Worm.Win32.NetSky Infection [CLOSED]


This topic is locked

#1 Nippz12
Member, 11 posts
Hi,

My machine has been infected by the Worm.Win32.NetSky virus and as a result the PC is very slow and sluggish. Programs regularly hang and the screen freezes. This never happened before and I suspect the virus is consuming a lot of resources. I have followed your advice and have removed all temporary files and set a restore point. I have installed AVG Anti-Spyware but it cannot connect to the AVG site to receive updates. Since there is no other way to update AVG, this is a dead end (unless you know another way to update the defs). I also have Symantec but it is not picking up anything.
My logs are as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:55 AM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Opera\Opera.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://cache.govnet.gov.fj/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: SXG Advisor - {B21F613B-A670-4788-AB37-F08331D7C63D} - C:\WINDOWS\dpvtpornmw.dll
O3 - Toolbar: The elfwgps - {CD85E37D-E9D4-47F7-877D-CFE5C8552C02} - C:\WINDOWS\elfwgps.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\DOCUME~1\NIUMAI~1.TAB\LOCALS~1\Temp\7zS1333.tmp\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = govnet.local
O17 - HKLM\Software\..\Telephony: DomainName = govnet.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = govnet.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = govnet.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: bqxomdo - {535F4CE9-7B95-4328-9F97-3A83A7B3D076} - C:\WINDOWS\bqxomdo.dll
O21 - SSODL: aswmklt - {B89C85F4-988C-4130-ACFD-47FFAE897D2B} - C:\WINDOWS\aswmklt.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Oracle WebDb Listener - Unknown owner - C:\orant\bin\wdblsnr.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Oracle Reports Server [Rep60_ITCSUVAPC062] (OracleReportServer-Rep60_ITCSUVAPC062) - Oracle Corp - C:\orant\bin\rwmts60.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6756 bytes



Please let me know if there is anything I've missed or if there is other stuff that I can do...

Thanks
  • 0
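The HijackThis log above is the raw material a removal helper reads by eye. What follows is an added example of scripting that first pass; it is not code from this thread, from HijackThis, SmitfraudFix or Geeks to Go. It parses the R/O entry lines and flags the three patterns visible in this particular log: shell hooks (O2 BHO, O3 toolbar, O20 Winlogon notify, O21 SSODL) whose DLL sits directly in C:\WINDOWS rather than under Program Files or system32, autoruns (O4) launched from a Temp folder, and R0/R1 browser or proxy settings pointing away from microsoft.com, which it marks only for review, since a corporate proxy AutoConfigURL like the one in this log is legitimate. The sample lines are copied from post #1, plus one constructed full-URL Search Page entry as a known-good control; the fixed C:\WINDOWS path, the vowel-ratio "random-looking name" hint and its 0.3 threshold are assumptions of this example, not anything HijackThis itself does.

```python
r"""Heuristic triage of HijackThis-style log lines.

Added example for this thread; not part of HijackThis or of any tool the
helper recommended.  Flags: O2/O3/O20/O21 hook DLLs living directly in
C:\WINDOWS, O4 autoruns launched from a Temp directory, and R0/R1 URLs
off microsoft.com (review only).  The C:\WINDOWS path, the vowel-ratio
"random-looking" hint and its 0.3 threshold are this example's assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log in post #1, plus
# one constructed full-URL Search Page entry as a known-good control.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://cache.govnet.gov.fj/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SXG Advisor - {B21F613B-A670-4788-AB37-F08331D7C63D} - C:\WINDOWS\dpvtpornmw.dll
O3 - Toolbar: The elfwgps - {CD85E37D-E9D4-47F7-877D-CFE5C8552C02} - C:\WINDOWS\elfwgps.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\DOCUME~1\NIUMAI~1.TAB\LOCALS~1\Temp\7zS1333.tmp\msnmsgr.exe" /background
O21 - SSODL: bqxomdo - {535F4CE9-7B95-4328-9F97-3A83A7B3D076} - C:\WINDOWS\bqxomdo.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

SECTION_RE = re.compile(r"^([RFOP]\d+) - (.*)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]+?\.(?:dll|exe))', re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
SHELL_HOOK_SECTIONS = {"O2", "O3", "O20", "O21"}
TRUSTED_HOSTS = ("microsoft.com",)  # assumption: vendor-default hosts
WINDIR = r"c:\windows"              # assumption: system drive is C:


@dataclass(frozen=True)
class Finding:
    section: str
    target: str
    severity: str  # "suspect" or "review"
    reason: str


def vowel_ratio(stem: str) -> float:
    """Share of vowels among the letters; names like 'dpvtpornmw' score low."""
    letters = [c for c in stem.lower() if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 1.0


def parse_line(line: str):
    """Split 'O4 - rest' into ('O4', 'rest'); None for header/non-entry lines."""
    m = SECTION_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_line(line: str):
    """Apply the heuristics to one log line; return a Finding or None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    section, rest = parsed
    if section in ("R0", "R1"):
        m = URL_RE.search(rest)
        if m and not m.group(1).lower().endswith(TRUSTED_HOSTS):
            return Finding(section, m.group(1), "review",
                           "browser/proxy setting points away from the vendor default")
        return None
    m = PATH_RE.search(rest)
    if m is None:
        return None
    path = m.group(1)
    parent, _, name = path.rpartition("\\")
    stem = name.rsplit(".", 1)[0]
    if section in SHELL_HOOK_SECTIONS and parent.lower() == WINDIR:
        reason = "shell hook DLL sits directly in the Windows directory"
        if len(stem) >= 6 and vowel_ratio(stem) < 0.3:
            reason += " and has a random-looking name"
        return Finding(section, path, "suspect", reason)
    if section == "O4" and "\\temp\\" in path.lower():
        return Finding(section, path, "suspect", "autorun launches from a Temp directory")
    return None


def triage(log_text: str) -> list:
    """Run check_line over every line; findings come back in log order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:7}] {f.section:<4} {f.target}\n          {f.reason}")
```

Run against the sample, the script reports the two browser settings for review and four suspects: the three C:\WINDOWS hook DLLs (which are exactly the entries later listed under "HijackThis Fixed Entries" in post #5, together with the O2 BHO) and the msnmsgr.exe autorun from a Temp folder; the Adobe BHO, the Symantec ccApp autorun and the AVG service produce nothing. The heuristics are deliberately narrow: a legitimate vendor DLL in Program Files with few vowels (ccApp) is never flagged because the name check only strengthens a finding that the location already made.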

#2 Rorschach112
Ralphie, Retired Staff, 47,710 posts
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#3 Nippz12
Topic Starter, Member, 11 posts
Hi, thanks for your post.

I have followed the instructions and here is my log for SmitfraudFix. I have booted into Safe Mode
but I cannot log into my account (as the network connections are disabled), so I used the admin logon to run the scan. A new development is that now I can only start up in Safe Mode, as the screen is stuck on the loading settings screen when I try to log in onto my domain....

rapport.txt :


SmitFraudFix v2.276

Scan done at 15:30:43.14, Mon 01/28/2008
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\ADMINI~1\FAVORI~1\Error Cleaner.url Deleted
C:\DOCUME~1\ADMINI~1\FAVORI~1\Privacy Protector.url Deleted
C:\DOCUME~1\ADMINI~1\FAVORI~1\Spyware?Malware Protection.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1562A252-D151-41EF-9211-B13E7377FD35}: DhcpNameServer=10.1.85.156 10.1.85.193
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1562A252-D151-41EF-9211-B13E7377FD35}: DhcpNameServer=10.1.85.156 10.1.85.193
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1562A252-D151-41EF-9211-B13E7377FD35}: DhcpNameServer=10.1.85.156 10.1.85.193
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.1.85.156 10.1.85.193
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.1.85.156 10.1.85.193
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.1.85.156 10.1.85.193


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#4 Rorschach112
Ralphie, Retired Staff, 47,710 posts
Can you run DSS, please?
  • 0

#5 Nippz12
Topic Starter, Member, 11 posts
Here are the results of the DSS scanning.

Main.txt:



Deckard's System Scanner v20071014.68
Run by Administrator on 2008-01-31 13:59:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-01-31 01:59:31 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-31 14:05:21
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsof...search.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\NPJPI150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\NPJPI150_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...irector7/sw.cab
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} () - http://download.micr...78f/wvc1dmo.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.ma...t/ultrashim.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\Software\..\Telephony: DomainName = govnet.local
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = govnet.local
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: Domain = govnet.local
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = govnet.local
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Oracle WebDb Listener - Unknown owner - C:\orant\BIN\wdblsnr.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Oracle Reports Server [Rep60_ITCSUVAPC062] (OracleReportServer-Rep60_ITCSUVAPC062) - Oracle Corp - C:\orant\BIN\rwmts60.exe
O23 - Service: SavRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


--
End of file - 7278 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080131-114601-129 O21 - SSODL: aswmklt - {B89C85F4-988C-4130-ACFD-47FFAE897D2B} - C:\WINDOWS\aswmklt.dll
backup-20080131-114601-792 O21 - SSODL: bqxomdo - {535F4CE9-7B95-4328-9F97-3A83A7B3D076} - C:\WINDOWS\bqxomdo.dll
backup-20080131-114601-874 O3 - Toolbar: The elfwgps - {CD85E37D-E9D4-47F7-877D-CFE5C8552C02} - C:\WINDOWS\elfwgps.dll

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys

S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 Oracle WebDb Listener - c:\orant\bin\wdblsnr.exe
S3 OracleClientCache80 - c:\orant\bin\onrsd80.exe
S3 OracleReportServer-Rep60_ITCSUVAPC062 (Oracle Reports Server [Rep60_ITCSUVAPC062]) - c:\orant\bin\rwmts60.exe <Not Verified; Oracle Corp; Oracle Reports Server>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_1186&DEV_4C00&SUBSYS_4C001186&REV_11\4&1A671D0C&0&58F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_1186&DEV_4C00&SUBSYS_4C001186&REV_11\4&1A671D0C&0&58F0
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Compaq NC3121 Fast Ethernet NIC
Device ID: PCI\VEN_8086&DEV_1229&SUBSYS_B0D70E11&REV_05\4&1A671D0C&0&68F0
Manufacturer: Compaq
Name: Compaq NC3121 Fast Ethernet NIC
PNP Device ID: PCI\VEN_8086&DEV_1229&SUBSYS_B0D70E11&REV_05\4&1A671D0C&0&68F0
Service: N100


-- Files created between 2007-12-31 and 2008-01-31 -----------------------------

2008-01-28 15:30:49 2386 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-28 12:30:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-01-28 12:25:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-01-28 11:10:14 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-01-28 10:44:25 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-28 09:26:10 0 d-------- C:\Program Files\Trend Micro
2008-01-28 09:11:07 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-28 09:09:19 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-01-28 09:09:18 0 d-------- C:\Documents and Settings\niumaia.tabunakawai\Application Data\SUPERAntiSpyware.com
2008-01-25 15:42:51 0 d-------- C:\Documents and Settings\niumaia.tabunakawai\Application Data\Grisoft
2008-01-25 15:42:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-24 16:13:24 0 d-------- C:\Program Files\MediaEntertainmentCodec
2008-01-24 15:49:56 81920 --a------ C:\WINDOWS\fvqkfsp.exe
2008-01-24 15:49:56 172032 --a------ C:\WINDOWS\elfwgps.dll <Not Verified; ; elfwgps Module>
2008-01-21 15:35:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-01-21 10:48:57 0 d-------- C:\Program Files\Opera
2008-01-21 10:38:59 0 d-------- C:\Program Files\Java
2008-01-21 10:38:57 0 d-------- C:\Program Files\Common Files\Java
2008-01-21 09:51:00 0 d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2008-01-21 09:50:04 0 d-------- C:\Program Files\GRETECH
2008-01-18 11:40:25 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-15 08:45:47 0 d-------- C:\WINDOWS\system32\PreInstall
2008-01-09 14:17:50 0 d-------- C:\WINDOWS\pss


-- Find3M Report ---------------------------------------------------------------

2008-01-31 10:27:44 0 d-------- C:\Program Files\Symantec AntiVirus
2008-01-28 09:03:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-28 08:36:36 0 d-------- C:\Program Files\Google
2008-01-21 10:38:57 0 d-------- C:\Program Files\Common Files
2008-01-15 16:21:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-15 09:35:27 0 d-------- C:\Program Files\Messenger
2008-01-09 16:39:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-09 16:38:23 0 d-------- C:\Program Files\Symantec
2008-01-09 14:52:36 0 d-------- C:\Program Files\Common Files\InstallShield
2007-12-19 12:20:09 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2007-12-03 16:24:52 0 d-------- C:\Program Files\Real Alternative
2007-11-13 14:06:44 3407 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [04/05/2006 11:38 AM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/12/2006 04:40 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [04/08/2005 03:52 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [04/17/2005 12:30 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [05/03/2006 02:56 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 09:25 PM]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [12/21/2007 08:21 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [04/21/2006 05:03 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/05/2004 12:00 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 02/27/2007 11:39 AM 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau




-- End of Deckard's System Scanner: finished at 2008-01-31 14:10:11 ------------




extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 47%
Physical Memory (total/avail): 1015.48 MiB / 534.3 MiB
Pagefile Memory (total/avail): 2446.31 MiB / 2046.08 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1937.89 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.26 GiB total, 21.93 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD400EB-11CPF0 - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

AV: ESET NOD32 Antivirus 3.0 v3.0 (ESET, spol. s r. o.)
AV: Symantec AntiVirus Corporate Edition v10.0.0.359 (Symantec Corporation) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ITCSUVAPC062
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
lib=C:\Program Files\SQLXML 4.0\bin\
LOGONSERVER=\\ITCSUVAPC062
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\orant\bin;C:\oracle\product\10.2.0\client_1;C:\orant\jdk\bin;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\Microsoft SQL Server\90\DTS\Binn\;C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\;C:\Program Files\Java\jdk1.5.0_09\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=ITCSUVAPC062
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
VS80COMNTOOLS=C:\Program Files\Microsoft Visual Studio 8\Common7\Tools\
windir=C:\WINDOWS
wv_gateway_cfg=C:\orant\listener\cfg\wdbsvr.app


-- User Profiles ---------------------------------------------------------------

ASPNET
Administrator (admin)
shabrina.shameem (admin)
niumaia.tabunakawai (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\NuNInst.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2in1 Coundition Zero 1.1&Counter-Strike 1.6(build 2738) --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A6B06FBE-783A-4322-9532-5BCC16CD8554}\Setup.exe" -l0x9
Ad-Aware SE Professional --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Broadcom Management Programs --> MsiExec.exe /I{FB64BF25-3593-4E4E-AA85-84AEF1D1475F}
Broadcom NetXtreme Ethernet Controller --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{BE6890C7-31EF-478C-812E-1E2899ABFCA9} /l1033
Companies Office --> MsiExec.exe /I{41B14B50-5FE9-457F-A003-6F6F0304F019}
Enterprise Library for .NET Framework 2.0 - January 2006 --> MsiExec.exe /I{7FD12C24-1C06-406C-8116-2EE8A92CE690}
ESET NOD32 Antivirus --> MsiExec.exe /I{57ECFB4D-FE11-491A-9AA0-0AF7C3ABC51D}
Formatter Plus V1.4 --> C:\PROGRA~1\QUESTS~1\TOAD\Help\UNWISE.EXE C:\PROGRA~1\QUESTS~1\TOAD\Help\INSTALL.LOG
GOM Player --> "C:\Program Files\GRETECH\GomPlayer\Uninstall.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
J2SE Runtime Environment 5.0 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150070}
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Document Explorer 2005 --> C:\Program Files\Common Files\Microsoft Shared\Help 8\Microsoft Document Explorer 2005\install.exe
Microsoft Document Explorer 2005 --> MsiExec.exe /X{44D4AF75-6870-41F5-9181-662EA05507E1}
Microsoft Office Access 2003 --> MsiExec.exe /I{90150409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Project Professional 2003 --> MsiExec.exe /I{903B0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{90120409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Visio for Enterprise Architects --> MsiExec.exe /I{90550409-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server 2005 --> "C:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 (SQLEXPRESS) --> MsiExec.exe /I{130A3BE1-85CC-4135-8EA7-5A724EE6CE2C}
Microsoft SQL Server 2005 Analysis Services (SQLEXPRESS) --> MsiExec.exe /I{8ABF8FEB-ABB0-40DC-9945-85AF36EF30A9}
Microsoft SQL Server 2005 Backward compatibility --> MsiExec.exe /I{96327C3C-96BE-4C7A-A6F7-A71635E5949A}
Microsoft SQL Server 2005 Books Online (English) --> MsiExec.exe /I{0B43A744-B1B8-4089-9BD1-9D41C7EC0AA3}
Microsoft SQL Server 2005 Integration Services --> MsiExec.exe /I{EE8CFFD9-6E29-4DC3-A967-7348D5F41F44}
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools --> MsiExec.exe /X{1389C6A4-4965-4AEC-9175-08B54A10FA48}
Microsoft SQL Server 2005 Notification Services --> MsiExec.exe /I{37E9AD9F-3217-4229-B5A5-7A0C82364C6C}
Microsoft SQL Server 2005 Reporting Services (SQLEXPRESS) --> MsiExec.exe /I{E930E839-998E-42F9-97E2-71FC960DB1B7}
Microsoft SQL Server 2005 Tools --> MsiExec.exe /I{1DD463C0-A50A-4394-B7E4-5895C02F9E0D}
Microsoft SQL Server Native Client --> MsiExec.exe /I{BF251EAF-8697-4E89-BF09-C998F97BBC40}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{1CBE3804-20DF-48DA-B048-895C206E80A5}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual J# 2.0 Redistributable Package --> C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
Microsoft Visual SourceSafe 2005 - ENU --> "C:\Program Files\Microsoft Visual SourceSafe\Microsoft Visual SourceSafe 2005 - ENU\setup.exe"
Microsoft Visual Studio 2005 Professional Edition - ENU --> C:\Program Files\Microsoft Visual Studio 8\Microsoft Visual Studio 2005 Professional Edition - ENU\setup.exe
Microsoft Visual Studio 2005 Web Application Projects --> MsiExec.exe /I{D1D2308E-B8E4-41FA-89AC-82F65B9A255A}
Mozilla Firefox (2.0.0.11) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB927977) --> MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
Nero 7 Premium --> MsiExec.exe /I{70AB1576-7883-2313-C650-7A71270B1033}
Opera 9.10 --> MsiExec.exe /X{5D582D33-EB35-4D77-B7AF-403322D947E6}
Oracle Data Provider for .NET Help --> MsiExec.exe /I{6AA003BF-73E5-4911-ADB7-71DD5674DDD4}
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Programming Microsoft Web Forms --> MsiExec.exe /X{0942E188-97E6-4752-820D-CE8F995CB402}
Quest Software TOAD Xpert Edition 7.6 --> C:\PROGRA~1\QUESTS~1\TOAD\UNINST~1.EXE
Real Alternative 1.60 --> "C:\Program Files\Real Alternative\unins000.exe"
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
SQLab --> C:\PROGRA~1\QUESTS~1\TOAD\SQLABT~1\UNWISE.EXE C:\PROGRA~1\QUESTS~1\TOAD\SQLABT~1\INSTALL.LOG
SQLXML4 --> MsiExec.exe /I{8C62A94B-4AB6-485F-A111-93056684D340}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec AntiVirus --> MsiExec.exe /I{5A633ED0-E5D7-4D65-AB8D-53ED43510284}
Titles and Deeds Registration --> MsiExec.exe /I{6DE91A9D-B0BA-4A83-A5DF-CE78ED106460}
Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB915364) --> C:\WINDOWS\system32\msiexec.exe /promptrestart /uninstall {C20ED8A3-74AA-4F58-9A2D-7D2AB1BE3E45} /package {437AB8E0-FB69-4222-B280-A64F3DE22591}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type3889 / Error
Event Submitted/Written: 01/31/2008 01:58:15 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type3886 / Error
Event Submitted/Written: 01/31/2008 01:57:13 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type3880 / Error
Event Submitted/Written: 01/31/2008 00:22:30 PM
Event ID/Source: 1085 / Userenv
Event Description:
The Group Policy client-side extension Software Installation failed to execute. Please look for any errors reported earlier by that extension.

Event Record #/Type3864 / Error
Event Submitted/Written: 01/31/2008 11:50:40 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application otmoveit2.exe, version 1.0.16.0, faulting module unknown, version 0.0.0.0, fault address 0x1000bcac.
Processing media-specific event for [otmoveit2.exe!ws!]

Event Record #/Type3863 / Error
Event Submitted/Written: 01/31/2008 11:28:10 AM
Event ID/Source: 1085 / Userenv
Event Description:
The Group Policy client-side extension Software Installation failed to execute. Please look for any errors reported earlier by that extension.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4439 / Error
Event Submitted/Written: 01/31/2008 01:57:11 PM / 01/31/2008 01:57:12 PM
Event ID/Source: 5719 / NETLOGON
Event Description:
No Domain Controller is available for domain GOVNET due to the following:
%%1311.

Make sure that the computer is connected to the network and try
again. If the problem persists, please contact your domain administrator.

Event Record #/Type4435 / Error
Event Submitted/Written: 01/31/2008 01:55:21 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type4432 / Error
Event Submitted/Written: 01/31/2008 00:23:18 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AVG Anti-Spyware Driver
easdrv
eeCtrl
Fips
intelppm
SASDIFSV
SASKUTIL
SAVRT
SAVRTPEL
SYMTDI

Event Record #/Type4431 / Error
Event Submitted/Written: 01/31/2008 00:23:18 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error:
%%1068

Event Record #/Type4430 / Error
Event Submitted/Written: 01/31/2008 00:23:18 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error:
%%1068



-- End of Deckard's System Scanner: finished at 2008-01-31 14:10:11 ------------



I am running DSS under my machine's admin account, as the machine hangs when I use my own account...

Thanks

#6
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Hello

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\fvqkfsp.exe
    C:\WINDOWS\elfwgps.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


Reboot and post a new DSS log

#7
Nippz12 (Member)
  • Topic Starter
  • 11 posts
Sorry for the late response...

Here are the logs for the OTMoveIt2 run and the SUPERAntiSpyware scan:

OTMoveIt2:

File/Folder C:\WINDOWS\fvqkfsp.exe not found.
File/Folder C:\WINDOWS\elfwgps.dll not found.
[Custom Input]
< purity >

OTMoveIt2 v1.0.16 log created on 01312008_143356

SUPERAntiSpyware Scan Log
Generated 01/31/2008 at 11:22 AM

Application Version : 3.6.1000

Core Rules Database Version : 3389
Trace Rules Database Version: 1383

Scan type : Complete Scan
Total Scan Time : 00:32:13

Memory items scanned : 220
Memory threats detected : 0
Registry items scanned : 8032
Registry threats detected : 0
File items scanned : 38200
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\niumaia.tabunakawai\Cookies\[email protected][1].txt
C:\Documents and Settings\niumaia.tabunakawai\Cookies\[email protected][1].txt


I have rebooted and was able to log in in Normal mode, but today the machine froze again. It also froze while running the SUPERAntiSpyware scan. I am still working on trying to run DSS in Normal Mode. Or can I also run it in Safe Mode? Will be updating on my progress.

Thanks again.

#8
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Try running DSS from Normal Mode.

If it fails, try Safe Mode.

#9
Nippz12 (Member)
  • Topic Starter
  • 11 posts
Hi,

I have tried to run DSS in Safe Mode and it ran, but it only produced one log file: main.txt. I'm still working on running it in Normal Mode and posting the two logs that are created. Here is the log file from running DSS in Safe Mode.

main.txt:



Deckard's System Scanner v20071014.68
Run by niumaia.tabunakawai on 2008-02-01 09:56:07
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------



-- HijackThis (run as niumaia.tabunakawai.exe) ---------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:56, on 2008-02-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\niumaia.tabunakawai.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://cache.govnet.gov.fj/
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = govnet.local
O17 - HKLM\Software\..\Telephony: DomainName = govnet.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = govnet.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = govnet.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Oracle WebDb Listener - Unknown owner - C:\orant\bin\wdblsnr.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Oracle Reports Server [Rep60_ITCSUVAPC062] (OracleReportServer-Rep60_ITCSUVAPC062) - Oracle Corp - C:\orant\bin\rwmts60.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 5157 bytes

-- Files created between 2008-01-01 and 2008-02-01 -----------------------------

2008-01-31 15:49:25 73728 ---hs---- C:\WINDOWS\system32\dx6vcl.dll
2008-01-28 15:30:49 2386 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-28 12:30:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-01-28 12:25:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-01-28 11:10:14 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-01-28 10:44:25 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-28 09:26:10 0 d-------- C:\Program Files\Trend Micro
2008-01-28 09:11:07 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-28 09:09:19 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-01-28 09:09:18 0 d-------- C:\Documents and Settings\niumaia.tabunakawai\Application Data\SUPERAntiSpyware.com
2008-01-25 15:42:51 0 d-------- C:\Documents and Settings\niumaia.tabunakawai\Application Data\Grisoft
2008-01-25 15:42:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-24 16:13:24 0 d-------- C:\Program Files\MediaEntertainmentCodec
2008-01-21 15:35:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-01-21 10:48:57 0 d-------- C:\Program Files\Opera
2008-01-21 10:38:59 0 d-------- C:\Program Files\Java
2008-01-21 10:38:57 0 d-------- C:\Program Files\Common Files\Java
2008-01-21 09:51:00 0 d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2008-01-21 09:50:04 0 d-------- C:\Program Files\GRETECH
2008-01-18 11:40:25 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-15 08:45:47 0 d-------- C:\WINDOWS\system32\PreInstall
2008-01-09 14:17:50 0 d-------- C:\WINDOWS\pss


-- Find3M Report ---------------------------------------------------------------

2008-02-01 09:16:21 0 d-------- C:\Program Files\Symantec AntiVirus
2008-01-28 09:03:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-28 08:36:36 0 d-------- C:\Program Files\Google
2008-01-21 16:19:58 0 d-------- C:\Documents and Settings\niumaia.tabunakawai\Application Data\Google
2008-01-21 15:45:26 0 d-------- C:\Documents and Settings\niumaia.tabunakawai\Application Data\Adobe
2008-01-21 10:38:57 0 d-------- C:\Program Files\Common Files
2008-01-15 16:21:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-15 09:35:27 0 d-------- C:\Program Files\Messenger
2008-01-09 16:39:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-09 16:38:23 0 d-------- C:\Program Files\Symantec
2008-01-09 14:52:36 0 d-------- C:\Program Files\Common Files\InstallShield
2007-12-18 15:32:12 0 d-------- C:\Documents and Settings\niumaia.tabunakawai\Application Data\Ahead
2007-12-13 16:58:56 0 d-------- C:\Documents and Settings\niumaia.tabunakawai\Application Data\Help
2007-12-03 16:24:52 0 d-------- C:\Program Files\Real Alternative
2007-12-03 16:24:44 0 d-------- C:\Documents and Settings\niumaia.tabunakawai\Application Data\Real
2007-11-13 14:06:44 3407 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2006-04-05 11:38]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 21:25]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-04-21 17:03]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 00:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d7c1120-8593-11dc-babd-00508b5d31d5}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe uc.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{850ac5b5-8bf8-11dc-bac9-0002e33f3e55}]
AutoRun\command- ntde1ect.com
explore\Command- ntde1ect.com
open\Command- ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5cf7f3f-836d-11dc-baba-00508b5d31d5}]
Auto\command- G:\servet.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL servet.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{990B770D-62AE-5421-DA6D-16033B76258C}]
%SystemRoot%\system32\ssmicrco.scr



-- End of Deckard's System Scanner: finished at 2008-02-01 09:57:14 ------------





...Will keep on trying to log in to my account in Normal mode.

#10
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Hello

  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.



Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\dx6vcl.dll
    C:\Program Files\MediaEntertainmentCodec
    G:\servet.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe



Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file fix.reg, change the "Save as Type" to "All files" and save it on the desktop.

Windows Registry Editor Version 5.00

; A leading "-" before a key name tells Regedit to delete that key when the file is merged.
; All three MountPoints2 keys are deleted, including the one holding the ntde1ect.com handlers.
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d7c1120-8593-11dc-babd-00508b5d31d5}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{850ac5b5-8bf8-11dc-bac9-0002e33f3e55}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5cf7f3f-836d-11dc-baba-00508b5d31d5}]

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{990B770D-62AE-5421-DA6D-16033B76258C}]

[-HKEY_CLASSES_ROOT\CLSID\{3d7c1120-8593-11dc-babd-00508b5d31d5}]

[-HKEY_CLASSES_ROOT\CLSID\{850ac5b5-8bf8-11dc-bac9-0002e33f3e55}]

[-HKEY_CLASSES_ROOT\CLSID\{c5cf7f3f-836d-11dc-baba-00508b5d31d5}]

[-HKEY_CLASSES_ROOT\CLSID\{990B770D-62AE-5421-DA6D-16033B76258C}]


Then double-click the fix.reg file; when it prompts to merge, click "Yes".



Reboot and post a new DSS log
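The MountPoints2 entries in the Safe Mode DSS log above (ntde1ect.com, servet.exe, wscript.exe uc.vbs) are the cached autorun.inf handlers of USB sticks that carried an autorun worm, and the fix.reg in post #10 deletes those keys by hand. As an added example for this thread (not code from the original post, nor from Deckard's System Scanner, OTMoveIt2 or ERUNT), the Python below parses that DSS "Registry Dump" format, flags handlers that look like worm droppers, and generates the corresponding fix.reg automatically. The sample log text is a constructed excerpt modelled on the poster's entries plus one made-up benign entry (the {deadbeef-...} key with D:\setup.exe) so the filter has something to leave alone; the suspicion heuristics (script hosts, one-character lookalikes of NTDETECT.COM, relative paths) are the author's assumptions, not rules taken from the thread.

```python
"""Flag worm-style autorun handlers in a DSS registry dump and emit a fix.reg.

Added example for this thread; not code from the post, DSS, OTMoveIt2 or ERUNT.
Sample input is constructed; the heuristics are the author's assumptions.
"""
import re

# Constructed sample in the DSS "Registry Dump" format seen in the post above:
# a bracketed key followed by "<verb>\command- <command>" lines. The last key
# (deadbeef...) is a made-up benign CD installer entry, assumed harmless.
SAMPLE_DSS = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d7c1120-8593-11dc-babd-00508b5d31d5}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe uc.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{850ac5b5-8bf8-11dc-bac9-0002e33f3e55}]
AutoRun\command- ntde1ect.com
explore\Command- ntde1ect.com
open\Command- ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5cf7f3f-836d-11dc-baba-00508b5d31d5}]
Auto\command- G:\servet.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL servet.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deadbeef-0000-0000-0000-000000000000}]
AutoRun\command- D:\setup.exe
"""

KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\.*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.IGNORECASE)
CMD_RE = re.compile(r"^(\w+\\command)- (.+)$", re.IGNORECASE)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd")
# Boot files autorun worms like to impersonate (assumed list); the post's
# ntde1ect.com is NTDETECT.COM with a single character swapped.
IMPERSONATED = ("ntdetect.com", "ntldr")


def parse_mountpoints(dss_text):
    """Return {key: [(verb, command), ...]} for each MountPoints2 key that
    carries autorun-style handlers; other keys in the dump are skipped."""
    entries, current = {}, None
    for raw in dss_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            entries.setdefault(current, [])
            continue
        if line.startswith("["):      # some other key: ignore until the next MountPoints2 one
            current = None
            continue
        cmd = CMD_RE.match(line)
        if cmd and current is not None:
            entries[current].append((cmd.group(1), cmd.group(2)))
    return {k: v for k, v in entries.items() if v}


def _edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def why_suspicious(command):
    """Return a short reason if an autorun command looks like a worm dropper,
    else None. The last token is taken as the file actually launched, which
    covers both a bare 'foo.exe' and the RunDLL32 ShellExec_RunDLL form."""
    tokens = command.split()
    target = tokens[-1]
    basename = target.rsplit("\\", 1)[-1].lower()
    if {t.lower() for t in tokens} & SCRIPT_HOSTS or basename.endswith(SCRIPT_EXTS):
        return "runs a script"
    if any(_edit_distance(basename, real) <= 1 for real in IMPERSONATED):
        return "impersonates a Windows boot file"
    if ":\\" not in target:
        return "relative path, resolved on whatever volume is inserted"
    return None


def suspicious_keys(dss_text):
    """List of (key, [reasons]) for every MountPoints2 key with at least one
    suspicious handler; a key is judged across all of its verbs."""
    flagged = []
    for key, handlers in parse_mountpoints(dss_text).items():
        reasons = sorted({why_suspicious(cmd) for _, cmd in handlers} - {None})
        if reasons:
            flagged.append((key, reasons))
    return flagged


def build_fix_reg(dss_text):
    """Emit .reg text deleting the flagged keys. In .reg syntax a leading '-'
    before a key name deletes the key on merge, and ';' starts a comment."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, reasons in suspicious_keys(dss_text):
        lines.append("; " + "; ".join(reasons))
        lines.append(f"[-{key}]")
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(build_fix_reg(SAMPLE_DSS))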
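```

Run it against a real main.txt with `build_fix_reg(open("main.txt").read())` and review the `;` comment above each key before merging; the script deliberately does not touch the registry itself, so ERUNT plus a manual merge remain the write path, as in the instructions above.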

#11
Nippz12 (Member)
  • Topic Starter
  • 11 posts
Hi again...


Followed the instructions and scanned using Flash Disinfector and OTMoveIt2. Flash Disinfector ran without any problems and didn't detect anything. For OTMoveIt2 I was confused by the last file path, as it had a G:\ path and there seems to be nothing connected to my PC with a G drive. Anyway, I ran the scan and here are the results:


OTMoveIt2:

File/Folder C:\WINDOWS\system32\dx6vcl.dll not found.
File/Folder C:\Program Files\MediaEntertainmentCodec not found.
File/Folder G:\servet.exe not found.
[Custom Input]
< purity >

OTMoveIt2 v1.0.16 log created on 02012008_165443




I also loaded the ERUNT application from the link provided and created the fix.reg file from the code you gave.
After merging it with the existing registry, I rebooted and was able to log on to my account. I ran DSS and here are the results:



main.txt:

Deckard's System Scanner v20071014.68
Run by niumaia.tabunakawai on 2008-02-01 17:20:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as niumaia.tabunakawai.exe) ---------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:20, on 2008-02-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\NIUMAI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.govnet.gov.fj/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://cache.govnet.gov.fj/
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = govnet.local
O17 - HKLM\Software\..\Telephony: DomainName = govnet.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = govnet.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = govnet.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Oracle WebDb Listener - Unknown owner - C:\orant\bin\wdblsnr.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Oracle Reports Server [Rep60_ITCSUVAPC062] (OracleReportServer-Rep60_ITCSUVAPC062) - Oracle Corp - C:\orant\bin\rwmts60.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6192 bytes

-- Files created between 2008-01-01 and 2008-02-01 -----------------------------

2008-02-01 17:12:04 73728 ---hs---- C:\WINDOWS\system32\dx6vcl.dll
2008-01-28 15:30:49 2386 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-28 12:30:30 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-01-28 12:25:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-01-28 11:10:14 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-01-28 10:44:25 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-28 09:26:10 0 d-------- C:\Program Files\Trend Micro
2008-01-28 09:11:07 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-28 09:09:19 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-01-28 09:09:18 0 d-------- C:\Documents and Settings\niumaia.tabunakawai\Application Data\SUPERAntiSpyware.com
2008-01-25 15:42:51 0 d-------- C:\Documents and Settings\niumaia.tabunakawai\Application Data\Grisoft
2008-01-25 15:42:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-21 15:35:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-01-21 10:48:57 0 d-------- C:\Program Files\Opera
2008-01-21 10:38:59 0 d-------- C:\Program Files\Java
2008-01-21 10:38:57 0 d-------- C:\Program Files\Common Files\Java
2008-01-21 09:51:00 0 d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2008-01-21 09:50:04 0 d-------- C:\Program Files\GRETECH
2008-01-18 11:40:25 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-15 08:45:47 0 d-------- C:\WINDOWS\system32\PreInstall
2008-01-09 14:17:50 0 d-------- C:\WINDOWS\pss


-- Find3M Report ---------------------------------------------------------------

2008-02-01 09:16:21 0 d-------- C:\Program Files\Symantec AntiVirus
2008-01-28 09:03:03 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-28 08:36:36 0 d-------- C:\Program Files\Google
2008-01-21 16:19:58 0 d-------- C:\Documents and Settings\niumaia.tabunakawai\Application Data\Google
2008-01-21 15:45:26 0 d-------- C:\Documents and Settings\niumaia.tabunakawai\Application Data\Adobe
2008-01-21 10:38:57 0 d-------- C:\Program Files\Common Files
2008-01-15 16:21:56 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-15 09:35:27 0 d-------- C:\Program Files\Messenger
2008-01-09 16:39:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-09 16:38:23 0 d-------- C:\Program Files\Symantec
2008-01-09 14:52:36 0 d-------- C:\Program Files\Common Files\InstallShield
2007-12-18 15:32:12 0 d-------- C:\Documents and Settings\niumaia.tabunakawai\Application Data\Ahead
2007-12-13 16:58:56 0 d-------- C:\Documents and Settings\niumaia.tabunakawai\Application Data\Help
2007-12-03 16:24:52 0 d-------- C:\Program Files\Real Alternative
2007-12-03 16:24:44 0 d-------- C:\Documents and Settings\niumaia.tabunakawai\Application Data\Real
2007-11-13 14:06:44 3407 --a------ C:\WINDOWS\mozver.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2006-04-05 11:38]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 21:25]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-04-21 17:03]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 00:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39]

C:\Documents and Settings\niumaia.tabunakawai\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d7c1120-8593-11dc-babd-00508b5d31d5}]
Auto\command- F:\boot.pif
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{850ac5b5-8bf8-11dc-bac9-0002e33f3e55}]
AutoRun\command- ntde1ect.com
explore\Command- ntde1ect.com
open\Command- ntde1ect.com


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{990B770D-62AE-5421-DA6D-16033B76258C}]
%SystemRoot%\system32\ssmicrco.scr



-- End of Deckard's System Scanner: finished at 2008-02-01 17:21:54 ------------



I am running all the other antivirus and anti-spyware scans just in case... Let me know if I have done the stuff properly or not...
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Just one thing is not going away

Do you have software that would use your G:\ drive? Like an external hard drive?


Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
  • 0

#13
Nippz12

Nippz12

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hello again,

I downloaded ComboFix and ran it. I also did another HijackThis scan and have pasted both logs. Regarding the G:\ drive, I do not have any external hard drives connected to my machine. The only devices connected through USB are my mouse and my flash drive, although this drive is always assigned F:\ as its drive letter and not G:\... My network drives are assigned P and R drive paths respectively.

Here are the logs

ComboFix Log:

ComboFix 08-01-31.1 - niumaia.tabunakawai 2008-02-04 11:57:58.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.415 [GMT 12:00]
Running from: C:\Documents and Settings\niumaia.tabunakawai\Desktop\worm\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-01 17:12 . 2008-02-01 17:12 73,728 ---hs---- C:\WINDOWS\system32\dx6vcl.dll
2008-01-31 09:28 . 2008-01-31 09:28 <DIR> d-------- C:\Deckard
2008-01-28 15:30 . 2008-02-01 09:51 2,386 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-28 12:30 . 2008-01-28 12:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-01-28 12:25 . 2008-01-28 12:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-01-28 11:10 . 2008-01-28 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-01-28 10:44 . 2008-01-28 10:47 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-28 10:44 . 2008-01-28 10:44 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-28 10:44 . 2008-01-28 10:44 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-28 10:44 . 2008-01-28 10:44 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-28 09:26 . 2008-01-28 09:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-28 09:11 . 2008-01-28 09:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-28 09:09 . 2008-01-31 16:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-28 09:09 . 2008-01-28 09:09 <DIR> d-------- C:\Documents and Settings\niumaia.tabunakawai\Application Data\SUPERAntiSpyware.com
2008-01-25 15:42 . 2008-01-25 15:42 <DIR> d-------- C:\Documents and Settings\niumaia.tabunakawai\Application Data\Grisoft
2008-01-25 15:42 . 2008-01-25 15:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-25 15:42 . 2007-05-31 00:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-23 15:59 . 2008-02-04 09:20 <DIR> d-------- C:\temp\ASPNet
2008-01-21 10:48 . 2008-01-21 10:49 <DIR> d-------- C:\Program Files\Opera
2008-01-21 10:39 . 2006-05-03 02:56 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-01-21 10:38 . 2008-01-21 10:39 <DIR> d-------- C:\Program Files\Java
2008-01-21 10:38 . 2008-01-21 10:38 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-21 09:51 . 2008-01-21 09:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\GRETECH
2008-01-21 09:50 . 2008-01-21 09:50 <DIR> d-------- C:\Program Files\GRETECH
2008-01-18 17:12 . 2008-01-18 17:12 125 --a------ C:\ioSpecial.ini
2008-01-18 11:40 . 2008-01-18 17:11 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-04 19:39 . 2008-01-04 19:39 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 21:16 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-01-27 21:03 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-27 20:36 --------- d-----w C:\Program Files\Google
2008-01-15 04:21 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-09 04:39 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-09 04:38 --------- d-----w C:\Program Files\Symantec
2008-01-09 02:52 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-20 20:21 33,800 ----a-w C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-12-20 20:20 30,216 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys
2007-12-20 20:19 39,944 ----a-w C:\WINDOWS\system32\drivers\eamon.sys
2007-12-18 03:32 --------- d-----w C:\Documents and Settings\niumaia.tabunakawai\Application Data\Ahead
2007-12-04 00:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\pdf995
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-04-21 17:03 94208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-05 00:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2006-04-05 11:38 518144]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 15:52 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-04-17 12:30 85184]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56 36975]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 21:25 6731312]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-12-21 08:21 1443072]

C:\Documents and Settings\niumaia.tabunakawai\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 12:04:08 38912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-12-21 08:21]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-05 00:00]
S3 MsDtsServer;SQL Server Integration Services;"C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe" [2005-10-14 03:45]
S3 msftesql$SQLEXPRESS;SQL Server FullText Search (SQLEXPRESS);"C:\Program Files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\msftesql.exe" -s:MSSQL.4 []
S3 MSOLAP$SQLEXPRESS;SQL Server Analysis Services (SQLEXPRESS);"C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe" [2005-10-14 03:46]
S3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;C:\WINDOWS\system32\DRIVERS\n100325.sys [2001-08-18 00:11]
S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE [2000-10-28 07:45]
S3 OracleReportServer-Rep60_ITCSUVAPC062;Oracle Reports Server [Rep60_ITCSUVAPC062];C:\orant\bin\rwmts60.exe [2000-10-28 07:38]
S3 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);"C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe" [2005-10-14 03:44]
S3 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);"C:\Program Files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\SQLAGENT90.EXE" [2005-10-14 03:51]
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2005-10-14 03:53]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" [2005-09-23 07:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d7c1120-8593-11dc-babd-00508b5d31d5}]
\Shell\Auto\command - F:\boot.pif
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{850ac5b5-8bf8-11dc-bac9-0002e33f3e55}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{990B770D-62AE-5421-DA6D-16033B76258C}]
%SystemRoot%\system32\ssmicrco.scr
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 12:30:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql$SQLEXPRESS]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.4\MSSQL\Binn\msftesql.exe\" -s:MSSQL.4 -f:SQLEXPRESS"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
**************************************************************************
.
Completion time: 2008-02-04 12:36:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-04 00:36:43
ComboFix2.txt 2008-02-01 00:30:01
ComboFix3.txt 2008-01-31 21:49:55
ComboFix4.txt 2008-01-30 22:42:43

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38, on 2008-02-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.govnet.gov.fj/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://cache.govnet.gov.fj/
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = govnet.local
O17 - HKLM\Software\..\Telephony: DomainName = govnet.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = govnet.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = govnet.local
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Oracle WebDb Listener - Unknown owner - C:\orant\bin\wdblsnr.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Oracle Reports Server [Rep60_ITCSUVAPC062] (OracleReportServer-Rep60_ITCSUVAPC062) - Oracle Corp - C:\orant\bin\rwmts60.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 5949 bytes

Although my PC is running normally again, I am still worried that the virus may have created its own virtual drive G:\ and is still infecting my files without being detected... waiting for any suggestions that you may have regarding this issue...

Thanks
  • 0

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
I wouldn't worry :)

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\dx6vcl.dll
F:\boot.pif

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d7c1120-8593-11dc-babd-00508b5d31d5}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{850ac5b5-8bf8-11dc-bac9-0002e33f3e55}]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Please do an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Also tell me how your PC is running.
  • 0
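An added triage example (my own code, not part of this thread, ComboFix or DSS) that reads the log shapes posted above and makes the reasoning behind the CFScript in the reply above explicit: a freshly created file under system32 carrying both the hidden and system attributes, and MountPoints2 keys holding Shell\...\command values, are flagged, and the same File::/Registry:: script is emitted. The regexes, the Finding type and the function names are mine; the sample lines are copied from the ComboFix log above.

```python
"""Triage for the ComboFix/DSS log shapes posted in this thread (added example)."""
import re
from dataclasses import dataclass

# A "Files Created" line in the DSS shape  (2008-02-01 17:12:04 73728 ---hs---- C:\path)
# or the ComboFix shape (2008-02-01 17:12 . 2008-02-01 17:12 73,728 ---hs---- C:\path)
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?"   # created timestamp
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"      # ComboFix modified timestamp
    r"\s+(?:<DIR>|[\d,]+)"                         # size or <DIR>
    r"\s+([-a-z]{7,9})"                            # attribute flags, e.g. ---hs----
    r"\s+(.+?)\s*$"                                # path
)
KEY_LINE = re.compile(r"^\[(HKEY_[^\]]+)\]$", re.IGNORECASE)
MOUNTPOINTS2 = re.compile(r"\\mountpoints2\\\{[0-9a-f-]+\}$", re.IGNORECASE)
# "\Shell\Auto\command - F:\boot.pif" (ComboFix) or "Auto\command- F:\boot.pif" (DSS)
CMD_LINE = re.compile(r"^(?:\\Shell\\)?(\w+)\\command\s*-\s*(.+?)\s*$", re.IGNORECASE)
ABS_PATH = re.compile(r"^[A-Za-z]:\\\S+$")  # one absolute path with no arguments

# Constructed sample: entries copied from the ComboFix log posted above, trimmed.
SAMPLE_LOG = r"""2008-02-01 17:12 . 2008-02-01 17:12 73,728 ---hs---- C:\WINDOWS\system32\dx6vcl.dll
2008-01-31 09:28 . 2008-01-31 09:28 <DIR> d-------- C:\Deckard
2008-01-28 15:30 . 2008-02-01 09:51 2,386 --a------ C:\WINDOWS\system32\tmp.reg

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3d7c1120-8593-11dc-babd-00508b5d31d5}]
\Shell\Auto\command - F:\boot.pif
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{850ac5b5-8bf8-11dc-bac9-0002e33f3e55}]
\Shell\AutoRun\command - ntde1ect.com
\Shell\explore\Command - ntde1ect.com
\Shell\open\Command - ntde1ect.com
"""


@dataclass(frozen=True)
class Finding:
    kind: str             # "hidden_system_file" or "mountpoints2_shell_command"
    target: str           # file path or registry key
    detail: str = ""      # attribute flags for a file finding
    commands: tuple = ()  # (value name, command) pairs for a MountPoints2 key


def triage(log_text):
    """Return the findings a reviewer would pull out of a DSS/ComboFix log."""
    findings = []
    current_key = None
    commands = {}  # MountPoints2 key -> [(value name, command), ...]
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group(1), m.group(2)
            # A new file that is both hidden and system (dx6vcl.dll above); directories skipped.
            if not attrs.startswith("d") and "h" in attrs and "s" in attrs:
                findings.append(Finding("hidden_system_file", path, detail=attrs))
            continue
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if current_key and MOUNTPOINTS2.search(current_key):
            m = CMD_LINE.match(line)
            if m:
                commands.setdefault(current_key, []).append((m.group(1), m.group(2)))
    # Ordinary MountPoints2 keys only hold drive metadata; Shell\...\command values are the autorun pattern.
    for key, pairs in commands.items():
        findings.append(Finding("mountpoints2_shell_command", key, commands=tuple(pairs)))
    return findings


def build_cfscript(findings):
    """Render findings in the File::/Registry:: layout used in the reply above."""
    files, keys = [], []
    for f in findings:
        if f.kind == "hidden_system_file":
            files.append(f.target)
        else:
            keys.append(f.target)
            # Only a bare absolute path becomes a File:: line; a relative name like ntde1ect.com cannot be located.
            for _name, cmd in f.commands:
                if ABS_PATH.match(cmd) and cmd not in files:
                    files.append(cmd)
    lines = ["File::", *files, "", "Registry::", *[f"[-{k}]" for k in keys]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

On the sample above this reproduces the CFScript given in the reply line for line; the generated script is a starting point for the helper's review, not a substitute for it.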

#15
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
