I am here again

hey guys;

Unfortunately I am back once again :sad:. I have no idea why this is here again (CONINE.INI) :scratch:. This is really disturbing to me. The only use this computer gets is a game called Conquer Online, e-mail checking and our son playing at Nick games and other children's sites. No real surfing, no porn, and we have not downloaded any music in some time. I don't know if this is a leftover from the last time I posted or a new infection, but I would like to get to the bottom of it.

thanking you in advance
mightyuselessone



Virus scan finished. 1 virus found.
Scan Results: 24670 files scanned. 1 virus was detected.

File Infection Status Path
CONINE.INI Win32/HacDef!INI infected C:\WINNT\system32\dllcache\



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:07, on 2007-08-20
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\ZoneAlarm\zlclient.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159897217328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159897265265
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.0/installer.exe
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 5411 bytes


Previous topic: http://forums.spybot.info/showthread.php?p=110582
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

It seems you post more than I do and Mr_JAk3 sent you home with a clean computer on 8/10/2007? He also posted information to help you avoid infections, did you review and use that information?

You may have a rootkit infection? Let's proceed like this:

1) TeaTimer <<< turn off TeaTimer until you finish:
http://russelltexas.com/malware/teatimer.htm

2) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

3) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks
 
ComboFix 07-08-25.2 - "Administrator" 2007-08-24 23:55:03.4 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.669 [GMT -6:00]


((((((((((((((((((((((((( Files Created from 2007-07-25 to 2007-08-25 )))))))))))))))))))))))))))))))


2007-08-24 23:55 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_31c.dat
2007-08-23 12:58 <DIR> d-------- C:\Program Files\Messenger
2007-08-23 12:15 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InstallShield
2007-08-23 11:47 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\DMCache
2007-08-22 09:07 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-08-20 20:26 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-20 15:36 64,512 --a------ C:\WINNT\system32\PTPITCP.dll
2007-08-20 15:36 307,200 --a------ C:\WINNT\system32\KPDPM.dll
2007-08-20 15:36 229,376 --a------ C:\WINNT\system32\KPDPMUI.dll
2007-08-20 15:36 <DIR> d-------- C:\WINNT\Downloaded Installations
2007-08-20 15:35 <DIR> d-------- C:\WINNT\system32\BWKDLogs
2007-08-20 15:34 <DIR> d-------- C:\Program Files\Common Files\Kodak
2007-08-20 15:33 <DIR> d-------- C:\WINNT\system32\color
2007-08-20 15:33 <DIR> d-------- C:\KPCMS
2007-08-20 15:32 <DIR> d-------- C:\Program Files\Kodak
2007-08-20 15:32 <DIR> d-------- C:\Program Files\Common Files\MSSoap
2007-08-20 15:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak
2007-08-08 18:26 1,156 --a------ C:\WINNT\mozver.dat
2007-08-08 15:16 0 --a------ C:\WINNT\nsreg.dat
2007-08-06 14:56 75,932 --a------ C:\WINNT\system32\drivers\klick.dat
2007-08-06 14:56 75,248 --a------ C:\WINNT\zllsputility.exe
2007-08-06 14:56 74,396 --a------ C:\WINNT\system32\drivers\klin.dat
2007-08-06 14:56 24,608 --ahs---- C:\WINNT\system32\drivers\fidbox.dat
2007-08-06 14:56 110,360 --a------ C:\WINNT\system32\drivers\kl1.sys
2007-08-06 14:56 1,824 --ahs---- C:\WINNT\system32\drivers\fidbox2.dat
2007-08-06 14:56 1,086,952 --a------ C:\WINNT\system32\zpeng24.dll
2007-08-06 14:56 <DIR> d-------- C:\WINNT\system32\ZoneLabs
2007-08-03 20:46 11,264 --a------ C:\WINNT\system32\SpOrder.dll
2007-08-03 20:46 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-08-02 13:52 <DIR> d-------- C:\WINNT\ERUNT
2007-08-01 23:27 <DIR> d--hs---- C:\WINNT\system32\inf
2007-07-30 20:21 279,552 --a------ C:\WINNT\swreg.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

07-08-24 20:06 --------- d-------- C:\Program Files\SpywareBlaster
07-08-24 20:01 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
07-08-23 12:58 --------- d-------- C:\Program Files\MSN Messenger
07-08-20 15:37 --------- d--h----- C:\Program Files\InstallShield Installation Information
07-08-20 15:36 --------- d-------- C:\Program Files\Common Files\InstallShield
07-08-07 00:12 --------- d-------- C:\Program Files\Soulseek
07-08-06 15:00 2408 --ahs---- C:\WINNT\system32\drivers\fidbox.idx
07-08-06 15:00 2288 --ahs---- C:\WINNT\system32\drivers\fidbox2.idx
07-08-06 14:46 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
07-08-01 23:38 27 --a------ C:\Program Files\paramstr.txt
07-07-30 21:24 --------- d-------- C:\Program Files\CCleaner
07-07-23 12:30 124416 --a------ C:\WINNT\swsc.exe
07-07-19 15:26 --------- d-------- C:\Program Files\Online Services
07-07-03 16:48 92944 --------- C:\WINNT\system32\services.exe
07-06-26 15:27 235280 --a------ C:\WINNT\system32\GDI32.DLL
07-06-17 00:11 51200 --a------ C:\WINNT\nircmd.exe
07-06-13 19:45 2368 --a------ C:\WINNT\system32\SVKP.sys
07-06-07 12:20 1119232 --a------ C:\WINNT\system32\msxml3.dll
06-10-02 20:01 271 ---h----- C:\Program Files\desktop.ini
06-10-02 20:01 21952 ---h----- C:\Program Files\folder.htt
03-07-04 06:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-07-04 06:00 C:\WINNT\system32\mobsync.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [07-08-16 22:27 ]
"ZoneAlarm Client"="D:\Program Files\ZoneAlarm\zlclient.exe" [07-06-21 21:54 ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07-07-12 04:00 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [05-05-31 00:04 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys
R1 DcCam;Kodak Camera Proxy;C:\WINNT\system32\DRIVERS\DcCam.sys
R2 DCFS2K;Kodak DCFS2K Driver;C:\WINNT\system32\drivers\dcfs2k.sys
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys
S1 Exportit;Exportit;C:\WINNT\system32\DRIVERS\exportit.sys
S3 DcFpoint;DcFpoint;C:\WINNT\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINNT\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINNT\system32\DRIVERS\DcPTP.sys
S3 moufiltr;Mouse Filter Driver;C:\WINNT\system32\DRIVERS\moufiltr.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-25 00:00:36
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-08-25 0:03:07

--- E O F ---

3D Groove Playback Engine
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Shockwave Player
ATI Display Driver
AVG Free Edition
Bonjour
CCleaner (remove only)
CCScore
Conquer 2.0
Digital Camera Driver
Diskeeper Lite
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
Foxit Reader
HijackThis 2.0.2
HLPPDOCK
Hotfix for MDAC 2.53 (KB911562)
Hotfix for MDAC 2.53 (KB927779)
Java(TM) 6 Update 2
kgcbase
Kodak EasyShare software
KSU
Mozilla Firefox (2.0.0.6)
MSN Messenger 7.0
Notifier
OfotoXMI
OTtBP
OTtBPSDK
Realtek AC'97 Audio
SFR
SHASTA
SKIN0001
SKINXSDK
SoulSeek Client 156c
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
staticcr
Update Rollup 1 for Windows 2000 SP4
VIA Rhine-Family Fast Ethernet Adapter
Virtools 3D Life Player
VPRINTOL
Windows Media Player Hotfix [See Q828026 for more information]
Windows Media Player system update (9 Series)
WinZip 11.1
WIRELESS
World of Warcraft
ZoneAlarm
 
No problems there that I can see, run a Kaspersky scan to see what it finds:


Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks
 
Well hello, and yeah, it seems that I am posting a lot. :laugh: But I can't help it. Unfortunately I have read and instrumented all the things that Mr. Jak3 asked of me. I am running Firefox now, installed a firewall, the system is not used for surfing porn or downloading music (well, the music hasn't been for 3+ months), I also downloaded and ran the host file list that he gave me the link to, use SpywareBlaster, Spybot TeaTimer and run AVG (all updated daily). The only one that I don't do is ATF Cleaner; I use CCleaner. So I am at a loss; maybe there is something that I am overlooking :banghead:

Hope to hear from you soon.
(I am off work for some time with an injury, so I am able to look at this at just about any time; expect quick responses :D)
mightyuselessone

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:53, on 2007-08-25
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159897217328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159897265265
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.0/installer.exe
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4730 bytes
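The 08-20 and 08-25 logs above can be compared mechanically rather than by eye. The following Python is an added example (not from the thread or from Trend Micro's HijackThis) that parses two logs into process and entry sets and reports what the newer log gained or lost; its embedded samples are short constructed excerpts of the two logs posted above.

```python
"""Diff two HijackThis logs: which autostart/browser entries and processes changed.

Added example; not code from the thread or from Trend Micro's HijackThis.
The two samples are constructed excerpts of the 2007-08-20 and 2007-08-25
logs posted above, trimmed to a few lines each.
"""
import re

# A HijackThis entry line: section tag (R0, O4, O23, ...), " - ", then the detail.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.+)$")


def parse_hjt(text):
    """Return (processes, entries): a set of lower-cased process paths and a
    dict mapping section tag -> set of entry details."""
    processes, entries = set(), {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.add(line.lower())  # Windows paths compare case-insensitively
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group(1), set()).add(m.group(2))
    return processes, entries


def _section_key(tag):
    return (tag[0], int(tag[1:]))


def _section_diff(old, new):
    """Entries in `old` but not in `new`, keyed by section; empty sections dropped."""
    out = {}
    for tag in sorted(set(old) | set(new), key=_section_key):
        gone = sorted(old.get(tag, set()) - new.get(tag, set()))
        if gone:
            out[tag] = gone
    return out


def diff_hjt(old_text, new_text):
    """Compare two logs: 'added' is what the newer log gained, 'removed' what it lost.

    Caveat: the same executable listed once by its 8.3 short path (PROGRA~1)
    and once by its long path shows up as removed + added; resolving that
    needs the live filesystem, so it is left visible here."""
    old_procs, old_entries = parse_hjt(old_text)
    new_procs, new_entries = parse_hjt(new_text)
    return {
        "added_entries": _section_diff(new_entries, old_entries),
        "removed_entries": _section_diff(old_entries, new_entries),
        "added_processes": sorted(new_procs - old_procs),
        "removed_processes": sorted(old_procs - new_procs),
    }


# Constructed sample: a few lines excerpted from the 2007-08-20 log above.
LOG_AUG20 = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\ZoneAlarm\zlclient.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Constructed sample: the matching lines from the 2007-08-25 log above.
LOG_AUG25 = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\ZoneAlarm\zlclient.exe"
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for key, value in diff_hjt(LOG_AUG20, LOG_AUG25).items():
        print(key, value)
```

On these excerpts the report shows no new entries, and the O6 policy line and the O9 "Related" button present on 08-20 absent on 08-25.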
 
Thanks...nothing has changed, read my last post and run the Kaspersky scan, then post the results.

Thanks
 
Here you go, the log from Kaspersky. Is there a reason all these items are locked?

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-08-25 12:38
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 25/08/2007
Kaspersky Anti-Virus database records: 365662
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 26059
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:57:04

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007082520070826\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\THEBIGBA-E2C4A7.ldb Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINNT\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\drivers\fidbox.dat Object is locked skipped
C:\WINNT\system32\drivers\fidbox.idx Object is locked skipped
C:\WINNT\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINNT\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINNT\system32\Perflib_Perfdata_31c.dat Object is locked skipped
C:\WINNT\temp\ZLT03545.TMP Object is locked skipped
C:\WINNT\temp\ZLT0356f.TMP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
D:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
D:\System Volume Information\catalog.wci\00010005.ci Object is locked skipped
D:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
D:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
D:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
D:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
D:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
D:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped

Scan process completed.
 
The only ones we are concerned with as far as malware goes are not locked and your computer is scanning clean.

Before we run System File Checker, let's check that file you reported to see if it is infected.

These are the scanners you can use; use one or more until you get results to post.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

You will probably need to show all files and folders to see the file: Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Here is the file you want to scan:

C:\WINNT\system32\dllcache\CONINE.INI

I do not have that file on my computer with Windows XP but it may belong to a program you run and I do not.

This is important...I can only depend on the information you provide me and this is what you posted:

File Infection Status Path
CONINE.INI Win32/HacDef!INI infected C:\WINNT\system32\dllcache\

If you did not spell that file correctly you may not find it; if you did and it is there, scan it to find out if it is infected or not, and post that information for me.

Thanks
 
Here are the results from all 3 of the scan links you sent me; I hope this helps to determine whether or not I am infected. All I know is that my system has been right bogged down and hardly moves at times. As you can see I am not running a top of the line machine, but it is not a piece of crap either. I cannot access Add/Remove Programs, nor will it access Internet update (automatic or not); I need to go and find updates and manually download them.

Virus Total
File CONINE.INI received on 08.25.2007 20:42:47 (CET)
Result: 5/32 (15.63%)
Antivirus Version Last Update Result
AhnLab-V3 2007.8.25.0 2007.08.24 -
AntiVir 7.4.1.63 2007.08.25 -
Authentium 4.93.8 2007.08.25 -
Avast 4.7.1029.0 2007.08.25 -
AVG 7.5.0.484 2007.08.25 -
BitDefender 7.2 2007.08.25 Generic.Hacdef.INI.69CA5102
CAT-QuickHeal 9.00 2007.08.25 -
ClamAV 0.91 2007.08.25 -
DrWeb 4.33 2007.08.25 -
eSafe 7.0.15.0 2007.08.23 -
eTrust-Vet 31.1.5085 2007.08.24 Win32/HacDef!INI
Ewido 4.0 2007.08.25 -
FileAdvisor 1 2007.08.25 -
Fortinet 2.91.0.0 2007.08.25 -
F-Prot 4.3.2.48 2007.08.25 -
F-Secure 6.70.13030.0 2007.08.24 -
Ikarus T3.1.1.12 2007.08.25 -
Kaspersky 4.0.2.24 2007.08.25 -
McAfee 5105 2007.08.24 HackerDefender.ini
Microsoft 1.2803 2007.08.25 -
NOD32v2 2484 2007.08.25 -
Norman 5.80.02 2007.08.24 -
Panda 9.0.0.4 2007.08.25 Bck/Hacdef.gen
Prevx1 V2 2007.08.25 -
Rising 19.37.42.00 2007.08.24 -
Sophos 4.21.0 2007.08.25 -
Sunbelt 2.2.907.0 2007.08.25 -
Symantec 10 2007.08.25 -
TheHacker 6.1.8.172 2007.08.25 Trojan/HackerDefender.INI
VBA32 3.12.2.3 2007.08.24 -
VirusBuster 4.3.26:9 2007.08.25 -
Webwasher-Gateway 6.0.1 2007.08.25 -


You're clean!

Kaspersky Anti-Virus has not detected any viruses at this time in the file you submitted.




Scanned file: CONINE.INI

Statistics:
Known viruses: 389807 Updated: 25-08-2007
File size (Kb): 2 Virus bodies: 0
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File: CONINE.INI
Status:
INFECTED/MALWARE
MD5: 6ca84e3cd8b1b825d2f08d12752e33f0
Packers detected:
-
Bit9 reports: File not found
Scanner results
Scan taken on 25 Aug 2007 18:37:16 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Generic.Hacdef.INI.69CA5102
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found Bck/Hacdef.gen
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
 
Here are the results from all 3 of the scan links you sent me. I hope this helps to determine whether or not I am infected. All I know is that my system has been right bogged down and hardly moves at times. As you can see I am not running a top-of-the-line machine, but it is not a piece of crap either. I cannot access Add/Remove Programs, nor will it access Internet Update (automatic or not); I need to go and find updates and manually download them.
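Added example, not from the thread or from any of the scanners used in it: a Python script that parses the two result layouts pasted above (the one-line-per-engine table with a "-" for no detection, and the "engine / Found ..." pairs) and groups the verdicts by malware family. The point it shows is that a low raw hit count can still be a consistent finding: every engine that fired named the same family. The sample lines are copied from the results above; the family alias table is a constructed mapping covering only the names seen in this thread.

```python
"""Aggregate per-engine verdicts from pasted online-scanner output.

Constructed example. Two layouts are handled:
  1. "<engine> <version> <yyyy.mm.dd> <verdict or ->"   (one line per engine)
  2. "<engine>" followed by "Found <verdict>" or "Found nothing"
"""
import re
from collections import Counter

# Layout 1: engine, version, date, verdict (a lone "-" means no detection).
TABLE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(\S+)\s*$")

# Vendors name the same family differently; constructed alias table that
# covers only the names that appear in this thread.
FAMILY_ALIASES = {"hacdef": "HackerDefender", "hackerdefender": "HackerDefender"}

# Sample input copied from the results posted above (subset).
SAMPLE_TABLE = """\
AntiVir 7.4.1.63 2007.08.25 -
BitDefender 7.2 2007.08.25 Generic.Hacdef.INI.69CA5102
eTrust-Vet 31.1.5085 2007.08.24 Win32/HacDef!INI
Kaspersky 4.0.2.24 2007.08.25 -
McAfee 5105 2007.08.24 HackerDefender.ini
Panda 9.0.0.4 2007.08.25 Bck/Hacdef.gen
Symantec 10 2007.08.25 -
TheHacker 6.1.8.172 2007.08.25 Trojan/HackerDefender.INI
"""

SAMPLE_JOTTI = """\
AVG Antivirus
Found nothing
BitDefender
Found Generic.Hacdef.INI.69CA5102
Kaspersky Anti-Virus
Found nothing
Panda Antivirus
Found Bck/Hacdef.gen
"""


def parse_table(text):
    """Return {engine: verdict or None} from the one-line-per-engine layout."""
    results = {}
    for line in text.splitlines():
        m = TABLE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines and chatter are skipped
        engine, _version, _date, verdict = m.groups()
        results[engine] = None if verdict == "-" else verdict
    return results


def parse_jotti(text):
    """Return {engine: verdict or None} from the 'engine / Found ...' layout."""
    results = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Found ") and pending is not None:
            verdict = line[len("Found "):]
            results[pending] = None if verdict.lower() == "nothing" else verdict
            pending = None
        else:
            pending = line  # an engine name; the next line carries its verdict
    return results


def family_of(verdict):
    """Map a vendor-specific verdict to a normalized family name."""
    low = verdict.lower()
    for alias, family in FAMILY_ALIASES.items():
        if alias in low:
            return family
    return verdict  # unknown family: keep the vendor's name unchanged


def summarize(results):
    """Count detections and report how strongly the engines agree on a family."""
    families = Counter(family_of(v) for v in results.values() if v)
    detected = sum(families.values())
    top, top_n = families.most_common(1)[0] if families else (None, 0)
    return {
        "engines": len(results),
        "detections": detected,
        "families": dict(families),
        "consensus": top,
        "consensus_share": (top_n / detected) if detected else 0.0,
    }


if __name__ == "__main__":
    for label, parsed in (("table", parse_table(SAMPLE_TABLE)),
                          ("jotti", parse_jotti(SAMPLE_JOTTI))):
        print(label, summarize(parsed))
```

A consensus share of 1.0 with several engines means the detections are naming one family, not unrelated heuristics; that is the difference between "one scanner flagged something" and "every scanner that knows this family flagged it".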
Let me first say I went back and read what you posted so far, and you never once mentioned any of this information I have posted above as your quote???

This tool is supposed to remove this rootkit infection, let's see what happens. Please follow the instructions carefully:

Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

After you post that information, I would like you to go here: http://www.pcpitstop.com/
Run the free diagnostic (you will need to register free for them to save your information) then post the link from results of the report in this topic.

Thanks
 
Sorry for not mentioning all the problems right off; I get a little sidetracked sometimes. I will try to keep my mind a little more focused on the issues with the system. I have also noticed that it seems to take forever for the system to bring up AVG, TeaTimer and ZoneAlarm when the system starts up.

SDFix: Version 1.100

Run by Administrator on Sat 2007-08-25 at 14:39

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\DOCUME~1\ADMINI~1\Desktop\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Remaining Files:
---------------


Files with Hidden Attributes:

C:\Program Files\Common Files\Microsoft Shared\MSInfo\_winsys.exe
C:\Program Files\Outlook Express\MSIMN.EXE

Finished

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:32, on 2007-08-25
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159897217328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159897265265
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.0/installer.exe
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712....akamai.com/6712/player/install/installer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 4873 bytes
 
Thanks, by now you should have reviewed the information you received from the diagnostic report.
You have a problem with your hard disk; it is performing very poorly, and that can cause the problems you are having. Click on the word DISK near the yellow flag to see these details. I personally do not suggest purchasing products; I believe that if the disk cannot be defragged to where the performance is acceptable, it should be replaced.

Unusually low performance (Drive C) <<< click this link and see this:
TIP > Unusually low disk performance
Drive C has an uncached speed of 2 megabytes per second. For comparison, systems with the same CPU and clock speed as this one have a speed of 41.26 MB/s.
You should read all of the information but basically you can see how poorly your hard drive is performing.

You have adequate RAM, that is not an issue, from what I can see, the problem is the hard drive. Follow the directions under Solutions (I am not suggesting you purchase any programs) Under Performance-Related Windows Settings
I suggest you turn off "Sleep/Resume policy in use" <<< this feature, to see if there is an improvement.

Here is some good information to help you with maintenance:
http://www.microsoft.com/technet/prodtechnol/windows2000pro/proddocs/probook/prof09.mspx

________________________________________________

You are showing Junk files 6 MB (0%) stored on the computer; let's download a tool to clean it well, and remove some junk from the HJT log:

Here are links to ideas that may help improve your computer's overall performance; keep in mind they may not all work on your operating system:
http://www.castlecops.com/postitle175256-0-0-.html
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/atwork/getstarted/speed.mspx?wt_svl=20292a&mg_id=20292b

Here is a link to the Windows Updates troubleshooter: http://v4.windowsupdate.microsoft.com/troubleshoot/
If you can not resolve that issue using the troubleshooter, then you need to contact Microsoft Support for help:
http://support.microsoft.com/

________________________________________________

1) Start by running System File Checker, I believe it is installed on your system: Click Start > Run, type in sfc /scannow, hit Enter.
Note: there is a space between sfc and /scannow. This should replace any corrupted/missing system files. You may need your XP disc in your CD drive for this.
tutorials:
http://dwightblackburn.com/winxp/
http://www.updatexp.com/scannow-sfc.html

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Use these instructions to turn off TeaTimer, it will block changes HJT needs to make:
http://russelltexas.com/malware/teatimer.htm

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(NOT malware, just leftover junk)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post a new HJT log.

What program did you run that identified this item?
Virus scan finished. 1 virus found.
Scan Results: 24670 files scanned. 1 virus was detected.
File Infection Status Path
CONINE.INI Win32/HacDef!INI infected C:\WINNT\system32\dllcache\
I see no mention of the program that identified it. Please mention the name of that program and then run it again, post the results.

Thanks
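Added example, not part of HijackThis or of the thread's own tools: a Python triage script for a HijackThis log that parses each entry line and flags the O16 DPF (Download Program Files) entries whose download URL is empty, which is exactly the "leftover junk" the instructions above single out. The sample log is a subset of the log posted earlier in the thread; the regular expressions are constructed from the line shapes visible there.

```python
"""Triage a HijackThis log: parse entries, list O16 DPF controls, and flag
the ones with no download URL. Constructed example (not HijackThis code)."""
import re
from collections import Counter

# Every HJT entry line looks like "<section> - <body>", e.g. "O16 - DPF: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")

# Body of an O16 line: "DPF: {CLSID} (Name) - URL"; the URL may be empty.
DPF_RE = re.compile(
    r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) -\s*(?P<url>\S*)$"
)

# Sample input: a subset of the log posted above in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Program Files\ZoneAlarm\zlclient.exe"
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""


def parse_hjt(text):
    """Return a list of (section, body) tuples, one per HJT entry line."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def section_counts(text):
    """How many entries of each section type the log contains."""
    return Counter(section for section, _ in parse_hjt(text))


def dpf_entries(text):
    """Structured view of every O16 (Download Program Files) entry."""
    out = []
    for section, body in parse_hjt(text):
        if section != "O16":
            continue
        m = DPF_RE.match(body)
        if m:
            out.append({"clsid": m.group("clsid"),
                        "name": m.group("name"),
                        "url": m.group("url")})
    return out


def orphaned_dpf(text):
    """O16 entries with no download URL: a registration left behind after the
    control was removed or superseded, so nothing can be fetched from it again.
    These are the candidates for 'Fix Checked' in the instructions above."""
    return [e for e in dpf_entries(text) if not e["url"]]


if __name__ == "__main__":
    print(dict(section_counts(SAMPLE_LOG)))
    for entry in orphaned_dpf(SAMPLE_LOG):
        print("orphaned O16:", entry["clsid"], entry["name"])
```

Entries with a URL (such as the Kaspersky web scanner control) are deliberately not flagged: an O16 line is only junk when the control can no longer be re-downloaded, not merely because it is an ActiveX control.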
 
Virus scan finished. 1 virus found.
Scan Results: 25732 files scanned. 1 virus was detected.

File Infection Status Path
CONINE.INI Win32/HacDef!INI infected C:\WINNT\system32\dllcache\



http://www.ca.com/us/securityadvisor

This is the scan results and part of their header on that page, also a link to the page if you want it, I don't know. I will post a HJT log in an hour or 2; I started this then needed to go do something else. Sorry, but thank you for your patience.
 
Thanks for returning the information; as a result, see this:
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=38058
Win32.HacDef is a "rootkit", sometimes called "hacker defender" or "hxdef". It acts as a backdoor that allows an intruder to control an infected system remotely, as well as hide the presence of itself and other malicious files and processes.
and you should read all of that information, I need to post this information for you:

A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Please let us know what you have decided to do in your next post.

Thanks
 
Well, we took your advice, as I probably should have with Mr.Jak3, and bought a new hard drive last night (groan). I think we got the OS installed OK, but we are getting pounded with ZoneAlarm warnings of things trying to access the internet: [NetBIOS Session] from 24.77.86.60[TCP Port 20107][TCP Flags: S]. When this comes up there are 3 or 4 that come in rapid succession, all with different IP addresses of course. Are they to be worried about, or should I allow them through? If you would like a new HJT or any scans let me know; I plan on going and doing a few scans, being as we had to google Richard the Lionheart to get HJT. Something was stopping us from downloading it, what I don't know yet (groan). Thank you for all your help thus far.
mightyuselessone
 
Assuming you just installed a new Zone Alarm, outgoing requests are not as dangerous as incoming requests until you get the firewall configured. If you don't recognize what is requesting access to the internet, block it in the beginning to give you time to find out.
Use Google to see what it is: http://www.google.com/search?hl=en&q=NetBIOS+Session&btnG=Google+Search
You can also scan the IP number with various tools, here is one:
http://www.whois.sc/ >> 24.77.86.60 = http://whois.domaintools.com/24.77.86.60
Take the time to review the tutorial for Zone Alarm: Right click the Z and choose
"Restore Zone Alarm Control Center" the tutorial is to the upper right.

If you have done a reformat, you won't be infected, when you need HJT get it here:
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe

That's a self-installer, just follow the prompts and it will install in the correct place.
All of your programs will be hollering about going online in the beginning; until you get control, block them. You will need to allow your ISP access, Zone Alarm and your antivirus. Most of the rest can wait until you can control ZA after you view the tutorial.

More IP lookup sites if needed.
http://www.google.com/search?hl=en&q=IP+lookup&btnG=Google+Search

Good luck...Phil
 