Facebook Aim virus [CLOSED]

#1 nicole1788 (New Member, 5 posts)
I ran the aimfix, adaware, avast antivirus, another antivirus. Restarted the computer after them. I can't find anything that fixes this. :whistling: So here's the log. TIA.

Logfile of HijackThis v1.99.1
Scan saved at 12:38:00 AM, on 8/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ntsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis 1.99.1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.epix.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.epix.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.epix.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by epix®
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NT Workstation SysFile (NTSYS) - Unknown owner - C:\WINDOWS\system32\ntsvc.exe

#2 Armodeluxe (Member 2k, Retired Staff, 2,744 posts)
Hi nicole1788,

Yes, you have a pretty nasty trojan. Please post this next log and a new HijackThis log. After posting the logs, please don't reboot or shut down the computer, as there is the possibility that it may change name.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

#3 nicole1788 (Topic Starter, New Member, 5 posts)
user - 06-08-22 10:55:00.06
ComboFix 06.08.18 - Running from: C:\Documents and Settings\user\Desktop

((((((((((((((((((((((((((((((( Files Created from 2006-07-22 to 2006-08-22 ))))))))))))))))))))))))))))))))))


2006-08-21 00:02 682 C:\dhcp.com
2006-08-19 22:46 2,292 C:\regfile.pif
2006-08-18 22:48 96,800 C:\WINDOWS\system32\mlsdf8hdxph.exe
2006-08-18 22:48 89,088 C:\WINDOWS\system32\cjnr4r4cumew.exe
2006-08-18 20:44 96,800 C:\WINDOWS\system32\nlkfev7pjbtlewpia.exe
2006-08-18 20:44 89,088 C:\WINDOWS\system32\sklrr7yyphz.exe
2006-08-18 20:32 96,800 C:\WINDOWS\system32\mlsdf8hbumewphatm.exe
2006-08-18 20:32 89,088 C:\WINDOWS\system32\cjnr4r4jask.exe
2006-08-18 20:32 83,968 C:\regedit.pif
2006-08-18 19:31 90,112 C:\WINDOWS\system32\AVASTSS.scr
2006-08-18 19:31 635,520 C:\WINDOWS\system32\aswBoot.exe
2006-08-18 19:31 499,712 C:\WINDOWS\system32\MSVCP71.dll
2006-08-18 19:31 1,060,864 C:\WINDOWS\system32\MFC71.dll
2006-08-18 15:43 88,576 C:\WINDOWS\system32\sklrr7yphzrjbumf.exe
2006-08-04 11:37 73,728 C:\WINDOWS\system32\dpl100.dll
2006-08-04 11:37 196,608 C:\WINDOWS\system32\dtu100.dll
2006-08-02 14:41 53,693 C:\WINDOWS\UNDPX2A.sys
2006-08-02 14:41 135,168 C:\WINDOWS\UNDPX2A.exe
2006-07-29 19:32 48,936 C:\WINDOWS\system32\sirenacm.dll
2006-07-26 22:05 3,596,288 C:\WINDOWS\system32\qt-dx331.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-21 11:40 682 --a------ C:\dhcp.com
2006-08-21 00:37 -------- d-------- C:\Program Files\HijackThis 1.99.1
2006-08-20 22:53 2292 --a------ C:\regfile.pif
2006-08-20 07:02 -------- d-------- C:\Program Files\Google
2006-08-19 11:25 83968 --a------ C:\regedit.pif
2006-08-18 22:48 96800 --a------ C:\WINDOWS\system32\mlsdf8hdxph.exe
2006-08-18 22:48 89088 --a------ C:\WINDOWS\system32\cjnr4r4cumew.exe
2006-08-18 22:38 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-18 20:44 96800 --a------ C:\WINDOWS\system32\nlkfev7pjbtlewpia.exe
2006-08-18 20:44 89088 --a------ C:\WINDOWS\system32\sklrr7yyphz.exe
2006-08-18 20:32 96800 --a------ C:\WINDOWS\system32\mlsdf8hbumewphatm.exe
2006-08-18 20:32 89088 --a------ C:\WINDOWS\system32\cjnr4r4jask.exe
2006-08-18 19:31 -------- d-------- C:\Program Files\Alwil Software
2006-08-18 17:24 -------- d-------- C:\Program Files\Winamp
2006-08-18 16:21 -------- d-------- C:\Program Files\DivX
2006-08-18 15:43 88576 --a------ C:\WINDOWS\system32\sklrr7yphzrjbumf.exe
2006-08-17 01:02 -------- d-------- C:\Program Files\Internet Explorer
2006-08-16 15:09 -------- d-------- C:\Program Files\MSN Messenger
2006-08-08 12:53 635520 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-08-05 11:25 87424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2006-08-05 11:25 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2006-08-05 11:24 16352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2006-08-05 11:22 36176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2006-08-05 11:20 24304 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2006-08-05 02:18 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2006-08-04 11:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-08-04 11:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-07-29 19:32 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-26 22:05 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-07-26 22:05 109568 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-03 17:40 778240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-07-03 17:40 778240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-07-03 17:40 761856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-07-03 17:40 620180 --a------ C:\WINDOWS\system32\DivX.dll
2006-06-21 06:49 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-06-21 06:43 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-06-21 06:42 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-06-21 06:42 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-06-21 06:34 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-06-21 06:34 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-06-21 06:34 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-06-21 06:34 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-06-21 06:34 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-06-21 06:33 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-06-21 06:33 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"SemanticInsight"="C:\\Program Files\\RXToolBar\\Semantic Insight\\SemanticInsight.exe"
"LXSUPMON"="C:\\WINDOWS\\system32\\LXSUPMON.EXE RUN"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe /c"
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,d2,03,00,00,23,00,00,00,1c,01,00,00,27,01,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Tue 08/22/2006 10:57:39.61
ComboFix.txt

Logfile of HijackThis v1.99.1
Scan saved at 10:59:12 AM, on 8/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\HijackThis 1.99.1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.epix.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.epix.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.epix.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by epix®
O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
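A triage script for the two logs above, added here as an example and not part of the thread or of either tool: it parses ComboFix "Files Created" lines and HijackThis O23 lines and applies the same checks the helper applies by eye (an executable dropped into the drive root, a random-looking system32 name, the same byte size re-dropped under different names, and a service with no vendor running from the Windows directory). The sample input is a subset of the logs posted in this thread; the name heuristic and its thresholds are my own assumptions.

```python
"""Triage helpers for the HijackThis and ComboFix logs posted above (added example)."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Subset of the ComboFix 'Files Created' section and of the HijackThis O23 lines from this thread.
COMBOFIX_SAMPLE = """\
2006-08-21 00:02 682 C:\\dhcp.com
2006-08-18 22:48 96,800 C:\\WINDOWS\\system32\\mlsdf8hdxph.exe
2006-08-18 22:48 89,088 C:\\WINDOWS\\system32\\cjnr4r4cumew.exe
2006-08-18 20:44 96,800 C:\\WINDOWS\\system32\\nlkfev7pjbtlewpia.exe
2006-08-18 20:32 83,968 C:\\regedit.pif
2006-08-18 19:31 635,520 C:\\WINDOWS\\system32\\aswBoot.exe
2006-08-02 14:41 135,168 C:\\WINDOWS\\UNDPX2A.exe
2006-07-26 22:05 3,596,288 C:\\WINDOWS\\system32\\qt-dx331.dll
"""
HJT_SAMPLE = """\
O23 - Service: avast! Mail Scanner - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\\WINDOWS\\system32\\LEXBCES.EXE
O23 - Service: NT Workstation SysFile (NTSYS) - Unknown owner - C:\\WINDOWS\\system32\\ntsvc.exe
"""

CF_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+([\d,]+)\s+(.+)$")  # date time size path
O23_LINE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")               # name - owner - image
DIGIT_INSIDE = re.compile(r"[a-z]\d+[a-z]")  # digit wedged between letters, as in "mlsdf8hdxph"


def parse_combofix(text):
    """Return (date, time, size_bytes, path) for each 'Files Created' line."""
    found = (CF_LINE.match(line.strip()) for line in text.splitlines())
    return [(m[1], m[2], int(m[3].replace(",", "")), m[4]) for m in found if m]


def flag_created_files(rows):
    """Map suspicious path -> reasons, using three signals visible in this thread's log."""
    reasons = defaultdict(list)
    by_size = defaultdict(set)  # byte size -> distinct system32 .exe paths with that size
    for _, _, size, path in rows:
        p = PureWindowsPath(path)
        # 1. executable dropped straight into the drive root (C:\dhcp.com, C:\regedit.pif)
        if p.parent == PureWindowsPath("C:\\") and p.suffix.lower() in {".com", ".pif", ".exe", ".bat", ".scr"}:
            reasons[path].append("executable in drive root")
        if "system32" in (part.lower() for part in p.parts) and p.suffix.lower() == ".exe":
            by_size[size].add(path)
            # 2. long, all-lowercase name with digits inside the letters (thresholds are assumptions;
            #    vendor files such as aswBoot.exe, UNDPX2A.exe and qt-dx331.dll fail at least one test)
            if len(p.stem) >= 10 and p.stem.islower() and DIGIT_INSIDE.search(p.stem):
                reasons[path].append("random-looking name")
    # 3. identical byte size under different names: the same payload re-dropped
    for size, paths in by_size.items():
        if len(paths) > 1:
            for path in paths:
                reasons[path].append(f"same size ({size} bytes) as {len(paths) - 1} other file(s)")
    return dict(reasons)


def flag_hjt_services(text, suspect_paths=()):
    """Flag O23 services with no vendor name running from the Windows directory, or pointing at a suspect file."""
    suspects = {s.lower() for s in suspect_paths}
    flagged = {}
    for line in text.splitlines():
        m = O23_LINE.match(line.strip())
        if not m:
            continue
        name, owner, image = m[1], m[2], m[3].split('"')[0].strip()  # drop ' /service' style arguments
        if owner == "Unknown owner" and "\\windows\\" in image.lower():
            flagged[name] = "no vendor, runs from the Windows directory"
        elif image.lower() in suspects:
            flagged[name] = "image path matches a suspicious created file"
    return flagged


def triage(combofix_text=COMBOFIX_SAMPLE, hjt_text=HJT_SAMPLE):
    """Run both checks; feed your own log text to triage a different machine."""
    files = flag_created_files(parse_combofix(combofix_text))
    return {"files": files, "services": flag_hjt_services(hjt_text, files)}
```

On the sample, the two root drops, both random-named system32 files and the NTSYS service are flagged, while the avast, Lexmark, UNDPX2A and qt-dx331 entries are not.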

#4 Armodeluxe (Member 2k, Retired Staff, 2,744 posts)
Please download the Killbox.
Unzip it to the desktop. Do not run it yet.

Please save these instructions on Notepad, as you will have to do some copying/pasting in safe mode.

Please boot into safe mode by tapping the F8 key just before Windows starts to load.

Open a command prompt, (Start > Run > CMD)

Type these and press enter after each line,

SC DELETE SPOOLSVC2** (Replace ** with the number that's showing)
Press Enter
SC DELETE TIME
press Enter
SC DELETE WTIME
Press enter
SC DELETE NTSYS
Press enter
EXIT
Press enter

1) Please run Killbox.

2) Select "Delete on Reboot". Click on "All Files".

3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\dhcp.com
C:\regfile.pif
C:\WINDOWS\system32\mlsdf8hdxph.exe
C:\WINDOWS\system32\cjnr4r4cumew.exe
C:\WINDOWS\system32\nlkfev7pjbtlewpia.exe
C:\WINDOWS\system32\sklrr7yyphz.exe
C:\WINDOWS\system32\mlsdf8hbumewphatm.exe
C:\WINDOWS\system32\cjnr4r4jask.exe
C:\regedit.pif


4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the Do You Want to Reboot Now prompt.

Reboot back to normal mode.

Now please copy the following text in the code box to Notepad. In Notepad go to File > Save As. Name it SDCheck.bat, in the drop down box at the bottom choose "All Files", and save it on your desktop. Then double click on SDCheck.bat.

@echo off
echo CHECKING FOR SDBOT CHANGES....PLEASE WAIT..........................

if exist C:\Report.txt del /q C:\Report.txt
if exist check*.txt del /q check*.txt
echo.>>C:\Report.txt
regedit /e check1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile"
if exist check1.txt find /v "Windows Registry Editor Version 5.00" < check1.txt >> C:\Report.txt
regedit /e check2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile"
if exist check2.txt find /v "Windows Registry Editor Version 5.00" < check2.txt >> C:\Report.txt
regedit /e check3.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
if exist check3.txt find /v "Windows Registry Editor Version 5.00" < check3.txt >> C:\Report.txt
echo.>>C:\Report.txt
regedit /e check4.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] >> C:\Report.txt
find "restrictanonymous" < check4.txt | find /v "restrictanonymoussam" >> C:\Report.txt
echo.>>C:\Report.txt
regedit /e check5.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole"
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole] >> C:\Report.txt
find "EnableDCOM" < check5.txt >> C:\Report.txt
echo.>>C:\Report.txt
regedit /e check6.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] >> C:\Report.txt
find "Notify" < check6.txt >> C:\Report.txt
find "Override" < check6.txt >> C:\Report.txt
echo.>>C:\Report.txt
regedit /e check7.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr"
if exist check7.txt echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]>> C:\Report.txt
if exist check7.txt find "Start" < check7.txt >> C:\Report.txt
echo.>>C:\Report.txt
regedit /e check8.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc"
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc] >>C:\Report.txt
find "Start" < check8.txt >> C:\Report.txt
echo.>>C:\Report.txt
regedit /e check9.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry"
if exist check9.txt echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]>> C:\Report.txt
if exist check9.txt find "Start" < check9.txt >> C:\Report.txt
echo.>>C:\Report.txt
regedit /e check10.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control] >>C:\Report.txt
find "WaitToKillServiceTimeout" < check10.txt >> C:\Report.txt
echo.>>C:\Report.txt
regedit /e check11.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters"
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters] >>C:\Report.txt
find "AutoShare" < check11.txt >> C:\Report.txt
echo.>>C:\Report.txt
regedit /e check12.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters"
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters] >>C:\Report.txt
find "AutoShare" < check12.txt >> C:\Report.txt
echo.>>C:\Report.txt
del /q check*.txt

notepad C:\Report.txt

A Notepad window will open with some text in it; please copy/paste it in here along with a new HijackThis log.

#5 nicole1788 (Topic Starter, New Member, 5 posts)
SC DELETE SPOOLSVC2** (Replace ** with the number that's showing)

What number, or where is it supposed to show a number?

#6 Armodeluxe (Member 2k, Retired Staff, 2,744 posts)
Sorry, that's what happens when you do too much copying/pasting... my bad... you don't have the SPOOLSVC. So your commands will be:

SC DELETE TIME
press Enter
SC DELETE WTIME
Press enter
SC DELETE NTSYS
Press enter
EXIT
Press enter

#7 nicole1788 (Topic Starter, New Member, 5 posts)
It's not working, it says it doesn't exist.

#8 Armodeluxe (Member 2k, Retired Staff, 2,744 posts)
That's good, pass on to the rest of the instructions.

#9 Armodeluxe (Member 2k, Retired Staff, 2,744 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.