Control Panel gone, trojan viruses

Welcome Guest ( Log In | Join )

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Spyware, virus, trojan, fake security or privacy alerts? Read the malware cleaning guide. Want to reply to a topic, start a new one, or remove the advertising? Join today (always free).

> Geeks to Go! » Security » Malware Removal - HijackThis� Logs Go Here

Control Panel gone, trojan viruses

Options

dantran63 View Member Profile	Dec 21 2007, 01:43 PM Post #1
New Member Posts: 4 OS: XP	Somehow, my Control Panel has disappeared. I have quite a number of Trojan viruses on my laptop and I can't seem to remove them. The viruses that I see are: Trojan.WinSys32.spoolvs Trojan.WinSys32.mgrs Trojan.WinSys32.C1EF7 Trojan.WinSys32.avp Trojan.shellworm Trojan.SecCenter Trojan.Metamorf.E Trojan.Metamorf.D Trojan.findfast Trojan.Double-Rand Trojan.autorun and there are a lot more besides the trojans Here is a HiJackThis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:42:57 AM, on 12/21/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ACS.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\regsvr32.exe C:\Program Files\SecCenter\scprot4.exe C:\WINDOWS\mgrs.exe C:\Program Files\Outerinfo\Outerinfo.exe C:\DOCUME~1\Owner\LOCALS~1\Temp\servermon.exe C:\DOCUME~1\Owner\LOCALS~1\Temp\hostmon.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\Owner\Application Data\printer.exe C:\Program Files\Ultimate Defender\UltimateDefender.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe O4 - HKLM\..\Run: [smgr] mgrs.exe O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe O4 - Startup: findfast.exe O4 - Global Startup: autorun.exe O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/ O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {D0FD5E32-CABD-4A6E-BD0F-94ACE89CCE03} (HGPluginJP23 Class) - http://down.hangame.co.jp/jp/dist/hgstart/HGPluginJP23.cab O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing) O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- End of file - 4001 bytes This post has been edited by dantran63: Dec 21 2007, 01:53 PM

Fredil View Member Profile	Dec 21 2007, 02:52 PM Post #2
Trusted Helper Posts: 1,983 From: Wait, wait, I know this! OS: Windows XP Professional SP2	Hello dantran63, and welcome to Geeks to Go! I'm Fredil. I'm currently reading over your log right now and I'll do my best to try to get your system clean Since I'm still in training, there may be a slight delay between my posts because they must be checked by an expert. We'll get your problem solved eventually though

dantran63 View Member Profile	Dec 21 2007, 03:47 PM Post #3
New Member Posts: 4 OS: XP	Hello, and thank you for taking your time to help me =]. Let's begin.

Fredil View Member Profile	Dec 21 2007, 09:15 PM Post #4
Trusted Helper Posts: 1,983 From: Wait, wait, I know this! OS: Windows XP Professional SP2	Hello dantran63, you have a bit on there. Yes, let's begin! 1. Run ComboFix ------------------------------------------------ Download ComboFix from one of the locations below, and save it to your Desktop. Link 1 Link 2 Link 3 Double click combofix.exe and follow the prompts. When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply Note: Do not mouseclick combofix's window while its running. That may cause it to stall

dantran63 View Member Profile	Dec 23 2007, 01:30 PM Post #5
New Member Posts: 4 OS: XP	Hello, here is the Combofix log: ComboFix 07-12-21.4 - Owner 2007-12-23 10:53:47.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.676 [GMT -8:00] Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\.protected C:\Documents and Settings\All Users\Application Data.\ihmhavkv.dll C:\Documents and Settings\All Users\Start Menu\Programs.\Ultimate Defender C:\Documents and Settings\All Users\Start Menu\Programs.\Ultimate Defender\Ultimate Defender Uninstall.lnk C:\Documents and Settings\All Users\Start Menu\Programs.\Ultimate Defender\Ultimate Defender.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Ultimate Defender\Ultimate Defender Uninstall.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Ultimate Defender\Ultimate Defender.lnk C:\Documents and Settings\Owner\Application Data.\Ultimate Defender C:\Documents and Settings\Owner\Application Data.\Ultimate Defender\logs\1198264276.log C:\Documents and Settings\Owner\Application Data\antivirus.exe C:\Documents and Settings\Owner\Application Data\printer.exe C:\Documents and Settings\Owner\Application Data\trant.exe C:\Documents and Settings\Owner\Application Data\Ultimate Defender\logs\1198264276.log C:\Documents and Settings\Owner\Application Data\ultra C:\Documents and Settings\Owner\Application Data\ultra\uninstall.bat C:\Documents and Settings\Owner\Desktop\Find Spyware Remover.lnk C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Terms.lnk C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Uninstall.lnk C:\Program Files\3269.exe C:\Program Files\avirapgl C:\Program Files\avirapgl\sbgxutcp.dll C:\Program Files\Helper C:\Program Files\Helper\ifastseek.dll C:\Program Files\outerinfo C:\Program Files\outerinfo\FF\chrome.manifest C:\Program Files\outerinfo\FF\components\FF.dll C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt C:\Program Files\outerinfo\FF\install.rdf C:\Program Files\outerinfo\OinUninstall.exe C:\Program Files\outerinfo\OiUninstaller.exe C:\Program Files\outerinfo\Outerinfo.dll C:\Program Files\outerinfo\Outerinfo.exe C:\Program Files\outerinfo\outerinfo.ico C:\Program Files\outerinfo\Terms.rtf C:\Program Files\Rktpsnwy C:\Program Files\Rktpsnwy\lrmtgqbq.dll C:\Program Files\SecCenter C:\Program Files\SecCenter\scprot4.exe C:\Program Files\spoolsv.exe C:\Program Files\ucleaner_setup.exe C:\Program Files\Ultimate Cleaner C:\Program Files\Ultimate Defender C:\Program Files\Ultimate Defender\program.info C:\Program Files\Ultimate Defender\UltimateDefender.db C:\Program Files\Ultimate Defender\UltimateDefender.exe C:\Program Files\Ultimate Defender\UltimateDefender.pkg C:\Program Files\Ultimate Defender\Uninstall.exe C:\WINDOWS\Casino.ico C:\WINDOWS\cookies.ini C:\WINDOWS\Free Online Dating.ico C:\WINDOWS\inf\ultra.inf C:\WINDOWS\lsass.exe C:\WINDOWS\Spyware Remover.ico C:\WINDOWS\system32\aaakxitq.dll C:\WINDOWS\system32\awtqn.dll C:\WINDOWS\system32\bkanffdo.dll C:\WINDOWS\system32\bmtfokyl.ini C:\WINDOWS\system32\caarhpsb.dll C:\WINDOWS\system32\dnijfvhu.dll C:\WINDOWS\system32\drivers\etc\.protected C:\WINDOWS\system32\drvbod.dll C:\WINDOWS\system32\drvbodr.dll C:\WINDOWS\system32\eykyekkd.dll C:\WINDOWS\system32\fbdsqaab.dll C:\WINDOWS\system32\fbxidfvk.ini C:\WINDOWS\system32\fgrqmlya.dll C:\WINDOWS\system32\fiysugds.dll C:\WINDOWS\system32\frhuvvta.dll C:\WINDOWS\system32\fwrqlnna.dll C:\WINDOWS\system32\gckbnbap.ini C:\WINDOWS\system32\ibppiaou.dll C:\WINDOWS\system32\ivjsfrcl.dll C:\WINDOWS\system32\joqdgeip.dll C:\WINDOWS\system32\kvfdixbf.dll C:\WINDOWS\system32\kxahadss.dll C:\WINDOWS\system32\lblxaumq.dll C:\WINDOWS\system32\lcrfsjvi.ini C:\WINDOWS\system32\ljsnjort.dll C:\WINDOWS\system32\lykoftmb.dll C:\WINDOWS\system32\mbkojxfm.dll C:\WINDOWS\system32\mopmdkbp.ini C:\WINDOWS\system32\nippvjin.dll C:\WINDOWS\system32\njprckha C:\WINDOWS\system32\njprckha\bg1.gif C:\WINDOWS\system32\njprckha\bgtop.gif C:\WINDOWS\system32\njprckha\bottom1.gif C:\WINDOWS\system32\njprckha\essentials.gif C:\WINDOWS\system32\njprckha\icon1.ico C:\WINDOWS\system32\njprckha\install1.gif C:\WINDOWS\system32\njprckha\left1.gif C:\WINDOWS\system32\njprckha\li.gif C:\WINDOWS\system32\njprckha\logo.gif C:\WINDOWS\system32\njprckha\main.htm C:\WINDOWS\system32\njprckha\mainframe.htm C:\WINDOWS\system32\njprckha\njprckha1.exe C:\WINDOWS\system32\njprckha\njprckha2.exe C:\WINDOWS\system32\njprckha\njprckha3.exe C:\WINDOWS\system32\njprckha\reinstall1.gif C:\WINDOWS\system32\njprckha\right1.gif C:\WINDOWS\system32\njprckha\s1.htm C:\WINDOWS\system32\njprckha\s2.htm C:\WINDOWS\system32\njprckha\s3.htm C:\WINDOWS\system32\njprckha\SMTop1.gif C:\WINDOWS\system32\njprckha\SMTop2.gif C:\WINDOWS\system32\njprckha\SMTop3.gif C:\WINDOWS\system32\njprckha\SMTop4.gif C:\WINDOWS\system32\njprckha\soft1_off.gif C:\WINDOWS\system32\njprckha\soft1_off_ext.gif C:\WINDOWS\system32\njprckha\soft1_on.gif C:\WINDOWS\system32\njprckha\soft1_on_ext.gif C:\WINDOWS\system32\njprckha\soft2_off.gif C:\WINDOWS\system32\njprckha\soft2_off_ext.gif C:\WINDOWS\system32\njprckha\soft2_on.gif C:\WINDOWS\system32\njprckha\soft2_on_ext.gif C:\WINDOWS\system32\njprckha\soft3_off.gif C:\WINDOWS\system32\njprckha\soft3_off_ext.gif C:\WINDOWS\system32\njprckha\soft3_on.gif C:\WINDOWS\system32\njprckha\soft3_on_ext.gif C:\WINDOWS\system32\njprckha\softbottom_off.gif C:\WINDOWS\system32\njprckha\softbottom_on.gif C:\WINDOWS\system32\njprckha\softleft_off.gif C:\WINDOWS\system32\njprckha\softleft_on.gif C:\WINDOWS\system32\njprckha\top1.gif C:\WINDOWS\system32\njprckha\top2.gif C:\WINDOWS\system32\njprckha\turnoff1.gif C:\WINDOWS\system32\njprckha\turnon1.gif C:\WINDOWS\system32\nnnkhhf.dll C:\WINDOWS\system32\noiyfdho.dll C:\WINDOWS\system32\nqtwa.bak1 C:\WINDOWS\system32\nqtwa.bak2 C:\WINDOWS\system32\nqtwa.ini C:\WINDOWS\system32\nwhgkwyv.dll C:\WINDOWS\system32\ohdfyion.ini C:\WINDOWS\system32\pabnbkcg.dll C:\WINDOWS\system32\pbkdmpom.dll C:\WINDOWS\system32\sdvrbdpj.dll C:\WINDOWS\system32\tfwyghws.dll C:\WINDOWS\system32\tuvtrpm.dll C:\WINDOWS\system32\tvjbfswq.dll C:\WINDOWS\system32\uoaippbi.ini C:\WINDOWS\system32\vplnrdbm.dll C:\WINDOWS\system32\vtwefign.dll C:\WINDOWS\system32\winbug32.dll C:\WINDOWS\system32\wowfx.dll C:\WINDOWS\system32\xlibgfl254.dll C:\WINDOWS\system32\xofvemuw.dll C:\WINDOWS\system32\yuntyrfd.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\nm ((((((((((((((((((((((((( Files Created from 2007-11-23 to 2007-12-23 ))))))))))))))))))))))))))))))) . 2007-12-21 15:36 . 2007-12-21 15:46 1,226 --a------ C:\WINDOWS\system32\tmp.reg 2007-12-21 15:35 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe 2007-12-21 15:35 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2007-12-21 15:35 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe 2007-12-21 15:35 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe 2007-12-21 15:35 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe 2007-12-21 15:35 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe 2007-12-21 11:40 . 2007-12-21 11:40 <DIR> d-------- C:\Program Files\Trend Micro 2007-12-21 11:12 . 2007-12-21 11:12 <DIR> d-------- C:\Program Files\EliteProtector 2007-12-20 08:59 . 2007-12-20 08:59 4,286 --a------ C:\WINDOWS\system32\everybodybets.32x32.4.ico 2007-12-19 13:42 . 2007-12-19 13:42 26,112 -r-hs---- C:\Program Files\lsass.exe 2007-12-19 13:40 . 2007-12-19 13:40 0 --a------ C:\Install 2007-12-19 10:22 . 2007-12-21 11:00 991,842 --ahs---- C:\WINDOWS\system32\abvcqexj.ini 2007-12-17 10:06 . 2007-12-18 10:06 985,722 --ahs---- C:\WINDOWS\system32\oqadqsjh.ini 2007-12-15 12:19 . 2007-12-17 10:05 970,734 --ahs---- C:\WINDOWS\system32\uklwkwjo.ini 2007-12-14 19:41 . 2007-12-14 19:41 <DIR> d-------- C:\Program Files\HyCam2 2007-12-13 22:40 . 2007-12-15 12:16 970,674 --ahs---- C:\WINDOWS\system32\psderteh.ini 2007-12-12 11:07 . 2007-12-12 11:07 118 --a------ C:\WINDOWS\system32\MRT.INI 2007-12-12 10:20 . 2007-12-13 22:37 937,441 --ahs---- C:\WINDOWS\system32\roffedee.ini 2007-12-04 23:25 . 2007-12-08 08:13 834,400 --ahs---- C:\WINDOWS\system32\gmepvqsq.ini 2007-12-02 21:55 . 2007-12-04 23:25 669,052 --ahs---- C:\WINDOWS\system32\uwrcrhhy.ini 2007-11-27 17:13 . 2007-11-29 08:34 869,966 --ahs---- C:\WINDOWS\system32\yjflyqtn.ini 2007-11-24 07:51 . 2007-11-27 17:13 694,930 --ahs---- C:\WINDOWS\system32\ctmhhjll.ini 2007-11-24 07:49 . 2007-11-24 07:49 836,405 --ahs---- C:\WINDOWS\system32\xuufrfch.ini . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys 2007-11-03 20:12 --------- d-----w C:\Program Files\Java 2007-11-03 20:10 --------- d-----w C:\Program Files\Common Files\Java 2007-10-25 06:25 --------- d--h--w C:\Program Files\InstallShield Installation Information 2007-10-25 05:37 --------- d-----w C:\Program Files\GetRight 2007-09-20 04:52 54 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat 2004-09-16 16:10 15,360 --sha-w C:\WINDOWS\system32\si.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\si] si.dll 2004-09-16 08:10 15360 C:\WINDOWS\system32\si.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected backup=C:\WINDOWS\pss\.protectedCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe backup=C:\WINDOWS\pss\autorun.exeCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk backup=C:\WINDOWS\pss\dlbcserv.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight - Tray Icon.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GetRight - Tray Icon.lnk backup=C:\WINDOWS\pss\GetRight - Tray Icon.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks 2002 Delivery Agent.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks 2002 Delivery Agent.lnk backup=C:\WINDOWS\pss\QuickBooks 2002 Delivery Agent.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^.protected] path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\.protected backup=C:\WINDOWS\pss\.protectedStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Adobe Gamma.lnk] path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Gamma.lnk backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^findfast.exe] path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\findfast.exe backup=C:\WINDOWS\pss\findfast.exeStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^VZAccess Manager.lnk] path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\VZAccess Manager.lnk backup=C:\WINDOWS\pss\VZAccess Manager.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACU] C:\Program Files\Atheros\ACU.exe -nogui [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint] 2004-07-02 03:48 163840 -ra------ C:\Program Files\Apoint2K\Apoint.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA] 2004-06-24 20:10 339968 --a------ C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CICache] CICache.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive] rundll32.exe C:\WINDOWS\system32\drvbod.dll,startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector] DevDetect.exe -autorun [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DisableWinXPWZCS] 2004-08-04 14:50 24576 --a------ C:\Program Files\Atheros\DisableWinXPWZCS.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dit] Dit.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4] 2006-04-19 08:30 728176 --a------ C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ferazwhe] rundll32.exe C:\Program Files\avirapgl\sbgxutcp.dll,Init [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FJUPDNV_Chitose] 2003-12-10 17:08 167936 --a------ C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager] 2005-01-12 13:54 241664 --a------ C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] 2005-02-16 22:11 49152 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ihmhavkv] regsvr32 /u C:\Documents and Settings\All Users\Application Data\ihmhavkv.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndicatorUtility] 2004-08-04 15:19 81920 --a------ C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IRRCManager] 2004-09-08 08:47 1773568 --a------ C:\Program Files\Fujitsu\Remote Control Manager\IRRCManager.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LoadBtnHnd] 2004-08-10 16:47 61440 --a------ C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LoadFujitsuQuickTouch] 2004-08-10 16:48 242688 --a------ C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] 2001-07-09 09:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo] C:\Program Files\Outerinfo\Outerinfo.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SC2] C:\Program Files\SecCenter\scprot4.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\si] C:\WINDOWS\system32\si.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG] 2004-07-06 02:23 106496 --a------ C:\WINDOWS\SiSUSBrg.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\smgr] mgrs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2007-09-25 00:11 132496 --a------ C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ultimate Cleaner.install] C:\Program Files\ucleaner_setup.exe continue [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ultimate Defender] C:\Program Files\Ultimate Defender\UltimateDefender.exe hide [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VPSKEYS] 2003-03-29 11:52 102400 --a------ C:\Program Files\Vpskeys\vpskeys.exe R3 Px64Mc;PIX-MPEG/USB2.0 MCE;C:\WINDOWS\system32\DRIVERS\Px64Mc.sys [2004-08-04 13:38] S3 AIRPLUS;D-Link AirPlus Wireless Adapter;C:\WINDOWS\system32\DRIVERS\airplus.sys [2003-09-08 15:06] S3 CardReaderFilter;Card Reader Filter;C:\WINDOWS\system32\Drivers\USBCRFT.SYS [2007-08-13 08:35] S3 nwusbmdm;Novatel Wireless Merlin CDMA EV-DO Modem Driver;C:\WINDOWS\system32\DRIVERS\nwusbmdm.sys [2005-04-01 15:59] S3 nwusbser;Novatel Wireless Merlin CDMA EV-DO Status Port;C:\WINDOWS\system32\DRIVERS\nwusbser.sys [2005-04-01 15:59] S3 pwi_bus;Curitel PC Card Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\pwi_bus.sys [2005-05-04 08:59] S3 pwi_mdfl;Curitel PC Card Filter;C:\WINDOWS\system32\DRIVERS\pwi_mdfl.sys [2005-05-04 09:00] S3 pwi_mdm;Curitel PC Card Drivers;C:\WINDOWS\system32\DRIVERS\pwi_mdm.sys [2005-05-04 09:00] S3 pwi_oflt;Curitel PC Card OHCI Filter;C:\WINDOWS\system32\DRIVERS\pwi_oflt.sys [2005-05-04 09:01] S3 pwi_serd;Curitel PC Card Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\pwi_serd.sys [2005-05-04 09:01] S3 SMNDIS5;SMNDIS5 NDIS Protocol Driver;C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ffd64488-70ae-11dc-8f10-000b5d81009c}] \Shell\AutoRun\command - E:\LinksysConnectPC.exe . Contents of the 'Scheduled Tasks' folder "2007-12-23 19:18:00 C:\WINDOWS\Tasks\Symantec NetDetect.job" - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE "2007-12-15 00:03:00 C:\WINDOWS\Tasks\WebReg 20050408160326.job" - C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe`/TaskName 20050408160326 /N . ************************************************************************ catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-23 11:20:38 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\WINDOWS\system32\si.dll . Completion time: 2007-12-23 11:21:44 - machine was rebooted . 2007-12-22 10:23:41 --- E O F --- and here is the HiJackThis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:30:06 AM, on 12/23/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ACS.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/ O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {D0FD5E32-CABD-4A6E-BD0F-94ACE89CCE03} (HGPluginJP23 Class) - http://down.hangame.co.jp/jp/dist/hgstart/HGPluginJP23.cab O20 - Winlogon Notify: si - C:\WINDOWS\SYSTEM32\si.dll O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing) O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- End of file - 3117 bytes This post has been edited by dantran63**: Dec 23 2007, 01:32 PM

Fredil View Member Profile	Dec 30 2007, 11:29 AM Post #6
Trusted Helper Posts: 1,983 From: Wait, wait, I know this! OS: Windows XP Professional SP2	Hello dantran63, apologies for the (very) late reply Before we start, however, I need you to restore all the startup entries you disabled in MSConfig. It would be better if you didn't mess around there while your computer is infected, or when it's not, because you could bork up some of the inner workings, and that could possibly be worse than malware. So just un-disable (i.e. restore) what you did before, and get out! Please read my entire post before commencing, and please follow my instructions in the order that they are given If you don't understand something, don't be afraid to ask! 1. Scan with SmitFraudFix ------------------------------------------------ Please download SmitfraudFix (by S!Ri) to your Desktop. Double-click SmitfraudFix.exe Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply. If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there. Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm 2. Deckard's System Scanner ------------------------------------------------ Please download Deckard's System Scanner (DSS) and save it to your Desktop. Close ALL open windows before running the scan. Note: This program will clear your temporary files. On the first run, Deckard's System Scanner will provide you with two warnings. Press "OK" and allow DSS to scan. The entire scanning process will take about five minutes, often less. During the scan you may get warnings about sigcheck.exe trying to access the Internet; please make sure you allow it to do so. Your antivirus may also warn you about nircmd.exe; please make sure you do not delete nircmd.exe as it will cause DSS to malfunction. Once the scan is complete, you will get two logfiles - a main.txt (which you see) and an extra.txt (which is minimized). Copy the contents of both into a reply. On subsequent runs, DSS will only provide a significantly shortened main.txt and not an extra.txt. 3. Scan with ActiveScan ------------------------------------------------ Please go HERE to run Panda's ActiveScan. Note:You must use Internet Explorer for this scan. Once you are on the Panda site click the Scan your PC button A new window will open...click the Check Now button Enter your Country Enter your State/Province Enter your e-mail address and click send Select either Home User or Company Click the big Scan Now button If it wants to install an ActiveX component allow it It will start downloading the files it requires for the scan (It may take a couple of minutes) When download is complete, click on My Computer to start the scan When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report In your next post ------------------------------------------------ SmitFraudFix log DSS main.txt and extra.txt ActiveScan** log

« Next Oldest · Malware Removal - HijackThis� Logs Go Here · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Windows XP�, 2000, 2003, NT Virus/Control Panel Gone	2 / 2,204	3rd April 2008 - 09:29 AM NoobyNoobkins started - last by xmadsen
Malware Removal - HijackThis� Logs Go Here Control panel gone/Cannot update windows	0 / 1,001	19th December 2007 - 05:08 PM usmana86 started - last by usmana86
Malware Removal - HijackThis� Logs Go Here Control Panel Gone/Asking for System Administrator	0 / 326	25th December 2007 - 08:03 PM caloaks315 started - last by caloaks315
Malware Removal - HijackThis� Logs Go Here HELP! MALWARE, TROJAN VIRUSES, LOST CONTROL PANEL AND VIRTUAL MEMO	2 / 494	1st June 2008 - 06:22 AM icyaries started - last by koko_crunch