Is my system infected by a virus?

prady

New member
Hi,
My computer is running very slowly. Some programs like Yahoo Messenger and MSN Messenger abruptly stop. Yahoo Messenger currently gives messages like "memory could not be read", and then "ypager.exe has generated errors and will have to be restarted".
I ran NAV with the latest updates and there were no viruses detected.
There is a file called folder.htt in the Program Files directory. Is this an indication of a virus? When I right-click any file there is an option "Shred file" in the context menu. I don't know where this option came from.
Sometimes the system shuts down by itself after a popup comes up with a message "Windows will shut down in 60 seconds", some message referring to lsass.exe.

Logfile for HijackThis is below.

Logfile of HijackThis v1.99.1
Scan saved at 9:18:59 AM, on 10/11/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\starter.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\System32\carpserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\loadqm.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\drwtsn32.exe
C:\WINNT\System32\taskmgr.exe
D:\spyware\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\system32\starter.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Do let me know what should be done.
Thanks
Prady
 
Hi,
Here is the fresh log of HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 7:42:09 AM, on 10/19/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\starter.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\System32\carpserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\loadqm.exe
C:\Program Files\DAP\DAP.EXE
C:\WINNT\System32\bootwiz.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
D:\spyware\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\system32\starter.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [Windows Update Manager] bootwiz.exe
O4 - HKLM\..\RunServices: [Windows Update Manager] bootwiz.exe
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3AB16DA-E008-4B79-831F-1DEC2D70BB5F}: NameServer = 61.1.128.65 61.1.128.5
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

Thanks
Prady
 
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the icon next to the files found (see image: check.gif).
  • If so, click it, then click the icon right below it and select "Move incurable" (see image: move.gif).
    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose "Save report list".
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer! It is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
 
Hi LonnyRJones,
Sorry for the delay in posting. I was down with a viral infection. Here is the Dr.Web CureIt log:

netmon.exe;c:\program files\network monitor;Trojan.DnsChange;Deleted.;
bootwiz.exe;c:\winnt\system32;Win32.HLLW.MyBot;Deleted.;
lrsys.exe;c:\winnt\system32;Win32.HLLW.MyBot;Deleted.;
lviss.exe;c:\winnt\system32;BackDoor.IRC.Sdbot.694;Deleted.;
yayvv.dll;C:\!KillBox;Trojan.Virtumod;Deleted.;
Process.exe;C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
fix[1].exe;C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\IJ2345O7;Adware.Zango;Incurable.Moved.;
Dc1.exe;C:\RECYCLER\S-1-5-21-854245398-1708537768-842925246-500;Adware.Zango;Incurable.Moved.;
setup_30556.exe;C:\WINNT\system32;BackDoor.IRC.Sdbot.694;Deleted.;
setup_64057.exe;C:\WINNT\system32;BackDoor.IRC.Sdbot.694;Deleted.;
setup_71854.exe;C:\WINNT\system32;Win32.HLLW.MyBot;Deleted.;
setup_77271.exe;C:\WINNT\system32;Win32.HLLW.MyBot;Deleted.;
win32.exe;C:\WINNT\system32;Trojan.Spambot;Deleted.;
backup-20060512-175510-200.dll;D:\spyware\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20060825-014337-252.dll;D:\spyware\hijackthis\backups;Adware.Softomate;Incurable.Moved.;
backup-20060914-235513-828.dll;D:\spyware\hijackthis\backups;Adware.Softomate;Incurable.Moved.;
backup-20060915-162000-521.dll;D:\spyware\hijackthis\backups;Adware.Softomate;Incurable.Moved.;
Process.exe;D:\spyware\SmitfraudFix\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;D:\spyware\SmitfraudFix\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
Thanks
Prady
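The report above is semicolon-separated (file;directory;verdict;action), and not every line in it is a live infection: the Tool.* verdicts are Dr.Web's class for utilities (here Process.exe and restart.exe, which ship with SmitfraudFix), and the hits under hijackthis\backups, !KillBox, Temporary Internet Files and RECYCLER are copies that were already inert when found. The Python below is an added example, not code from this thread or from Dr.Web, that sorts such a report into live hits, residue and tools and derives follow-up checks. The sample lines are constructed from entries in this report; the RESIDUE_DIRS markers and the FOLLOWUPS notes are assumptions of this example.

```python
"""Sort a Dr.Web CureIt report (DrWeb.csv) into live hits, residue and tools (added example)."""
import re
from collections import Counter

# Directories whose hits are already-inert copies (quarantine, fix-tool backups, caches).
# Assumption of this example; extend the tuple for other quarantine tools.
RESIDUE_DIRS = ("\\hijackthis\\backups\\", "\\!killbox\\", "\\temporary internet files\\",
                "\\recycler\\", "\\doctorweb\\")

# Follow-up checks keyed on a substring of the verdict family (assumptions of this example).
FOLLOWUPS = {
    "DnsChange": "confirm the TCP/IP NameServer values (HijackThis O17 lines) are the expected resolvers",
    "IRC": "an IRC backdoor was live, so treat every password typed on this machine as exposed",
}

# Constructed sample in the report's own layout: name;directory;verdict;action;
SAMPLE_REPORT = r"""netmon.exe;c:\program files\network monitor;Trojan.DnsChange;Deleted.;
bootwiz.exe;c:\winnt\system32;Win32.HLLW.MyBot;Deleted.;
yayvv.dll;C:\!KillBox;Trojan.Virtumod;Deleted.;
Process.exe;C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
fix[1].exe;C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\IJ2345O7;Adware.Zango;Incurable.Moved.;
Dc1.exe;C:\RECYCLER\S-1-5-21-854245398-1708537768-842925246-500;Adware.Zango;Incurable.Moved.;
setup_30556.exe;C:\WINNT\system32;BackDoor.IRC.Sdbot.694;Deleted.;
win32.exe;C:\WINNT\system32;Trojan.Spambot;Deleted.;
backup-20060512-175510-200.dll;D:\spyware\hijackthis\backups;Trojan.Virtumod;Deleted.;
"""


def parse_report(text):
    """One dict per report line; lines with fewer than four fields are skipped."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(";")]
        if len(parts) < 4 or not parts[0]:
            continue
        name, directory, verdict, action = parts[:4]
        records.append({"name": name, "dir": directory, "verdict": verdict, "action": action})
    return records


def family(verdict):
    """Drop a trailing numeric variant: BackDoor.IRC.Sdbot.694 -> BackDoor.IRC.Sdbot."""
    return re.sub(r"\.\d+$", "", verdict)


def classify(rec):
    """'tool' for Dr.Web's Tool.* class, 'residue' for inert copies, else 'live'."""
    if rec["verdict"].startswith("Tool."):
        return "tool"
    d = rec["dir"].lower() + "\\"  # trailing separator so the markers match whole components
    if any(marker in d for marker in RESIDUE_DIRS):
        return "residue"
    return "live"


def summarize(records):
    """Counts per class, the live records, their families, and follow-up checks."""
    counts = Counter(classify(r) for r in records)
    live = [r for r in records if classify(r) == "live"]
    families = sorted({family(r["verdict"]) for r in live})
    followups = [note for key, note in FOLLOWUPS.items() if any(key in f for f in families)]
    return {"counts": dict(counts), "live": live, "families": families, "followups": followups}


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print(summary["counts"])
    for rec in summary["live"]:
        print("LIVE", rec["verdict"], rec["dir"] + "\\" + rec["name"], rec["action"])
    for note in summary["followups"]:
        print("FOLLOW UP:", note)
```

The point of the split is that the live set is what drives the next step (here: two IRC bots and a DNS changer in system32, which is why the NameServer line in the HijackThis log deserves a look), while the residue and tool lines only tell you the earlier cleanup attempts left copies behind.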
 
Start HijackThis and place a check next to these items, if present:
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [Windows Update Manager] bootwiz.exe
O4 - HKLM\..\RunServices: [Windows Update Manager] bootwiz.exe
Optional fix:
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
====================================
Hit "Fix checked" and close HijackThis.
Restart the PC.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post a fresh HijackThis log please, and be sure to mention any current problems.
 
Hi,
I fixed the following using HijackThis:
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe

The log file is here:
Logfile of HijackThis v1.99.1
Scan saved at 11:39:42 PM, on 10/23/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system\winlogon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\starter.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\System32\carpserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
D:\spyware\hijackthis\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\system32\starter.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINNT\system\winlogon.exe


The problem with lsas.exe still persists. I still get the error "memory could not be read, click OK to terminate", then another popup "lsas.exe has generated errors". Then the shutdown screen appears and the system has to be restarted.

Thanks
Prady
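Several indicators in the logs above can be checked mechanically rather than by eye: the extra C:\WINNT\system\winlogon.exe process and the "Unknown owner" WINLOGON service pointing at it (a core NT binary outside system32), the bootwiz.exe entry that appeared in both Run and RunServices as a bare filename, and the O17 NameServer override. The Python below is an added example, not code from this thread or from HijackThis. It assumes the Windows 2000 layout (%SystemRoot% = C:\WINNT) seen in the posted logs; the SAMPLE_LOG is a constructed excerpt modelled on those logs, and the CORE_BINARIES set and the finding categories are this example's own choices.

```python
"""Triage a HijackThis v1.99 log for a few strong indicators (added example)."""
import re
from collections import defaultdict

# Assumption: Windows 2000 layout, %SystemRoot% = C:\WINNT, as in the posted logs.
SYSTEM32 = r"c:\winnt\system32"
# Core NT binaries that live only in system32; the same name anywhere else is a masquerade.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "dllhost.exe", "taskmgr.exe"}

O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<ns>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Constructed excerpt modelled on the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system\winlogon.exe
C:\Program Files\WinZip\WZQKPICK.EXE

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Windows Update Manager] bootwiz.exe
O4 - HKLM\..\RunServices: [Windows Update Manager] bootwiz.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3AB16DA-E008-4B79-831F-1DEC2D70BB5F}: NameServer = 61.1.128.65 61.1.128.5
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINNT\system\winlogon.exe
"""


def image_path(cmd):
    """Image of a Run-key command: the quoted path, or the shortest prefix ending in an
    executable extension (this keeps unquoted paths that contain spaces intact)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|pif|dll))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def split_path(path):
    """Lower-cased (directory, basename); directory is '' for a bare filename."""
    p = path.strip().lower()
    i = p.rfind("\\")
    return (p[:i], p[i + 1:]) if i >= 0 else ("", p)


def triage(log_text):
    """Return (category, detail) findings in log order; Run-key findings come last."""
    findings = []
    run_entries = defaultdict(set)  # (display name, image) -> subkeys it was seen in
    in_procs = False
    for line in log_text.splitlines():
        line = line.rstrip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            if not line:  # blank line ends the process list
                in_procs = False
                continue
            d, b = split_path(line)
            if b in CORE_BINARIES and d != SYSTEM32:
                findings.append(("masquerade", f"{b} running from {d}"))
            continue
        m = O4_RE.match(line)
        if m:
            run_entries[(m["name"], image_path(m["cmd"]))].add(m["key"])
            continue
        m = O17_RE.match(line)
        if m:
            findings.append(("dns-override", f"NameServer = {m['ns']}"))
            continue
        m = O23_RE.match(line)
        if m:
            d, b = split_path(m["path"])
            if m["owner"].lower() == "unknown owner":
                findings.append(("unknown-owner-service", f"{m['svc']} -> {m['path']}"))
            if b in CORE_BINARIES and d != SYSTEM32:
                findings.append(("masquerade", f"service '{m['svc']}' runs {b} from {d}"))
    for (name, image), keys in run_entries.items():
        d, b = split_path(image)
        if not d:  # no directory: the loader finds it by path search, so review it
            findings.append(("bare-run-entry", f"[{name}] {b} in {sorted(keys)}"))
        if "RunServices" in keys:  # a Win9x/ME key; NT ignores it, bot installers write it anyway
            findings.append(("runservices", f"[{name}] {b} also registered under RunServices"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:22} {detail}")
```

Bare-filename Run entries are common for legitimate software too (mobsync.exe here), so that category is a review list rather than a verdict; the masquerade, RunServices and unknown-owner findings are the ones that would have pointed at C:\WINNT\system\winlogon.exe and bootwiz.exe straight away.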
 
Other than the lsas.exe problem, there is also a problem when I restart the system: when I get the login screen, there is a popup with "mstdc.exe Application error" (this happens every time we start the computer). Yahoo Messenger also fails to run; there is a popup with the title "YHiddenContentManagerWindow: Ypager.exe - Application error. The instruction at 0x2XXXXXX referenced memory at 0xfffff8. The memory could not be read".

The applications sometimes don't respond, including the browsers.
Not sure what's causing this.
Thanks
Prady
 
Download SDFix and save it to your Desktop.
Double-click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally, copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
 
Here are the logs:
Logfile of HijackThis v1.99.1
Scan saved at 12:24:38 AM, on 10/25/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\starter.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\System32\carpserv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
D:\spyware\hijackthis\HijackThis.exe

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\system32\starter.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

======================

SDFix: Version 1.31
-------------------

Scan run on:
Tue 10/24/2006

Time:
5:25p


Microsoft Windows 2000 [Version 5.00.2195]

Running from: C:\Documents and Settings\Administrator\Desktop\SDFix

Stage One...

Checking Services...

Name:
-----

DcmHlp
Debug Config System
DLLHOST
dsrss
Network Confg System
smsmanger
SMSS
WINLOGON

Path:
----

"C:\WINNT\dcmhelp.exe"
"C:\WINNT\system32\lrsys.exe"
"C:\WINNT\system\dllhost.exe"
"C:\WINNT\dsrss.exe"
"C:\WINNT\system32\lviss.exe"
"C:\WINNT\smsmanger.exe"
"C:\WINNT\smss.exe"
"C:\WINNT\system\winlogon.exe"


DcmHlp Deleted...
Debug Config System Deleted...
DLLHOST Deleted...
dsrss Deleted...
Network Confg System Deleted...
smsmanger Deleted...
SMSS Deleted...
WINLOGON Deleted...

Repairing Registry...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two...

Checking For Malware:
--------------------

C:\WINNT\system32\edfimg_00636.exe
C:\WINNT\system32\edfimg_05255.exe
C:\WINNT\system32\edfimg_07840.exe
C:\WINNT\system32\edfimg_34088.exe
C:\WINNT\system32\edfimg_41154.exe
C:\WINNT\system32\edfimg_68250.exe
C:\WINNT\system32\edfimg_72555.exe
C:\WINNT\system32\eraseme_45662.exe
C:\WINNT\system32\eraseme_54310.exe
C:\WINNT\system32\eraseme_68168.exe
C:\WINNT\system\winlogon.exe
C:\WINNT\system32\i

Backing Up and Removing any Files Found...

Final Check:

Services:
---------




Files:
------



Any files removed are saved to the SDFix\backups Folder

FINISHED
=============

Thanks
Prady
 
Hi LonnyRJones,
The problem with lsas.exe still exists. I still get the error "lsas.exe has generated errors" and the system shuts down.
thanks
Prady
 
Let's have a look at recently created files with this tool.

Post a combofix log
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large, you might need to post half in one reply and half in another.
 
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Administrator\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\taskmgr.com
C:\WINNT\uninstall_nmon.vbs
C:\Documents and Settings\Default User\Application Data\NetMon
C:\Program Files\Deskbar
C:\Program Files\network monitor


((((((((((((((((((((((((((((((( Files Created from 2006-09-27 to 2006-10-27 ))))))))))))))))))))))))))))))))))


2006-10-24 14:26 60,593 --a------ C:\WINNT\system32\x.exe
2006-10-24 00:08 0 --a------ C:\WINNT\system32\taskmgr32.exe
2006-10-23 11:22 0 --a------ C:\WINNT\system32\winwiz.exe
2006-10-11 09:11 0 --a------ C:\WINNT\system32\f.exe
2006-10-10 09:53 61,440 --a------ C:\WINNT\system32\dbnetlib.dll
2006-10-10 09:53 45,632 --a------ C:\WINNT\system32\cliconfg.exe
2006-10-10 09:53 44,032 --a------ C:\WINNT\system32\msxml3r.dll
2006-10-10 09:53 4,656 --a------ C:\WINNT\system32\ds16gt.dll
2006-10-10 09:53 385,024 --a------ C:\WINNT\system32\sqlsrv32.dll
2006-10-10 09:53 36,864 --a------ C:\WINNT\system32\mscpxl32.dll
2006-10-10 09:53 28,672 --a------ C:\WINNT\system32\dbnmpntw.dll
2006-10-10 09:53 26,224 --a------ C:\WINNT\system32\odbc16gt.dll
2006-10-10 09:53 24,576 --a------ C:\WINNT\system32\odbcbcp.dll
2006-10-10 09:53 24,576 --a------ C:\WINNT\system32\dbmsvinn.dll
2006-10-10 09:53 24,576 --a------ C:\WINNT\system32\dbmsrpcn.dll
2006-10-10 09:53 24,576 --a------ C:\WINNT\system32\dbmsgnet.dll
2006-10-10 09:53 20,480 --a------ C:\WINNT\system32\msorc32r.dll
2006-10-10 09:53 20,480 --a------ C:\WINNT\system32\dbmsadsn.dll
2006-10-10 09:53 180,800 --a------ C:\WINNT\system32\sqlunirl.dll
2006-10-10 09:53 131,072 --a------ C:\WINNT\system32\msorcl32.dll
2006-10-10 09:53 127,552 --a------ C:\WINNT\system32\cliconfg.dll
2006-10-10 09:53 1,122,304 --a------ C:\WINNT\system32\msxml3.dll
2006-10-10 09:52 94,208 --a------ C:\WINNT\system32\odbccp32.dll
2006-10-10 09:52 90,112 --a------ C:\WINNT\system32\odbcint.dll
2006-10-10 09:52 61,440 --a------ C:\WINNT\system32\odbccu32.dll
2006-10-10 09:52 61,440 --a------ C:\WINNT\system32\odbccr32.dll
2006-10-10 09:52 32,768 --a------ C:\WINNT\system32\odbcad32.exe
2006-10-10 09:52 200,704 --a------ C:\WINNT\system32\odbc32.dll
2006-10-10 09:52 16,384 --a------ C:\WINNT\system32\odbc32gt.dll
2006-10-10 09:52 16,384 --a------ C:\WINNT\system32\ds32gt.dll
2006-10-10 09:52 147,456 --a------ C:\WINNT\system32\odbctrac.dll
2006-10-10 09:52 126,976 --a------ C:\WINNT\system32\msdart.dll
2006-10-10 09:44 68,608 --a------ C:\WINNT\system32\logagent.exe
2006-10-10 09:44 498,960 --a------ C:\WINNT\system32\dxmasf.dll
2006-10-10 09:44 28,160 --a------ C:\WINNT\system32\laprxy.dll
2006-10-10 09:44 251,904 --a------ C:\WINNT\system32\strmdll.dll
2006-10-10 09:31 7,952 --a------ C:\WINNT\system32\snprfdll.dll
2006-10-10 09:31 6,416 --a------ C:\WINNT\system32\adsiisex.dll
2006-10-10 09:31 44,816 --a------ C:\WINNT\system32\fcachdll.dll
2006-10-10 09:31 24,336 --a------ C:\WINNT\system32\regtrace.exe
2006-10-10 09:31 15,632 --a------ C:\WINNT\system32\dt_ctrl.dll
2006-10-10 09:31 13,584 --a------ C:\WINNT\system32\smtpctrs.dll
2006-10-10 09:31 11,024 --a------ C:\WINNT\system32\smtpapi.dll
2006-10-10 09:31 11,024 --a------ C:\WINNT\system32\rwnh.dll
2006-10-10 09:29 9,488 --a------ C:\WINNT\system32\aspperf.dll
2006-10-10 09:29 8,464 --a------ C:\WINNT\system32\ftpctrs2.dll
2006-10-10 09:29 7,440 --a------ C:\WINNT\system32\wamregps.dll
2006-10-10 09:29 6,928 --a------ C:\WINNT\system32\w3svapi.dll
2006-10-10 09:29 6,928 --a------ C:\WINNT\system32\ftpsapi2.dll
2006-10-10 09:29 6,416 --a------ C:\WINNT\system32\iisrstap.dll
2006-10-10 09:29 57,616 --a------ C:\WINNT\system32\iismap.dll
2006-10-10 09:29 42,768 --a------ C:\WINNT\system32\iisext.dll
2006-10-10 09:29 32,528 --a------ C:\WINNT\system32\admwprox.dll
2006-10-10 09:29 32,016 --a------ C:\WINNT\system32\pwstray.exe
2006-10-10 09:29 244,496 --a------ C:\WINNT\system32\adsiis.dll
2006-10-10 09:29 20,752 --a------ C:\WINNT\system32\inetsloc.dll
2006-10-10 09:29 15,632 --a------ C:\WINNT\system32\w3ctrs.dll
2006-10-10 09:29 14,608 --a------ C:\WINNT\system32\iisreset.exe
2006-10-10 09:29 14,096 --a------ C:\WINNT\system32\exstrace.dll
2006-10-10 09:29 123,664 --a------ C:\WINNT\system32\iisRtl.dll
2006-10-10 09:29 12,560 --a------ C:\WINNT\system32\infoadmn.dll
2006-10-10 09:28 9,488 --a------ C:\WINNT\system32\infoctrs.dll
2006-10-10 09:28 8,464 --a------ C:\WINNT\system32\staxmem.dll
2006-10-10 09:28 67,856 --a------ C:\WINNT\system32\convlog.exe
2006-10-10 09:28 6,928 --a------ C:\WINNT\system32\admxprox.dll
2006-10-09 18:55 50,688 --a------ C:\WINNT\system32\wbhelp2.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-27 09:03 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Free Download Manager
2006-10-27 08:48 -------- d-a------ C:\Program Files\Mozilla Firefox
2006-10-27 08:09 -------- d-------- C:\Program Files\Yahoo!
2006-10-26 15:16 -------- d-------- C:\Program Files\Microsoft Visual Studio .NET
2006-10-26 15:16 -------- d-------- C:\Program Files\Common Files\Crystal Decisions
2006-10-26 15:15 -------- d-a------ C:\Program Files\Common Files\Microsoft Shared
2006-10-26 14:56 -------- d-------- C:\Program Files\Common Files\Merge Modules
2006-10-26 14:53 -------- d-a------ C:\Program Files\Common Files
2006-10-26 14:53 -------- d-------- C:\Program Files\Microsoft.NET
2006-10-18 16:31 -------- d-a------ C:\Program Files\Google
2006-10-14 22:58 -------- d-------- C:\Program Files\Terminal Services Client
2006-10-14 22:58 -------- d-------- C:\Program Files\CMAK
2006-10-11 08:10 75776 --a------ C:\WINNT\system32\VundoFix.exe
2006-10-10 17:48 -------- d-a------ C:\Program Files\Free Download Manager
2006-10-10 10:01 -------- d-a------ C:\Program Files\Internet Explorer
2006-10-10 09:53 -------- d--h----- C:\Program Files\Uninstall Information
2006-10-10 09:44 -------- d-a------ C:\Program Files\Outlook Express
2006-10-10 09:44 -------- d-a------ C:\Program Files\Common Files\System
2006-10-10 09:44 -------- d-a------ C:\Program Files\Common Files\Services
2006-10-09 18:58 -------- d-------- C:\Program Files\DAP
2006-10-08 11:36 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2006-10-08 10:37 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2006-10-08 09:35 -------- d-a------ C:\Program Files\Common Files\Adobe
2006-10-08 09:35 -------- d-a------ C:\Program Files\Adobe
2006-10-08 09:32 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-08 09:19 -------- d-------- C:\Program Files\Macromedia
2006-10-08 09:18 -------- d-a------ C:\Program Files\Common Files\InstallShield
2006-09-28 08:44 -------- d-------- C:\Program Files\WinRAR
2006-09-19 15:52 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-09-08 23:20 -------- d-------- C:\Program Files\SpywareBlaster
2006-08-29 19:45 0 --a------ C:\WINNT\system32\setup_58358.exe
2006-08-24 20:39 0 ---h----- C:\CONFIG.SYS
2006-08-24 20:39 0 ---h----- C:\AUTOEXEC.BAT
2006-08-24 20:38 271 ---h----- C:\Program Files\desktop.ini
2006-08-24 20:38 21952 ---h----- C:\Program Files\folder.htt


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Free Download Manager"="C:\\Program Files\\Free Download Manager\\fdm.exe -autorun"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"EnsoniqMixer"="C:\\WINNT\\system32\\starter.exe"
"Disc Detector"="C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe"
"CARPService"="carpserv.exe"
"Anti-Virus Update Scheduler"=""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"DownloadAccelerator"="\"C:\\Program Files\\DAP\\DAP.EXE\" /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Windows installer"="C:\\winstall.exe"
"eventwvr"="C:\\WINNT\\System32\\eventwvr.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"ntdll.dll"=dword:00000095

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
 
~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061023-233430-158
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
backup-20061023-233430-710
F2 - REG:system.ini: UserInit=userinit.exe
backup-20061015-125552-925
O23 - Service: Debug Config System - Unknown owner - C:\WINNT\system32\lrsys.exe
backup-20061010-182903-223
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
backup-20061010-182903-322
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
backup-20061010-174838-151
O2 - BHO: WgBHO Class - {67E9834D-B226-49E6-B6F6-85AA64E14BA3} - C:\Program Files\Free Download Manager\iefdm.dll
backup-20061009-112024-551
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3AB16DA-E008-4B79-831F-1DEC2D70BB5F}: NameServer = 61.1.128.65 61.1.128.5
backup-20061009-104135-103
O23 - Service: Network Confg System - Unknown owner - C:\WINNT\system32\lviss.exe
backup-20061008-231335-726
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3AB16DA-E008-4B79-831F-1DEC2D70BB5F}: NameServer = 61.1.128.65 61.1.128.5
backup-20061008-100142-682
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
backup-20061008-100027-310
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
backup-20061005-004541-552
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe (file missing)
backup-20061005-002552-554
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3AB16DA-E008-4B79-831F-1DEC2D70BB5F}: NameServer = 61.1.128.65 61.1.128.5
backup-20061004-231740-683
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe
backup-20061004-161707-154
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINNT\system\dllhost.exe
backup-20060915-162000-521
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
backup-20060915-161936-286
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_18.exe
backup-20060915-161936-688
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e2.exe
backup-20060915-161936-986
O4 - HKLM\..\Run: [newname] C:\\nwnmff_18.exe
backup-20060915-161936-335
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
backup-20060914-235534-841
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\cHI\command.exe
backup-20060914-235534-971
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
backup-20060914-235513-313
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3AB16DA-E008-4B79-831F-1DEC2D70BB5F}: NameServer = 61.1.128.65 61.1.128.5
backup-20060914-235513-828
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
backup-20060914-235513-505
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
backup-20060910-233204-434
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3AB16DA-E008-4B79-831F-1DEC2D70BB5F}: NameServer = 61.1.128.65 61.1.128.5
backup-20060910-002140-108
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3AB16DA-E008-4B79-831F-1DEC2D70BB5F}: NameServer = 61.1.128.65 61.1.128.5
backup-20060901-130025-161
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
backup-20060827-005346-784
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3AB16DA-E008-4B79-831F-1DEC2D70BB5F}: NameServer = 61.1.128.65 61.1.128.5
backup-20060826-005406-771
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3AB16DA-E008-4B79-831F-1DEC2D70BB5F}: NameServer = 61.1.128.65 61.1.128.5
backup-20060825-014337-252
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
backup-20060825-014254-867
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
backup-20060825-014231-456
O16 - DPF: {BADA82CB-BF48-4D76-9611-78E2C6F49F03} (BolDownloader Control) - http://messenger.rediff.com/newbol/Bol.CAB
backup-20060825-014231-590
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
backup-20060825-014032-880
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
backup-20060825-014032-495
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
backup-20060825-014032-497
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
backup-20060824-210226-887
O4 - HKLM\..\Run: [defender] C:\\dfndrff_12.exe
backup-20060824-210226-818
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_12.exe
backup-20060824-210226-121
O4 - HKLM\..\Run: [newname] C:\\nwnmff_11.exe
backup-20060822-021621-849
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
backup-20060822-021621-152
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
backup-20060816-001009-128
O4 - HKLM\..\Run: [keyboard] C:\\kybrdfh_10.exe
backup-20060816-001009-582
O4 - HKLM\..\Run: [defender] C:\\dfndrfh_10.exe
backup-20060816-001009-848
O4 - HKLM\..\Run: [newname] C:\\nwnmfh_10.exe
backup-20060814-111221-379
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_9.exe
backup-20060814-111221-412
O4 - HKLM\..\Run: [newname] C:\\nwnmff_9.exe
backup-20060814-111221-781
O4 - HKLM\..\Run: [defender] c:\\dfndrff_9.exe
backup-20060812-112607-424
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_8.exe
backup-20060812-112607-453
O4 - HKLM\..\Run: [newname] C:\\nwnmff_9.exe
backup-20060812-112607-208
O4 - HKLM\..\Run: [defender] C:\\dfndrff_8.exe
backup-20060729-095801-131
O4 - HKLM\..\Run: [defender] C:\\dfndref_7.exe
backup-20060729-022659-172
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\cHI\command.exe
backup-20060728-101402-989
O4 - HKLM\..\Run: [defender] c:\\dfndref_7.exe
backup-20060728-101402-441
O4 - HKLM\..\Run: [keyboard] c:\\kybrdef_7.exe
backup-20060728-101402-400
O4 - HKLM\..\Run: [newname] c:\\nwnmef_7.exe
backup-20060721-105338-916
O4 - HKLM\..\Run: [newname] c:\\nwnmac_6.exe
backup-20060721-105338-843
O4 - HKLM\..\Run: [keyboard] c:\\kybrdaca_6.exe
backup-20060721-105338-809
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
backup-20060721-105338-734
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
backup-20060719-010718-718
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
backup-20060719-010718-930
O4 - HKLM\..\Run: [keyboard] C:\\kybrdaca_6.exe
backup-20060719-010718-339
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00013.exe"
backup-20060719-010718-937
O4 - HKLM\..\Run: [newname] C:\\nwnmac_6.exe
backup-20060719-010718-909
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
backup-20060719-010718-626
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://(null)/
backup-20060719-010718-642
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
backup-20060719-010718-189
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
backup-20060719-010718-337
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
backup-20060719-010718-732
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
backup-20060719-010718-962
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
backup-20060719-010718-402
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
backup-20060719-004817-865
O4 - HKLM\..\Run: [keyboard] c:\\kybrdaca_6.exe
backup-20060719-004817-907
O4 - HKLM\..\Run: [defender] c:\\dfndrac_6.exe
backup-20060719-004817-654
O4 - HKLM\..\Run: [newname] c:\\nwnmac_6.exe
backup-20060719-004817-497
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
backup-20060719-004817-507
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
backup-20060719-003621-714
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\cHI\command.exe
backup-20060718-163631-767
O4 - HKLM\..\Run: [keyboard] C:\\kybrdaca_6.exe
backup-20060718-163631-944
O4 - HKLM\..\Run: [defender] C:\\dfndrac_6.exe
backup-20060718-163631-130
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
backup-20060718-163631-358
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
backup-20060718-163631-578
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
backup-20060718-163631-317
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
backup-20060717-160443-735
F2 - REG:system.ini: UserInit=userinit.exe
backup-20060717-160443-955
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
backup-20060717-160443-379
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
backup-20060715-092231-741
O4 - HKLM\..\Run: [defender] C:\\dfndrad_5.exe
backup-20060715-092231-464
O4 - HKLM\..\Run: [keyboard] C:\\kybrdad_5.exe
backup-20060715-092231-961
O4 - HKLM\..\Run: [newname] C:\\nwnmad_5.exe
backup-20060715-092150-119
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
backup-20060715-092150-608
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
backup-20060514-010431-845
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
backup-20060513-094713-839
O20 - Winlogon Notify: yayvv - C:\WINNT\System32\yayvv.dll (file missing)
backup-20060513-094713-711
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/242f4ec42d7a10f0e906/netzip/RdxIE601.cab
backup-20060513-094713-964
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
backup-20060513-094713-719
O2 - BHO: (no name) - {34F41E65-9C7E-4156-BC57-156D4233970E} - C:\WINNT\System32\yayvv.dll (file missing)
backup-20060512-175510-290
O20 - Winlogon Notify: yayvv - C:\WINNT\System32\yayvv.dll
backup-20060512-175510-620
O4 - HKLM\..\Run: [ntdll.dll] C:\Program Files\paytime.exe
backup-20060512-175510-798
O4 - HKLM\..\Run: [Windows Task Manager] c:\winnt\system32\taskmgn.exe
backup-20060512-175510-200
O2 - BHO: (no name) - {B37FCBBF-2F5F-405D-BB6D-9EECDB1A1315} - C:\WINNT\System32\yayvv.dll
backup-20060512-175510-726
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
backup-20060512-175510-947
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
Completion time: Fri 2006-10-27 9:05:33.02
C:\ComboFix.txt ... 06-10-27 09:05
 
How old is your Symantec virus program?
Perhaps it is time to replace it with another less common program.

Download Pocket Killbox to the desktop (version 2.0.0.648):
http://www.downloads.subratam.org/KillBox.exe
If you already have Killbox, ensure it is the latest version.
Start Killbox, place a tick next to [x] Delete on reboot, and press the ALL Files button.
Copy this whole list into the Windows clipboard (all the bolded text below).

C:\WINNT\system32\x.exe
C:\WINNT\system32\taskmgr32.exe
C:\WINNT\system32\winwiz.exe
C:\WINNT\system32\f.exe
C:\WINNT\system32\setup_58358.exe
C:\WINNT\System32\eventwvr.exe

Back in Killbox, go to File > Paste from clipboard.
Click the red highlighted X button and say yes to the prompt to restart the PC.
Uninstall your Yahoo Messenger program, then redownload and install it if you intend to use it in the future.
If you still see the errors you mentioned when the PC is starting (or otherwise), let me know and quote them word for word.
 
I am using Symantec AntiVirus Corporate Edition 2002, with the latest updates...
Which AV program would u suggest?

I get the following error just before the login screen comes up:
Application popup: msdtc.exe - Application Error : The instruction at "0x69a2ecba" referenced memory at "0x6b58648c". The memory could not be "written".

Click on OK to terminate the program
Click on CANCEL to debug the program

I tried removing and reinstalling afresh, but I still get the same error:
Application popup: YHiddenContentManagerWindow: YPager.exe - Application Error : The instruction at "0x02437251" referenced memory at "0xfffffff8". The memory could not be "read".

Click on OK to terminate the program
Click on CANCEL to debug the program

Ran Killbox as instructed

Thanks
Prady
 
"Which AV program would u suggest?"
Practically anything besides Norton/Symantec or McAfee.

If you're willing to uninstall it, reboot and install another, do so; there are three free programs to choose from mentioned here:
http://forums.spybot.info/showthread.php?t=279
If you can afford to pay, I'd suggest either Kaspersky, Nod32 or AVG Pro.

Are you having any internet connection problems?
These should not have been fixed:
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3AB16DA-E008-4B79-831F-1DEC2D70BB5F}: NameServer = 61.1.128.65 61.1.128.5


Zip up the files Killbox deleted (c:\!killbox) and attach it here:
http://www.thespykiller.co.uk/forum/index.php?board=1.0


Do you have the Windows 2000 installation CD?
 
Hi,
Thanks for the info about the AVs.

"Are you having any internet connection problems?"
No, there is no problem with the internet connection.

Yes, I have the Win2k installation CD.

Even after reinstalling Yahoo, the error still exists:
Application popup: YHiddenContentManagerWindow: YPager.exe - Application Error : The instruction at "0x02437251" referenced memory at "0xfffffff8". The memory could not be "read".

Thanks
Prady
 