------- d-------- C:\Program Files\Shepherd's Worlds, Inc
2006-10-05 15:15 -------- d-------- C:\Program Files\Huawei
2006-10-05 12:07 0 --a------ C:\AUTOEXEC.BAT


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"PRONoMgrWired"="C:\\Program Files\\Intel\\PROSetWired\\NCS\\PROSet\\PRONoMgr.exe"
"RemoteControl"="\"C:\\Program Files\\ASUSTeK\\ASUSDVD\\PDVDServ.exe\""
"avast!"="K:\\avast\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,c0
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,c0
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="http://www.rentacoder.com/RentACoder/misc/LinkToUs/ScrollingBidRequests.asp?blnHideChannelSubscribe=true&blnLaunchLinkInNewWindow=true&blnFullTitle=true"
"SubscribedURL"="http://www.rentacoder.com/RentACoder/misc/LinkToUs/Channel/NewBidRequests.cdf"
"FriendlyName"="New Bid Requests"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a2,01,00,00,23,00,00,00,a4,00,00,00,9a,00,00,00,ea,\
03,00,00,00,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a2,01,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,44,03,00,00,59,00,00,00,c9,00,00,00,08,02,\
00,00,01,00,00,40

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^24Online Client.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\24Online Client.lnk"
"backup"="C:\\WINDOWS\\pss\\24Online Client.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\ELITEC~1\\CYBERO~1\\CYBERO~1.EXE "
"item"="24Online Client"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Acrobat Speed Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Acrobat Speed Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{AC76BA86-1033-0000-7760-000000000002}\\SC_Acrobat.exe "
"item"="Adobe Acrobat Speed Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~3\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Acrotray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCMTR"
"hkey"="HKLM"
"command"="ALCMTR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCWZRD"
"hkey"="HKLM"
"command"="ALCWZRD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dslagent"
"hkey"="HKLM"
"command"="C:\\Program Files\\Huawei\\MT841\\dslagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="googletalk"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HDAShCut"
"hkey"="HKLM"
"command"="HDAShCut.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="???
??? ???
?
? ?????"
"hkey"="HKCU"
"command"="???
??? ???
?
? ?????"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft System Checkup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="libsys32"
"hkey"="HKLM"
"command"="libsys32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvcc25]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="svcchost"
"hkey"="HKLM"
"command"="svcchost.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NT Logging Service]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="syslog32"
"hkey"="HKLM"
"command"="syslog32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RTHDCPL"
"hkey"="HKLM"
"command"="RTHDCPL.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="???
??? ???
?
? ?????"
"hkey"="HKCU"
"command"="???
??? ???
?
? ?????"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySweeper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wwDisp"
"hkey"="HKCU"
"command"="C:\\Program Files\\Webroot\\Washer\\wwDisp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows ASN3 Services]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wdza"
"hkey"="HKLM"
"command"="wdza.exe"
"inimapping"="0"

wickedsunny
2006-12-02, 22:40
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\{234EBBDA-41AF-4724-AD61-3D2FB71AE794}_RAJKUMAR_Sunny.job
C:\WINDOWS\tasks\{7FEB295D-241F-4140-BCD6-EE30D1ED5E24}_RAJKUMAR_Sunny.job
C:\WINDOWS\tasks\{57F0898F-7DC5-42B2-9E26-119400CE7CA6}_RAJKUMAR_Sunny.job

Completion time: 06-12-03 2:45:49.46
C:\ComboFix3.txt ... 06-12-01 16:32
C:\ComboFix2.txt ... 06-12-03 02:38
C:\ComboFix.txt ... 06-12-03 02:45

wickedsunny
2006-12-02, 22:42
the lsa text

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\OLE]

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="Y"

REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,\
63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00
"LsaPid"=dword:00000128
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000000
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,69,6e,64,6f,77,73,20,4e,54,20,41,63,63,65,73,73,20,\
50,72,6f,76,69,64,65,72,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,6e,74,6d,61,72,74,61,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:8e,ca,11,a4,4f,ac,a7,32,1a,8c,77,a1,c0,b4,fc,71,30,34,34,65,62,\
65,30,63,00,68,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
5a,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,9f,ec,76,8e

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:08,41,84,5b,9f,9b,f2,9a,16

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:87,b1,f4,75,0d,29

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:2e,56,b9,cf,49,99,6f,87,60,fd,ab,44,43,e1,3b,3e

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:08,d2,7b,cb,2e,92,c1,01

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,e1,19,96,33,4f,c2,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,12,88,b0,04,4d,c1,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,49,a3,9f,33,4f,c2,01
"Type"=dword:00000031

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=dword:00000000
"AntiVirusDisableNotify"=dword:00000000
"FirewallDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,\
33,32,5c,69,70,6e,61,74,68,6c,70,2e,64,6c,6c,00
"SharedAutoDial"=dword:00000000

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001
"CreateFirstRunRp"=dword:00000001
"DSMin"=dword:000000c8
"DSMax"=dword:00000190
"RPSessionInterval"=dword:00000000
"RPGlobalInterval"=dword:00015180
"RPLifeInterval"=dword:0076a700
"CompressionBurst"=dword:0000003c
"TimerInterval"=dword:00000078
"DiskPercent"=dword:0000000c
"ThawInterval"=dword:00000384
"RestoreDiskSpaceError"=dword:00000000
"RestoreStatus"=dword:00000001
"RestoreSafeModeStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\Cfg]
"DiskPercent"=dword:0000000c
"MachineGuid"="{BFB237D7-C308-43FA-B4D7-11CF6CC82120}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\SnapshotCallbacks]
@=""

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr]
"Type"=dword:00000002
"Start"=dword:00000004
"ErrorControl"=dword:00000001
"Tag"=dword:00000004
"ImagePath"=hex(2):5c,53,79,73,74,65,6d,52,6f,6f,74,5c,53,79,73,74,65,6d,33,32,\
5c,44,52,49,56,45,52,53,5c,73,72,2e,73,79,73,00
"DisplayName"="System Restore Filter Driver"
"Group"="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters]
"FirstRun"=dword:00000001
"DontBackup"=dword:00000000
"MachineGuid"="{BFB237D7-C308-43FA-B4D7-11CF6CC82120}"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Enum]
"0"="Root\\LEGACY_SR\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

wickedsunny
2006-12-02, 22:45
I remember removing libsys32.exe from my PC, but it is still there in the registry :sick:

wickedsunny
2006-12-03, 23:20
Hey Jak? Any progress? I am seriously getting frustrated now :sad:, let me know if there is a fast solution or I will try formatting my PC. Then you can tell me how to protect it further.

Mr_JAk3
2006-12-04, 06:06
Hi again, I'm terribly sorry for the delay. I've got some help from the experts.

If you don't want to format, we may finish our cleaning.

First, some protection: you don't seem to have a firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) running; you must install a firewall.
NOTE: If you're using Windows XP firewall, I recommend that you install a better firewall. Windows firewall doesn't really provide enough protection.
Disable Windows firewall after installing a new firewall.

These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Open AVG Anti-Spyware:
On the main screen, under Your Computer's security:
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

You got some infections there.

==================

Remove the old SDFix.

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

Backup your registry:
Start
Run
Type the following to the box and hit Ok: regedit
A window opens, click on File
Choose Export from the menu
Change the save location to C:\
Give the filename RegBackUp
Make sure that the filetype is set to Registryfiles (*.reg)
Click on Save and Close the window
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"MachineLaunchRestriction"=hex:01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,\
14,00,00,00,02,00,34,00,02,00,00,00,00,00,18,00,1f,00,00,00,01,02,00,00,00,\
00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,0b,00,00,00,01,01,00,00,00,00,\
00,01,00,00,00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,\
00,00,00,00,05,20,00,00,00,20,02,00,00
"MachineAccessRestriction"=hex:01,00,04,80,44,00,00,00,54,00,00,00,00,00,00,00,\
14,00,00,00,02,00,30,00,02,00,00,00,00,00,14,00,03,00,00,00,01,01,00,00,00,\
00,00,05,07,00,00,00,00,00,14,00,07,00,00,00,01,01,00,00,00,00,00,01,00,00,\
00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList]
"{A50398B8-9075-4FBF-A7A1-456BF21937AD}"="1"
"{AD65A69D-3831-40D7-9629-9B0B50A93843}"="1"
"{0040D221-54A1-11D1-9DE0-006097042D69}"="1"
"{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3}"="1"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"enabledcom"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft System Checkup]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvcc25]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NT Logging Service]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows ASN3 Services]



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
C:\WINDOWS\system32\sxizsoi.bat
C:\WINDOWS\system32\pfplgprx.dll
C:\WINDOWS\system32\pfplgflt.dll
C:\WINDOWS\system32\pfplgnfo.dll

Use the Windows search:
Start
Search
All files and folders
More advanced options
Checkmark these options:
"Search system folders"
"Search hidden files and folders"
"Search subfolders"
Search for this and delete if found: libsys32.exe
Search for this and delete if found: svcchost.exe <- Note the double C; the legitimate file is named SVCHOST.exe
Search for this and delete if found: syslog32.exe
Search for this and delete if found: wdza.exe

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
- Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
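
Two of the steps above can be checked mechanically before acting on them: what a Fix.reg will actually change when merged (a `[-key]` section deletes a whole key, `"name"=-` deletes a single value, anything else sets a value), and which entries in the msconfig startupreg dump posted earlier deserve a second look (commands that are a bare filename with no directory, and names one character away from a real Windows binary, as with svcchost.exe versus svchost.exe). The Python below is an added example, not part of this thread and not a tool the helpers used; it also decodes the hex(7) REG_MULTI_SZ values from the LSA dump (the "Security Packages" value is copied from it). The list of known system binaries is an assumption, and the two sample fragments are constructed from values quoted in the thread.

```python
"""Checks for the REGEDIT4 text used in this thread: Fix.reg effects, hex(7) decoding, startupreg review."""

# Assumed list of well-known Windows binaries that malware names tend to imitate.
KNOWN_SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                         "services.exe", "smss.exe", "explorer.exe", "spoolsv.exe"}

def parse_reg(text):
    """Split REGEDIT4 text into (key path, delete-whole-key?, {name: raw value}) tuples."""
    sections, values, pending = [], {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):                     # hex value continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            path, values = line[1:-1], {}
            sections.append((path.lstrip("-"), path.startswith("-"), values))
            continue
        name, _, value = line.partition("=")        # '"name"="..."', '"name"=-', '@=""'
        values[name.strip('"')] = value
    return sections

def unquote(value):
    """Undo .reg string quoting: outer quotes plus the \\" and \\\\ escapes."""
    if value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    return value.replace('\\"', '"').replace("\\\\", "\\")

def decode_multi_sz(raw):
    """Decode a hex(7): value (NUL-separated ASCII strings, double-NUL terminated)."""
    if not raw.startswith("hex(7):"):
        raise ValueError("not a hex(7) REG_MULTI_SZ value")
    data = bytes(int(b, 16) for b in raw[len("hex(7):"):].split(",") if b)
    return [part.decode("ascii") for part in data.split(b"\x00") if part]

def summarize_fix(text):
    """What merging this .reg does: keys removed, single values removed, values set."""
    out = {"keys_deleted": [], "values_deleted": [], "values_set": []}
    for path, delete_key, values in parse_reg(text):
        if delete_key:
            out["keys_deleted"].append(path)
            continue
        for name, value in values.items():
            out["values_deleted" if value == "-" else "values_set"].append(path + "\\" + name)
    return out

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def executable_name(command):
    """Return (lower-case basename, True if the command names a directory)."""
    command = command.strip()
    program = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
    return program.rsplit("\\", 1)[-1].lower(), ("\\" in program or "/" in program)

def check_startup_entries(text, known=KNOWN_SYSTEM_BINARIES):
    """Flag entries run as a bare filename (found via PATH) or named one edit away from a system binary."""
    findings = []
    for path, _, values in parse_reg(text):
        if "command" not in values:
            continue
        entry = path.rsplit("\\", 1)[-1]
        exe, has_dir = executable_name(unquote(values["command"]))
        if not has_dir:
            findings.append((entry, f"bare filename {exe!r}, no directory given"))
        for legit in sorted(known):
            if exe != legit and edit_distance(exe, legit) == 1:
                findings.append((entry, f"{exe!r} is one edit away from {legit!r}"))
    return findings

# Constructed sample fragments, built from values quoted in this thread.
SAMPLE_STARTUPREG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoogleTalk]
"command"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvcc25]
"command"="svcchost.exe"
'''
SAMPLE_FIX = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"enabledcom"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvcc25]
'''
# "Security Packages" exactly as dumped from HKLM\...\Control\Lsa in this thread.
LSA_SECURITY_PACKAGES = ("hex(7):6b,65,72,62,65,72,6f,73,00,6d,73,76,31,5f,30,00,73,"
                         "63,68,61,6e,6e,65,6c,00,77,64,69,67,65,73,74,00,00")
```

Call `summarize_fix` on the text of a Fix.reg before merging it and `check_startup_entries` on a startupreg dump; `decode_multi_sz(LSA_SECURITY_PACKAGES)` turns the hex dump into the readable package list (kerberos, msv1_0, schannel, wdigest). The bare-filename rule is a review prompt, not a verdict: OEM items such as RTHDCPL.EXE and SOUNDMAN.EXE in the dump above are also bare names, so confirm where a file actually lives before deleting anything.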

wickedsunny
2006-12-04, 10:05
Jak

I am not using a firewall because it blocks my broadband internet, so what's the use of it? Please can you show me how to configure ZoneAlarm with a broadband connection?

avg report

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:55:58 PM 12/4/2006

+ Scan result:



C:\WINDOWS\system32\awtqnkh.dll -> Downloader.ConHook.ap : Cleaned with backup (quarantined).


::Report end

wickedsunny
2006-12-04, 10:06
SDFix: Version 1.44
****************

Mon 12/04/2006 - 13:18:46.03

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Sunny\Desktop\SDFix\SDFix\SDFix

Stage One - Safe Mode
Checking Services...

Service Name:


File Path:



Starting Registry Repairs...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------


Backing Up and Removing any Files Found...

Final Check:

Services:
---------


Authorized Applications Export:

Files:
------

Backups Folder: - C:\DOCUME~1\Sunny\Desktop\SDFix\SDFix\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\1404D17E30.dll
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\Program Files\Messenger\msmsgs.exe
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\WINDOWS\system32\config\system.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\LastGood.Tmp\INF\oem1.inf
C:\WINDOWS\LastGood.Tmp\INF\oem1.PNF

FINISHED!

wickedsunny
2006-12-04, 10:06
Logfile of HijackThis v1.99.1
Scan saved at 2:02:23 PM, on 12/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
K:\avast\aswUpdSv.exe
K:\avast\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
K:\avast\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
K:\avast\ashMaiSv.exe
K:\avast\ashWebSv.exe
L:\spy remover tools\Hijack this\Scanner.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://housecall60.trendmicro.com/en/start_corp.asp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {70DFC8A6-797D-4D40-9F47-AB73E5072E21} - C:\WINDOWS\System32\jkhhh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] K:\avast\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5D455FF-9650-4565-BD2F-BC08C38ED79F}: NameServer = 172.16.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhhh - C:\WINDOWS\System32\jkhhh.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - K:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - K:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - K:\avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - K:\avast\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NT Online Protection - Unknown owner - C:\PROGRA~1\QUICKH~1\ONLNSVC.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Washer Security Access (wwSecSvc) - Unknown owner - C:\WINDOWS\System32\wwSecure.exe (file missing)

Mr_JAk3
2006-12-04, 16:18
Hi again, it is starting to look better :)

You really MUST use a firewall, otherwise you WILL get infected. ZoneAlarm is a great one. Here is an excellent tutorial for ZoneAlarm (http://www.markusjansson.net/eza.html) (made by a Finn :D:)

Please ask me if you got any questions.

Still something to clean...

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

wickedsunny
2006-12-04, 18:28
Jak, I had problems with iexplore.exe when I first started today.

It was saying it is corrupted, but when I rebooted with vundofix.exe, then no problem.

Should I install a new Java ?

VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.6

Scan started at 10:42:57 PM 12/4/2006

Listing files found while scanning....

C:\WINDOWS\System32\jkhhh.dll
C:\WINDOWS\System32\hhhkj.ini
C:\WINDOWS\System32\hhhkj.bak1
C:\WINDOWS\System32\hhhkj.ini2

Beginning removal...

Attempting to delete C:\WINDOWS\System32\jkhhh.dll
C:\WINDOWS\System32\jkhhh.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\hhhkj.ini
C:\WINDOWS\System32\hhhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\hhhkj.bak1
C:\WINDOWS\System32\hhhkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\hhhkj.ini2
C:\WINDOWS\System32\hhhkj.ini2 Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of HijackThis v1.99.1
Scan saved at 10:50:36 PM, on 12/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
K:\avast\aswUpdSv.exe
K:\avast\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
K:\avast\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
K:\avast\ashWebSv.exe
K:\avast\ashMaiSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
L:\spy remover tools\Hijack this\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://housecall60.trendmicro.com/en/start_corp.asp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3521989D-6DBE-47F8-A469-5E23354152F3} - C:\WINDOWS\System32\jkhhh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] K:\avast\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5D455FF-9650-4565-BD2F-BC08C38ED79F}: NameServer = 172.16.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - K:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - K:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - K:\avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - K:\avast\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NT Online Protection - Unknown owner - C:\PROGRA~1\QUICKH~1\ONLNSVC.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Washer Security Access (wwSecSvc) - Unknown owner - C:\WINDOWS\System32\wwSecure.exe (file missing)

Mr_JAk3
2006-12-05, 06:16
Hi again, it is starting to look better :)

Fix the following leftover with HijackThis:

O2 - BHO: (no name) - {3521989D-6DBE-47F8-A469-5E23354152F3} - C:\WINDOWS\System32\jkhhh.dll (file missing)

Restart the computer.

Yes, you should update your Java to the latest version (5.0 update 9):
Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 6
Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it


Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run PandaActiveScan...

Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)

When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with one more HijackThis log :bigthumb:

wickedsunny
2006-12-05, 19:02
Jak

I am still not able to use the firewall properly. I mean even when I have allowed Firefox and the loopback adapter to access the internet, it is still blocking it..:sad:

Also I was not able to use Panda because it does not support any other browser than IE? Any other software I can try?

Here's the HijackThis list -

Logfile of HijackThis v1.99.1
Scan saved at 11:25:38 PM, on 12/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
K:\avast\aswUpdSv.exe
K:\avast\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
K:\avast\ashDisp.exe
K:\avast\ashWebSv.exe
K:\avast\ashMaiSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
L:\spy remover tools\Hijack this\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://housecall60.trendmicro.com/en/start_corp.asp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] K:\avast\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A074769-CAB9-4F39-9C13-450EB8BE3F5F}: NameServer = 218.248.255.145 61.1.96.71
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5D455FF-9650-4565-BD2F-BC08C38ED79F}: NameServer = 172.16.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - K:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - K:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - K:\avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - K:\avast\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NT Online Protection - Unknown owner - C:\PROGRA~1\QUICKH~1\ONLNSVC.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Washer Security Access (wwSecSvc) - Unknown owner - C:\WINDOWS\System32\wwSecure.exe (file missing)
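As an added example, not part of this thread or of HijackThis itself, here is a small Python script that does what a helper does by hand with two logs like the ones above: it parses the entry lines, flags items worth a second look, and diffs the follow-up log against the earlier one. The excerpt logs are constructed from lines posted in this thread; the flagging heuristics (missing files, unnamed BHOs, O17 name servers outside private ranges) are assumptions of this example, not HijackThis rules.

```python
import ipaddress
import re

# One HijackThis entry line: section code (R1, O2, O17, O23, ...) then " - " then the body.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")

def parse_entries(log_text):
    """Return (section, body) pairs for entry lines; header and process list are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in log_text.splitlines())
    return [m.groups() for m in matches if m]

def review_entry(section, body):
    """Reasons a helper would look twice at one entry (assumed heuristics, not HijackThis rules)."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("referenced file is missing: stale entry from a removed component")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("unnamed BHO: identify the CLSID before trusting it")
    if section == "O17" and "NameServer =" in body:
        # O17 lists the DNS servers per interface; anything outside RFC 1918 space should be
        # checked against what the ISP or router actually hands out.
        for addr in body.split("NameServer =", 1)[1].split():
            try:
                if not ipaddress.ip_address(addr).is_private:
                    reasons.append(f"DNS server {addr} is not a private address; confirm it is the ISP's")
            except ValueError:
                reasons.append(f"unparseable NameServer value {addr!r}")
    return reasons

def diff_logs(old_text, new_text):
    """(added, removed) entries between an earlier log and a follow-up log."""
    old, new = set(parse_entries(old_text)), set(parse_entries(new_text))
    return sorted(new - old), sorted(old - new)

# Constructed excerpts built from lines of the two logs posted in this thread.
OLD_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {3521989D-6DBE-47F8-A469-5E23354152F3} - C:\WINDOWS\System32\jkhhh.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
"""
NEW_LOG = r"""Logfile of HijackThis v1.99.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A074769-CAB9-4F39-9C13-450EB8BE3F5F}: NameServer = 218.248.255.145 61.1.96.71
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""
```

Running `diff_logs(OLD_LOG, NEW_LOG)` shows the jkhhh.dll BHO gone and a new O17 entry with two public name servers, which is exactly the kind of change a helper wants surfaced between two logs; `review_entry` on that O17 line returns one reason per public address.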

Mr_JAk3
2006-12-05, 19:44
Hi again :)

Are you sure you haven't blocked any essential Windows components, like svchost.exe, from having Internet access?

You must use a firewall, otherwise you just won't stay clean. If you absolutely can't use ZoneAlarm, the last resort is to turn the Windows firewall on. That is something that I wouldn't use but I guess it is better than nothing.

Why didn't you use IE for scanning? You may of course update the definitions of your Avast! and run a full system scan with it. Let it clean the possible findings...

How is the computer running now ?

wickedsunny
2006-12-05, 20:28
Jak, I was using my Windows firewall and even then I was getting attacked by viruses continuously, so it is basically of no use.

Here are my firewall settings; can you point out where I am doing something wrong that is blocking my net? (I have masked my IP settings and all for security.) Also the firewall log.

http://i11.tinypic.com/346srkg.jpg

http://i10.tinypic.com/2e376lx.jpg

http://i12.tinypic.com/2hggua0.jpg

http://i11.tinypic.com/4cb527a.jpg

I will check with avast, also should I check with trend micro on its site ?

Mr_JAk3
2006-12-06, 09:04
Hi again :)

Hmm are you saying that even Firefox can't have access to the internet ?

You could try to change the "Loopback adapter" to the trusted zone from Firewall -> Zones -> Loopback Adapter -> Edit

Then you could allow Internet Explorer to act as a server (make all the IE's fields green)

Yes, it would be good to check with TrendMicro too :)

Reboot and see if you can connect. Let me know :bigthumb:

wickedsunny
2006-12-07, 09:00
Hey Jak thanks for all the help.

I was still having problems and even my drives were getting shared while I didn't choose to share, so I went for formatting, and have now installed SP2 with all updates from Microsoft, all the vulnerabilities are removed ;)

Now can you please tell me how should I protect my pc properly?

Should I use sp2 firewall or try another firewall ?

thanks a lot for all help

Mr_JAk3
2006-12-07, 14:08
Hi again :)

So you formatted, now you know that you got rid of the possible remnants.

You must install one firewall.
NOTE: If you're using Windows XP firewall, I recommend that you install a better firewall. Windows firewall doesn't really provide enough protection. Disable Windows firewall after installing a new firewall.

These are good (free) firewalls:
Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)

You can download all of those to your desktop and test them one by one. Just keep your computer offline when you don't have a firewall installed.

You must install one antivirus. Otherwise you'll get infected again.

These are good (free) antiviruses:
AVG (http://free.grisoft.com)
Antivir (http://www.free-av.com)
Avast (http://www.avast.com)

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster, safer and better browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)