Possible Trojan infection [RESOLVED]

This topic is locked.

#31 SNOWHITE (Trusted Helper, Retired Staff, 1,327 posts)

Hello maze7817,

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Your computer is very infected, and your antivirus program doesn't help us much. You will need to uninstall McAfee and then we will try another antivirus which is free and very good. Also you will need to install a firewall. Please follow the steps below:

First go HERE and download Comodo Firewall Pro, double click the setup icon and install the program. After you're done with the installation click on the Security tab, then in the bottom right corner click on Scan for known applications. Comodo will scan for known applications; after it's done scanning click the Finish button. You will be asked to restart Comodo Firewall; click on the OK button and restart Comodo.

Next, please go HERE and download avast! 4 Home Edition to your desktop.

Next, uninstall McAfee from ADD/Remove Programs, reboot your computer, after you are done with uninstalling McAfee, locate the file that you downloaded before, double-click on the file to launch the installation of avast!

Click Next on the avast! Setup window and on the next window with the ReadMe File.
Now you will see the Legal Agreement, just click I agree, and then click Next to continue.

You will be prompted with Configuration window, make sure that you choose Typical configuration and then click Next. Click Next to the windows that will follow, when the installation will finish, you will be given an option to schedule a boot time scan, select No

Now you have to restart your machine, select Restart and then click Finish.

After you restart you will get a message from avast!; it will give you the general "Hello and Thank you for choosing our Product." Also after you restart you will notice 2 new icons in the bottom right corner of the screen.

VERY IMPORTANT - after restarting, you will see two new tray icons; right click on the a icon in the taskbar and select Updating, then highlight and click Program.

You will get a warning from your firewall that avast! needs connection to internet please allow it.

You will get popup after its done updating. If avast! had to download anything for your computer you may get a message asking you to restart.

After you have updated avast! right click the small icon a in task bar and click Start Avast! AntiVirus

Click Program Registration and you will be taken to their website. Fill out the form and then check your e-mail. Once you get an e-mail from them (usually about 1 minute after submitting the form) copy and paste the serial they provided into the highlighted box. Then click OK.

After this, you will need to Schedule Boot-Time Scan with avast! Click on the little button placed in the top left corner, and select Schedule Boot-Time Scan.

Next, choose
  • Scan all local disks
  • Scan archive files
  • Click on Schedule
On the next dialog, Operating system restart needed, select Yes.

Now avast! will restart your computer and start to scan before Windows fully loads. If it detects infections while boot time scanning, you will be given choices for actions; choose the Move to chest action and don't delete anything.

IMPORTANT NOTE: since your system has infections on it, avast! will give you a dialog box with recommended actions and options; please make sure, if this happens, to click the Move to Chest button, and not to delete any reported files.

Finally, when the scan finishes the computer will boot in Normal Mode. Then, using Windows Explorer, navigate to C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt and double click on aswBoot.txt; it will open Notepad with the report of the scan. Please copy and paste the report in this thread.

Please post back to tell me how things went; also include the report from the avast scan and a new HijackThis log.

Regards,

#32 maze7817 (Member, Topic Starter, 139 posts)

I've gotten up to the point where avast is installed & I can see the tray icons when I boot up in normal mode, but my system crashes shortly after & I have to reboot in safe mode in order to do anything. But while in safe mode I don't see any new tray icons where they should be. Any suggestions?

Edited by maze7817, 16 March 2007 - 08:27 PM.

#33 SNOWHITE (Trusted Helper, Retired Staff, 1,327 posts)

Hello maze7817

I've gotten up to the point where avast is installed & I can see the tray icons when I boot up in normal mode, but my system crashes shortly after & I have to reboot in safe mode in order to do anything. But while in safe mode I don't see any new tray icons where they should be. Any suggestions?


Did you manage to update avast! to the latest definitions? If you haven't, boot to Safe Mode with Networking (do NOT surf the internet, just update avast!) and double click the icon of avast!; it should be on the desktop. The antivirus will start; click on the menu icon in the top left corner, highlight Updating and click on Program. Now avast! will download packages and, if it had something to install, will ask you to restart the computer. Restart it, then boot to Safe Mode again, start avast! again and this time follow these steps:

Schedule Boot-Time Scan with avast! Click on the little button placed in the top left corner, and select Schedule Boot-Time Scan.

Next, choose
  1. Scan all local disks
  2. Scan archive files
  3. Select "Advanced Options"
  4. Under Advanced Options select "Move infected file to Chest"
  5. Under the selection for system files choose "Ignore delete or move for system files"
  6. Click on Schedule
On the next dialog, Operating system restart needed, select Yes.

Now avast! will restart your computer and start to scan before Windows fully loads. If it detects infections while boot time scanning, you will be given choices for actions; choose the Move to Chest action and don't delete anything.

IMPORTANT NOTE: since your system has infections on it, avast! will give you a dialog box with recommended actions and options; please make sure, if this happens, to click the Move to Chest button, and not to delete any reported files.

Finally, when the scan finishes the computer will boot in Normal Mode. Then, using Windows Explorer, navigate to C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt and double click on aswBoot.txt; it will open Notepad with the report of the scan. Please copy and paste the report in this thread. Also include a new HijackThis log.

If your computer still crashes in Normal Mode, boot to Safe Mode again and, using Windows Explorer, find aswBoot.txt following the same instructions and post the contents of the scan report here.

Please post back to tell me how things went.

Regards,

#34 maze7817 (Member, Topic Starter, 139 posts)

03/17/2007 12:47
Scan of all local drives
File C:\!KillBox\inet20126\killer.exe is infected by Win32:Trojan-gen. {Other}, Moved to chest
File C:\!KillBox\inet20126\killer.exe.bak is infected by Win32:Trojan-gen. {Other}, Moved to chest
File C:\Documents and Settings\Allen\ie_updater.exe\[FSG] is infected by Win32:Murlo-AD [Trj], Moved to chest
File C:\Documents and Settings\Allen\Local Settings\Temporary Internet Files\Content.IE5\K52N8XYV\ieupdater[1].exe\[FSG] is infected by Win32:Murlo-AD [Trj], Moved to chest
File C:\pagefile.sys is infected by Win32:DNSChanger-BA [Trj], Move to chest: Error 0xC000007F {An operation failed because the disk was full.}
File C:\Program Files\Video ActiveX Object\iesplugin.dll is infected by Win32:Zlob-OO [Trj], Moved to chest
File C:\Program Files\Video ActiveX Object\iesuninst.exe is infected by Win32:Zlob-TC [Trj], Moved to chest
File C:\Program Files\Video ActiveX Object\pmunst.exe is infected by Win32:Zlob-TC [Trj], Moved to chest
File C:\WINNT\Media\dbmmgr32.dll\[UPX] is infected by Win32:SpyBot-A1888 [Trj]
File C:\WINNT\ServicePackFiles\31623131.dll is infected by Win32:Agent-CPH [Trj]
File C:\WINNT\ServicePackFiles\316231741.dll is infected by Win32:Agent-CPH [Trj]
File C:\WINNT\ServicePackFiles\316232228.dll is infected by Win32:Agent-CPH [Trj]
File C:\WINNT\ServicePackFiles\31623278.dll is infected by Win32:Agent-CPH [Trj]
File C:\WINNT\ServicePackFiles\316233148.dll is infected by Win32:Agent-CPH [Trj]
File C:\WINNT\ServicePackFiles\316233621.dll is infected by Win32:Agent-CPH [Trj]
File C:\WINNT\ServicePackFiles\31623417.dll is infected by Win32:Agent-CPH [Trj]
File C:\WINNT\ServicePackFiles\31623418.dll is infected by Win32:Agent-CPH [Trj]
File C:\WINNT\ServicePackFiles\316234546.dll is infected by Win32:Agent-CPH [Trj]
File C:\WINNT\ServicePackFiles\316235029.dll is infected by Win32:Agent-CPH [Trj]
File C:\WINNT\ServicePackFiles\31623558.dll is infected by Win32:Agent-CPH [Trj]
File C:\WINNT\ServicePackFiles\31623821.dll is infected by Win32:Agent-CPH [Trj]
File C:\WINNT\ServicePackFiles\31641325.dll is infected by Win32:Agent-CPH [Trj]
File C:\WINNT\ServicePackFiles\31641727.dll is infected by Win32:Agent-CPH [Trj]
File C:\WINNT\ServicePackFiles\31642212.dll is infected by Win32:Agent-CPH [Trj]
File C:\WINNT\ServicePackFiles\31715034.dll is infected by Win32:Agent-CPH [Trj]
File C:\WINNT\ServicePackFiles\mm.exe.bak\[UPX] is infected by Win32:Delf-CFI [Trj]
File C:\WINNT\system32\arcac.exe is infected by Win32:Trojan-gen. {UPX!}
File C:\WINNT\system32\arcac.exe.bak is infected by Win32:Trojan-gen. {UPX!}
File C:\WINNT\system32\kdlww.exe is infected by Win32:DNSChanger-BA [Trj]
File C:\WINNT\system32\update6.exe\[UPX] is infected by Win32:Small-ECW [Trj]
File C:\WINNT\system32\vcodec.exe is infected by Win32:Trojan-gen. {UPX!}
File C:\WINNT\temp1.exe is infected by Win32:DNSChanger-BA [Trj]

Number of searched folders: 3463
Number of tested files: 112065
Number of infected files: 32
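
Reading the boot-scan report above by hand, the ", Moved to chest" suffix is what separates files avast! actually quarantined from ones it only named. The hit in C:\pagefile.sys could not be moved at all, and it carries the same Win32:DNSChanger-BA name as the kdlww.exe and temp1.exe hits, which is what memory of a running component paged to disk looks like; the pagefile itself is not something to quarantine, the still-present files are. The Python below is an added example, not code from the thread or from avast!: it parses lines in the aswBoot.txt shape, sorts each hit by outcome, lists what still needs follow-up, groups hits by detection name, and compares the parsed hits against the report's own "Number of infected files" trailer so a truncated paste is noticed. The sample excerpt is constructed from the report above, with the trailer count set to match the excerpt rather than the full report.

```python
"""Parse an avast! 4 boot-scan report (aswBoot.txt shape).
Added example, not avast! code: classifies each hit and checks completeness."""
import re

# One hit line: "File <path> is infected by <threat>[, <action>]"
_HIT_RE = re.compile(
    r"^File (?P<path>.+?) is infected by (?P<threat>.+?)(?:, (?P<action>.+))?$")
_TOTAL_RE = re.compile(r"^Number of infected files: (\d+)$")

# Constructed excerpt of the report posted above; the trailer count is set to
# the number of hits in this excerpt (5), not the 32 of the full report.
SAMPLE_REPORT = r"""03/17/2007 12:47
Scan of all local drives
File C:\!KillBox\inet20126\killer.exe is infected by Win32:Trojan-gen. {Other}, Moved to chest
File C:\pagefile.sys is infected by Win32:DNSChanger-BA [Trj], Move to chest: Error 0xC000007F {An operation failed because the disk was full.}
File C:\WINNT\Media\dbmmgr32.dll\[UPX] is infected by Win32:SpyBot-A1888 [Trj]
File C:\WINNT\system32\kdlww.exe is infected by Win32:DNSChanger-BA [Trj]
File C:\Program Files\Video ActiveX Object\iesplugin.dll is infected by Win32:Zlob-OO [Trj], Moved to chest

Number of searched folders: 3463
Number of tested files: 112065
Number of infected files: 5
"""


def parse_report(text):
    """Classify every hit and compare the hit count with the report's trailer."""
    hits, reported_total = [], None
    for line in text.splitlines():
        m = _HIT_RE.match(line)
        if m:
            action = m.group("action") or ""
            if action.startswith("Moved to chest"):
                status = "quarantined"
            elif "Error" in action:
                status = "failed"       # scanner tried and could not move it
            else:
                status = "untouched"    # detected, but no action recorded
            path = m.group("path")
            hits.append({
                "path": path,
                # strip the packer/archive member suffix avast! appends, e.g. \[UPX]
                "container": path.split("\\[")[0],
                "threat": m.group("threat"),
                "status": status,
                "detail": action,
            })
            continue
        t = _TOTAL_RE.match(line)
        if t:
            reported_total = int(t.group(1))
    return {
        "hits": hits,
        "reported_total": reported_total,
        # a pasted report that lost lines (or its trailer) is not complete
        "complete": reported_total is not None and reported_total == len(hits),
    }


def needs_follow_up(report):
    """Container files the scanner named but did not get into the chest."""
    return [h["container"] for h in report["hits"] if h["status"] != "quarantined"]


def by_threat(report):
    """Group container paths by detection name to see which hits share a family."""
    groups = {}
    for h in report["hits"]:
        groups.setdefault(h["threat"], []).append(h["container"])
    return groups


if __name__ == "__main__":
    result = parse_report(SAMPLE_REPORT)
    print("complete report:", result["complete"])
    for path in needs_follow_up(result):
        print("not quarantined:", path)
    for threat, paths in by_threat(result).items():
        print(threat, "->", ", ".join(paths))
```

Run on a full aswBoot.txt, `needs_follow_up` is the list a helper would carry into the next cleanup step, and a `complete` of False means asking for the report to be pasted again before acting on it.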

#35 maze7817 (Member, Topic Starter, 139 posts)

Logfile of HijackThis v1.99.1
Scan saved at 2:02:41 PM, on 03/17/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F3 - REG:win.ini: run=C:\WINNT\ServicePackFiles\services.exe
O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\WINNT\ServicePackFiles\31715034.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video ActiveX Object\isadd.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [xp_system] C:\WINNT\ServicePackFiles\services.exe
O4 - HKLM\..\Run: [xp_sys] C:\WINNT\ServicePackFiles\mm.exe 20000
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [xp_system] C:\WINNT\ServicePackFiles\services.exe
O4 - HKCU\..\Run: [xp_sys] C:\WINNT\ServicePackFiles\mm.exe 20000
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1165361061335
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B8D601A-6780-442D-A1A3-2D09D8A106F4}: NameServer = 85.255.116.173,85.255.112.72
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0CFD05D-E045-4EA1-9D33-723CFB5D8847}: NameServer = 85.255.116.173,85.255.112.72
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDEE367A-0847-43D8-9172-9299FDE8619D}: NameServer = 85.255.116.173,85.255.112.72
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.173 85.255.112.72
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.173 85.255.112.72
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.173 85.255.112.72
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\Allen\ie_updater.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
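
In her next post SNOWHITE picks entries out of this log by hand: the O17 lines where the TCP/IP NameServer has been pointed at 85.255.116.173 and 85.255.112.72 (consistent with the Win32:DNSChanger-BA hits in the avast! report), F3 and O4 autoruns launching a services.exe and mm.exe from C:\WINNT\ServicePackFiles, a BHO from the same folder, a Winlogon Notify DLL under Documents and Settings, and an O23 service whose file is missing. The Python below is an added example, not part of the thread or of HijackThis, that applies those same checks mechanically as a triage aid. It assumes a home PC whose expected resolvers sit in RFC 1918 space (EXPECTED_DNS; substitute your ISP's or corporate DNS), and the sample lines are constructed from the log above.

```python
"""Triage helper for HijackThis v1.99 logs.
Added example, not HijackThis code: flags entry classes worth a closer look."""
import ipaddress
import re

# ASSUMPTION: a home PC whose resolver is the local router, i.e. RFC 1918 space.
# Replace with your ISP's or enterprise DNS addresses before relying on it.
EXPECTED_DNS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
WINDOWS_DIRS = ("c:\\winnt", "c:\\windows")
SYSTEM_DIRS = tuple(d + "\\system32" for d in WINDOWS_DIRS)
# Names that belong in System32 only; the same name anywhere else is a masquerade.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe"}

# Constructed sample in the shape of the log posted above (GUIDs, IPs and
# paths as they appear in the thread).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F3 - REG:win.ini: run=C:\WINNT\ServicePackFiles\services.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\WINNT\ServicePackFiles\31715034.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xp_system] C:\WINNT\ServicePackFiles\services.exe
O4 - HKLM\..\Run: [xp_sys] C:\WINNT\ServicePackFiles\mm.exe 20000
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.173 85.255.112.72
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\Allen\ie_updater.exe (file missing)
"""

# A quoted path, or a bare drive-letter path ending at a known extension.
_PATH_RE = re.compile(
    r'"([^"]+)"|([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|ocx|bat|cmd))\b', re.I)


def extract_path(fragment):
    """First file path in an entry tail, quoted or bare; '' if none."""
    m = _PATH_RE.search(fragment)
    return (m.group(1) or m.group(2)) if m else ""


def _under(path, roots):
    p = path.lower()
    return any(p.startswith(root + "\\") for root in roots)


def _location_issue(path):
    """Where an autostart binary or BHO lives, as a reason string or ''."""
    name = path.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_BINARIES and not _under(path, SYSTEM_DIRS):
        return name + " launched from outside System32"
    if _under(path, WINDOWS_DIRS) and not _under(path, SYSTEM_DIRS):
        return "autostart from a Windows subfolder other than System32"
    return ""


def _rogue_resolvers(rest, expected):
    """NameServer values that fall outside every expected network."""
    values = re.split(r"[,\s]+", rest.split("NameServer =", 1)[1].strip())
    rogue = []
    for value in values:
        try:
            ok = any(ipaddress.ip_address(value) in net for net in expected)
        except ValueError:  # not an IP literal at all; treat as suspect
            ok = False
        if not ok:
            rogue.append(value)
    return rogue


def triage(log_text, expected_dns=EXPECTED_DNS):
    """Return (section, reason, line) for each entry that deserves a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, _, rest = line.partition(" - ")
        reason = ""
        if kind == "F3" and re.search(r"run=\S", rest, re.I):
            reason = "win.ini run= starts a program at logon"
        elif kind == "O17" and "NameServer =" in rest:
            rogue = _rogue_resolvers(rest, expected_dns)
            if rogue:
                reason = "DNS resolver outside the expected set: " + ", ".join(rogue)
        elif kind in ("O2", "O4"):
            reason = _location_issue(extract_path(rest))
        elif kind == "O20":
            path = extract_path(rest)
            if path and not _under(path, SYSTEM_DIRS):
                reason = "Winlogon Notify DLL outside System32"
        elif kind == "O23" and "(file missing)" in rest:
            reason = "service registered for a file that no longer exists"
        if reason:
            findings.append((kind, reason, line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Everything returned is a prompt for a human look, not a verdict: a legitimate program installed under the Windows folder would also trip the location heuristic, and the resolver check is only as good as the expected set you feed it.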

#36 SNOWHITE (Trusted Helper, Retired Staff, 1,327 posts)

Hi maze7817

Can you work in Normal Mode now, or is the computer still crashing?

I will come back as soon as possible with new instructions; please stay with me until I tell you that the computer is clean :whistling:

Regards,

#37 maze7817 (Member, Topic Starter, 139 posts)

I still can't use normal mode without it crashing, but so far I've been able to follow the new instructions without any new problems.

#38 SNOWHITE (Trusted Helper, Retired Staff, 1,327 posts)

maze7817,

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINNT\system32\WINLOGON.EXE
  • Click on the submit button
  • Please post the results in your next reply.
Next,

Please download FixWareout from here:
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt)

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F3 - REG:win.ini: run=C:\WINNT\ServicePackFiles\services.exe
O2 - BHO: edit_html Class - {14D1A72D-8705-11D8-B120-0040F46CB696} - C:\WINNT\ServicePackFiles\31715034.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video ActiveX Object\isadd.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [xp_system] C:\WINNT\ServicePackFiles\services.exe
O4 - HKLM\..\Run: [xp_sys] C:\WINNT\ServicePackFiles\mm.exe 20000
O4 - HKCU\..\Run: [xp_system] C:\WINNT\ServicePackFiles\services.exe
O4 - HKCU\..\Run: [xp_sys] C:\WINNT\ServicePackFiles\mm.exe 20000
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B8D601A-6780-442D-A1A3-2D09D8A106F4}: NameServer = 85.255.116.173,85.255.112.72
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0CFD05D-E045-4EA1-9D33-723CFB5D8847}: NameServer = 85.255.116.173,85.255.112.72
O17 - HKLM\System\CCS\Services\Tcpip\..\{FDEE367A-0847-43D8-9172-9299FDE8619D}: NameServer = 85.255.116.173,85.255.112.72
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.173 85.255.112.72
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.173 85.255.112.72
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.173 85.255.112.72
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\Allen\ie_updater.exe (file missing)


Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis. Reboot your computer.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.
OK, post back with the Jotti scan results, FixWareout report.txt, SDFix report.txt and a new HijackThis log. Let me know how things went :whistling:

Regards,

#39 maze7817 (Member, Topic Starter, 139 posts)

Scanner results
Scan taken on 20 Mar 2007 00:25:49 (GMT)
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found Win32/PEPatch.U
BitDefender: Found Trojan.Keylogger.iOpus.A
ClamAV: Found nothing
Dr.Web: Found Trojan.Starter.170
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

#40 maze7817 (Member, Topic Starter, 139 posts)

Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other
C:\WINNT\temp\kdlww.ren 63370 06/19/03



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"SDFix"="C:\\SDFix\\RunThis.bat /second"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"=""
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

Edited by maze7817, 19 March 2007 - 07:40 PM.

#41 SNOWHITE (Trusted Helper, Retired Staff, 1,327 posts)

Hello maze7817

I will need a second opinion on the winlogon.exe

Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\WINNT\system32\WINLOGON.EXE
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File
Let me know when you do this; don't forget to post the results of SDFix and a new HijackThis log. Also, the Fixwareout report doesn't look like it's whole; can you post the whole report, or scan again and post me the entire report? Let me know if you are having problems with running Fixwareout :whistling:

EDIT: OK, I see that you have edited your post.

Edited by SNOWHITE, 19 March 2007 - 07:46 PM.

#42 maze7817 (Member, Topic Starter, 139 posts)

I've submitted the file like you asked & I'll post the logs shortly.

#43 maze7817 (Member, Topic Starter, 139 posts)

Logfile of HijackThis v1.99.1
Scan saved at 6:57:04 PM, on 03/19/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18....es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...6/client/wuweb_site.cab?1165361061335
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\Documents and Settings\Allen\ie_updater.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#44 maze7817 (Member, Topic Starter, 139 posts)

SDFix: Version 1.73

Run by Allen - Mon 03/19/2007 - 18:17:58.73

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
EXAMPLE
kprof
poof
Runtime

Path:
\??\C:\WINNT\system32\main.sys
\??\C:\WINNT\system32\kprof
\??\C:\WINNT\system32\poof
\??\C:\WINNT\System32\drivers\runtime.sys

EXAMPLE Deleted
kprof Deleted
poof Deleted
Runtime Deleted


Killing PID 116 'smss.exe'
Killing PID 140 'winlogon.exe'

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\Documents and Settings\All Users\Documents\Settings\partnership.dll - Deleted
C:\WINNT\system32\runtime.sys - Deleted
C:\Program Files\Common Files\dbmio32.dll - Deleted
C:\as.txt - Deleted
C:\WINNT\ServicePackFiles\mm.pidar - Deleted
C:\WINNT\ServicePackFiles\services.exe - Deleted
C:\WINNT\system32\koos.exe - Deleted
C:\WINNT\system32\kprof - Deleted
C:\WINNT\system32\main.sys - Deleted
C:\WINNT\system32\mm.ini - Deleted
C:\WINNT\system32\poof - Deleted
C:\WINNT\winvip.exe - Deleted
C:\DOCUME~1\Allen\LOCALS~1\Temp\tmp*.tmp - Deleted



ADS Check:

C:\WINNT\system32
No streams found.


Final Check:

Remaining Services:
------------------

#45 maze7817 (Member, Topic Starter, 139 posts)

I still can't boot up normally, but I haven't encountered any new problems. I'm still seeing an error message about something misplaced or missing when I boot up in normal mode, before it crashes. I'll write down exactly what it says & post it in my next reply.