
My HiJackThis log (Please Help) My computer somehow got slower :( [RE


  • This topic is locked

#1
wrecklesskane

  • Member
  • 83 posts
Hi everyone, :)

OK, all I can tell you is that I'm not very experienced in using computers, so I wouldn't know the name of my malware problem or whatever kind of problem it is... So I'll just tell ya my problem. Ever since I got my computer it was pretty fast, and when I would watch videos, the video would load no problem. But now whenever I try to watch them, I have to wait about a minute or two until I can watch the whole thing... And so what I WANT TO KNOW is what could be causing this, and why my computer suddenly got "SLOWER"?

Well, here's my HiJackThis log. I really hope you guys can help me solve this :)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54:40 AM, on 5/27/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\config\svchost.exe
C:\WINNT\system32\SVchOst.Exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\config\sy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINNT\system32\AlxTB1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} - C:\WINNT\system32\SHDOCVW.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [Hotkeyz] "c:\program files\skynergy\hotkeyz\hotkeyz.exe /minimize"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT Startup: Ӳ.txt (User 'Default user')
O4 - .DEFAULT User Startup: Ӳ.txt (User 'Default user')
O4 - Global Startup: Mozilla Firefox
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O16 - DPF: Yahoo! Chess - http://download2.gam...nts/y/ct5_x.cab
O16 - DPF: {970EF5A2-CE21-4A16-B21F-3FC9AF1F89F2} (HearMe (eSylvan) (Firewall) Voice Control) - http://techsupport.e...itor/esvcfe.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {FFA0B580-F85C-11D4-B501-00010261BA08} - http://assessment.es....com/PCInfo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C88EEDDC-B6AE-45F8-BB34-A7F7ECE3D0CD}: NameServer = 205.171.3.65,205.171.2.65
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows Serial Number Service (Explorer) - Unknown owner - C:\WINNT\system32\config\svchost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: netpker - Unknown owner - c:\aa.exe
O23 - Service: radsrver - Unknown owner - C:\alexamw.exe
O23 - Service: Snake SockProxy Service (SkServer) - noname. http://snake.gnuchina.org - C:\WINNT\system32\config\sy.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/My%20Pictures/Goku's%20SSJ3%20Dominating%20Power.gif
O24 - Desktop Component 1: (no name) - file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/My%20Pictures/Gogeta%20and%20Gotenks.jpg
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Administrator\My Documents\My Pictures\Alex, Jeff, Anthony, and da illest ni99a of all them Lance.jpg

--
End of file - 5101 bytes

Edited by wrecklesskane, 27 May 2008 - 12:45 AM.

  • 0
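As an added example (not part of this thread, and not HijackThis code), a small Python triage script that parses the O23 service lines of a HijackThis log, such as the six in the log above, and flags the service images a responder would check first: no readable publisher, an image in the drive root, an image under system32\config (which holds registry hives, not executables), a core system-binary name outside system32, and a URL in the owner field. The heuristic names are this example's own; the sample lines are copied from the log above.

```python
"""Triage the O23 (service) lines of a HijackThis log.

Added example, not part of the forum thread or of HijackThis itself. The
sample lines in SAMPLE_LOG are copied from the log posted above; the flag
names and heuristics are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Optional

# HijackThis O23 format:
# "O23 - Service: <display name> [(short name)] - <owner> - <image path>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+) - (?P<path>[A-Za-z]:\\.+)$"
)

# Core binaries whose genuine copies live directly in %SystemRoot%\system32;
# the same file names in any other directory are a classic masquerade.
SYSTEM32_BINARIES = {
    "svchost.exe", "lsass.exe", "services.exe", "smss.exe",
    "winlogon.exe", "csrss.exe", "spoolsv.exe",
}


@dataclass
class Service:
    name: str
    short: Optional[str]
    owner: str
    path: str
    flags: list[str] = field(default_factory=list)


def parse_o23(line: str) -> Optional[Service]:
    """Return a Service for an O23 line, or None for any other log line."""
    m = O23_RE.match(line.strip())
    if m is None:
        return None
    return Service(m["name"], m["short"], m["owner"], m["path"])


def triage(svc: Service) -> list[str]:
    """Return the heuristics tripped by a service's owner and image path."""
    p = PureWindowsPath(svc.path)
    dirs = [part.lower() for part in p.parts[1:-1]]  # directories below the drive
    flags: list[str] = []
    if svc.owner.strip().lower() == "unknown owner":
        flags.append("no-publisher")           # HJT found no company name in the image
    if not dirs:
        flags.append("drive-root")             # e.g. c:\aa.exe
    if dirs and dirs[-1] == "config":
        flags.append("registry-hive-dir")      # system32\config holds hives, not EXEs
    if p.name.lower() in SYSTEM32_BINARIES and (not dirs or dirs[-1] != "system32"):
        flags.append("system-name-wrong-dir")  # svchost.exe etc. outside system32
    if re.search(r"https?://", svc.owner):
        flags.append("url-as-owner")           # owner field carrying a URL
    return flags


def suspicious_services(log_text: str) -> dict[str, list[str]]:
    """Map image path -> reasons, for every O23 service that trips a heuristic."""
    hits: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        svc.flags = triage(svc)
        if svc.flags:
            hits[svc.path] = svc.flags
    return hits


# Constructed sample: the six O23 lines from the log posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows Serial Number Service (Explorer) - Unknown owner - C:\WINNT\system32\config\svchost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: netpker - Unknown owner - c:\aa.exe
O23 - Service: radsrver - Unknown owner - C:\alexamw.exe
O23 - Service: Snake SockProxy Service (SkServer) - noname. http://snake.gnuchina.org - C:\WINNT\system32\config\sy.exe
"""

if __name__ == "__main__":
    for path, reasons in suspicious_services(SAMPLE_LOG).items():
        print(f"{path}: {', '.join(reasons)}")
```

Run against the sample, the two legitimate services (dmadmin, gusvc) produce no output and the other four are listed with their reasons.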

#2
fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello wrecklesskane, my name is fenzodahl512 and welcome to Geekstogo. Please do the following.

Before we continue, please go to this website, and complete the form as follows:

Link to topic where this file was requested: http://www.geekstogo...er-t199473.html

Browse to the file you want to submit: Click Browse, and navigate to the following file:

C:\WINNT\system32\config\svchost.exe

Leave any comments, further information about this file, or contact information: From fenzodahl512 for SDFix.

NEXT

Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.

NEXT

Please download Deckard's System Scanner (DSS) from HERE or HERE and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • Please let your firewall allow the scanning/downloading process.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Please post the following logs in your next reply:

1. SDFix
2. Deckard's System Scanner (both main.txt and extra.txt)

Please post each log in a separate post.

Regards
fenzodahl512
  • 0

#3
wrecklesskane

  • Topic Starter
  • Member
  • 83 posts
Hello fenzodahl512, it seems I have run into a slight problem with this set of instructions right here. Whenever I get to the part where you press F8, and where those options pop up, my keyboard won't work for me from that point on. Do you know what could be causing this?

Thanks for coming to help, by the way.

Edited by wrecklesskane, 28 May 2008 - 02:57 PM.

  • 0

#4
fenzodahl512

  • Malware Removal
  • 9,863 posts
Does your keyboard work in Normal Mode? Proceed with Deckard's System Scanner please, and post both main.txt and extra.txt here.

Thank you :)
  • 0

#5
wrecklesskane

  • Topic Starter
  • Member
  • 83 posts
To answer your question, yes, my keyboard works just fine in normal mode, and I haven't the slightest clue why it doesn't work on that part... Well, here are the logs that you requested; I hope you can make good use of them. Both main.txt and extra.txt are here.

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 42%
Physical Memory (total/avail): 253.58 MiB / 144.61 MiB
Pagefile Memory (total/avail): 614.28 MiB / 506.09 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1952.26 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 9.32 GiB total, 3.91 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - WDC WD100BA - 9.32 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 9.32 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CATAPULT
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\CATAPULT
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 10, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=080a
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=CATAPULT
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

Catapult (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINNT\$NtServicePackUninstall$\spuninst\spuninst.exe
--> Rundll32 AlxTB2.dll,Uninstall RunDll32 syssetup.dll,SetupInfObjectInstallAction DefaultUnInstall.NT 4 alexa7.inf
Actiontec Gateway --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9692FD03-6662-4E62-B08C-30DFF51651E1}\setup.exe" -l0x9
Adobe Flash Player ActiveX --> C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Agere Systems PCI Soft Modem --> agrsmdel
Alexa Toolbar --> C:\Program Files\Alexa Toolbar\uninstall.exe
AOpen FM56-SVV Soft PCI Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F30&SUBSYS_203014F1\HXFSETUP.EXE -U -IAopn203p.inf
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HotKeyz 2.6.0.0 --> "C:\Program Files\Skynergy\HotKeyz\unins000.exe"
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft .NET Framework 1.1 --> msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 --> MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1 Hotfix (KB886903) --> "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINNT\Microsoft.NET\Framework\v1.1.4322\Updates\M886903\M886903Uninstall.msp"
Microsoft .NET Framework 2.0 Service Pack 1 --> MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINNT\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
PCI SoftV92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F50&SUBSYS_205F14F1\HXFSETUP.EXE -U -IVEN_14F1&DEV_2F50&SUBSYS_205F14F1
QuickConnect --> C:\Program Files\InstallShield Installation Information\{4998FF95-709A-430A-B104-92A009ABB848}\setup.exe -runfromtemp -l0x0009 -removeonly
Registry Patrol v3.0 --> C:\WINNT\unvise32.exe C:\Program Files\RegistryPatrol3.0\uninstal.log
Security Update for DirectX 9 (KB941568) --> "C:\WINNT\$NtUninstallKB941568_DX9$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB904706) -->
Security Update for Windows 2000 (KB923689) --> "C:\WINNT\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB941569) --> "C:\WINNT\$NtUninstallKB941569$\spuninst\spuninst.exe"
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
TruePoker (High Res) --> C:\PROGRA~1\TRUEPO~1\UNWISE.EXE C:\PROGRA~1\TRUEPO~1\INSTALL.LOG
Tweak UI --> C:\WINNT\rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultUninstall 4 C:\WINNT\Inf\Tweakui.Inf
Windows Rights Management Client Backwards Compatibility SP2 --> MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2 --> MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}


-- Application Event Log -------------------------------------------------------

Event Record #/Type958 / Warning
Event Submitted/Written: 05/29/2008 03:53:14 AM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET_2.0.50727 performance library because it returned invalid data: 0x0

Event Record #/Type957 / Warning
Event Submitted/Written: 05/29/2008 03:53:11 AM
Event ID/Source: 35 / WinMgmt
Event Description:
WMI ADAP was unable to load the ASP.NET performance library because it returned invalid data: 0x0

Event Record #/Type955 / Warning
Event Submitted/Written: 05/29/2008 03:52:28 AM
Event ID/Source: 4100 / EventSystem
Event Description:
The COM+ Event System failed to create an instance of the subscriber {6295DF2D-35EE-11D1-8707-00C04FD93327}. CoCreateInstanceEx returned HRESULT 8000401A.

Event Record #/Type954 / Error
Event Submitted/Written: 05/28/2008 04:18:44 PM
Event ID/Source: 0 / aa.exe
Event Description:
Access violation at address 00452626 in module 'aa.exe'. Read of address 000002F4

Event Record #/Type953 / Error
Event Submitted/Written: 05/28/2008 04:18:01 PM
Event ID/Source: 0 / aa.exe
Event Description:
Access violation at address 00452626 in module 'aa.exe'. Read of address 000002F4



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type345 / Error
Event Submitted/Written: 05/29/2008 03:52:25 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the radsrver service to connect.

Event Record #/Type341 / Error
Event Submitted/Written: 05/28/2008 04:03:35 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the radsrver service to connect.

Event Record #/Type337 / Error
Event Submitted/Written: 05/28/2008 03:30:03 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the radsrver service to connect.

Event Record #/Type333 / Error
Event Submitted/Written: 05/28/2008 03:20:16 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the radsrver service to connect.

Event Record #/Type329 / Error
Event Submitted/Written: 05/28/2008 03:32:16 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the radsrver service to connect.



-- End of Deckard's System Scanner: finished at 2008-05-29 04:58:54 ------------


Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-29 04:50:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 254 MiB (256 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:04 AM, on 5/29/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\config\svchost.exe
C:\WINNT\system32\SVchOst.Exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\config\sy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

O2 - BHO: RXResultTracker Class - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - C:\Program Files\RXToolBar\sfcont.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINNT\system32\AlxTB1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} - C:\WINNT\system32\SHDOCVW.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [Hotkeyz] "c:\program files\skynergy\hotkeyz\hotkeyz.exe /minimize"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT Startup: Ӳ.txt (User 'Default user')
O4 - .DEFAULT User Startup: Ӳ.txt (User 'Default user')
O4 - Global Startup: Mozilla Firefox
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O16 - DPF: Yahoo! Chess - http://download2.gam...nts/y/ct5_x.cab
O16 - DPF: {970EF5A2-CE21-4A16-B21F-3FC9AF1F89F2} (HearMe (eSylvan) (Firewall) Voice Control) - http://techsupport.e...itor/esvcfe.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {FFA0B580-F85C-11D4-B501-00010261BA08} - http://assessment.es....com/PCInfo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C88EEDDC-B6AE-45F8-BB34-A7F7ECE3D0CD}: NameServer = 205.171.3.65,205.171.2.65
O18 - Filter hijack: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - C:\Program Files\RXToolBar\sfcont.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows Serial Number Service (Explorer) - Unknown owner - C:\WINNT\system32\config\svchost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: netpker - Unknown owner - c:\aa.exe
O23 - Service: radsrver - Unknown owner - C:\alexamw.exe
O23 - Service: Snake SockProxy Service (SkServer) - noname. http://snake.gnuchina.org - C:\WINNT\system32\config\sy.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/My%20Pictures/Goku's%20SSJ3%20Dominating%20Power.gif
O24 - Desktop Component 1: (no name) - file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/My%20Pictures/Gogeta%20and%20Gotenks.jpg
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Administrator\My Documents\My Pictures\Alex, Jeff, Anthony, and da illest ni99a of all them Lance.jpg

--
End of file - 5053 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 mdmxsdk - c:\winnt\system32\drivers\mdmxsdk.sys <Not Verified; Conexant; Diagnostic Interface x86 Driver>

S3 HSF_DPV - c:\winnt\system32\drivers\hsf_dpv.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
S3 HSFHWBS2 - c:\winnt\system32\drivers\hsfhwbs2.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
S3 winachsf - c:\winnt\system32\drivers\hsf_cnxt.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Explorer (Windows Serial Number Service) - "c:\winnt\system32\config\svchost.exe" /service
R2 netpker - c:\aa.exe
R2 SkServer (Snake SockProxy Service) - c:\winnt\system32\config\sy.exe <Not Verified; noname. http://snake.gnuchina.org; SkSockServer Module>

S2 Iusr_sys -
S2 radsrver - c:\alexamw.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-27 03:30:00 418 --a------ C:\WINNT\Tasks\ErrorSmart Scheduled Scan.job


-- Files created between 2008-04-29 and 2008-05-29 -----------------------------

2008-05-26 04:18:30 0 d-------- C:\Program Files\Trend Micro
2008-05-26 03:43:26 86016 --a------ C:\WINNT\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-05-26 03:43:11 0 d-------- C:\Program Files\RegistryPatrol3.0
2008-05-19 00:48:20 20480 --a------ C:\WINNT\system32\SysRestore.dll <Not Verified; Ascentive LLC; prjSysRestore>
2008-05-19 00:48:19 208896 --a------ C:\WINNT\system32\ConTest.dll <Not Verified; Ascentive; ConnectionTester>
2008-05-17 21:53:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2008-05-05 02:44:25 0 d-------- C:\Program Files\Java
2008-05-05 01:12:59 0 d--h---c- C:\WINNT\$SQLUninstallMDAC25SP3-KB927779-x86-ENU$


-- Find3M Report ---------------------------------------------------------------

2008-05-28 16:01:15 837030 ---h----- C:\WINNT\ShellIconCache
2008-05-23 23:07:05 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-21 03:10:23 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-28 05:16:01 1160 --a------ C:\WINNT\mozver.dat
2008-04-24 03:53:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\ErrorSmart
2008-04-23 15:36:09 0 --a------ C:\WINNT\nsreg.dat
2008-04-23 15:36:02 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-04-23 03:21:42 0 d-------- C:\Program Files\Alexa Toolbar
2008-04-08 10:43:50 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_31c.dat
2008-04-03 01:28:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\Help
2008-04-03 01:27:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun
2008-04-02 18:11:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-04-02 18:11:35 0 d-------- C:\Program Files\Google
2008-04-01 23:54:35 0 d-------- C:\Program Files\Adaptec
2008-04-01 23:41:36 0 d-a------ C:\Program Files\Common Files
2008-04-01 22:53:35 10 --a------ C:\WINNT\smdat32m.sys
2008-03-29 15:13:54 1 ---h----- C:\Boots.sys
2008-03-26 08:45:59 1728512 --a------ C:\WINNT\system32\gdiplus.dll <Not Verified; Microsoft Corporation; Microsoft Windows Operating System>
2008-03-19 07:47:42 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_5b0.dat
2008-03-16 14:34:16 876 --a------ C:\WINNT\smdat32a.sys
2008-03-13 18:38:27 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_540.dat
2008-03-13 03:55:45 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_83c.dat
2008-03-11 07:11:14 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_694.dat
2008-03-11 02:20:20 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_318.dat
2008-03-10 21:41:49 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_708.dat
2008-03-10 03:32:35 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_a44.dat
2008-03-10 02:14:58 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_9fc.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59879FA4-4790-461c-A1CC-4EC4DE4CA483}]
C:\Program Files\RXToolBar\sfcont.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1FABE79-25FC-46de-8C5A-2C6DB9D64333}]
10/30/06 08:07p 565248 --a------ C:\WINNT\system32\AlxTB1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 03:05p C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/08 04:25a]
"Tweak UI"="TWEAKUI.CPL" [06/18/00 02:03p C:\WINNT\system32\TWEAKUI.CPL]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hotkeyz"="c:\program files\skynergy\hotkeyz\hotkeyz.exe" [11/21/06 12:05p]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [04/02/08 06:11p]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"FlashPlayerUpdate"=C:\WINNT\system32\Macromed\Flash\GetFlash.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"=0 (0x0)
"RunLogonScriptSync"=0 (0x0)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)
"DisableChangePassword"=0 (0x0)
"HideLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)
"DisableLockWorkstation"=0 (0x0)
"DisableChangePassword"=0 (0x0)
"HideLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeKeyboardNavigationIndicators"=0 (0x0)
"NoChangeAnimation"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"RestrictCpl"=0 (0x0)
"DisallowCpl"=0 (0x0)
"NoViewOnDrive"=0 (0x0)
"RestrictRun"=0 (0x0)
"DisallowRun"=0 (0x0)
"NoPropertiesMyComputer"=0 (0x0)
"NoPropertiesMyDocuments"=0 (0x0)
"NoManageMyComputerVerb"=0 (0x0)
"NoDesktop"=0 (0x0)
"NoCustomizeWebView"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoViewContextMenu"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoShellSearchButton"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoWinKeys"=0 (0x0)
"NoFileAssociate"=0 (0x0)
"NoDFSTab"=0 (0x0)
"NoHardwareTab"=0 (0x0)
"NoInstrumentation"=0 (0x0)
"NoWebView"=0 (0x0)
"DontShowSuperHidden"=0 (0x0)
"NoRun"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoSMConfigurePrograms"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoSMMyPictures"=0 (0x0)
"NoStartMenuMyMusic"=0 (0x0)
"NoSMMyDocs"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoHelp"=0 (0x0)
"NoNetworkConnections"=0 (0x0)
"NoCommonGroups"=1 (0x1)
"NoFind"=0 (0x0)
"NoWindowsUpdate"=0 (0x0)
"NoFolderOptions"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"ForceStartMenuLogoff"=0 (0x0)
"StartMenuLogoff"=0 (0x0)
"NoStartMenuSubFolders"=0 (0x0)
"NoDisconnect"=0 (0x0)
"NoNtSecurity"=0 (0x0)
"NoSetFolders"=0 (0x0)
"GreyMSIAds"=0 (0x0)
"ForceMaxRecentDocs"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoStartBanner"=00000000
"NoActiveDesktop"=0 (0x0)
"NoActiveDesktopChanges"=0 (0x0)
"ForceActiveDesktopOn"=0 (0x0)
"NoFileUrl"=0 (0x0)
"NoInternetIcon"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoExpandedNewMenu"=0 (0x0)
"SpecifyDefaultButtons"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)
"NoRecentDocsNetHood"=0 (0x0)
"EnforceShellExtensionSecurity"=0 (0x0)
"NoClose"=0 (0x0)
"NoLogOff"=0 (0x0)
"NoRunasInstallPrompt"=0 (0x0)
"PromptRunasInstallNetPath"=1 (0x1)
"NoResolveTrack"=0 (0x0)
"NoResolveSearch"=0 (0x0)
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoDevMgrUpdate"=0 (0x0)
"ForceCopyAclwithFile"=0 (0x0)
"StartRunNoHOMEPATH"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\RestrictRun]
"0?"=mobsync.exe
"1?"=jusched.exe
"2?"=rundll32.exe
"3?"=newadmin.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeKeyboardNavigationIndicators"=0 (0x0)
"NoChangeAnimation"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"RestrictCpl"=0 (0x0)
"DisallowCpl"=0 (0x0)
"NoViewOnDrive"=0 (0x0)
"RestrictRun"=0 (0x0)
"DisallowRun"=0 (0x0)
"NoPropertiesMyComputer"=0 (0x0)
"NoPropertiesMyDocuments"=0 (0x0)
"NoManageMyComputerVerb"=0 (0x0)
"NoDesktop"=0 (0x0)
"NoCustomizeWebView"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoViewContextMenu"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoShellSearchButton"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoWinKeys"=0 (0x0)
"NoFileAssociate"=0 (0x0)
"NoDFSTab"=0 (0x0)
"NoHardwareTab"=0 (0x0)
"NoInstrumentation"=0 (0x0)
"NoWebView"=0 (0x0)
"DontShowSuperHidden"=0 (0x0)
"NoRun"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoSMConfigurePrograms"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoSMMyPictures"=0 (0x0)
"NoStartMenuMyMusic"=0 (0x0)
"NoSMMyDocs"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoSMHelp"=0 (0x0)
"NoHelp"=0 (0x0)
"NoNetworkConnections"=0 (0x0)
"NoCommonGroups"=0 (0x0)
"NoFind"=0 (0x0)
"NoWindowsUpdate"=0 (0x0)
"NoFolderOptions"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"ForceStartMenuLogoff"=0 (0x0)
"StartMenuLogoff"=0 (0x0)
"NoStartMenuSubFolders"=0 (0x0)
"NoDisconnect"=0 (0x0)
"NoNtSecurity"=0 (0x0)
"NoSetFolders"=0 (0x0)
"GreyMSIAds"=0 (0x0)
"ForceMaxRecentDocs"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoStartBanner"=00000000
"NoActiveDesktop"=0 (0x0)
"NoActiveDesktopChanges"=0 (0x0)
"ForceActiveDesktopOn"=0 (0x0)
"NoFileUrl"=0 (0x0)
"NoInternetIcon"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoExpandedNewMenu"=0 (0x0)
"SpecifyDefaultButtons"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)
"NoRecentDocsNetHood"=0 (0x0)
"EnforceShellExtensionSecurity"=0 (0x0)
"NoClose"=0 (0x0)
"NoLogOff"=0 (0x0)
"NoRunasInstallPrompt"=0 (0x0)
"PromptRunasInstallNetPath"=1 (0x1)
"NoResolveTrack"=0 (0x0)
"NoResolveSearch"=0 (0x0)
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoDevMgrUpdate"=0 (0x0)
"ForceCopyAclwithFile"=0 (0x0)
"StartRunNoHOMEPATH"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\RestrictRun]
"0?"=mobsync.exe
"1?"=jusched.exe
"2?"=rundll32.exe
"3?"=newadmin.exe
"4?"=icwconn1.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\Documents and Settings\Administrator\My Documents\My Pictures\Alex, Jeff, Anthony, and da illest ni99a of all them Lance.jpg
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{DD7D4640-4464-48C0-82FD-21338366D2D2}"= C:\Program Files\Internet Explorer\MoWang.tdm [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
ljutep ljutep

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
servicess




-- End of Deckard's System Scanner: finished at 2008-05-29 04:58:54 ------------

Edited by wrecklesskane, 29 May 2008 - 04:09 AM.


#6
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello wrecklesskane, thanks for the reply.. Please do the following..

Please go to Start > Control Panel > Add or Remove Programs and remove the following (if present):

Alexa Toolbar




NEXT


Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply

Note: DO NOT mouseclick combofix's window while it's running. That may cause it to stall


Please post the following logs in your next reply..

1. ComboFix
2. A fresh HijackThis log..


Regards
fenzodahl512

#7
wrecklesskane

wrecklesskane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 83 posts
Hi fenzodahl512, :)

Wow, call me crazy, but when I tried to remove the Alexa Toolbar it said I had to reboot my computer to uninstall it, so when I did that, it was still there and wasn't uninstalled at all. So what do I do now, fenzodahl512?

Edited by wrecklesskane, 29 May 2008 - 07:39 AM.


#8
wrecklesskane

wrecklesskane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 83 posts
Ok, here's both of the logs you wanted; hope you can find the problem somewhere in there :)



ComboFix 08-05-28.4 - Administrator 05/29/2008 8:35:54.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.138 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\alexa toolbar
C:\Program Files\alexa toolbar\uninstall.exe
C:\Program Files\internet explorer\mowang.sys
C:\WINNT\Downloaded Program Files\setup.inf
C:\WINNT\smdat32a.sys
C:\WINNT\smdat32m.sys
C:\WINNT\system32\alxres.dll
C:\WINNT\system32\AlxTB1.dll
C:\WINNT\system32\config\svchost.exe
C:\WINNT\system32\drivers\csrss.exe
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-29 08:35 . 05/29/08 08:35a 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_314.dat
2008-05-29 04:49 . 05/29/08 04:49a <DIR> d-------- C:\Deckard
2008-05-26 04:18 . 05/26/08 04:18a <DIR> d-------- C:\Program Files\Trend Micro
2008-05-26 03:47 . 05/26/08 03:47a 45 --a------ C:\WINNT\system32\RPVersion.ini
2008-05-26 03:43 . 05/26/08 03:45a <DIR> d-------- C:\Program Files\RegistryPatrol3.0
2008-05-26 03:43 . 12/17/99 10:43p 86,016 --a------ C:\WINNT\unvise32.exe
2008-05-19 00:48 . 04/29/08 01:14p 208,896 --a------ C:\WINNT\system32\ConTest.dll
2008-05-19 00:48 . 07/03/07 11:48a 20,480 --a------ C:\WINNT\system32\SysRestore.dll
2008-05-17 21:53 . 05/17/08 09:53p <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Leadertech
2008-05-05 02:45 . 02/22/08 02:33a 69,632 --a------ C:\WINNT\system32\javacpl.cpl
2008-05-05 02:44 . 05/05/08 02:45a <DIR> d-------- C:\Program Files\Java
2008-05-05 01:12 . 05/05/08 01:13a <DIR> d--h-c--- C:\WINNT\$SQLUninstallMDAC25SP3-KB927779-x86-ENU$

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 03:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-21 07:10 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-24 07:53 --------- d-----w C:\Documents and Settings\Administrator\Application Data\ErrorSmart
2008-04-02 22:11 --------- d-----w C:\Program Files\Google
2008-04-02 03:54 --------- d-----w C:\Program Files\Adaptec
2008-03-29 19:13 1 ---h--w C:\Boots.sys
2008-03-27 07:13 151,583 ----a-w C:\WINNT\system32\msjint40.dll
2008-03-27 07:06 355,104 ----a-w C:\WINNT\system32\msxbde40.dll
2008-03-27 07:05 838,432 ----a-w C:\WINNT\system32\mswdat10.dll
2008-03-27 07:05 621,344 ----a-w C:\WINNT\system32\mswstr10.dll
2008-03-27 07:05 264,992 ----a-w C:\WINNT\system32\mstext40.dll
2008-03-27 07:04 559,904 ----a-w C:\WINNT\system32\msrepl40.dll
2008-03-27 07:04 432,928 ----a-w C:\WINNT\system32\msrd2x40.dll
2008-03-27 07:04 322,336 ----a-w C:\WINNT\system32\msrd3x40.dll
2008-03-27 07:03 355,104 ----a-w C:\WINNT\system32\mspbde40.dll
2008-03-27 07:03 248,608 ----a-w C:\WINNT\system32\msjtes40.dll
2008-03-27 07:03 219,936 ----a-w C:\WINNT\system32\msltus40.dll
2008-03-27 07:02 60,192 ----a-w C:\WINNT\system32\msjter40.dll
2008-03-27 07:02 355,112 ----a-w C:\WINNT\system32\msjetoledb40.dll
2008-03-27 07:01 1,516,568 ----a-w C:\WINNT\system32\msjet40.dll
2008-03-27 07:00 518,944 ----a-w C:\WINNT\system32\msexch40.dll
2008-03-27 07:00 326,432 ----a-w C:\WINNT\system32\msexcl40.dll
2008-03-26 12:45 1,728,512 ----a-w C:\WINNT\system32\gdiplus.dll
2008-03-19 12:30 507,658 ----a-w C:\WINNT\java\Packages\GCR77R1N.ZIP
2008-03-19 09:26 1,644,080 ----a-w C:\WINNT\system32\WIN32K.SYS
2006-12-15 13:43 271 ------w C:\Program Files\desktop.ini
2006-12-15 13:43 21,952 ------w C:\Program Files\folder.htt
2000-07-26 17:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2007-12-06 03:57 61,545 --sha-r C:\WINNT\eraseme_02186.exe
2007-12-06 04:19 61,545 --sha-r C:\WINNT\eraseme_37006.exe
2007-12-06 03:24 61,545 --sha-r C:\WINNT\eraseme_42841.exe
2007-12-06 04:19 61,545 --sha-r C:\WINNT\eraseme_45822.exe
2007-12-06 03:59 61,545 --sha-r C:\WINNT\system32\eraseme_02186.exe
2007-12-06 03:29 61,545 --sha-r C:\WINNT\system32\eraseme_42841.exe
.

------- Sigcheck -------


.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Hotkeyz"="c:\program files\skynergy\hotkeyz\hotkeyz.exe" [11/21/06 12:05p 837632]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [04/02/08 06:11p 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 03:05p 111376 C:\WINNT\system32\mobsync.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/08 04:25a 144784]
"Tweak UI"="TWEAKUI.CPL" [06/18/00 02:03p 106544 C:\WINNT\system32\TWEAKUI.CPL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [04/02/08 06:11p 171448]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 03:05p 186640]
"FlashPlayerUpdate"="C:\WINNT\system32\Macromed\Flash\GetFlash.exe" [ ]

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\
O_EOI.txt [2008-03-29 15:13:54 51]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Mozilla Firefox
Mozilla Firefox (Safe Mode).lnk - C:\Program Files\Mozilla Firefox\firefox.exe [2008-04-23 15:35:49 7660656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"HideLogonScripts"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"= 0 (0x0)
"NoDispAppearancePage"= 0 (0x0)
"NoDispScrSavPage"= 0 (0x0)
"NoDispSettingsPage"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)
"DisableChangePassword"= 0 (0x0)
"HideLogonScripts"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoWinKeys"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 1 (0x1)
"ForceStartMenuLogoff"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoRunasInstallPrompt"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeKeyboardNavigationIndicators"= 0 (0x0)
"NoChangeAnimation"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"RestrictCpl"= 0 (0x0)
"DisallowCpl"= 0 (0x0)
"NoViewOnDrive"= 0 (0x0)
"RestrictRun"= 0 (0x0)
"DisallowRun"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
"NoViewContextMenu"= 0 (0x0)
"NoWinKeys"= 0 (0x0)
"NoFileAssociate"= 0 (0x0)
"NoDFSTab"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoWebView"= 0 (0x0)
"DontShowSuperHidden"= 0 (0x0)
"NoRun"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoHelp"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoFind"= 0 (0x0)
"ForceStartMenuLogoff"= 0 (0x0)
"StartMenuLogoff"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoDisconnect"= 0 (0x0)
"NoNtSecurity"= 0 (0x0)
"NoSetFolders"= 0 (0x0)
"GreyMSIAds"= 0 (0x0)
"ForceMaxRecentDocs"= 0 (0x0)
"NoTrayContextMenu"= 0 (0x0)
"NoActiveDesktopChanges"= 0 (0x0)
"NoFileUrl"= 0 (0x0)
"NoBandCustomize"= 0 (0x0)
"NoToolbarCustomize"= 0 (0x0)
"NoExpandedNewMenu"= 0 (0x0)
"SpecifyDefaultButtons"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoClose"= 0 (0x0)
"NoLogOff"= 0 (0x0)
"NoRunasInstallPrompt"= 0 (0x0)
"PromptRunasInstallNetPath"= 1 (0x1)
"NoResolveTrack"= 0 (0x0)
"NoResolveSearch"= 0 (0x0)
"NoDevMgrUpdate"= 0 (0x0)
"ForceCopyAclwithFile"= 0 (0x0)
"StartRunNoHOMEPATH"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\Documents and Settings\Administrator\My Documents\My Pictures\Alex, Jeff, Anthony, and da illest ni99a of all them Lance.jpg
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

R2 ljutep;ljutep;C:\WINNT\system32\SVchOst.Exe [07/26/00 01:00p]
R2 netpker;netpker;c:\aa.exe [12/05/07 10:46p]
R2 servicess;servicess;C:\WINNT\system32\svchost.exe [07/26/00 01:00p]
R2 SkServer;Snake SockProxy Service;C:\WINNT\system32\config\sy.exe [12/11/07 07:35a]
R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [10/23/99 08:22a]
S2 Explorer;Windows Serial Number Service;"C:\WINNT\system32\config\svchost.exe" /service []
S2 radsrver;radsrver;C:\alexamw.exe [12/11/07 07:35a]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
ljutep REG_MULTI_SZ ljutep

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
servicess

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints\D]
\Shell\AutoRun\command - D:\Autorun.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-27 07:30:00 C:\WINNT\Tasks\ErrorSmart Scheduled Scan.job"
- C:\Program Files\ErrorSmart\ErrorSmart.ex
- C:\Program Files\ErrorSmart
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 08:38:03
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

\aa.exe [524] 0x86AD1D60

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> c:\winnt\system32\nrtyxo.dll
.
Completion time: 05/29/2008 8:39:28
ComboFix-quarantined-files.txt 2008-05-29 12:39:21

Pre-Run: 4,076,363,776 bytes free
Post-Run: 4,230,832,128 bytes free

249 --- E O F --- 2008-05-29 12:21:58
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:43 AM, on 5/29/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\SVchOst.Exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\config\sy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [Hotkeyz] "c:\program files\skynergy\hotkeyz\hotkeyz.exe /minimize"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT Startup: Ӳ.txt (User 'Default user')
O4 - .DEFAULT User Startup: Ӳ.txt (User 'Default user')
O4 - Global Startup: Mozilla Firefox
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O16 - DPF: Yahoo! Chess - http://download2.gam...nts/y/ct5_x.cab
O16 - DPF: {970EF5A2-CE21-4A16-B21F-3FC9AF1F89F2} (HearMe (eSylvan) (Firewall) Voice Control) - http://techsupport.e...itor/esvcfe.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {FFA0B580-F85C-11D4-B501-00010261BA08} - http://assessment.es....com/PCInfo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C88EEDDC-B6AE-45F8-BB34-A7F7ECE3D0CD}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows Serial Number Service (Explorer) - Unknown owner - C:\WINNT\system32\config\svchost.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: netpker - Unknown owner - c:\aa.exe
O23 - Service: radsrver - Unknown owner - C:\alexamw.exe
O23 - Service: Snake SockProxy Service (SkServer) - noname. http://snake.gnuchina.org - C:\WINNT\system32\config\sy.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/My%20Pictures/Goku's%20SSJ3%20Dominating%20Power.gif
O24 - Desktop Component 1: (no name) - file:///C:/Documents%20and%20Settings/Administrator/My%20Documents/My%20Pictures/Gogeta%20and%20Gotenks.jpg
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Administrator\My Documents\My Pictures\Alex, Jeff, Anthony, and da illest ni99a of all them Lance.jpg

--
End of file - 4891 bytes
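The helper's instructions in this thread are built from the launch paths in the logs above: a service named "Explorer" starting a svchost.exe under System32\config, a process spelled SVchOst.Exe, services running c:\aa.exe and C:\alexamw.exe from the drive root. As an added example (not part of the thread, and not a feature of HijackThis or ComboFix), the Python script below parses the "Running processes" list and the O23 service lines of a HijackThis log and flags exactly those path patterns; the sample log inside is a constructed excerpt of post #8, and the heuristics and function names are my own.

```python
"""Triage a HijackThis v2 log for the launch-path indicators seen in this thread
(added example, not a HijackThis/ComboFix feature; the checks are explained inline)."""
import re

# Windows 2000 installs to C:\WINNT; later releases use C:\Windows.
SYSTEM32_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe"}


def clean_path(raw: str) -> str:
    """Strip quotes and the HijackThis '(file missing)' suffix from a launch path."""
    return re.sub(r"\s*\(file missing\)$", "", raw.strip()).strip('"')


def inspect_path(path: str) -> list:
    """Return the reasons a launch path looks suspicious; an empty list means none."""
    reasons = []
    low = path.lower()
    parent, _, base = low.rpartition("\\")
    shown_base = path.rpartition("\\")[2]
    if base in CORE_BINARIES:
        # The real svchost.exe lives only in System32; the log showed a copy under
        # System32\config, and a csrss.exe under System32\drivers.
        if parent not in SYSTEM32_DIRS:
            reasons.append("core system binary name outside System32")
        # The spelling comes from the ImagePath/Run value that started the process,
        # so SVchOst.Exe points at a separate registry entry worth reading.
        if shown_base != base:
            reasons.append("core binary name with unusual capitalisation")
    if base.endswith(".exe") and parent.endswith((r"\system32\config", r"\system32\drivers")):
        reasons.append("executable in System32\\config or System32\\drivers")
    if re.fullmatch(r"[a-z]:\\[^\\]+", low):     # c:\aa.exe, C:\alexamw.exe
        reasons.append("binary sits in the drive root")
    return reasons


def parse_hijackthis(text: str) -> list:
    """Return (kind, path, reasons) triples for suspicious processes and O23 services."""
    findings = []
    in_processes = False
    for line in text.splitlines():
        s = line.strip()
        if s == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not s:                   # a blank line ends the process list
                in_processes = False
                continue
            path = clean_path(s)
            if reasons := inspect_path(path):
                findings.append(("process", path, reasons))
            continue
        if s.startswith("O23 - Service:"):
            # "O23 - Service: <name> (<short>) - <owner> - <path>"; the name may
            # itself contain " - ", so split the last two fields from the right.
            parts = s.split(" - ", 1)[1].rsplit(" - ", 2)
            if len(parts) != 3:
                continue
            _name, owner, raw_path = parts
            path = clean_path(raw_path)
            reasons = inspect_path(path)
            if owner.strip() == "Unknown owner":   # weak alone, telling with the rest
                reasons.append("service reports 'Unknown owner'")
            if reasons:
                findings.append(("service", path, reasons))
    return findings


# Constructed excerpt of the HijackThis log posted above (post #8).
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\SVchOst.Exe
C:\WINNT\system32\config\sy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows Serial Number Service (Explorer) - Unknown owner - C:\WINNT\system32\config\svchost.exe (file missing)
O23 - Service: netpker - Unknown owner - c:\aa.exe
O23 - Service: radsrver - Unknown owner - C:\alexamw.exe
O23 - Service: Snake SockProxy Service (SkServer) - noname. http://snake.gnuchina.org - C:\WINNT\system32\config\sy.exe
"""

if __name__ == "__main__":
    for kind, path, reasons in parse_hijackthis(SAMPLE_LOG):
        print(f"[{kind}] {path}: {'; '.join(reasons)}")
```

Run against the excerpt it reports six findings: the oddly-cased SVchOst.Exe, sy.exe twice (as a process and as the SkServer service), the "Explorer" service's svchost.exe under System32\config, and the two root-directory service binaries, while smss.exe and dmadmin.exe pass clean.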

#9
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Hello wrecklesskane, thanks for the reply.. Please do the following..


Please show hidden files and folders. Please visit HERE if you don't know how.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

    • C:\Boots.sys
  • Click on the submit button
  • Please post the results in your next reply.
If Jotti server is too busy, please submit the file to VirusTotal instead.




NEXT


Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum: wrecklesskane
  • Copy and paste the link to this thread: http://www.geekstogo...er-t199473.html
  • Browse for this filename:
    • C:\Boots.sys
  • In the comments, please mention that fenzodahl512 asked you to upload this file
  • Click on Send File




NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
netpker
SkServer
Explorer
radsrver

File::
C:\WINNT\eraseme_02186.exe
C:\WINNT\eraseme_37006.exe
C:\WINNT\eraseme_42841.exe
C:\WINNT\eraseme_45822.exe
C:\WINNT\system32\eraseme_02186.exe
C:\WINNT\system32\eraseme_42841.exe
C:\WINNT\system32\config\sy.exe
C:\alexamw.exe
c:\aa.exe
C:\WINNT\system32\config\svchost.exe
C:\WINNT\web\related.htm
D:\Autorun.exe
c:\winnt\system32\nrtyxo.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints\D]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


Please post the following logs in your next reply.. Please post each log in separate post

1. Jotti result
2. ComboFix log
3. A fresh HijackThis log



Regards
fenzodahl512

#10
wrecklesskane

wrecklesskane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 83 posts
Steps for showing hidden files:

Windows 2000

1.Open My Computer.

2.Select the Tools menu and click Folder Options.

3.Select the View Tab.

4.Under the Hidden files and folders heading select Show hidden files and folders. (I can't get past this step right here)

5.Uncheck the Hide protected operating system files (recommended) option.

6.Click Yes to confirm.

7.Click OK.


Hi again fenzodahl512, ok I've run into another problem with the showing hidden files thing. Well, on step 4, I don't have the Hidden files and folders heading, nor do I have the "SHOW HIDDEN FILES AND FOLDERS" option. Do you know what the problem is? Because I know I did all the steps right; it's just that I didn't have these options and I don't know what I could be doing wrong, or if I have a different kind of computer, because I really don't know anything about my computer type or Windows type at all, sorry :)

Edited by wrecklesskane, 29 May 2008 - 09:45 AM.



#11
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Ok..

Try this instead

  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder... it will help protect your drives from future infection.

After this, please repeat my previous instruction from Jotti steps to ComboFix step.. :)

#12
wrecklesskane

wrecklesskane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 83 posts
Nope, I don't have any of those insertable drive things that you are talking about, sorry :) Or if I misunderstood you, then could you tell me more about how that works? Or is this plan already called off because of me not having those drive things?

And yeah I will post those logs for you as soon as we get past this step ok :)

#13
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Erm.. just download and run Flash Disinfector, it should take a very short time (just a few seconds).. Then do the Jotti steps.. and so on.. I'm working right now and will be back in about three hours from now :)

#14
wrecklesskane

wrecklesskane

    Member

  • Topic Starter
  • Member
  • PipPip
  • 83 posts
Nope, can't do it, because I don't have a flash drive to plug in, sorry :)
We're gonna have to resort to another method.

#15
fenzodahl512

fenzodahl512

  • Malware Removal
  • 9,863 posts
Ok, let's do this first..



1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
netpker
SkServer
Explorer
radsrver
ljutep
servicess

File::
C:\WINNT\eraseme_02186.exe
C:\WINNT\eraseme_37006.exe
C:\WINNT\eraseme_42841.exe
C:\WINNT\eraseme_45822.exe
C:\WINNT\system32\eraseme_02186.exe
C:\WINNT\system32\eraseme_42841.exe
C:\WINNT\system32\config\sy.exe
C:\alexamw.exe
c:\aa.exe
C:\WINNT\system32\config\svchost.exe
C:\WINNT\web\related.htm
D:\Autorun.exe
c:\winnt\system32\nrtyxo.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints\D]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


Please post the following logs in your next reply.. Please post each log in separate post

1. ComboFix log
2. A fresh HijackThis log



Regards
fenzodahl512

Edited by fenzodahl512, 29 May 2008 - 02:43 PM.
