Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

trojandownloader.xs [CLOSED]


  • This topic is locked This topic is locked

#1
nikkiware

nikkiware

    Member

  • Member
  • PipPip
  • 12 posts
i have spybot but doesn't seem to help. I keep getting the warnings for spy removal to buy and i my display page keeps changing to this spy removal warning page. Here is my log file and my uninstall list. I hope you can assist me.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:00 PM, on 3/16/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\mgmrwmrv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbc.yahoo.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {20B7AC18-849A-432A-869A-AA5A7B89EF30} - C:\Program Files\Common Files\wecojem777444.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: 0 - {8A76FB3B-1692-4F1A-8498-A9F2CC71842A} - C:\Program Files\Internet Explorer\qudarud.dll
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: (no name) - {C6B748A8-8437-4BCC-9280-D1E40746511A} - C:\Program Files\NetMeeting\merox555077.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINNT\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [runner1] C:\WINNT\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1205461605373
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 6299 bytes

uinstall list:

2Wire Wireless Client
Adobe Acrobat 4.0
Adobe Flash Player ActiveX
HijackThis 2.0.2
Learn2 Player (Uninstall Only)
Microsoft Data Access Components KB870669
Microsoft Internet Explorer 6 SP1
Microsoft Office Professional Edition 2003
Microsoft Works 2000
Outlook Express Q823353
RealPlayer Basic
SBC Yahoo! Applications
SoundMAX
Spybot - Search & Destroy 1.3
Viewpoint Media Player
Windows 2000 Hotfix - KB329115
Windows 2000 Hotfix - KB823182
Windows 2000 Hotfix - KB823559
Windows 2000 Hotfix - KB824105
Windows 2000 Hotfix - KB825119
Windows 2000 Hotfix - KB826232
Windows 2000 Hotfix - KB828035
Windows 2000 Hotfix - KB828741
Windows 2000 Hotfix - KB828749
Windows 2000 Hotfix - KB835732
Windows 2000 Hotfix - KB837001
Windows 2000 Hotfix - KB839643
Windows 2000 Hotfix - KB839645
Windows 2000 Hotfix - KB840315
Windows 2000 Hotfix - KB841872
Windows 2000 Hotfix - KB841873
Windows 2000 Hotfix - KB842526
Windows Media Player Hotfix [See Q828026 for more information]
Windows Media Player system update (9 Series)
WinZip
  • 0

Advertisements


#2
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi nikkiware ,

Welcome to Geeks To Go,

I'm sorry that we haven't got to you until now, but the forum can get hectic at times.

I am sage5 and I will be helping you with this problem.

First I need you to download the following tools & save them to your Desktop.
SmitfraudFix (by S!Ri)
SDFix
OTMoveIt2 by OldTimer.
Deckard's System Scanner
Malwarebytes' Anti-Malware from Here or Here


Start the Smitfraud scan:
  • Double-click SmitfraudFix.exe
  • Select option #1 - Search by typing 1 and press "Enter". A text file will appear, which lists infected files (if present). It is saved as C:\rapport.txt
  • Please copy/paste the content of that file into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm


Run SDFix:
Double click SDFix.exe and it will extract the files to %systemdrive%, (typically C:\SDFix)
  • Restart your Computer in Safe Mode
  • As soon as it starts to boot up, tap your F8 key repeatedly.
  • This should bring up the Windows Advanced Options Menu.
  • Use your arrow keys to select Safe Mode and click the Enter key.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save as C:\SDFix\Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).


Your log shows you are not running Anti-virus or Firewall software.
These are essential items and need to be loaded before we can continue fixing your PC.

I have listed a couple of free versions of both. Please download and install 1 Anti-virus and 1 Firewall.

Firewalls: Please install one only.
Comodo Firewall Pro or Sunbelt Personal Firewall

Anti-virus: Please install one only:
Avast! Free Edition or AntiVir PersonalEdition Classic

Anti-Virus Tutorials/Manuals:
Avast Tutorial
Avast Manual
Antivir Manual

Please allow the new Anti-virus to run a full System scan, and at the end of the process you should be able to save a scan log.
If the scan report window does not have a Save as Repot Button (or similar), you may be able to highlight the text in the window & copy & paste it to a new Notepad file.
Save it as C:\avscan.txt if you can.

I need you to post me a fresh HijackThis log to confirm correct installation of the Anti-virus and Firewall programs.

Run HijackThis:
  • Select the Run a system scan and save a logfile option. The logfile opens in Notepad.
  • Start your Web Browser and navigate back to this thread.
  • Click the Add Reply button
  • Copy and Paste the text into the Reply window.
  • Also paste me the text from C:\avscan.txt, C:\rapport.txt & C:\SDFix\Report.txt

The text from these files may exceed the maximum post length for this forum, and may need to be sent over 2 or more posts. Please ensure all text is posted.

Cheers,

sage5
  • 0

#3
nikkiware

nikkiware

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Thanks Sage: I had some problems at first and ad to repeat the steps over because i forgot the malware download but all steps have now been completed and new logs have been run I will now post the logs and wait for s reply. Also I keep getting the antivirus progar asking me to allow or deny I don't know what to do with this msg.

New Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:08 AM, on 3/22/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: 0 - {40F6A3F8-4300-412D-90B4-31D979E05356} - C:\Program Files\Internet Explorer\qudarud.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: (no name) - {C6B748A8-8437-4BCC-9280-D1E40746511A} - C:\Program Files\NetMeeting\merox555077.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINNT\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1205461605373
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 6379 bytes
  • 0

#4
nikkiware

nikkiware

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
SmitFraudFix v2.305

Scan done at 21:53:11.02, Fri 03/21/2008
Run from C:\Documents and Settings\Value User\Desktop\New Folder\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
C:\WINNT\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Value User


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Value User\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\VALUEU~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Internet Explorer\\rtemegowu.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: 3Com EtherLink PCI
DNS Server Search Order: 66.73.20.40
DNS Server Search Order: 206.141.193.55

Description: 3Com EtherLink PCI
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2A0D3259-0588-4406-BBCA-249269BC9DDA}: DhcpNameServer=192.168.1.254


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0

#5
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
How did you go with that SDFix log?
Were you able to get the scan complete?
If so, the log should have been saved at C:\SDFix\Report.txt

Cheers,

sage5
  • 0

#6
nikkiware

nikkiware

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
SDFix: Version 1.159

Run by Value User on Fri 03/21/2008 at 10:30p

Microsoft Windows 2000 [Version 5.00.2195]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\PROGRA~1\INTERN~1\QUDARUD - Deleted
C:\WINNT\system32\comsa32.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 22:36:39
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :


[b]Finished!
  • 0

#7
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi nikkiware ,

Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for the all the entries listed below:
O2 - BHO: 0 - {40F6A3F8-4300-412D-90B4-31D979E05356} - C:\Program Files\Internet Explorer\qudarud.dll (file missing)
O2 - BHO: (no name) - {C6B748A8-8437-4BCC-9280-D1E40746511A} - C:\Program Files\NetMeeting\merox555077.dll (file missing)
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.


Run OTMoveIt2:
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\mgmrwmrv.exe
    C:\Program Files\Common Files\wecojem777444.dll
    C:\Program Files\Internet Explorer\qudarud.dll
    C:\Program Files\NetMeeting\merox555077.dll
    C:\WINNT\mrofinu72.exe
    C:\WINDOWS\system32\iexplorer.dll .dbt
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Paste the text into the Notepad file, click in the window and press Ctrl + V.
  • Click "Exit" to close OTMoveIt.
  • Save the text file as C:\otmove.txt
(If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.)


Run Deckard's System Scanner:
  • Close all other windows before proceeding.
  • Double click on the dss.exe file on your Desktop and follow the prompts.
  • Scans will run, and 2 text files will open in Notepad.
  • Close both of the text files.
These files are C:\Deckard\System Scanner\main.txt & extra.txt. I will need you to copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt, extra.txt & C:\otmove.txt in your next reply.



The text from these files may exceed the maximum post length for this forum, and may need to be sent over 2 or more posts. Please ensure all text is posted.

Cheers,

sage5
  • 0

#8
nikkiware

nikkiware

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Deckard's System Scanner v20071014.68
Run by Value User on 2008-03-23 01:18:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 84% (more than 75%).
Total Physical Memory: 126 MiB (256 MiB recommended).


-- HijackThis (run as Value User.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:43 AM, on 3/23/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
C:\Documents and Settings\Value User\Desktop\New Folder\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Value User.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINNT\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1205461605373
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 5532 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080323-010901-515 O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
backup-20080323-010901-660 O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
backup-20080323-010901-694 O2 - BHO: (no name) - {C6B748A8-8437-4BCC-9280-D1E40746511A} - C:\Program Files\NetMeeting\merox555077.dll (file missing)
backup-20080323-010901-700 O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
backup-20080323-010901-894 O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
backup-20080323-010901-927 O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
backup-20080323-010901-955 O2 - BHO: 0 - {40F6A3F8-4300-412D-90B4-31D979E05356} - C:\Program Files\Internet Explorer\qudarud.dll (file missing)

-- File Associations -----------------------------------------------------------

.bat - batfile - shell\edit\command - jky7u64thng5thb.exe %1
.ini - inifile - shell\open\command - jky7u64thng5thb.exe %1
.reg - regfile - shell\edit\command - jky7u64thng5thb.exe %1
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\winnt\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.1.9) - c:\winnt\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
R3 catchme - c:\docume~1\valueu~1\locals~1\temp\catchme.sys (file missing)

S3 Intels51 (Intel® 536EP Modem) - c:\winnt\system32\drivers\intels51.sys <Not Verified; Intel Corporation; Intel® 536EP Modem Driver>
S3 wanatw (WAN Miniport (ATW)) - c:\winnt\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-02-23 and 2008-03-23 -----------------------------

2008-03-22 01:21:18 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_5e4.dat
2008-03-21 09:02:10 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_200.dat
2008-03-21 08:34:07 0 d-------- C:\Documents and Settings\Value User\Application Data\Malwarebytes
2008-03-21 08:33:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-21 08:33:52 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-21 08:27:16 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_550.dat
2008-03-21 00:02:56 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_204.dat
2008-03-20 23:20:53 0 d-------- C:\Program Files\Alwil Software
2008-03-20 23:14:57 0 d-------- C:\Documents and Settings\Value User\Application Data\Comodo
2008-03-20 23:14:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2008-03-20 23:11:03 0 d-------- C:\Program Files\Comodo
2008-03-20 22:44:40 0 d-------- C:\WINNT\ERUNT
2008-03-20 21:05:28 2000 --a------ C:\WINNT\system32\tmp.reg
2008-03-20 20:56:39 25600 --a------ C:\WINNT\system32\WS2Fix.exe
2008-03-20 20:56:39 289144 --a------ C:\WINNT\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-20 20:56:39 86528 --a------ C:\WINNT\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-20 20:56:39 82432 --a------ C:\WINNT\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-20 20:56:38 288417 --a------ C:\WINNT\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-20 20:56:38 53248 --a------ C:\WINNT\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-03-20 20:56:38 51200 --a------ C:\WINNT\system32\dumphive.exe
2008-03-20 00:41:48 0 d---s---- C:\Documents and Settings\Default User\UserData
2008-03-19 06:19:59 0 d-------- C:\Documents and Settings\Default User\Application Data\Macromedia
2008-03-19 06:19:56 0 d-------- C:\Documents and Settings\Default User\Application Data\Adobe
2008-03-19 06:13:50 206 --a------ C:\WINNT\MicroSoft.vbs
2008-03-19 06:13:50 59392 --a------ C:\WINNT\MicroSoft.pif
2008-03-17 17:15:09 20480 --a------ C:\WINNT\quit.exe <Not Verified; rd uy ikyui rytwe fds; r fghf drsf sdfs fgh d>
2008-03-16 23:35:07 0 d-------- C:\Program Files\Trend Micro
2008-03-16 21:10:55 0 d-------- C:\WINNT\??crosoft
2008-03-16 21:10:08 136627 --a------ C:\WINNT\POTA777444.exe
2008-03-16 21:09:15 0 d-------- C:\WINNT\?ystem32
2008-03-14 15:14:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-13 21:37:40 0 d-------- C:\Documents and Settings\Value User\Application Data\Adobe
2008-03-13 21:34:13 57344 --a------ C:\WINNT\uneng.exe <Not Verified; Roxio; Roxio Update Wizard>
2008-03-13 21:34:13 0 d-------- C:\Program Files\Common Files\Adaptec Shared
2008-03-13 21:33:57 225280 --a------ C:\WINNT\system32\wmpdxm.dll <Not Verified; Microsoft Corporation; Microsoft® Windows Media Player>
2008-03-13 21:33:57 106496 --a------ C:\WINNT\system32\wmpasf.dll <Not Verified; Microsoft Corporation; Microsoft® Windows Media Player>
2008-03-13 21:33:42 52224 --a------ C:\WINNT\system32\mspmsnsv.dll <Not Verified; Microsoft Corporation; Windows Media Device Manager>
2008-03-13 21:33:36 997888 --a------ C:\WINNT\system32\wmvdmoe2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows Media Services>
2008-03-13 21:33:35 892416 --a------ C:\WINNT\system32\wmspdmoe.dll <Not Verified; Microsoft Corporation; Microsoft® Windows Media Services>
2008-03-13 21:33:35 1111040 --a------ C:\WINNT\system32\wmsdmoe2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows Media Services>
2008-03-13 21:26:52 0 d-------- C:\WINNT\SoftwareDistribution
2008-03-13 20:48:14 0 d-------- C:\Documents and Settings\Value User\Application Data\Macromedia
2008-03-13 20:47:02 0 d-------- C:\Documents and Settings\Value User\Application Data\Yahoo!
2008-03-13 20:41:35 0 d-------- C:\Documents and Settings\All Users\Application Data\yahoo!
2008-03-13 20:41:17 65536 --a------ C:\WINNT\system32\YCRWin32.dll <Not Verified; ; YCRWin32 Module>
2008-03-13 20:18:40 0 d-------- C:\Program Files\Yahoo!
2008-03-13 20:18:23 929792 -ra------ C:\WINNT\system32\PRISME5.dll <Not Verified; Meetinghouse Data Communications; AEGIS Client API>
2008-03-13 20:18:23 15781 -ra------ C:\WINNT\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1.9>
2008-03-13 20:17:39 0 d-------- C:\Program Files\2Wire


-- Find3M Report ---------------------------------------------------------------

2008-03-21 21:58:14 1284330 ---h----- C:\WINNT\ShellIconCache
2008-03-21 21:48:52 0 d-a------ C:\Program Files\Common Files
2008-03-13 21:27:33 0 d-ah----- C:\Program Files\WindowsUpdate
2008-03-13 20:18:23 0 d--h----- C:\Program Files\InstallShield Installation Information


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 02:05p C:\WINNT\system32\mobsync.exe]
"SoundMan"="SOUNDMAN.EXE" [02/09/04 03:54a C:\WINNT\SOUNDMAN.EXE]
"VTTimer"="VTTimer.exe" []
"PRISMSVR.EXE"="C:\WINNT\system32\PRISMSVR.exe" []
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [12/09/03 02:02p]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [03/20/08 11:11p]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/07 08:00a]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" [08/15/05 03:24p]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [9/4/1999 5:23:00 PM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-03-23 01:19:52 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 92%
Physical Memory (total/avail): 125.52 MiB / 9.62 MiB
Pagefile Memory (total/avail): 319.99 MiB / 83.72 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1967.55 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 18.64 GiB total, 16.46 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST320413A - 18.65 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 18.64 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Value User\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=VALUE-X5GUHQA71
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Value User
LOGONSERVER=\\VALUE-X5GUHQA71
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=080a
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\VALUEU~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\VALUEU~1\LOCALS~1\Temp
USERDOMAIN=VALUE-X5GUHQA71
USERNAME=Value User
USERPROFILE=C:\Documents and Settings\Value User
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

Value User (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

2Wire Wireless Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A3BC5D37-30F9-4CF7-BD5C-0DFF063E4B6D}\Setup.exe" -l0x9 -L0x9
Adobe Acrobat 4.0 --> C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
COMODO Firewall Pro --> C:\Program Files\Comodo\Firewall\fwconfig.exe -uninstalln
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Learn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exe
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Data Access Components KB870669 --> C:\WINNT\muninst.exe C:\WINNT\INF\KB870669.inf
Microsoft Internet Explorer 6 SP1 --> rundll32 C:\WINNT\system32\setupwbv.dll,IE6Maintenance C:\Program Files\Internet Explorer\IE Uninstall\W2KEXCP.EXE /u
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Works 2000 --> MsiExec.exe /I{56364334-9530-11D2-BFFC-00C04FA329AA}
Outlook Express Q823353 --> C:\WINNT\oeuninst.exe C:\WINNT\INF\Q823353.inf
RealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
SBC Yahoo! Applications --> C:\PROGRA~1\Yahoo!\common\uninstall.exe
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Spybot - Search & Destroy 1.3 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall


-- Application Event Log -------------------------------------------------------

Event Record #/Type704 / Error
Event Submitted/Written: 03/23/2008 01:07:46 AM
Event ID/Source: 8222 / Fax Service
Event Description:
No fax devices were found.

Event Record #/Type702 / Warning
Event Submitted/Written: 03/21/2008 10:33:36 PM
Event ID/Source: 256 / PlugPlayManager
Event Description:
Timed out sending notification of device interface change to window of ""

Event Record #/Type701 / Warning
Event Submitted/Written: 03/21/2008 10:33:36 PM
Event ID/Source: 256 / PlugPlayManager
Event Description:
Timed out sending notification of device interface change to window of ""

Event Record #/Type700 / Warning
Event Submitted/Written: 03/21/2008 10:33:36 PM
Event ID/Source: 256 / PlugPlayManager
Event Description:
Timed out sending notification of device interface change to window of ""

Event Record #/Type699 / Warning
Event Submitted/Written: 03/21/2008 10:33:36 PM
Event ID/Source: 256 / PlugPlayManager
Event Description:
Timed out sending notification of device interface change to window of ""



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type875 / Error
Event Submitted/Written: 03/22/2008 10:35:43 PM
Event ID/Source: 1000 / Dhcp
Event Description:
Your computer has lost the lease to its IP address 192.168.1.65 on the
Network Card with network address 00065B414BAE.

Event Record #/Type874 / Warning
Event Submitted/Written: 03/22/2008 10:35:43 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00065B414BAE. The following
error occured:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type873 / Warning
Event Submitted/Written: 03/22/2008 10:30:17 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00065B414BAE. The following
error occured:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type872 / Warning
Event Submitted/Written: 03/22/2008 10:18:30 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00065B414BAE. The following
error occured:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type871 / Warning
Event Submitted/Written: 03/22/2008 09:54:59 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00065B414BAE. The following
error occured:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.



-- End of Deckard's System Scanner: finished at 2008-03-23 01:19:52 ------------

File/Folder C:\WINNT\system32\mgmrwmrv.exe not found.
File/Folder C:\Program Files\Common Files\wecojem777444.dll not found.
File/Folder C:\Program Files\Internet Explorer\qudarud.dll not found.
File/Folder C:\Program Files\NetMeeting\merox555077.dll not found.
File/Folder C:\WINNT\mrofinu72.exe not found.
File/Folder C:\WINDOWS\system32\iexplorer.dll .dbt not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03232008_011447
  • 0

#9
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi nikkiware ,

Please download the following & save to your Desktop:
ComboFix

Run ComboFix:
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply
Log file will be C:\Combofix.txt

Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#10
nikkiware

nikkiware

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
ComboFix 08-03-24.1 - Value User 03/24/2008 16:38:53.1 - NTFSx86
Running from: C:\Documents and Settings\Value User\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINNT\crosof~1
C:\WINNT\system32\iexplorer.dll .dbt
C:\WINNT\Web\default.htt
C:\WINNT\ystem3~1

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PERFMONS
-------\Legacy_ROUTING


((((((((((((((((((((((((( Files Created from 2008-02-24 to 2008-03-24 )))))))))))))))))))))))))))))))
.

2008-03-24 16:47 . 08-03-24 16:47 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_208.dat
2008-03-23 01:14 . 08-03-23 01:14 <DIR> d-------- C:\_OTMoveIt
2008-03-21 08:34 . 08-03-21 08:34 <DIR> d-------- C:\Documents and Settings\Value User\Application Data\Malwarebytes
2008-03-21 08:33 . 08-03-21 08:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-21 08:33 . 08-03-21 08:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-20 23:21 . 03-03-18 15:20 1,060,864 --a------ C:\WINNT\system32\MFC71.dll
2008-03-20 23:21 . 07-12-04 08:04 837,496 --a------ C:\WINNT\system32\aswBoot.exe
2008-03-20 23:21 . 04-01-09 04:13 380,928 --a------ C:\WINNT\system32\actskin4.ocx
2008-03-20 23:21 . 07-12-04 07:54 95,608 --a------ C:\WINNT\system32\AvastSS.scr
2008-03-20 23:21 . 07-12-04 09:55 94,544 --a------ C:\WINNT\system32\drivers\aswmon2.sys
2008-03-20 23:21 . 07-12-04 09:56 93,264 --a------ C:\WINNT\system32\drivers\aswmon.sys
2008-03-20 23:21 . 07-12-04 09:51 42,912 --a------ C:\WINNT\system32\drivers\aswTdi.sys
2008-03-20 23:21 . 07-12-04 09:49 26,624 --a------ C:\WINNT\system32\drivers\aavmker4.sys
2008-03-20 23:21 . 07-12-04 09:53 23,152 --a------ C:\WINNT\system32\drivers\aswRdr.sys
2008-03-20 23:20 . 08-03-20 23:20 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-20 23:14 . 08-03-20 23:14 <DIR> d-------- C:\Documents and Settings\Value User\Application Data\Comodo
2008-03-20 23:14 . 08-03-20 23:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
2008-03-20 23:11 . 08-03-20 23:11 <DIR> d-------- C:\Program Files\Comodo
2008-03-20 22:44 . 08-03-20 22:44 <DIR> d-------- C:\WINNT\ERUNT
2008-03-20 21:16 . 08-03-21 22:43 <DIR> d-------- C:\SDFix
2008-03-20 21:05 . 08-03-21 21:53 2,000 --a------ C:\WINNT\system32\tmp.reg
2008-03-20 20:56 . 07-09-05 23:22 289,144 --a------ C:\WINNT\system32\VCCLSID.exe
2008-03-20 20:56 . 06-04-27 16:49 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2008-03-20 20:56 . 08-03-14 09:09 86,528 --a------ C:\WINNT\system32\VACFix.exe
2008-03-20 20:56 . 08-03-15 17:16 82,432 --a------ C:\WINNT\system32\IEDFix.exe
2008-03-20 20:56 . 03-06-05 20:13 53,248 --a------ C:\WINNT\system32\Process.exe
2008-03-20 20:56 . 04-07-31 17:50 51,200 --a------ C:\WINNT\system32\dumphive.exe
2008-03-20 20:56 . 07-10-03 23:36 25,600 --a------ C:\WINNT\system32\WS2Fix.exe
2008-03-20 01:34 . 08-03-20 12:39 51 --a------ C:\WINNT\system32\adckcon.ini
2008-03-20 00:41 . 08-03-20 00:41 <DIR> d---s---- C:\Documents and Settings\Default User\UserData
2008-03-19 06:13 . 08-03-20 18:13 59,392 --a------ C:\WINNT\MicroSoft.pif
2008-03-19 06:13 . 08-03-20 18:13 206 --a------ C:\WINNT\MicroSoft.vbs
2008-03-17 17:15 . 08-03-20 21:55 20,480 --a------ C:\WINNT\quit.exe
2008-03-16 23:35 . 08-03-16 23:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-16 21:18 . 02-08-29 09:14 585,728 --a------ C:\WINNT\system32\WININET.DLL
2008-03-16 21:10 . 08-03-20 23:04 136,627 --a------ C:\WINNT\POTA777444.exe
2008-03-14 15:14 . 08-03-14 15:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-13 21:34 . 08-03-13 21:34 <DIR> d-------- C:\Program Files\Common Files\Adaptec Shared
2008-03-13 21:34 . 08-03-13 21:34 58,000 --a------ C:\WINNT\system32\drivers\cdr4_2K.sys
2008-03-13 21:34 . 08-03-13 21:34 57,344 --a------ C:\WINNT\uneng.exe
2008-03-13 21:34 . 08-03-13 21:34 49,152 --a------ C:\WINNT\system32\cdrtc.dll
2008-03-13 21:34 . 08-03-13 21:34 45,056 --a------ C:\WINNT\system32\cdral.dll
2008-03-13 21:34 . 08-03-13 21:34 23,420 --a------ C:\WINNT\system32\drivers\cdralw2k.sys
2008-03-13 21:27 . 07-07-30 19:19 549,720 --a------ C:\WINNT\system32\wuapi.dll
2008-03-13 21:27 . 07-07-30 19:19 325,976 --a------ C:\WINNT\system32\wucltui.dll
2008-03-13 21:27 . 07-07-30 19:19 43,352 --a------ C:\WINNT\system32\wups2.dll
2008-03-13 21:27 . 07-07-30 19:18 34,136 --a------ C:\WINNT\system32\wucltui.dll.mui
2008-03-13 21:27 . 07-07-30 19:18 33,624 --a------ C:\WINNT\system32\wups.dll
2008-03-13 21:27 . 07-07-30 19:19 25,944 --a------ C:\WINNT\system32\wuaucpl.cpl.mui
2008-03-13 21:27 . 07-07-30 19:19 25,944 --a------ C:\WINNT\system32\wuapi.dll.mui
2008-03-13 21:27 . 07-07-30 19:18 20,312 --a------ C:\WINNT\system32\wuaueng.dll.mui
2008-03-13 20:47 . 08-03-17 06:08 <DIR> d-------- C:\Documents and Settings\Value User\Application Data\Yahoo!
2008-03-13 20:41 . 08-03-13 20:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yahoo!
2008-03-13 20:41 . 03-03-18 20:14 499,712 --a------ C:\WINNT\system32\msvcp71.dll
2008-03-13 20:41 . 03-02-21 04:42 348,160 --a------ C:\WINNT\system32\msvcr71.dll
2008-03-13 20:41 . 02-01-05 06:37 344,064 --a------ C:\WINNT\system32\msvcr70.dll
2008-03-13 20:41 . 02-01-05 05:18 84,992 --a------ C:\WINNT\system32\ATL70.DLL
2008-03-13 20:41 . 01-10-11 10:26 65,536 --a------ C:\WINNT\system32\YCRWin32.dll
2008-03-13 20:18 . 08-03-13 20:46 <DIR> d-------- C:\Program Files\Yahoo!
2008-03-13 20:18 . 04-04-13 19:20 929,792 -ra------ C:\WINNT\system32\PRISME5.dll
2008-03-13 20:18 . 04-04-13 19:20 15,781 -ra------ C:\WINNT\system32\drivers\mdc8021x.sys
2008-03-13 20:17 . 08-03-13 20:47 <DIR> d-------- C:\Program Files\2Wire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-14 01:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2004-05-27 18:29 271 ---h--w C:\Program Files\desktop.ini
2004-05-27 18:29 21,952 -c-h--w C:\Program Files\folder.htt
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" [05-08-15 15:24 3092480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 111376 C:\WINNT\system32\mobsync.exe]
"SoundMan"="SOUNDMAN.EXE" [04-02-09 03:54 65024 C:\WINNT\SOUNDMAN.EXE]
"VTTimer"="VTTimer.exe" []
"PRISMSVR.EXE"="C:\WINNT\system32\PRISMSVR.exe" [ ]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [03-12-09 14:02 57344]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [08-03-20 23:11 1115728]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07-12-04 08:00 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-04 17:23:00 53317]

R2 aswMon;avast! Standard Shield Support;C:\WINNT\system32\drivers\aswMon.sys [07-12-04 09:56 ]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 07:22 ]
S3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 14:05 ]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-24 16:49:58
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-03-24 16:55:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-24 21:55:43
  • 0

Advertisements


#11
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi nikkiware ,


Fix File Associations:
  • Go to Start > Run and type or paste "%userprofile%\desktop\dss.exe" /daft
  • Click on the Scan button.
  • Place a checkmark next to all the entries that appear in red
  • Click the Fix button.
  • Re-scan and save the logfile. This will default to daft.txt
  • Save it to your C:\ drive, I'll need that log later.
If everything is ok again, it should display the "all associations ok message"


Run OTMoveIt2:
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\tmp.reg
    C:\WINNT\system32\WS2Fix.exe
    C:\WINNT\system32\VCCLSID.exe
    C:\WINNT\system32\SrchSTS.exe  
    C:\WINNT\system32\VACFix.exe  
    C:\WINNT\system32\IEDFix.exe  
    C:\WINNT\system32\Process.exe  
    C:\WINNT\system32\dumphive.exe  
    C:\WINNT\system32\WS2Fix.exe  
    C:\WINNT\system32\adckcon.ini  
    C:\WINNT\MicroSoft.vbs
    C:\WINNT\MicroSoft.pif
    C:\WINNT\quit.exe
    C:\WINNT\POTA777444.exe
  • Return to OTMoveIt, right click on the "Paste list of Files/Folders to be moved" window (under the light blue bar) and choose Paste.
  • Type the word purity into the "Paste list Of Files/Patterns To Search For and Move" window (under the yellow bar).
  • Click the red Moveit! button.
  • Open Notepad
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Paste the text into the Notepad file, click in the window and press Ctrl + V.
  • Click "Exit" to close OTMoveIt.
  • Save the text file as C:\otmove.txt
(If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.)


Shut down & Reboot normally:

Run HijackThis again:
  • Select the Run a system scan and save a logfile button. The logfile will open in Notepad.
  • Start your Web Browser and navigate back to this thread.
  • Click the Add Reply button
  • Copy and Paste the text into the Reply window.
  • Please include the text from C:\otmove.txt
Please include a note to tell me how your PC is running now.

Cheers,

sage5
  • 0

#12
nikkiware

nikkiware

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
i am unable to access msn email i keep getting a msg that says acess denied, this never happened before. Here is my hijacks log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:07 PM, on 3/26/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mobsync.exe
C:\WINNT\SOUNDMAN.EXE
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINNT\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1205461605373
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

--
End of file - 5071 bytes
  • 0

#13
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi nikkiware ,

It seems that I may have missed a couple of the bad files from that last ComboFix log.

Create a CombFix Script:
  • Please open Notepad
    • Click Start , then Run
    • Type notepad .exe in the Run Box.
  • Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\WINNT\system32\WININET.DLL
C:\WINNT\system32\Perflib_Perfdata_208.dat

  • Save the above as CFScript.txt
  • Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
    Posted Image
  • After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


Please go HERE to run Panda's TotalScan
  • Select the bubble for Full scan
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report


Can you give me more information about the message window.
Can you copy down exactly what it says?
Where does the message come from, does it say who it is from?

Cheers,

sage5

Edited by sage5, 27 March 2008 - 12:37 AM.

  • 0

#14
nikkiware

nikkiware

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
sorry it took so long been down with flu. i did the last combofix that you stated and now i am unable to get online at all. i get a red error msg with red circle and white x in middle stating that it is unable to locate .dll I believe that whatever you had me do that wininet.dll was a needed item for my computer to access the internet. many of my other programs also come up with unable to locate path like my antivirus and my firewall now.
  • 0

#15
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi nikkiware ,

My apologies, that file can be corrupted my malware, but let's replace it and get you back on the air.

Go to the C:\qoobox\quarantine folder.
There you should see a file structure like C:\WINNT\system32.
In that fiolder you will see a file named wininet.dll.vir
Right click on it and Copy it back to your system folder C:\WINNT\system32.
Once there remove the .vir extension & reboot the system.

Check to see if you have a working internet connection.

If so download the following & save to your Desktop:
OTScanIt.exe

Install OTScanIt:
  • Double-click on OTScanIt.exe to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close any open browsers.
  • If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Make sure that the Non Microsoft option is clicked in the Drivers box.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning large amounts of data so depending on your system it could take a while to complete.
  • When the scan is done Notepad will open with the report file loaded in it.
  • Save the file in the new OTScanIt folder as Scan1.txt
If the log is too large to post, use the Reply button, scroll down to the Attachments section and attach the Notepad file here.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP