Continuous attack on my PC .. please help

wickedsunny

New member
I strongly believe someone is continuously hacking my PC..

I tried most antivirus software but they all work only once...

Now here's the HijackThis log file -

Logfile of HijackThis v1.99.1
Scan saved at 10:05:46 AM, on 11/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
K:\avast\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
K:\avast\ashServ.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
K:\avast\ashDisp.exe
C:\Program Files\Prevx1\PXConsole.exe
K:\avast\ashWebSv.exe
K:\avast\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sunny\Desktop\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://housecall60.trendmicro.com/en/start_corp.asp
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] K:\avast\ashDisp.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] expfix.exe
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5D455FF-9650-4565-BD2F-BC08C38ED79F}: NameServer = 172.16.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WLogon - srvc.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - K:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - K:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - K:\avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - K:\avast\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINDOWS\system\msidll.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NT Online Protection - Unknown owner - C:\PROGRA~1\QUICKH~1\ONLNSVC.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe (file missing)
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe


avast is the antivirus I am using; wwsecure is a program which I deleted by mistake, and now it's not getting removed from my PC and boots up on every startup.

Prevx I am using for keeping a close watch on background programs running and to remove malware, but even now it has got disabled. DAP I use for downloading big files... the license manager runs with one of my 3D programs..

After seeing this log I have deleted the registry entries of svcchost.exe and epifix.exe


While using Prevx I had frequent attacks of a malware ".EXE" which got created when lsass.exe started listening to the server..

Also, before that svchost was creating files with the help of tftp, and my cmd and ftp used to open automatically the moment I connected to the internet.

I could not figure out a solution, so I simply renamed ftp.exe and cmd.exe to avoid hacking.

Please let me know if there are more problems here, and also please tell me which antiviral/removal software I should keep - I mean a set of firewall, spyware remover and antivirus software...

Do help me out

Thank you.
 
And before you ask me, here's the Scanner.exe result of HijackThis.exe

Logfile of HijackThis v1.99.1
Scan saved at 11:27:54 AM, on 11/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
K:\avast\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
K:\avast\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
K:\avast\ashDisp.exe
K:\avast\ashWebSv.exe
K:\avast\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sunny\Desktop\Hijack this\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://housecall60.trendmicro.com/en/start_corp.asp
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] K:\avast\ashDisp.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A074769-CAB9-4F39-9C13-450EB8BE3F5F}: NameServer = 218.248.255.145 61.1.96.71
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5D455FF-9650-4565-BD2F-BC08C38ED79F}: NameServer = 172.16.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WLogon - srvc.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - K:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - K:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - K:\avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - K:\avast\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINDOWS\system\msidll.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NT Online Protection - Unknown owner - C:\PROGRA~1\QUICKH~1\ONLNSVC.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe (file missing)
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\System32\wwSecure.exe
 
Hi wickedsunny and welcome to Safer Networking Forums :)

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
 
Thank you.

That is what I was expecting.

I don't use it for banking currently but I am bothered about my passwords.

Also, if someone is controlling my PC, will he be able to copy files over 30 MB in size from my PC?

I cannot reinstall right now; I need to complete one piece of work, so I need a week's time.

Please help me remove it in the current state.

I have applied to the MR university; in the last one year I have been continuously attacked by hackers, and I need to learn how to protect myself and others from it.

Is there a way to even find out who is hacking me? If not, at least his location in the world?

I forgot to mention that I stop a few processes after boot-up, so here's a log of processes right after boot-up.

Logfile of HijackThis v1.99.1
Scan saved at 9:21:54 PM, on 11/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
K:\avast\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
K:\avast\ashServ.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
K:\avast\ashDisp.exe
K:\avast\ashWebSv.exe
K:\avast\ashMaiSv.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Sunny\Desktop\Hijack this\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://housecall60.trendmicro.com/en/start_corp.asp
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] K:\avast\ashDisp.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5D455FF-9650-4565-BD2F-BC08C38ED79F}: NameServer = 172.16.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WLogon - srvc.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - K:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - K:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - K:\avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - K:\avast\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINDOWS\system\msidll.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NT Online Protection - Unknown owner - C:\PROGRA~1\QUICKH~1\ONLNSVC.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe (file missing)
O23 - Service: Washer Security Access (wwSecSvc) - Unknown owner - C:\WINDOWS\System32\wwSecure.exe (file missing)
 
Hi again, I respect your decision to continue :)

You're getting infected because you're not protected... We'll get you protected, but first we'll do some cleaning...

You are using DAP which is not technically malware, but it may include malware and allow it into your system. You can find Safer Alternatives. We'll remove it.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Click Apply and then OK, and close My Computer.

Disable PrevX realtime protection
  • Right click on the Prevx icon in your system tray at the bottom-right corner of your screen and choose Show Management Console.
  • On the Management Console click the Protection Level drop-down menu. You will see three levels:
    • Maximum
    • Off
    • User Defined
  • Disable all protection by setting the level to Off. You will receive a prompt asking "You are about to change your security settings. Do you wish to continue?" Click Yes.
  • Click the X on the upper right hand corner to exit the Management console.
==================

Open Control Panel -> Add/Remove programs -> Remove all of the following or similar entries if found:

DAP

and any other programs you didn't install or don't recognize - if you're not sure please ask first

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: WLogon - srvc.dll (file missing)

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following folders (if present):
C:\Program Files\DAP

Use the Windows search
  • Start
  • Search
  • All files and folders
  • More advanced options
Checkmark these options:
  • "Search system folders"
  • "Search hidden files and folders"
  • "Search subfolders"
  • Search for this and delete if found: srvc.dll
Run ATF Cleaner
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      [screenshot of the AVG Anti-Spyware results screen, with the controls numbered (1) to (4)]
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
- Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum
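As an added illustration (not part of the thread, and not something HijackThis or the helper provides), here is a small Python triage script that applies the same reading of the logs that the helper's fix list above reflects: autostart entries that launch a bare filename (the two RunServices lines), a name one character off from a real system binary (svcchost.exe vs svchost.exe), Winlogon Notify and service entries whose file is missing, and NameServer entries outside private address ranges. The sample lines are copied from the logs wickedsunny posted; the severity labels and the list of system binary names are my assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] K:\avast\ashDisp.exe
O4 - HKLM\..\RunServices: [Microsoft Telecoms Center] expfix.exe
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A074769-CAB9-4F39-9C13-450EB8BE3F5F}: NameServer = 218.248.255.145 61.1.96.71
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WLogon - srvc.dll (file missing)
O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINDOWS\system\msidll.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

# Core Windows binaries that malware likes to imitate with a one-character change
# (this thread's svcchost.exe against the real svchost.exe). Assumed list, not exhaustive.
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "smss", "winlogon", "services", "spoolsv", "explorer"}


@dataclass
class Finding:
    line: str
    severity: str  # "high", "medium" or "review"
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(stem: str):
    """Name of the system binary that `stem` is one edit away from; None if exact or unrelated."""
    s = stem.lower()
    if s in SYSTEM_NAMES:
        return None
    return next((n for n in SYSTEM_NAMES if edit_distance(s, n) == 1), None)


def _autostart_target(body: str) -> str:
    """Pull the launched file out of 'HKLM\\..\\Run: [Name] target' or 'Global Startup: x.lnk = target'."""
    if "] " in body:
        target = body.split("] ", 1)[1]
    elif " = " in body:
        target = body.split(" = ", 1)[1]
    else:
        target = body
    return target.strip().strip('"')


def triage(log_text: str) -> list:
    """Return Findings for the entries a helper would question first, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = re.match(r"^(R\d|O\d+) - (.*)$", raw.strip())
        if not m:
            continue
        code, body = m.group(1), m.group(2)
        if code == "O4":
            target = _autostart_target(body)
            if "\\" not in target:
                # No directory at all: Windows resolves the name through the search path,
                # which installers almost never rely on. RunServices is a Win9x-era key,
                # so anything still written there on XP gets the stronger label.
                sev = "high" if "RunServices" in body else "medium"
                findings.append(Finding(raw, sev, "autostart by bare filename: " + target))
            stem = re.search(r'([^\\\s"]+)\.exe$', target, re.I)
            mimic = lookalike(stem.group(1)) if stem else None
            if mimic:
                findings.append(Finding(raw, "high", f"{stem.group(1)}.exe imitates {mimic}.exe"))
        elif code in ("O20", "O23") and "(file missing)" in body:
            # Orphaned registration; worth a look but not proof of infection: HijackThis 1.99.1
            # also prints "(file missing)" for quoted paths with arguments, as the avast! services show.
            findings.append(Finding(raw, "medium", "registered component whose file is absent"))
        elif code == "O17" and "NameServer = " in body:
            for ip in body.split("NameServer = ", 1)[1].split():
                if not ipaddress.ip_address(ip).is_private:
                    findings.append(Finding(raw, "review", "public DNS resolver " + ip + "; confirm it is your ISP's"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the sample it reports both RunServices lines, the svcchost.exe lookalike, the two file-missing entries and the two public resolvers, and says nothing about the entries the helper also left alone.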
 
Well, the first few steps went smoothly, but when I am trying to enter safe mode it's taking a very long time - longer than usual - and when I manage to enter safe mode and try running the SDFix bat file it's giving me this error

[screenshot of the error message]


What should I do now?
 
Well Jak

I realized what was giving the error...

I had renamed my cmd.exe, so that's why the bat file was not working...

Well, after 2 hrs of AVG scan here are the results.....

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:42:41 AM 11/30/2006

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/TFTP2840 -> Backdoor.Rbot : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/TFTP1964 -> Backdoor.Rbot.bdu : Cleaned with backup (quarantined).
D:\My Documents\AGE OF MYTHOLOGY\New Folder\Grand_Theft_Auto_GTA_4_Vice_City_Full_Crack.zip/Gta4 anti cd check crack by crackme.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
D:\My Documents\warcraft3reignofchaosv1.0nocdpatchjoj.zip/Warcraft 3.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
D:\desktop back up\GTA_4_Vice_city_CD-Check_by_CrackMe.zip/Gta4 anti cd check crack by crackme.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
D:\desktop back up\GrandTheftAutoViceCityTrainer.zip/PATCH.EXE -> Trojan.Proxcrak.A : Cleaned with backup (quarantined).
D:\backup 2\cracks\Adobe_Creative_Suite_Premiu.zip/NFO/adobe_cs_keygen.exe -> Worm.Delf.bd : Cleaned with backup (quarantined).


::Report end

I did not quarantine the TFTP ones as AVG was saying it will quarantine the whole backup archive of SDFix; if that's OK to be deleted then I will again go to safe mode and quarantine it.

Logfile of HijackThis v1.99.1
Scan saved at 6:48:01 AM, on 11/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
K:\avast\aswUpdSv.exe
K:\avast\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
K:\avast\ashDisp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
K:\avast\ashWebSv.exe
K:\avast\ashMaiSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Sunny\Desktop\Hijack this\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://housecall60.trendmicro.com/en/start_corp.asp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] K:\avast\ashDisp.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5D455FF-9650-4565-BD2F-BC08C38ED79F}: NameServer = 172.16.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - K:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - K:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - K:\avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - K:\avast\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NT Online Protection - Unknown owner - C:\PROGRA~1\QUICKH~1\ONLNSVC.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe (file missing)
O23 - Service: Washer Security Access (wwSecSvc) - Unknown owner - C:\WINDOWS\System32\wwSecure.exe (file missing)


SDFix: Version 1.44
-------------------

Thu 11/30/2006 - 3:57:44.31


Microsoft Windows XP [Version 5.1.2600]

Running from C:\SDFix

Stage One - Safe Mode
Service Check...

Service Name:
------------
msidll

FilePath:
--------
"C:\WINDOWS\system\msidll.exe"

msidll Deleted...

Starting Registry Repairs...


Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

C:\WINDOWS\system32\i
C:\WINDOWS\system32\TFTP1964
C:\WINDOWS\system32\TFTP1512
C:\WINDOWS\system32\TFTP3452
C:\WINDOWS\system32\TFTP2840
C:\WINDOWS\system32\TFTP1428
C:\WINDOWS\system32\TFTP3540

Backing Up and Removing any Files Found...

Final Check:

Services:
---------


Authorized Applications Export:

Files:
------

Checking For Hidden Files:

C:\Program Files\Messenger\msmsgs.exe
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\WINDOWS\system32\1404D17E30.dll
C:\WINDOWS\system32\config\system.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\LastGood.Tmp\INF\oem1.inf
C:\WINDOWS\LastGood.Tmp\INF\oem1.PNF


Backups folder: - C:\SDFix\backups\backups.zip

FINISHED!

Please let me know what to do next now and how to protect my computer

Thank you very much for all the help...:angel: ;)
 
Hi again :)

We're probably in different time zones -> some delay

Usage of cracks is illegal and gets you infected :sick:
D:\My Documents\AGE OF MYTHOLOGY\New Folder\Grand_Theft_Auto_GTA_4_Vice_City_Full_Crack.zip/Gta4 anti cd check crack by crackme.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
D:\My Documents\warcraft3reignofchaosv1.0nocdpatchjoj.zip/Warcraft 3.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
D:\desktop back up\GTA_4_Vice_city_CD-Check_by_CrackMe.zip/Gta4 anti cd check crack by crackme.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
D:\desktop back up\GrandTheftAutoViceCityTrainer.zip/PATCH.EXE -> Trojan.Proxcrak.A : Cleaned with backup (quarantined).
D:\backup 2\cracks\Adobe_Creative_Suite_Premiu.zip/NFO/adobe_cs_keygen.exe -> Worm.Delf.bd : Cleaned with backup (quarantined).

Go to virustotal.com
Click on the Browse button
Browse to the following file: C:\WINDOWS\system32\1404D17E30.dll
Click Open and then on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
    • Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

:bigthumb:
 
Yes Jack I will never download a crack again in my life...:lip:

After cleaning yesterday my PC was attacked again twice - first by Isass.exe (not Lsass.exe)

which I deleted and also removed from the registry, and then I scanned my PC with AVG again to find this trojan...

[screenshot attachment: 4ftk6rt.jpg]


The highlighted one... should I delete all these now?

Here is the Virus total result

Complete scanning result of "1404D17E30.dll", received in VirusTotal at 11.30.2006, 17:01:58 (CET).
Antivirus Version Update Result
AntiVir 7.2.0.46 11.30.2006 no virus found
Authentium 4.93.8 11.30.2006 no virus found
Avast 4.7.892.0 11.30.2006 no virus found
AVG 386 11.30.2006 no virus found
BitDefender 7.2 11.30.2006 no virus found
CAT-QuickHeal 8.00 11.30.2006 no virus found
ClamAV devel-20060426 11.30.2006 no virus found
DrWeb 4.33 11.30.2006 no virus found
eSafe 7.0.14.0 11.30.2006 no virus found
eTrust-InoculateIT 23.73.72 11.29.2006 no virus found
eTrust-Vet 30.3.3223 11.30.2006 no virus found
Ewido 4.0 11.30.2006 no virus found
Fortinet 2.82.0.0 11.30.2006 no virus found
F-Prot 3.16f 11.30.2006 no virus found
F-Prot4 4.2.1.29 11.30.2006 no virus found
Ikarus 0.2.65.0 11.30.2006 no virus found
Kaspersky 4.0.2.24 11.30.2006 no virus found
McAfee 4907 11.29.2006 no virus found
Microsoft 1.1804 11.30.2006 no virus found
NOD32v2 1892 11.30.2006 no virus found
Norman 5.80.02 11.30.2006 no virus found
Panda 9.0.0.4 11.29.2006 no virus found
Prevx1 V2 11.30.2006 no virus found
Sophos 4.11.0 11.16.2006 no virus found
TheHacker 6.0.3.126 11.29.2006 no virus found
UNA 1.83 11.29.2006 no virus found
VBA32 3.11.1 11.30.2006 no virus found
VirusBuster 4.3.15:9 11.30.2006 no virus found
Aditional Information
File size: 8 bytes
MD5: 30d5858eefb0b40b95b9a0d12f8e6837
SHA1: 40da095d5294f889f10e645ac4274acf39121d47

Now I am also not able to scan with Kaspersky.com -

[screenshot attachment: 47x2qmb.jpg]


When I click the button nothing happens. It's saying there that I need administrator rights. I need to mention again that for some reason I am not able to log in to my user account; it is inaccessible. Quite possibly someone has hacked it as well..

What should I do next?
 
Hi again :)

OK clean the findings with AVG.

Then we'll run one other scanner....

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, you should now mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found
    [icon image: check.gif]
  • If so, click it and then click the next icon right below and select Move incurable
  • After the scan, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot the computer in Normal Mode,
  • Post the Cure-it report and a fresh HijackThis log

:bigthumb:
 
Hey Jak, here is a big surprise: it treated SDFix's process.exe as a trojan?

I am shocked by it..:eek:

It also caught Window Washer as a trojan. I thought Webroot was a reputable company..:oops:

Well, I always hated Yahoo, and it caught other crack files as well. I haven't touched the Yahoo files on the D drive or those crack files for over a year; I doubt they have infected my PC, but the SDFix one is quite a surprise to me.

Also one more problem - it happened yesterday as well as today. I was working and suddenly it gave me an error "system shutting down",
RPC failure or it was closed or something like that, and my PC did shut down.

This is drweb report


Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
wwsetup1_1807707288.exe;D:\backup 2\spysweeper;Trojan.MulDrop.4262;Deleted.;
vixenpatch.exe;D:\backup 2\Adobe Premier Plugin\XENTRIK VIXEN Video Enhance v1.03.05\crack;Tool.GameCrack;Incurable.Moved.;
ycomp.dll;D:\Yahoo!\Messenger;Probably DLOADER.Trojan;Incurable.Moved.;

Logfile of HijackThis v1.99.1
Scan saved at 1:57:38 AM, on 12/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
K:\avast\aswUpdSv.exe
K:\avast\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
K:\avast\ashDisp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
K:\avast\ashWebSv.exe
K:\avast\ashMaiSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Sunny\Desktop\Hijack this\Scanner.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://housecall60.trendmicro.com/en/start_corp.asp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avast!] K:\avast\ashDisp.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5D455FF-9650-4565-BD2F-BC08C38ED79F}: NameServer = 172.16.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1E12167B-19BE-4667-9A8C-7896B7BD509D}: NameServer = 172.16.0.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - K:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - K:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - K:\avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - K:\avast\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NT Online Protection - Unknown owner - C:\PROGRA~1\QUICKH~1\ONLNSVC.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Quick Heal Helper Service WSC (ScanWscS) - Unknown owner - C:\PROGRA~1\QUICKH~1\scanwscs.exe (file missing)
O23 - Service: Washer Security Access (wwSecSvc) - Unknown owner - C:\WINDOWS\System32\wwSecure.exe (file missing)

What next?
 
Hi again :)

The SDFix's process.exe is not really a trojan. The file has the ability to stop processes (it needs that when it cleans you) and the file gets flagged because of that ability. So don't worry about that.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.
 
Hey Jak, first please do something about the "RPC unexpectedly terminated" error

I know there is a command which, when run, stops the PC from shutting down....

My computer restarted again...:sick:

Here's the ComboFix log file -

Sunny - 06-12-01 16:32:23.51 Service Pack 1
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Sunny\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-01 to 2006-12-01 ))))))))))))))))))))))))))))))))))


2006-12-01 00:39 <DIR> d-------- C:\Documents and Settings\Sunny\DoctorWeb
2006-11-30 08:37 117 --a------ C:\WINDOWS\system32\sxizsoi.bat
2006-11-30 00:23 <DIR> d-------- C:\SDFix
2006-11-29 23:36 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-29 23:36 <DIR> d-------- C:\Program Files\Grisoft
2006-11-24 02:15 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2006-11-24 02:15 87,424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2006-11-24 02:15 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2006-11-24 02:15 666,240 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-11-24 02:15 36,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2006-11-24 02:15 24,560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2006-11-24 02:15 16,352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2006-11-22 14:09 <DIR> d-------- C:\Program Files\Sierra
2006-11-21 22:51 53,299 --a------ C:\WINDOWS\system32\pthreadVC.dll
2006-11-21 22:51 <DIR> d-------- C:\Program Files\YafRay
2006-11-21 22:38 <DIR> d-------- C:\Program Files\Blender Foundation
2006-11-21 10:40 <DIR> d--hs---- C:\FOUND.001
2006-11-20 23:27 90,112 --a------ C:\WINDOWS\unvise32.exe
2006-11-20 23:11 <DIR> d--hs---- C:\FOUND.000
2006-11-20 22:55 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\Strata 3D CX
2006-11-20 22:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Strata 3D CX
2006-11-18 20:16 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\Sonic Foundry
2006-11-18 20:15 <DIR> d-------- C:\Program Files\Sonic Foundry
2006-11-17 20:56 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\Moi
2006-11-16 12:30 <DIR> d-------- C:\AITEMP
2006-11-12 15:26 <DIR> d-------- C:\Program Files\Common Files\DirectX
2006-11-12 14:59 974,848 --a------ C:\WINDOWS\system32\dxdiag.exe
2006-11-12 14:59 79,360 --a------ C:\WINDOWS\system32\dpwsockx.dll
2006-11-12 14:59 48,512 --a------ C:\WINDOWS\system32\drivers\stream.sys
2006-11-12 14:59 470,528 --a------ C:\WINDOWS\system32\qdvd.dll
2006-11-12 14:59 46,592 --a------ C:\WINDOWS\system32\dxdllreg.exe
2006-11-12 14:59 381,952 --a------ C:\WINDOWS\system32\dsound.dll
2006-11-12 14:59 316,928 --a------ C:\WINDOWS\system32\qdv.dll
2006-11-12 14:59 292,864 --a------ C:\WINDOWS\system32\ddraw.dll
2006-11-12 14:59 230,400 --a------ C:\WINDOWS\system32\dplayx.dll
2006-11-12 14:59 181,248 --a------ C:\WINDOWS\system32\dmime.dll
2006-11-12 14:59 122,880 --a------ C:\WINDOWS\system32\dmusic.dll
2006-11-12 14:59 1,201,152 --a------ C:\WINDOWS\system32\d3d8.dll
2006-11-12 12:29 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\Image Zone Express
2006-11-11 06:20 69,632 -ra------ C:\WINDOWS\system32\xmltok.dll
2006-11-11 06:20 36,864 -ra------ C:\WINDOWS\system32\xmlparse.dll
2006-11-11 06:20 26,096 -ra------ C:\WINDOWS\system32\xmlinst.exe
2006-11-11 06:20 24,576 -ra------ C:\WINDOWS\system32\msxml3a.dll
2006-11-11 06:01 <DIR> d-------- C:\Program Files\Common Files\EasyInfo
2006-11-11 05:46 <DIR> d-------- C:\Program Files\GameSpy Arcade
2006-11-10 22:08 21,840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2006-11-10 22:08 17,212 --a------ C:\WINDOWS\system32\SIntf32.dll
2006-11-10 22:08 12,067 --a------ C:\WINDOWS\system32\SIntf16.dll
2006-11-10 13:00 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\CyberLink
2006-11-08 23:38 0 --a------ C:\WINDOWS\system32\x.exe
2006-11-08 04:55 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\Microsoft Games
2006-11-08 04:41 <DIR> d-------- C:\game
2006-11-08 04:36 <DIR> d-------- C:\Program Files\VUGames
2006-11-07 12:16 <DIR> dr-h----- C:\Documents and Settings\Sunny\Recent
2006-11-07 11:59 90,112 --a------ C:\WINDOWS\SOUNDMAN.EXE
2006-11-07 11:59 9,697,280 --a------ C:\WINDOWS\RTLCPL.EXE
2006-11-07 11:59 69,632 --a------ C:\WINDOWS\ALCMTR.EXE
2006-11-07 11:59 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-11-07 11:59 2,951,680 --a------ C:\WINDOWS\system32\drivers\RtkHDAud.sys
2006-11-07 11:59 2,805,248 --a------ C:\WINDOWS\ALCWZRD.EXE
2006-11-07 11:59 156,672 --a------ C:\WINDOWS\system32\RTLCPAPI.dll
2006-11-07 11:59 14,396,416 --a------ C:\WINDOWS\RTHDCPL.EXE
2006-11-07 11:59 136,960 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2006-11-07 11:58 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
2006-11-07 11:55 36,864 --a------ C:\WINDOWS\system32\igfxexps.dll
2006-11-07 11:55 110,592 --a------ C:\WINDOWS\system32\igfxext.exe
2006-11-07 11:23 8 -r-hs---- C:\WINDOWS\system32\1404D17E30.dll
2006-11-07 11:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2006-11-07 07:10 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\SiteAdvisor
2006-11-07 06:41 <DIR> d-------- C:\Documents and Settings\Sunny\Application Data\McAfee
2006-11-07 06:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2006-11-06 05:38 <DIR> d-------- C:\Program Files\Dark Basic Software
2006-11-06 05:10 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-11-06 04:44 <DIR> d-------- C:\Documents and Settings\Sunny\.housecall6.6
2006-11-02 12:40 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-11-02 12:37 32,768 -ra------ C:\WINDOWS\system32\XSIChooser.exe
2006-11-02 12:35 <DIR> d-------- C:\XSI
2006-11-02 02:15 <DIR> d-------- C:\XSI 5.1
2006-11-01 17:19 154 --a------ C:\WINDOWS\Vue 5 Infinite.reg
2006-11-01 17:16 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2006-11-01 17:16 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2006-11-01 17:16 286 --a------ C:\WINDOWS\Vue 5 Infinite Trial.reg
2006-11-01 17:14 <DIR> d-------- C:\Program Files\e-on software


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-29 23:28 -------- d-------- C:\Documents and Settings\Sunny\Application Data\Atari
2006-10-24 16:34 -------- d-------- C:\Program Files\Common Files\Webroot Shared
2006-10-24 12:02 -------- d-------- C:\Program Files\ASUSTeK
2006-10-24 10:56 -------- d-------- C:\Program Files\Hewlett-Packard
2006-10-24 10:53 -------- d-------- C:\Program Files\HP
2006-10-20 15:03 11648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2006-10-19 10:49 9840 --a------ C:\WINDOWS\system32\pfplgprx.dll
2006-10-19 10:49 16272 --a------ C:\WINDOWS\system32\pfplgflt.dll
2006-10-19 10:48 5360 --a------ C:\WINDOWS\system32\pfplgnfo.dll
2006-10-18 16:53 -------- d-------- C:\Program Files\Kundli
2006-10-11 09:02 -------- d-------- C:\Program Files\Microsoft Games
2006-10-10 21:27 -------- d-------- C:\Program Files\Shepherd's Worlds, Inc
2006-10-05 15:15 -------- d-------- C:\Program Files\Huawei
2006-10-05 12:07 0 --a------ C:\AUTOEXEC.BAT


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"PRONoMgrWired"="C:\\Program Files\\Intel\\PROSetWired\\NCS\\PROSet\\PRONoMgr.exe"
"RemoteControl"="\"C:\\Program Files\\ASUSTeK\\ASUSDVD\\PDVDServ.exe\""
"avast!"="K:\\avast\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,c0
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,c0
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="http://www.rentacoder.com/RentACoder/misc/LinkToUs/ScrollingBidRequests.asp?blnHideChannelSubscribe=true&blnLaunchLinkInNewWindow=true&blnFullTitle=true"
"SubscribedURL"="http://www.rentacoder.com/RentACoder/misc/LinkToUs/Channel/NewBidRequests.cdf"
"FriendlyName"="New Bid Requests"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a2,01,00,00,23,00,00,00,a4,00,00,00,9a,00,00,00,ea,\
03,00,00,00,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a2,01,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,44,03,00,00,59,00,00,00,c9,00,00,00,08,02,\
00,00,01,00,00,40

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^24Online Client.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\24Online Client.lnk"
"backup"="C:\\WINDOWS\\pss\\24Online Client.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\ELITEC~1\\CYBERO~1\\CYBERO~1.EXE "
"item"="24Online Client"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Acrobat Speed Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Acrobat Speed Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{AC76BA86-1033-0000-7760-000000000002}\\SC_Acrobat.exe "
"item"="Adobe Acrobat Speed Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~3\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Acrotray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCMTR"
"hkey"="HKLM"
"command"="ALCMTR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCWZRD"
"hkey"="HKLM"
"command"="ALCWZRD.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dslagent"
"hkey"="HKLM"
"command"="C:\\Program Files\\Huawei\\MT841\\dslagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="googletalk"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HDAShCut"
"hkey"="HKLM"
"command"="HDAShCut.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="???
??? ???
?
? ?????"
"hkey"="HKCU"
"command"="???
??? ???
?
? ?????"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft System Checkup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="libsys32"
"hkey"="HKLM"
"command"="libsys32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvcc25]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="svcchost"
"hkey"="HKLM"
"command"="svcchost.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NT Logging Service]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="syslog32"
"hkey"="HKLM"
"command"="syslog32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RTHDCPL"
"hkey"="HKLM"
"command"="RTHDCPL.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="???
??? ???
?
? ?????"
"hkey"="HKCU"
"command"="???
??? ???
?
? ?????"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySweeper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe\" /startintray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wwDisp"
"hkey"="HKCU"
"command"="C:\\Program Files\\Webroot\\Washer\\wwDisp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows ASN3 Services]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wdza"
"hkey"="HKLM"
"command"="wdza.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\{234EBBDA-41AF-4724-AD61-3D2FB71AE794}_RAJKUMAR_Sunny.job
C:\WINDOWS\tasks\{7FEB295D-241F-4140-BCD6-EE30D1ED5E24}_RAJKUMAR_Sunny.job
C:\WINDOWS\tasks\{57F0898F-7DC5-42B2-9E26-119400CE7CA6}_RAJKUMAR_Sunny.job

Completion time: 06-12-01 16:32:45.87
C:\ComboFix.txt ... 06-12-01 16:32


Rootkit scan (GMER):

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2006-12-01 16:39:49
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.12 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

INT 0x06 \??\C:\WINDOWS\System32\drivers\Haspnt.sys AA6D116D
INT 0x0E \??\C:\WINDOWS\System32\drivers\Haspnt.sys AA6D0FC2

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804E423C 1 Byte [ 06 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 2F4 8050C770 4 Bytes [ AC, 58, A9, F7 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 510 8050C98C 4 Bytes [ 12, 58, A9, F7 ]
.text ntdll.dll!NtClose 77F758AA 5 Bytes JMP 72033FAA
.text ntdll.dll!NtCreateProcess 77F759F4 5 Bytes JMP 72034135
.text ntdll.dll!NtCreateProcessEx 77F75A03 5 Bytes JMP 72034019
.text ntdll.dll!NtCreateSection 77F75A21 5 Bytes JMP 72033FC8

---- EOF - GMER 1.0.12 ----
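The ComboFix `startupreg` dump above is where the odd entries sit: `svcchost.exe`, `libsys32.exe`, `syslog32.exe` and `wdza.exe` are bare file names registered under official-sounding names ("Microsoft System Checkup", "NT Logging Service", "Windows ASN3 Services") with no path at all, while the known-good entries (iTunes, QuickTime, Java) carry a full path. The following script is an added example, not code from the thread or from ComboFix, that parses that .reg-style dump and scores each Run entry with three heuristics: command is a bare name resolved through the PATH search order; the name is one edit away from a core Windows binary (svcchost vs svchost); the entry name poses as an OS component. The list of core binaries, the scores and the threshold are my assumptions. The embedded sample is four entries copied from the log in ComboFix's format.

```python
"""Triage the 'startupreg' section of a ComboFix log for suspicious autostart entries.

Added example (not part of the original thread or of ComboFix). Scores and the
CORE_BINARIES list are assumptions for illustration, not anything the log states.
"""
import re
from dataclasses import dataclass

# Constructed sample: four entries copied from the log above in ComboFix's own format.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft System Checkup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="libsys32"
"hkey"="HKLM"
"command"="libsys32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msvcc25]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="svcchost"
"hkey"="HKLM"
"command"="svcchost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RTHDCPL"
"hkey"="HKLM"
"command"="RTHDCPL.EXE"
'''

SECTION_RE = re.compile(r'^\[.*\\msconfig\\startupreg\\(.+)\]$', re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
OS_WORDS_RE = re.compile(r'\b(microsoft|windows|nt)\b')

# Core Windows binaries that droppers like to imitate (assumed list; extend as needed).
CORE_BINARIES = {"svchost", "csrss", "lsass", "winlogon", "services", "spoolsv",
                 "explorer", "smss", "iexplore", "rundll32"}


@dataclass
class Entry:
    name: str            # text after startupreg\ in the section header
    item: str = ""
    hkey: str = ""
    command: str = ""


def unescape(value: str) -> str:
    """Undo .reg escaping (a doubled backslash and a backslash-escaped quote)."""
    return re.sub(r'\\(.)', r'\1', value)


def parse_startupreg(text: str) -> list[Entry]:
    """Collect one Entry per [..\startupreg\<name>] section, in file order."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = Entry(name=m.group(1))
            entries.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None and m.group(1) in ("item", "hkey", "command"):
            setattr(current, m.group(1), unescape(m.group(2)))
    return entries


def executable_of(command: str) -> str:
    """Return the program part of a command line, quotes and arguments stripped."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0] if command else ""


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; 1 means a single inserted, dropped or swapped char."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(entry: Entry) -> tuple[int, list[str]]:
    """Score one entry; higher means more worth a closer look. Scores are assumed weights."""
    exe = executable_of(entry.command)
    base = exe.rsplit("\\", 1)[-1].lower()
    stem = base[:-4] if base.endswith(".exe") else base
    score, reasons = 0, []
    if "\\" not in exe:                       # no fixed location: found via PATH search
        score += 1
        reasons.append("bare file name, located via PATH search")
    for core in sorted(CORE_BINARIES):
        if edit_distance(stem, core) == 1:    # svcchost vs svchost, crss vs csrss
            score += 3
            reasons.append(f"lookalike of {core}.exe")
    if OS_WORDS_RE.search(entry.name.lower()):
        score += 2
        reasons.append("entry name poses as an OS component")
    return score, reasons


def suspicious_entries(text: str, threshold: int = 2) -> list[tuple[str, int, list[str]]]:
    """Entries scoring at or above threshold, most suspicious first."""
    found = []
    for e in parse_startupreg(text):
        score, reasons = triage(e)
        if score >= threshold:
            found.append((e.name, score, reasons))
    return sorted(found, key=lambda t: -t[1])


if __name__ == "__main__":
    for name, score, reasons in suspicious_entries(SAMPLE_DUMP):
        print(f"{score}  {name}: {'; '.join(reasons)}")
```

The score is a triage aid, not a verdict. `RTHDCPL.EXE` and `SOUNDMAN.EXE` in the log are also bare names but belong to the Realtek audio driver, so they score only 1 and drop below the threshold; a bare name is only confirmed bad once you find the file (typically in `System32`) and it has no publisher signature or matches a known-bad hash. The later hits the poster reports (`spoolsvc.exe`, `crss.exe`) are exactly the lookalike pattern the third heuristic targets.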
 
Meanwhile, I have been attacked again, this time by IRDvxc.exe.

I removed it with AVG, but I also found the .exe again in windows/system32, which AVG overlooked.

Do you think someone is purposely hacking my PC?
 
Hey Jak, where are you, man?

I have been attacked three more times:

First by iexplore.exe
2nd by spoolsvc.exe
3rd by crss.exe

AVG also caught these cookies, though I have deleted them now.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:54:16 AM 12/2/2006

+ Scan result:

:mozilla.35:C:\Documents and Settings\Sunny\Application Data\Mozilla\Firefox\Profiles\dfch4x3o.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.36:C:\Documents and Settings\Sunny\Application Data\Mozilla\Firefox\Profiles\dfch4x3o.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.37:C:\Documents and Settings\Sunny\Application Data\Mozilla\Firefox\Profiles\dfch4x3o.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.38:C:\Documents and Settings\Sunny\Application Data\Mozilla\Firefox\Profiles\dfch4x3o.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.42:C:\Documents and Settings\Sunny\Application Data\Mozilla\Firefox\Profiles\dfch4x3o.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.39:C:\Documents and Settings\Sunny\Application Data\Mozilla\Firefox\Profiles\dfch4x3o.default\cookies.txt -> TrackingCookie.Hitslink : No action taken.


::Report end


Please help me out, man. Now, seriously, someone is trying to hack my PC for sure. Is there any tool to locate him?
 
Hi there and sorry for the long delay.

I have to do some more research, but I promise to get back to you as soon as possible. Please try to keep the computer offline if possible.

:bigthumb:
 
Hi again :)

May I ask where you live (in India, maybe)?

Let's try this:

Make a new folder on the C:\ drive called silentrunners.
Download "Silent Runners" from here (direct download):
http://www.silentrunners.org/Silent Runners.vbs
Save it to your silentrunners folder.

Click Start > Run, type cmd and hit Enter.
Type the following exactly and hit Enter after each line:
cd c:\silentrunners
"silent runners.vbs" -all

Wait until it pops up saying it's completed, then post the resulting logfile here.
It will be very large. You may need several posts to include everything.
 