Geeks to Go

Slow Computer, Lots of spyware? [RESOLVED]



#1 myers1965 (Member, 18 posts)

Computer is running extremely slow. Won't let me start in Safe mode. Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:00 PM, on 4/1/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
c:\dos\svchost.exe
C:\WINDOWS\system32\config\SVCHOST.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\USBNUMP.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.awginc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = nrnqetwbz.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = awgproxy.awginc.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.awginc.com;<local>
R3 - URLSearchHook: (no name) - _{A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NumChk] NumpChk.exe
O4 - HKLM\..\Run: [NUMPADL] USBNUMP.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [z60s8dhz] C:\Program Files\z60s8dhz\z60s8dhz.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e61.exe
O4 - HKLM\..\Run: [qp9f36S] peeenb32.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINNT\system32\lwintpdq.exe GEN001
O4 - HKLM\..\Run: [loaddr] C:\DOCUME~1\farsm\LOCALS~1\Temp\fred.exe
O4 - HKLM\..\Run: [mmcrat06] C:\WINNT\mmputt.exe
O4 - HKLM\..\Run: [ms040987361061] C:\WINNT\ms040987361061.exe
O4 - HKLM\..\Run: [ezRaH] C:\WINNT\system32\e0pnii5i6.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [bEqpRWepW] paxmlog.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] (User 'Default user')
O4 - Startup: Think-Adz.lnk = C:\WINNT\system32\lwintpdq.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINNT\System32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.awginc.com
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O18 - Filter hijack: text/html - {889A88EA-6A7A-44A8-86B6-A568EB90F243} - C:\WINNT\system32\p2jlseh8.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: RunWindowsUpdate - C:\WINNT\system32\ir6ol5j31.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Network DDE Service - Unknown owner - C:\WINNT\system32\netsrv.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: TCP and UDP Support - Unknown owner - C:\WINNT\system32\tcpip.exe (file missing)
O23 - Service: windowsafe - Unknown owner - c:\dos\svchost.exe
O23 - Service: Network Provisioning Services (Windowsclients) - Unknown owner - C:\WINDOWS\system32\config\SVCHOST.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\ThinkPad\podozi.html

--
End of file - 8024 bytes

#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

Hello myers1965

Welcome to G2Go. :)
=================
Please re-open HijackThis and click on "Do a system scan only".
Then place a check mark next to these entries below:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = nrnqetwbz.exe
R3 - URLSearchHook: (no name) - _{A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [z60s8dhz] C:\Program Files\z60s8dhz\z60s8dhz.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e61.exe
O4 - HKLM\..\Run: [qp9f36S] peeenb32.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINNT\system32\lwintpdq.exe GEN001
O4 - HKLM\..\Run: [loaddr] C:\DOCUME~1\farsm\LOCALS~1\Temp\fred.exe
O4 - HKLM\..\Run: [mmcrat06] C:\WINNT\mmputt.exe
O4 - HKLM\..\Run: [ms040987361061] C:\WINNT\ms040987361061.exe
O4 - HKLM\..\Run: [ezRaH] C:\WINNT\system32\e0pnii5i6.exe
O4 - HKCU\..\Run: [bEqpRWepW] paxmlog.exe
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - Startup: Think-Adz.lnk = C:\WINNT\system32\lwintpdq.exe
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O15 - Trusted Zone: *.elitemediagroup.net
O18 - Filter hijack: text/html - {889A88EA-6A7A-44A8-86B6-A568EB90F243} - C:\WINNT\system32\p2jlseh8.dll
O20 - Winlogon Notify: RunWindowsUpdate - C:\WINNT\system32\ir6ol5j31.dll (file missing)



Now click on Fix Checked and then close HijackThis.
==================================
Next:
Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right-click on OTMoveIt2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Program Files\z60s8dhz
    C:\\kybrdff_e61.exe
    C:\WINNT\system32\peeenb32.exe
    C:\WINNT\peeenb32.exe
    C:\WINNT\system32\lwintpdq.exe 
    C:\DOCUME~1\farsm\LOCALS~1\Temp\fred.exe
    C:\WINNT\mmputt.exe
    C:\WINNT\ms040987361061.exe
    C:\WINNT\system32\e0pnii5i6.exe
    C:\WINNT\paxmlog.exe
    C:\WINNT\system32\paxmlog.exe
    C:\Program Files\System Files
    C:\Program Files\WebRebates4
    C:\WINNT\system32\p2jlseh8.dll
    C:\WINNT\system32\tcpip.exe 
    c:\dos\svchost.exe
    C:\WINNT\system32\ir6ol5j31.dll
  • Return to OTMoveIt2, right-click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveIt2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==========================================
Then:
Please download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

  • Double-click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**
================
Post back with these logs:
  • New HijackThis log
  • OTMoveIt2 log
  • ComboFix log

Because there are multiple logs to post you will have to split them up into more than one post.
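As an added example (not code from this thread, nor from HijackThis, OTMoveIt2 or ComboFix), here is a small Python triage script that applies the kind of reasoning kahdah used when picking entries to fix: orphaned loading points, svchost.exe running from anywhere but System32, executables started from Temp, random-looking file names, and the O15/O18 hijack sections. The sample lines are copied from the first log above; the rule set, thresholds and reason strings are my own assumptions, not a HijackThis feature, and a clean result does not mean an entry is safe (lwintpdq.exe and mmputt.exe from the log above would pass every rule here).

```python
"""Heuristic triage of HijackThis log lines.

Added example for this thread; it is not code from HijackThis, OTMoveIt2 or
ComboFix. The sample lines are copied from the logs posted above; the rules
and reason strings are my own assumptions about what makes an entry suspicious.
"""
import re
from typing import List, Tuple

# Constructed sample: a handful of lines from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [loaddr] C:\DOCUME~1\farsm\LOCALS~1\Temp\fred.exe
O4 - HKLM\..\Run: [ezRaH] C:\WINNT\system32\e0pnii5i6.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O15 - Trusted Zone: *.elitemediagroup.net
O18 - Filter hijack: text/html - {889A88EA-6A7A-44A8-86B6-A568EB90F243} - C:\WINNT\system32\p2jlseh8.dll
O20 - Winlogon Notify: RunWindowsUpdate - C:\WINNT\system32\ir6ol5j31.dll (file missing)
O23 - Service: windowsafe - Unknown owner - c:\dos\svchost.exe
O23 - Service: Network Provisioning Services (Windowsclients) - Unknown owner - C:\WINDOWS\system32\config\SVCHOST.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

SECTION_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|sys)\b', re.I)
SYSTEM32_RE = re.compile(r"^c:\\(winnt|windows)\\system32$")
RUNDLL_RE = re.compile(r"rundll32\.exe\s+([^,\s]+)", re.I)
# Directories where a service binary with no recognised owner is still unremarkable.
EXPECTED_DIRS = ("c:\\winnt\\system32\\", "c:\\windows\\system32\\", "c:\\program files\\")


def random_looking(stem: str) -> bool:
    """True for names like e0pnii5i6 or p2jlseh8: 8+ alphanumerics in which letters and
    digits alternate at least three times. Ati2evxx or WPC54Cfg (two switches) pass."""
    if len(stem) < 8 or not stem.isalnum():
        return False
    kinds = ["d" if ch.isdigit() else "a" for ch in stem]
    switches = sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)
    return switches >= 3


def triage_line(line: str) -> List[str]:
    """Return the reasons an entry deserves a second look (empty list = unremarkable)."""
    reasons: List[str] = []
    m = SECTION_RE.match(line.strip())
    if not m:
        return reasons  # header, process list or blank line
    section, body = m.groups()
    low = body.lower()
    # Orphaned loading point: the file is gone but the autostart reference remains.
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("autostart points to a file that no longer exists")
    # Sections that are effectively always hijacks on a home machine.
    if section == "O15":
        reasons.append("domain added to IE Trusted Zone")
    elif section == "O18":
        reasons.append("MIME filter hijack: a DLL sees every text/html page")
    elif section == "R0" and "customizesearch" in low and low.endswith(".exe"):
        reasons.append("search setting points at an executable, not a URL")
    # Path-based checks on the first Windows path in the entry.
    path = PATH_RE.search(body)
    if path:
        full = path.group(0).lower()
        directory, _, name = full.rpartition("\\")
        stem = name.rsplit(".", 1)[0]
        if "\\temp\\" in full:
            reasons.append("runs from a Temp directory")
        if name == "svchost.exe" and not SYSTEM32_RE.match(directory):
            reasons.append(f"svchost.exe outside System32 ({directory})")
        if (section == "O23" and "unknown owner" in low
                and not (directory + "\\").startswith(EXPECTED_DIRS)):
            reasons.append("unknown-owner service outside standard directories")
        if random_looking(stem):
            reasons.append(f"random-looking file name {name}")
    # rundll32 handed a bare module name resolves it through the DLL search path.
    rd = RUNDLL_RE.search(body)
    if rd and "\\" not in rd.group(1):
        reasons.append(f"rundll32 loads unqualified module {rd.group(1)}")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over a whole log and keep only the flagged entries."""
    flagged: List[Tuple[str, List[str]]] = []
    for ln in text.splitlines():
        reasons = triage_line(ln)
        if reasons:
            flagged.append((ln.strip(), reasons))
    return flagged


if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("    ->", reason)
```

Run it as a script to print the flagged lines, or call triage_log() on a pasted log to get them back as data. Every rule is a heuristic: a hit is a reason to research the entry (vendor, path, file date), not a verdict, and entries that pass still need the eye a helper brings to a log like this one.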

#3 myers1965 (Topic Starter, Member, 18 posts)

Thank you for the fast reply. Here are my new logs.

ComboFix

ComboFix 08-02.02.5 - farsm 04/02/2004 7:18:58.1 - FAT32x86
Running from: C:\Documents and Settings\farsm\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\farsm\Application Data\Dxccwrd.dll
C:\Documents and Settings\farsm\Application Data\ICROSO~1
C:\Program Files\cas2stub
C:\Program Files\cas2stub\cas2stub.exe
C:\Program Files\Common Files\sembly~1
C:\Program Files\TBONAS
C:\Program Files\ymbols~1
C:\WINNT\racle~1
C:\WINNT\system32\Cache
C:\WINNT\system32\vx.tll
C:\WINNT\system32\zxdnt3d.cfg
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02.02 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 16:42 --------- d-----w C:\Program Files\Trend Micro
2008-01-01 16:10 --------- d-----w C:\Program Files\CCleaner
2007-12-30 18:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-30 18:29 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-30 18:29 --------- d-----w C:\Documents and Settings\farsm\Application Data\SUPERAntiSpyware.com
2007-12-30 18:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2006-08-12 04:01 78,587 ---ha-w C:\Documents and Settings\farsm\Application Data\ptads.bin
2003-04-21 22:59 271 ---h--w C:\Program Files\desktop.ini
2003-04-21 22:59 21,952 ---h--w C:\Program Files\folder.htt
2001-05-08 20:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
1998-12-09 03:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 03:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 03:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 03:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 03:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 03:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
2007-08-29 01:18 478,720 --sh--r C:\WINNT\system32\netsrv.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NoAds"="C:\Program Files\NoAds\NoAds.exe" [04/04/06 08:10a 126976]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [06/14/05 10:05a 6856704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/25/07 03:36p 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/07 02:06p 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [01/28/02 01:04p 69632]
"vptray"="C:\Program Files\NavNT\vptray.exe" [09/24/01 07:59a 73728]
"Synchronization Manager"="mobsync.exe" [06/19/03 12:05p 111376 C:\WINNT\system32\mobsync.exe]
"NumChk"="NumpChk.exe" []
"NUMPADL"="USBNUMP.exe" [01/30/03 03:30p 326144 C:\WINNT\USBNUMP.exe]
"PrinTray"="C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe" [06/11/01 11:05a 36864]
"ATIPTA"="atiptaxx.exe" [01/19/02 12:04a 311296 C:\WINNT\system32\atiptaxx.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [07/26/06 03:03a 49263]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/25/07 03:36p 68856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless-G Notebook Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe [2004-04-11 04:22:36 24576]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\ThinkPad\podozi.html
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1DD7CBED-2F05-11D3-A521-00400514C916}"= C:\CFGSAFE\CSHOOK.DLL [09/24/01 10:12a 126976]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/06 01:55p 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/07 01:41p 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R1 IBMTPCHK;IBMTPCHK;C:\WINNT\system32\drivers\IBMBLDID.SYS [01/25/02 02:00a]
R1 TPPWR;TPPWR;C:\WINNT\system32\drivers\Tppwr.sys [02/20/02 01:23a]
R2 PRPC;PRPC;C:\WINNT\system32\drivers\PRPC.sys [11/28/01 02:20p]
R2 SVKP;SVKP;C:\WINNT\system32\SVKP.sys [03/27/04 03:48a]
R2 Theme;Theme;C:\WINNT\system32\svchost.exe [05/08/01 12:00p]
R2 windowsafe;windowsafe;c:\dos\svchost.exe []
R2 Windowsclients;Network Provisioning Services;C:\WINDOWS\system32\config\SVCHOST.EXE [03/26/04 01:50p]
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINNT\system32\CBTNDIS5.SYS [07/16/03 10:28p]
R3 i8042HDR;Keyboard Filter Driver;C:\WINNT\system32\DRIVERS\i8042HDR.sys [01/31/02 09:39p]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINNT\system32\DRIVERS\odysseyIM3.sys [05/14/03 04:01p]
R3 TNET1130;Wireless-G Notebook Adapter v.2.0;C:\WINNT\system32\DRIVERS\tnet1130.sys [03/10/04 09:49p]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINNT\system32\DRIVERS\tp4track.sys [01/18/02 03:04a]
S2 Network DDE Service;Network DDE Service;C:\WINNT\system32\netsrv.exe [08/28/07 05:18p]
S2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe [11/13/03 01:29p]
S2 TCP and UDP Support;TCP and UDP Support;C:\WINNT\system32\tcpip.exe []
S2 ymniglcz;ymniglcz;C:\WINNT\system32\drivers\onoyrh.sys []
S3 USBNUMP;USBNUMP;C:\WINNT\system32\DRIVERS\USBNUMP.sys [01/31/02 09:40p]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Theme REG_MULTI_SZ Theme

.
Contents of the 'Scheduled Tasks' folder
"2004-04-02 15:03:30 C:\WINNT\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\Bmmtask.exe
"2004-03-29 16:00:02 C:\WINNT\Tasks\Scheduled Snapshot.job"
- C:\CFGSAFE\SCHWIZEX.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 07:21:26
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

? [732]

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> c:\winnt\system32\onoyrh.dll
.
Completion time: 02/02/2008 7:22:01
ComboFix-quarantined-files.txt 2008-02-02 15:21:58



OTMoveIt2


C:\Program Files\z60s8dhz\z60s8dhz1 moved successfully.
C:\Program Files\z60s8dhz moved successfully.
File/Folder C:\\kybrdff_e61.exe not found.
File/Folder C:\WINNT\system32\peeenb32.exe not found.
File/Folder C:\WINNT\peeenb32.exe not found.
File/Folder C:\WINNT\system32\lwintpdq.exe not found.
File/Folder C:\DOCUME~1\farsm\LOCALS~1\Temp\fred.exe not found.
File/Folder C:\WINNT\mmputt.exe not found.
File/Folder C:\WINNT\ms040987361061.exe not found.
File/Folder C:\WINNT\system32\e0pnii5i6.exe not found.
File/Folder C:\WINNT\paxmlog.exe not found.
File/Folder C:\WINNT\system32\paxmlog.exe not found.
File/Folder C:\Program Files\System Files not found.
File/Folder C:\Program Files\WebRebates4 not found.
File/Folder C:\WINNT\system32\p2jlseh8.dll not found.
File/Folder C:\WINNT\system32\tcpip.exe not found.
c:\dos\svchost.exe moved successfully.
File/Folder C:\WINNT\system32\ir6ol5j31.dll not found.

OTMoveIt2 v1.0.17 log created on 04022004_071323

#4 myers1965 (Topic Starter, Member, 18 posts)

And here is my new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:27, on 2008-02-02
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
c:\dos\svchost.exe
C:\WINDOWS\system32\config\SVCHOST.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\USBNUMP.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.awginc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = awgproxy.awginc.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.awginc.com;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NumChk] NumpChk.exe
O4 - HKLM\..\Run: [NUMPADL] USBNUMP.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] (User 'Default user')
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINNT\System32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.awginc.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Network DDE Service - Unknown owner - C:\WINNT\system32\netsrv.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: TCP and UDP Support - Unknown owner - C:\WINNT\system32\tcpip.exe (file missing)
O23 - Service: windowsafe - Unknown owner - c:\dos\svchost.exe (file missing)
O23 - Service: Network Provisioning Services (Windowsclients) - Unknown owner - C:\WINDOWS\system32\config\SVCHOST.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\ThinkPad\podozi.html

#5 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINNT\system32\drivers\onoyrh.sys 
c:\winnt\system32\onoyrh.dll
C:\WINDOWS\system32\config\SVCHOST.EXE
Folder::
c:\dos
Driver::
Theme
windowsafe
TCP and UDP Support
ymniglcz
Windowsclients


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[image: animation showing CFScript.txt being dragged onto ComboFix.exe]


5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.


#6 myers1965 (Topic Starter, Member, 18 posts)

ComboFix 08-02.02.5 - farsm 2008-02-02 12:48:59.2 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.61 [GMT -8:00]
Running from: C:\Documents and Settings\farsm\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\farsm\Desktop\CFSCRIPT.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\config\SVCHOST.EXE
C:\WINNT\system32\drivers\onoyrh.sys
c:\winnt\system32\onoyrh.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\dos
C:\WINDOWS\system32\config\SVCHOST.EXE
c:\winnt\system32\onoyrh.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_TCP_AND_UDP_SUPPORT
-------\LEGACY_THEME
-------\LEGACY_WINDOWSAFE
-------\LEGACY_WINDOWSCLIENTS
-------\LEGACY_YMNIGLCZ
-------\TCP and UDP Support
-------\Theme
-------\windowsafe
-------\Windowsclients
-------\ymniglcz


((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 16:42 --------- d-----w C:\Program Files\Trend Micro
2008-01-01 16:10 --------- d-----w C:\Program Files\CCleaner
2007-12-30 18:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-30 18:29 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-30 18:29 --------- d-----w C:\Documents and Settings\farsm\Application Data\SUPERAntiSpyware.com
2007-12-30 18:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2006-08-12 04:01 78,587 ---ha-w C:\Documents and Settings\farsm\Application Data\ptads.bin
2003-04-21 22:59 271 ---h--w C:\Program Files\desktop.ini
2003-04-21 22:59 21,952 ---h--w C:\Program Files\folder.htt
2001-05-08 20:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
1998-12-09 03:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 03:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 03:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 03:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 03:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 03:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
2007-08-29 01:18 478,720 --sh--r C:\WINNT\system32\netsrv.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NoAds"="C:\Program Files\NoAds\NoAds.exe" [06-04-04 08:10 126976]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [05-06-14 10:05 6856704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-08-25 15:36 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [07-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [02-01-28 13:04 69632]
"vptray"="C:\Program Files\NavNT\vptray.exe" [01-09-24 07:59 73728]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"NumChk"="NumpChk.exe" []
"NUMPADL"="USBNUMP.exe" [03-01-30 15:30 326144 C:\WINNT\USBNUMP.exe]
"PrinTray"="C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe" [01-06-11 11:05 36864]
"ATIPTA"="atiptaxx.exe" [02-01-19 00:04 311296 C:\WINNT\system32\atiptaxx.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [06-07-26 03:03 49263]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-08-25 15:36 68856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless-G Notebook Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe [2004-04-11 04:22:36 24576]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\ThinkPad\podozi.html
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1DD7CBED-2F05-11D3-A521-00400514C916}"= C:\CFGSAFE\CSHOOK.DLL [01-09-24 10:12 126976]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 07-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R1 IBMTPCHK;IBMTPCHK;C:\WINNT\system32\drivers\IBMBLDID.SYS [02-01-25 02:00 ]
R1 TPPWR;TPPWR;C:\WINNT\system32\drivers\Tppwr.sys [02-02-20 01:23 ]
R2 PRPC;PRPC;C:\WINNT\system32\drivers\PRPC.sys [01-11-28 14:20 ]
R2 SVKP;SVKP;C:\WINNT\system32\SVKP.sys [04-03-27 03:48 ]
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINNT\system32\CBTNDIS5.SYS [03-07-16 22:28 ]
R3 i8042HDR;Keyboard Filter Driver;C:\WINNT\system32\DRIVERS\i8042HDR.sys [02-01-31 21:39 ]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINNT\system32\DRIVERS\odysseyIM3.sys [03-05-14 16:01 ]
R3 TNET1130;Wireless-G Notebook Adapter v.2.0;C:\WINNT\system32\DRIVERS\tnet1130.sys [04-03-10 21:49 ]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINNT\system32\DRIVERS\tp4track.sys [02-01-18 03:04 ]
S2 Network DDE Service;Network DDE Service;C:\WINNT\system32\netsrv.exe [07-08-28 17:18 ]
S2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe [03-11-13 13:29 ]
S3 USBNUMP;USBNUMP;C:\WINNT\system32\DRIVERS\USBNUMP.sys [02-01-31 21:40 ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Theme REG_MULTI_SZ Theme

.
Contents of the 'Scheduled Tasks' folder
"2004-04-02 15:03:30 C:\WINNT\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\Bmmtask.exe
"2004-03-29 16:00:02 C:\WINNT\Tasks\Scheduled Snapshot.job"
- C:\CFGSAFE\SCHWIZEX.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 12:53:15
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

? [724]

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
.
**************************************************************************
.
Completion time: 2008-02-02 12:54:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-02 20:54:34
ComboFix2.txt 2008-02-02 15:22:02

#7 myers1965 (Member, Topic Starter, 18 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57, on 2008-02-02
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\USBNUMP.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.awginc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = awgproxy.awginc.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.awginc.com;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NumChk] NumpChk.exe
O4 - HKLM\..\Run: [NUMPADL] USBNUMP.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] (User 'Default user')
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra button: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Happytofind Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINNT\System32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.awginc.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Network DDE Service - Unknown owner - C:\WINNT\system32\netsrv.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINNT\System32\QCONSVC.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\ThinkPad\podozi.html

--
End of file - 6140 bytes

#8 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Ahhh I missed one. :)
===================
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINNT\system32\netsrv.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

=====================================
Post that log in your next reply along with the following log.

Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

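The netsrv.exe entry kahdah caught above stands out for two reasons that can be checked mechanically: HijackThis lists the service with "Unknown owner" (no vendor name in the binary), and the ComboFix Find3M report shows the file carrying hidden and system attributes inside system32. The triage script below is an added example, not a tool used in this thread; its sample lines are copied from the logs posted above and its severity rules are the example's own heuristics.

```python
"""Triage helper for HijackThis O23 service lines and ComboFix Find3M lines.

Added example for this thread, not part of HijackThis or ComboFix. The sample
lines are constructed from the logs posted above; the scoring rules are this
example's own assumptions, not anything the tools themselves report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input, copied from the logs posted earlier in the thread.
SAMPLE_HJT_BEFORE = [
    "O23 - Service: DefWatch - Symantec Corporation - C:\\Program Files\\NavNT\\defwatch.exe",
    "O23 - Service: Network DDE Service - Unknown owner - C:\\WINNT\\system32\\netsrv.exe",
    "O23 - Service: QCONSVC - Unknown owner - C:\\WINNT\\System32\\QCONSVC.EXE",
]
SAMPLE_HJT_AFTER = [
    "O23 - Service: Network DDE Service - Unknown owner - C:\\WINNT\\system32\\netsrv.exe (file missing)",
]
SAMPLE_FIND3M = [
    "2008-01-01 16:42 --------- d-----w C:\\Program Files\\Trend Micro",
    "2006-08-12 04:01 78,587 ---ha-w C:\\Documents and Settings\\farsm\\Application Data\\ptads.bin",
    "2001-05-08 20:00 32,528 ----a-w C:\\WINNT\\inf\\wbfirdma.sys",
    "2007-08-29 01:18 478,720 --sh--r C:\\WINNT\\system32\\netsrv.exe",
]

# "O23 - Service: <display name> - <vendor or 'Unknown owner'> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# "<yyyy-mm-dd> <hh:mm> <size or ---------> <7 attribute flags> <path>"
FIND3M_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-{9}) (?P<attrs>[-a-z]{7}) (?P<path>.+)$"
)
# Directories where an unexplained hidden+system executable deserves a look (assumption).
SYSTEM_DIRS = ("c:\\winnt\\system32\\", "c:\\windows\\system32\\")


@dataclass
class Service:
    name: str
    owner: str
    path: str
    missing: bool


@dataclass
class FileEntry:
    path: str
    size: Optional[int]  # None for directory entries
    attrs: str           # e.g. "--sh--r": s = system, h = hidden, r = read-only


@dataclass
class Finding:
    severity: str
    reason: str
    path: str


def parse_o23(line: str) -> Optional[Service]:
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return Service(m["name"], m["owner"], m["path"], m["missing"] is not None)


def parse_find3m(line: str) -> Optional[FileEntry]:
    m = FIND3M_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"].replace(",", ""))
    return FileEntry(m["path"], size, m["attrs"])


def _norm(path: str) -> str:
    return path.lower()  # Windows paths are case-insensitive


def in_system_dir(path: str) -> bool:
    return _norm(path).startswith(SYSTEM_DIRS)


def triage(hjt_lines: List[str], find3m_lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    hidden_system: Dict[str, FileEntry] = {}
    for line in find3m_lines:
        entry = parse_find3m(line)
        if entry is None or "d" in entry.attrs:
            continue  # not a Find3M line, or a directory entry
        if "s" in entry.attrs and "h" in entry.attrs and in_system_dir(entry.path):
            hidden_system[_norm(entry.path)] = entry
            findings.append(Finding("medium", "hidden+system file in a Windows system directory", entry.path))
    for line in hjt_lines:
        svc = parse_o23(line)
        if svc is None:
            continue
        if svc.missing:
            findings.append(Finding("low", "service still registered but its binary is gone (stale entry)", svc.path))
        elif svc.owner == "Unknown owner" and _norm(svc.path) in hidden_system:
            findings.append(Finding("high", "service with no vendor name backed by a hidden+system binary", svc.path))
        elif svc.owner == "Unknown owner" and in_system_dir(svc.path):
            # A missing vendor name alone is weak evidence: QCONSVC.EXE is a legitimate
            # IBM ThinkPad component, so this tier only asks for a manual check.
            findings.append(Finding("medium", "service with no vendor name in a system directory; verify manually", svc.path))
    return findings


def highest_severity(findings: List[Finding]) -> str:
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f.severity for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_BEFORE, SAMPLE_FIND3M):
        print(f"[{f.severity}] {f.path}: {f.reason}")
```

Run against the post-cleanup HijackThis log, the same netsrv.exe line comes back only as a low-severity stale registration, which is what the "(file missing)" marker in post #14 reflects.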

#9 myers1965 (Member, Topic Starter, 18 posts)
File move failed. C:\WINNT\system32\netsrv.exe scheduled to be moved on reboot.

OTMoveIt2 v1.0.17 log created on 02022008_140630

#10 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Okay that is fine go ahead with the scan please and post those results.

#11 myers1965 (Member, Topic Starter, 18 posts)
The file was REAL big. I posted the beginning and cut out a lot of the middle. The part that I cut was more of the quarantined items. I can post them if necessary. It would probably take several postings....
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-02-02 16:50
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/02/2008
Kaspersky Anti-Virus database records: 546030
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
Z:\

Scan Statistics:
Total number of scanned objects: 58865
Number of viruses found: 73
Number of infected objects: 11388
Number of suspicious objects: 0
Duration of the scan process: 01:33:07

Infected Object Name / Virus Name / Last Action
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\gtool.dll Infected: not-a-virus:AdWare.Win32.TopInstalls.a skipped
C:\WINNT\security\logs\scepol.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\Downloaded Program Files\motorsix.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\WINNT\octeltpop.exe Infected: Trojan.Win32.VB.atp skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04400000.VBN Infected: Net-Worm.Win32.Welchia.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04380000.VBN Infected: Trojan-Spy.Win32.Idly.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04540000.VBN Infected: Trojan-Spy.Win32.Idly.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\043C0000.VBN Infected: Trojan-Spy.Win32.Idly.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04380001.VBN Infected: Trojan-Spy.Win32.Idly.c skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05F40001.VBN Infected: Net-Worm.Win32.Allaple.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05A80000.VBN Infected: Net-Worm.Win32.Allaple.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0494003A.VBN Infected: Net-Worm.Win32.Allaple.b skipped
C:\Documents and Settings\farsm\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\farsm\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\farsm\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\farsm\Local Settings\History\History.IE5\MSHist012008020220080203\index.dat Object is locked skipped
C:\Documents and Settings\farsm\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\farsm\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\farsm\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\farsm\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\farsm\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-46722f9c.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\farsm\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-46722f9c.zip ZIP: infected - 1 skipped
C:\Documents and Settings\farsm\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\windows\bundles\s4Sept.exe Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\_OTMoveIt\MovedFiles\04022004_071323\Program Files\z60s8dhz\z60s8dhz1\z60s8dhz1.dll Infected: not-a-virus:AdWare.Win32.ClearSearch.z skipped
C:\_OTMoveIt\MovedFiles\04022004_071323\Program Files\z60s8dhz\z60s8dhz1\z60s8dhz1.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.ac skipped
C:\_OTMoveIt\MovedFiles\04022004_071323\Program Files\z60s8dhz\m1vk6ahk.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.t skipped
C:\_OTMoveIt\MovedFiles\04022004_071323\Program Files\z60s8dhz\csUNinst.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.al skipped
C:\_OTMoveIt\MovedFiles\04022004_071323\Program Files\z60s8dhz\csIEinst.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.al skipped
C:\_OTMoveIt\MovedFiles\04022004_071323\Program Files\z60s8dhz\csIEHookInst.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.ak skipped
C:\QooBox\Quarantine\C\Program Files\Cas2Stub\cas2stub.exe.vir Infected: Trojan-Downloader.Win32.Agent.aaf skipped

Scan process completed.

#12 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
No that info is not needed.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINNT\system32\gtool.dll
C:\WINNT\Downloaded Program Files\motorsix.ocx
C:\windows\bundles\s4Sept.exe

Folder::
C:\Documents and Settings\farsm\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-46722f9c.zip


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


#13 myers1965 (Member, Topic Starter, 18 posts)
ComboFix 08-02.02.5 - farsm 2008-02-02 18:42:42.3 - FAT32x86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.140 [GMT -8:00]
Running from: C:\Documents and Settings\farsm\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\farsm\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\windows\bundles\s4Sept.exe
C:\WINNT\Downloaded Program Files\motorsix.ocx
C:\WINNT\system32\gtool.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\farsm\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-46722f9c.zip\
C:\windows\bundles\s4Sept.exe
C:\WINNT\Downloaded Program Files\motorsix.ocx
C:\WINNT\system32\gtool.dll

.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-02 18:42 . 08-02-02 18:42 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_374.dat
2008-02-02 14:15 . 08-02-02 14:15 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-02-02 14:15 . 08-02-02 14:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-01 16:42 --------- d-----w C:\Program Files\Trend Micro
2008-01-01 16:10 --------- d-----w C:\Program Files\CCleaner
2007-12-30 18:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-30 18:29 --------- d-----w C:\Program Files\SUPERAntiSpyware
2007-12-30 18:29 --------- d-----w C:\Documents and Settings\farsm\Application Data\SUPERAntiSpyware.com
2007-12-30 18:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2006-08-12 04:01 78,587 ---ha-w C:\Documents and Settings\farsm\Application Data\ptads.bin
2003-04-21 22:59 271 ---h--w C:\Program Files\desktop.ini
2003-04-21 22:59 21,952 ---h--w C:\Program Files\folder.htt
2001-05-08 20:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
1998-12-09 03:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 03:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 03:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 03:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 03:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 03:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NoAds"="C:\Program Files\NoAds\NoAds.exe" [06-04-04 08:10 126976]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [05-06-14 10:05 6856704]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-08-25 15:36 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [07-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [02-01-28 13:04 69632]
"vptray"="C:\Program Files\NavNT\vptray.exe" [01-09-24 07:59 73728]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"NumChk"="NumpChk.exe" []
"NUMPADL"="USBNUMP.exe" [03-01-30 15:30 326144 C:\WINNT\USBNUMP.exe]
"PrinTray"="C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe" [01-06-11 11:05 36864]
"ATIPTA"="atiptaxx.exe" [02-01-19 00:04 311296 C:\WINNT\system32\atiptaxx.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [06-07-26 03:03 49263]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-08-25 15:36 68856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless-G Notebook Adapter Utility.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe [2004-04-11 04:22:36 24576]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\ThinkPad\podozi.html
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1DD7CBED-2F05-11D3-A521-00400514C916}"= C:\CFGSAFE\CSHOOK.DLL [01-09-24 10:12 126976]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 07-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R1 IBMTPCHK;IBMTPCHK;C:\WINNT\system32\drivers\IBMBLDID.SYS [02-01-25 02:00 ]
R1 TPPWR;TPPWR;C:\WINNT\system32\drivers\Tppwr.sys [02-02-20 01:23 ]
R2 PRPC;PRPC;C:\WINNT\system32\drivers\PRPC.sys [01-11-28 14:20 ]
R2 SVKP;SVKP;C:\WINNT\system32\SVKP.sys [04-03-27 03:48 ]
R3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;C:\WINNT\system32\CBTNDIS5.SYS [03-07-16 22:28 ]
R3 i8042HDR;Keyboard Filter Driver;C:\WINNT\system32\DRIVERS\i8042HDR.sys [02-01-31 21:39 ]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINNT\system32\DRIVERS\odysseyIM3.sys [03-05-14 16:01 ]
R3 TNET1130;Wireless-G Notebook Adapter v.2.0;C:\WINNT\system32\DRIVERS\tnet1130.sys [04-03-10 21:49 ]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINNT\system32\DRIVERS\tp4track.sys [02-01-18 03:04 ]
S2 Network DDE Service;Network DDE Service;C:\WINNT\system32\netsrv.exe []
S2 NICSer_WPC54G;NICSer_WPC54G;C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe [03-11-13 13:29 ]
S3 USBNUMP;USBNUMP;C:\WINNT\system32\DRIVERS\USBNUMP.sys [02-01-31 21:40 ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Theme REG_MULTI_SZ Theme

.
Contents of the 'Scheduled Tasks' folder
"2004-04-02 15:03:30 C:\WINNT\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\Bmmtask.exe
"2004-03-29 16:00:02 C:\WINNT\Tasks\Scheduled Snapshot.job"
- C:\CFGSAFE\SCHWIZEX.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 18:44:16
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-02 18:44:37
ComboFix-quarantined-files.txt 2008-02-03 02:44:36
ComboFix3.txt 2008-02-02 15:22:02
ComboFix2.txt 2008-02-02 20:54:38

#14 myers1965 (Member, Topic Starter, 18 posts)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:46, on 2008-02-02
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\USBNUMP.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\wisptis.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.awginc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = awgproxy.awginc.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.awginc.com;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NumChk] NumpChk.exe
O4 - HKLM\..\Run: [NUMPADL] USBNUMP.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] (User 'Default user')
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.awginc.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Network DDE Service - Unknown owner - C:\WINNT\system32\netsrv.exe (file missing)
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINNT\System32\QCONSVC.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\ThinkPad\podozi.html

--
End of file - 6234 bytes

#15
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
If you did not set this setting then please fix it with Hijackthis.

O24 - Desktop Component 0: (no name) - C:\Program Files\ThinkPad\podozi.html

If you did then leave it.
===================
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

    The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Clean System Restore points.

Also delete anything that we used that is left over.
==================================
After that please update your Java:
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java: After that
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
=============================================
After that, your log is clean. :)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here
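The reply above singles out the O24 Desktop Component and the log itself carries O23 services with no publisher or a missing binary. The script below is an added example (not part of this thread and not HijackThis code) that parses lines in the HijackThis format and flags the entries a helper would look at first; the sample lines are constructed to mirror the shapes in the log above, and the review heuristics are my own, not verdicts of malice.

```python
import re

# Constructed sample lines, modelled on the O4/O23/O24 entries in the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NumChk] NumpChk.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Network DDE Service - Unknown owner - C:\WINNT\system32\netsrv.exe (file missing)
O23 - Service: QCONSVC - Unknown owner - C:\WINNT\System32\QCONSVC.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\ThinkPad\podozi.html
"""

# "O<n> - <body>" is the common shape of every HijackThis entry.
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O23: "Service: <name> - <owner> - <path>"; name is lazy so it may contain " - "-free parentheses.
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# O4 registry Run entries: "HKLM\..\Run: [<key>] <command>" (Global Startup lines are not matched).
O4_RE = re.compile(r"^(?P<hive>HK\S+?)\\\.\.\\Run(Once)?: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def triage(log_text):
    """Return (section, reason, line) for each entry worth a closer look.

    Heuristics (assumed, not from HijackThis): a service whose binary is
    missing, a service with no publisher string, a Run entry that is only a
    bare file name (so it resolves via the search path), and any Active
    Desktop component, which the reply above asks the poster to confirm.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O23":
            s = O23_RE.match(body)
            if s and s.group("path").endswith("(file missing)"):
                findings.append((section, "service binary missing", line))
            elif s and s.group("owner") == "Unknown owner":
                findings.append((section, "service without publisher info", line))
        elif section == "O4":
            s = O4_RE.match(body)
            if s and not ABS_PATH_RE.match(s.group("cmd")):
                findings.append((section, "run entry without absolute path", line))
        elif section == "O24":
            findings.append((section, "desktop component (active desktop)", line))
    return findings
```

Run `triage(SAMPLE_LOG)` to see four flagged entries; entries with a known publisher and an absolute path to an existing file pass through unflagged.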
