i can't intall any anti virus program... can anyone help me plzz??

[cluless21]

hello all. The problem is, I can't install his antivirus. The installation process always stop before the processes completed, and some elements always mising (Example: .exe file). Maybe someone here can help, so I post HijackThis's log file from my computer.

Thanks!

my log file:
-----------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:42 AM, on 4/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\WINDOWS.0\RTHDCPL.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system\msddll.exe
C:\WINDOWS.0\system\msile.exe
C:\WINDOWS.0\system32\msr.exe
C:\WINDOWS.0\system\VMwareService.exe
C:\WINDOWS.0\system\VMwareService.exe
C:\WINDOWS.0\system\svhost.exe
C:\WINDOWS.0\system32\imapi.exe
C:\WINDOWS.0\explorer.exe
C:\WINDOWS.0\system32\wscntfy.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS.0\system\msile.exe
C:\WINDOWS.0\TEMP\05.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\Documents and Settings\Erwin\Desktop\HijacktThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Service Pack 3 Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Microsoft(R) System Manager] C:\WINDOWS.0\system32\sysmgr.exe
O4 - HKLM\..\Run: [netmon] C:\WINDOWS.0\system\netmon.exe
O4 - HKLM\..\Run: [WSSVC] C:\WINDOWS.0\system\smsc.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS.0\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] C:\WINDOWS.0\system32\msnsc.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msnsc] C:\WINDOWS.0\system32\msnsc.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnsc] C:\WINDOWS.0\system32\msnsc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O20 - Winlogon Notify: DfLogon - C:\WINDOWS.0\SYSTEM32\LogonDll.dll
O23 - Service: DF5Serv - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
O23 - Service: msddll - Unknown owner - C:\WINDOWS.0\system\msddll.exe
O23 - Service: microsoft install le (msile) - Unknown owner - C:\WINDOWS.0\system\msile.exe
O23 - Service: Microsoft Reverse Proxy Service (msrpxy) - Unknown owner - C:\WINDOWS.0\system32\msr.exe
O23 - Service: VMwareService - Unknown owner - C:\WINDOWS.0\system\VMwareService.exe
O23 - Service: Windows Telephony (WindowsTelephony) - Unknown owner - C:\WINDOWS.0\system\svhost.exe

--
End of file - 4414 bytes

 

[shelf life]

What is that, a honey pot your running?
You have some serious malware on board.
I suggest that you reformat and reinstall Windows.

Or we can attempt to clean it up. up to you. In any case I would use the machine as little as possible and no personal/financial use. when not in use pull the plug so you have no internet or local connectivity. Let me know how you want to proceed.

 

[cluless21]

Tnx for ur answer sir, can you please help me clean this up sir? If we can't clean this up, mybe I must really reformat this.

 

[shelf life]

Ok we will start with combofix to see what it can clean up.

1) There is a guide to read first. Read the guide, download combofix to your desktop, but before you save it to your desktop: rename it to scanme then save it to your desktop. Double click the scanme icon and follow the prompts. Post the log in your reply.

The guide to read:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

2) After combofix is finished running see if you can install your Antivirus. Update and scan with it.

3) For another check for malware we will use MBAM. link and directions:

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click **Remove Selected.**

**A restart of your computer most likely will be required to remove some items.**

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt Post the log in your reply

Post the combofix log and the MBAM log in your reply.

 

[cluless21]

hellow, ive done all what you have told me. But still whenever I try to install anti-virus programs the installation process still stops before the process is completed. And here is the logfile.

combofix log:
____________________________________________________________________

ComboFix 09-04-16.02 - Erwin 04/16/2009 18:57.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.689 [GMT 8:00]
Running from: c:\documents and settings\Erwin\Desktop\scanme.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows.0\IE4 Error Log.txt
c:\windows.0\system\msddll.exe
c:\windows.0\system\smsc.exe
c:\windows.0\system\svhost.exe
c:\windows.0\system32\AutoRun.inf
c:\windows.0\system32\drivers\sysdrv32.sys
c:\windows.0\system32\logondll.dll
c:\windows.0\system32\lx.exe.exe
c:\windows.0\system32\sysmgr.exe
c:\windows.0\system32\x.exe
c:\windows.0\Temp\02.exe
c:\windows.0\Temp\05.exe
c:\windows.0\Temp\21.exe
c:\windows.0\Temp\35.exe
c:\windows.0\Temp\38.exe
c:\windows.0\Temp\52.exe
c:\windows.0\Temp\70.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASC3360PR
-------\Legacy_MSDDLL
-------\Legacy_SYSDRV32
-------\Service_asc3360pr
-------\Service_msddll
-------\Service_sysdrv32


((((((((((((((((((((((((( Files Created from 2009-03-16 to 2009-04-16 )))))))))))))))))))))))))))))))
.

2009-04-15 12:34 . 2005-01-04 18:43 4682 ----a-w c:\windows.0\system32\npptNT2.sys
2009-04-15 12:34 . 2003-07-21 03:17 5174 ----a-w c:\windows.0\system32\nppt9x.vxd
2009-04-15 03:04 . 2009-04-15 03:04 42499 ----a-w c:\windows.0\system32\80.scr
2009-04-15 02:58 . 2009-04-15 02:58 42499 ----a-w c:\windows.0\system32\68.scr
2009-04-11 16:30 . 2009-04-11 16:30 16299862 ------w C:\Persi0.sys
2009-04-11 16:08 . 2009-04-11 16:08 47755 ----a-w c:\windows.0\system32\44.scr
2009-04-06 09:19 . 2009-04-11 16:07 47755 --sh--r c:\windows.0\system\netmon.exe
2009-04-06 09:08 . 2009-04-15 12:33 -------- d---a-w c:\documents and settings\All Users.WINDOWS.0\Application Data\TEMP
2009-04-06 09:06 . 2009-04-06 09:06 2560 ----a-w c:\windows.0\_MSRSTRT.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 16:30 . 2009-02-08 03:48 0 ----a-w C:\dfinstall.log
2009-04-11 16:11 . 2009-02-08 03:26 2048 --s-a-w c:\windows.0\bootstet.dat
2009-03-28 15:42 . 2009-02-07 19:28 -------- d-----w c:\program files\Common Files\Adobe
2009-03-11 05:54 . 2009-03-11 00:54 41987 --sh--r c:\windows.0\system\msile.exe
2009-03-11 05:50 . 2009-03-11 05:50 41987 ----a-w c:\windows.0\system32\42.scr
2009-03-11 05:35 . 2009-03-11 05:35 52736 --sh--r c:\windows.0\system\VMwareService.exe
2009-03-11 05:29 . 2009-03-11 05:29 119811 ----a-w c:\documents and settings\Erwin\12367493871920.exe
2009-02-27 15:30 . 2009-02-27 15:30 -------- d-----w c:\program files\Level Up
2009-02-27 15:29 . 2009-02-27 15:29 142830 ----a-w c:\documents and settings\Erwin\12357485401948.exe
2009-02-21 13:01 . 2009-02-21 13:01 134638 ----a-w c:\documents and settings\Erwin\12352212721940.exe
2009-02-21 12:24 . 2009-02-21 12:24 142830 ----a-w c:\documents and settings\Erwin\12352190501964.exe
2009-02-21 12:19 . 2009-02-08 03:47 15768 ----a-w c:\documents and settings\Erwin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-21 12:19 . 2009-02-21 12:15 -------- d-----w c:\documents and settings\All Users.WINDOWS.0\Application Data\FLEXnet
2009-02-21 12:14 . 2009-02-21 12:14 142830 ----a-w c:\documents and settings\Erwin\12352184851964.exe
2009-02-21 11:50 . 2009-02-21 11:50 167406 ----a-w c:\documents and settings\Erwin\12352170422024.exe
2009-02-20 13:55 . 2009-02-20 13:55 134638 ----a-w c:\documents and settings\Erwin\1235138140232.exe
2009-02-20 13:50 . 2009-02-20 13:50 142830 ----a-w c:\documents and settings\Erwin\1235137853272.exe
2009-02-20 13:30 . 2009-02-20 13:30 138734 ----a-w c:\documents and settings\Erwin\1235136650200.exe
2009-02-20 13:03 . 2009-02-20 13:03 102400 ----a-w c:\windows.0\system32\msvcrt2.dll
2009-02-20 13:01 . 2009-02-20 13:01 9728 --sh--r c:\windows.0\system32\msr.exe
2009-02-20 13:01 . 2009-02-20 13:01 9728 --sh--r c:\windows.0\system32\msr.exe
2009-02-08 16:36 . 2009-02-08 16:36 134646 ----a-w c:\documents and settings\Erwin Velasquez\12341109941944.exe
2009-02-08 04:36 . 2006-01-13 02:02 146 ----a-w C:\desktop.ini
2009-02-08 03:47 . 2009-02-08 03:41 137607 ----a-w c:\windows.0\HPHins15.dat
2009-02-08 03:39 . 2009-02-07 20:25 522 ----a-w C:\RHDSetup.log
2009-02-08 03:38 . 2009-02-08 03:38 315392 ----a-w c:\windows.0\HideWin.exe
2009-02-08 03:34 . 2009-02-08 03:24 86339 ----a-w c:\windows.0\pchealth\helpctr\OfflineCache\index.dat
2009-02-08 03:25 . 2009-02-08 03:25 107132 ----a-w c:\windows.0\UninstallFirefox.exe
2009-02-08 03:25 . 2009-02-08 03:25 2293 ----a-w c:\windows.0\mozver.dat
2009-02-08 03:21 . 2009-02-08 03:21 21640 ----a-w c:\windows.0\system32\emptyregdb.dat
2009-02-08 02:58 . 2009-02-08 02:58 134646 ----a-w c:\documents and settings\Erwin Velasquez\12340619082036.exe
2009-02-08 02:56 . 2009-02-08 02:56 138742 ----a-w c:\documents and settings\Erwin Velasquez\12340617672016.exe
2009-02-08 02:55 . 2009-02-08 02:55 138742 ----a-w c:\documents and settings\Erwin Velasquez\12340617061976.exe
2009-02-08 02:42 . 2009-02-08 02:42 138742 ----a-w c:\documents and settings\Erwin Velasquez\12340609532012.exe
2009-02-08 02:31 . 2009-02-08 02:31 208374 ----a-w c:\documents and settings\Erwin Velasquez\12340602772012.exe
2009-02-08 02:24 . 2009-02-08 02:24 138742 ----a-w c:\documents and settings\Erwin Velasquez\12340598512024.exe
2009-02-08 01:35 . 2009-02-08 01:35 134646 ----a-w c:\documents and settings\Erwin Velasquez\12340569042756.exe
2009-02-08 01:29 . 2009-02-08 01:29 142838 ----a-w c:\documents and settings\Erwin Velasquez\12340565831920.exe
2009-02-08 01:26 . 2009-02-08 01:26 208374 ----a-w c:\documents and settings\Erwin Velasquez\12340564071868.exe
2009-02-08 01:02 . 2009-02-08 01:02 212470 ----a-w c:\documents and settings\Erwin Velasquez\12340549691836.exe
2009-02-08 00:52 . 2009-02-08 00:52 134646 ----a-w c:\documents and settings\Erwin Velasquez\12340543421936.exe
2009-02-08 00:20 . 2009-02-08 00:20 224372 ----a-w c:\documents and settings\Erwin Velasquez\12340524161840.exe
2009-02-08 00:18 . 2009-02-08 00:18 228468 ----a-w c:\documents and settings\Erwin Velasquez\12340523391832.exe
2009-02-08 00:07 . 2009-02-07 19:54 15928 ----a-w c:\documents and settings\Erwin Velasquez\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-08 03:2009-02-07 19:28 25:27 . c:\program files\mozilla firefox\components\jar50.dll
2009-02-08 03:2009-02-07 19:28 25:29 . c:\program files\mozilla firefox\components\jsd3250.dll
2009-02-08 03:2009-02-07 19:28 25:27 . c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[-] 2006-01-13 02:03 360448 2A4818AEA80ACD2C95D7D92D2F3155F8 c:\windows.0\system32\drivers\tcpip.sys

[-] 2006-01-13 02:04 2187904 C3B84871DECE94E335B96FAFD756316C c:\windows.0\system32\ntoskrnl.exe

[-] 2006-01-13 01:46 1157120 162C99978D999B6722D1DB61DA136C19 c:\windows.0\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-04 4433136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"netmon"="c:\windows.0\system\netmon.exe" [2009-04-11 47755]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows.0\RTHDCPL.exe [2007-10-16 16855552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnsc"="c:\windows.0\system32\msnsc.exe" [2006-01-13 62054]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows.0\system32\tscupgrd.exe" [2006-01-13 44544]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.imc"= imc32.acm
"msacm.l3codecp"= l3codecp.acm
"VIDC.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /k:C /k *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msile]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSNETDED]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS.0\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows.0\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-04-16 12:51 155648 ----a-w c:\windows.0\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2009-04-15 12:02 151552 ----a-w c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-04-16 12:51 135168 ----a-w c:\windows.0\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-04-15 12:06 7197744 ----a-w c:\program files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 237568 ----a-w c:\windows.0\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-04-16 12:51 131072 ----a-w c:\windows.0\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2009-04-15 05:36 135168 ----a-w c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ----a-w c:\windows.0\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2007-10-11 03:04 1900544 ----a-w c:\windows.0\SkyTel.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\WINDOWS.0\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"c:\\WINDOWS.0\\system\\svhost.exe"=
"c:\\WINDOWS.0\\system32\\wuauclt.exe"=
"c:\\WINDOWS.0\\system32\\cmd.exe"=
"c:\\WINDOWS.0\\system\\msile.exe"=
"c:\\Documents and Settings\\Erwin\\12367493871920.exe"=
"c:\\WINDOWS.0\\system\\VMwareService.exe"=
"c:\\WINDOWS.0\\System32\\42.scr"=
"c:\\WINDOWS.0\\system\\netmon.exe"=
"c:\\WINDOWS.0\\System32\\44.scr"=
"c:\\WINDOWS.0\\system32\\userinit.exe"=
"c:\\WINDOWS.0\\RTHDCPL.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS.0\\system32\\Macromed\\Flash\\NPSWF32_FlashUtil.exe"=
"c:\\WINDOWS.0\\System32\\80.scr"=
"c:\\WINDOWS.0\\system32\\dwwin.exe"=
"c:\\Program Files\\Faronics\\Deep Freeze\\Install C-0\\_$Df\\FrzState2k.exe"=
"c:\\Program Files\\e-Games\\CABAL Online (PH)\\update.exe"=
"c:\\WINDOWS.0\\system32\\CF12161.exe"=
"c:\\DOCUME~1\\Erwin\\LOCALS~1\\Temp\\34.exe"=
"c:\\DOCUME~1\\Erwin\\LOCALS~1\\Temp\\winpchj.exe"=
"c:\\DOCUME~1\\Erwin\\LOCALS~1\\Temp\\wingpkeu.exe"=
"c:\\DOCUME~1\\Erwin\\LOCALS~1\\Temp\\qunp.exe"=

R2 msile;microsoft install le;c:\windows.0\system\msile.exe [2009-03-11 41987]
R2 WindowsTelephony;Windows Telephony;c:\windows.0\system\svhost.exe [2009-04-16 42523]
S0 DeepFrz;DeepFrz; [x]
S1 BIOS;BIOS;c:\windows.0\system32\drivers\BIOS.sys [2005-03-16 13696]
S2 msrpxy;Microsoft Reverse Proxy Service;c:\windows.0\system32\msr.exe [2009-02-20 9728]
S2 VMwareService;VMwareService;c:\windows.0\system\VMwareService.exe [2009-03-11 52736]
S3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows.0\system32\DRIVERS\l251x86.sys [2007-07-03 29696]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - MSNETDED

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Microsoft(R) System Manager - c:\windows.0\system32\sysmgr.exe
HKLM-Run-WSSVC - c:\windows.0\system\smsc.exe
Notify-DfLogon - LogonDll.dll


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Erwin\Application Data\Mozilla\Firefox\Profiles\noouy53z.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-USfficial
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-16 19:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

c:\windows.0\system\netmon.exe [1216] 0x8338A580

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-725345543-1284227242-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
c:\program files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
c:\windows.0\system32\wscntfy.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\windows.0\temp\67.exe
c:\docume~1\Erwin\LOCALS~1\temp\winpchj.exe
c:\docume~1\Erwin\LOCALS~1\temp\wingpkeu.exe
.
**************************************************************************
.
Completion time: 2009-04-16 19:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-16 11:05

Pre-Run: 28,933,816,320 bytes free
Post-Run: 29,728,370,688 bytes free

253



MBAM log:
_________________________________________________________________

Malwarebytes' Anti-Malware 1.36
Database version: 1989
Windows 5.1.2600 Service Pack 2

4/16/2009 7:56:22 PM
mbam-log-2009-04-16 (19-56-22).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 148142
Time elapsed: 35 minute(s), 16 second(s)

Memory Processes Infected: 8
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 60

Memory Processes Infected:
C:\WINDOWS.0\system\msile.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\WINDOWS.0\system\svhost.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS.0\system32\msr.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS.0\system\svhost.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS.0\system\msile.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\WINDOWS.0\system\msile.exe (Trojan.Dropper) -> Unloaded process successfully.
C:\WINDOWS.0\temp\46.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS.0\system\VMwareService.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msile (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msile (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msile (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msnetded (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msnetded (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msnetded (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\windowstelephony (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\windowstelephony (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windowstelephony (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msrpxy (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\msrpxy (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msrpxy (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysdrv32 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysdrv32 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32 (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VMwareService (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vmwareservice (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\vmwareservice (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netmon (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msnsc (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS.0\system\msile.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS.0\system\svhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS.0\system32\msr.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS.0\temp\46.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS.0\system\netmon.exe (Trojan.Dropper) -> Delete on reboot.
C:\WINDOWS.0\system32\msnsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\01234567\e2p[1].exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS.0\system32\x.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS.0\system32\drivers\sysdrv32.sys.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS.0\Temp\02.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS.0\Temp\05.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS.0\Temp\21.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS.0\Temp\35.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS.0\Temp\38.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS.0\Temp\52.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS.0\Temp\70.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0006768.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0007770.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0007785.exe (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0008015.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0009022.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0010015.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0011015.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0012015.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0013015.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0013025.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0013038.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0014031.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0014032.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0014044.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0015149.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0015050.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0015109.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0015124.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0015136.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0016142.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0017142.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{65EE7E90-4F5A-4CE3-8688-65984C12125D}\RP4\A0018141.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C7223A61-4D51-42A5-B143-1C253FE2CD90}\RP4\A0020203.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C7223A61-4D51-42A5-B143-1C253FE2CD90}\RP4\A0020204.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C7223A61-4D51-42A5-B143-1C253FE2CD90}\RP4\A0020205.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C7223A61-4D51-42A5-B143-1C253FE2CD90}\RP4\A0020206.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C7223A61-4D51-42A5-B143-1C253FE2CD90}\RP4\A0020301.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C7223A61-4D51-42A5-B143-1C253FE2CD90}\RP4\A0020648.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C7223A61-4D51-42A5-B143-1C253FE2CD90}\RP4\A0020792.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C7223A61-4D51-42A5-B143-1C253FE2CD90}\RP4\A0020891.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system\VMwareService.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msnsc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\x.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\sysdrv32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\11.exe (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\38.exe (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\56.exe (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\67.exe (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\88.exe (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\WINDOWS.0\system32\44.scr (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS.0\system32\drivers\sysdrv32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS.0\temp\55.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS.0\temp\67.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS.0\system\VMwareService.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

 

[cluless21]

what should we do next sir??? tnx agen sir for helping me.....

 

[shelf life]

I still say it would be wise to format/reinstall Windows.

For now we will get another download to use. Its called SDfix. It only runs in SAFE MODE.

To help show all files you can do this first:

On the desktop double click my computer,go to tools>folder options>view> then select "show hidden files and folders", then UNcheck "hide protected operating system files " also UNcheck "hide extensions for known file types" click apply to all folders, apply then ok

First you can download/install SDfix, but dont run it until your in safe mode.
directions for SDfix:

Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe


Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.

* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
* Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

After you are done with SDfix, back in "normal" mode you can do this:

navigate to the Erwin folder:
c:\documents and settings\Erwin\

delete all those numbered .exe
for example:
12357485401948.exe
1235138140232.exe

next navigate to:
c:\documents and settings\Erwin Velasquez\

delete all those numbered .exe

------------------------------
now we will use combofix:

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:

File::
c:\windows.0\system32\80.scr
c:\windows.0\system32\68.scr
c:\windows.0\system32\44.scr
c:\windows.0\system32\42.scr
c:\windows.0\HideWin.exe
c:\windows.0\system32\msvcrt2.dll
c:\docume~1\Erwin\LOCALS~1\temp\winpchj.exe
c:\docume~1\Erwin\LOCALS~1\temp\wingpkeu.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"netmon"="-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnsc"="-

Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon, both on your desktop
using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
please post the new combofix log and a new hjt log.

--------------------------
See if you can do a online scan here:

ESET online scanner:

http://www.eset.com/onlinescan/

uses Internet Explorer only
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan unwanted applications"
click scan
when done you can find the scan log at:C:\Program Files\EsetOnlineScanner\log.txt
please copy/paste that log in next reply.
--------------------------------
Check MBAM for updates, then do another full system scan and post the log.