Computer compromised [RESOLVED]


#1 Gnitrops (Member, 29 posts)
Hi,

I'm using Windows XP SP2, and lately I've noticed my computer got extremely slow. My Windows partition got full out of nowhere. I found it weird, since I wasn't installing anything lately and my swap file is on another partition. I noticed my C:\Windows takes 3,29 Gb of space, which I found quite weird.

Apart from that, I've been getting weird errors out of nowhere, like some "fatal errors" and "exception blabla memory couldn't be read", related to iexplore.exe or explorer.exe. Found it even stranger, since I don't use IE.

I had been leaving my Kaspersky AV off for the last few days. As soon as I turned it back on, it detected Win32.Agent.tym on some .exe files with very strange names: "M1X6Wr04.exe", "mAThy0Jx.exe", "NALJ8YSL.exe" and such. According to Kaspersky, it eliminated all of them.

Only to have them back the next day.
I ran TuneUp's Reg Cleaner, Disk Cleaner, 1-Click Maintenance, a Kaspersky full system scan, and Spybot S&D, only to find a regdump.bat file in the Temp folder, which Kaspersky deleted. I searched on Google for Win32.Agent.tym and found no info.

Then, my computer restarted out of nowhere. On the restart, Kaspersky started to warn me that services.exe and explorer.exe were trying to inject code. Plus, it again found Win32.Agent, now the Win32.Agent.yyy version, on the same weirdly named exes where it had found the "tym" version the first time.

I then turned KAV off and ran Deckard System Scanner, which seemed to end abruptly. Still, it produced the main.txt in the dss folder. Here is the log:

System Drive C: has 0.25 GiB (less than 15%) free.


-- HijackThis (run as Thiago.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 0:09:32, on 13-07-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\alg.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Deckard System Scanner\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Thiago.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.84.17.42:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programa Auxiliar de Início de Sessão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programas\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVP] "C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Programas\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [RK Launcher] C:\Programas\RK Launcher\RKLauncher.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide1] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202053288859
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer\MathMLMimer.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7503 bytes

-- Files created between 2008-06-13 and 2008-07-13 -----------------------------

2008-07-12 11:28:23 0 d-------- C:\Programas\Windows Live Safety Center
2008-07-12 11:01:12 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Adobe
2008-07-12 11:00:16 0 dr------- C:\Documents and Settings\NetworkService\Favoritos
2008-07-11 16:36:05 0 d-------- C:\Programas\Enigma Software Group
2008-07-10 22:15:44 0 d-------- C:\Programas\Windows Installer Clean Up
2008-07-10 22:15:30 0 d-------- C:\Programas\MSECACHE
2008-07-06 11:04:00 0 d-------- C:\Documents and Settings\Thiago\Application Data\FastStone
2008-07-06 11:03:58 0 d-------- C:\Programas\FastStone Capture
2008-07-02 17:39:49 0 d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-07-02 17:39:44 0 d-------- C:\Programas\TuneUp Utilities 2008
2008-07-02 08:07:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-07-01 23:54:03 0 dr-h----- C:\Documents and Settings\Thiago\Recent
2008-07-01 23:09:20 0 d-------- C:\Programas\Yahoo!
2008-06-28 16:11:43 0 d-------- C:\Documents and Settings\Thiago\amsn
2008-06-26 00:57:03 196608 --a------ C:\WINDOWS\system32\pdfcmnnt.dll <Not Verified; internet-support foehr.com; RedMon EE>
2008-06-26 00:57:02 23552 --a------ C:\WINDOWS\system32\MSMPIDE.DLL <Not Verified; Microsoft Corporation; MSMAPI-Steuerelementbibliothek>
2008-06-26 00:57:02 0 d-------- C:\Programas\PDFCreator
2008-06-24 22:04:13 0 d-------- C:\Programas\Hattrick Manager
2008-06-24 22:04:02 0 d-------- C:\Programas\Hattrick Coach Professional
2008-06-24 19:34:45 0 d-------- C:\Programas\HAM
2008-06-21 11:34:10 408576 --a------ C:\WINDOWS\system32\Smab.dll
2008-06-21 11:34:10 719872 --a------ C:\WINDOWS\system32\devil.dll <Not Verified; Abysmal Software; Developer's Image Library (DevIL)>
2008-06-21 11:34:10 318976 --a------ C:\WINDOWS\system32\avisynth.dll <Not Verified; The Public; Avisynth 2.5>
2008-06-21 11:34:09 70656 --a------ C:\WINDOWS\system32\i420vfw.dll <Not Verified; www.helixcommunity.org; Helix I420 YUV Codec>
2008-06-21 11:34:09 27648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2008-06-21 11:34:09 0 d-------- C:\Programas\AviSynth 2.5
2008-06-20 21:39:50 0 d-------- C:\Programas\Cloudbrain
2008-06-20 21:38:25 0 d-------- C:\Documents and Settings\Thiago\Application Data\Mp3tag
2008-06-20 21:38:20 0 d-------- C:\Programas\Mp3tag
2008-06-20 20:07:22 0 d-------- C:\Documents and Settings\Thiago\Application Data\MiniLyrics
2008-06-20 20:05:12 0 d-------- C:\Programas\Minilyrics
2008-06-20 19:24:31 0 d-------- C:\Programas\MediaMonkey
2008-06-13 21:06:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-06-13 21:06:54 0 d-------- C:\Programas\StuffPlug3
2008-06-13 21:05:41 0 d-------- C:\Programas\Messenger Plus! Live
2008-06-13 21:05:14 0 d-------- C:\Programas\aMSN


-- Find3M Report ---------------------------------------------------------------

2008-06-16 22:08:34 453706 --a------ C:\WINDOWS\system32\perfh016.dat
2008-06-16 22:08:34 74488 --a------ C:\WINDOWS\system32\perfc016.dat
2008-06-10 17:37:52 0 d-------- C:\Programas\Design Science
2008-06-07 09:59:42 0 d-------- C:\Documents and Settings\Thiago\Application Data\Malwarebytes
2008-06-04 19:06:52 0 d-------- C:\Programas\Virtual Earth 3D
2008-05-25 11:23:10 0 d-------- C:\Documents and Settings\Thiago\Application Data\cronometer
2008-04-21 19:25:14 481040 --ah----- C:\WINDOWS\system32\mlfcache.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [18-12-2007 00:43]
"SpyHunter Security Suite"="C:\Programas\Enigma Software Group\SpyHunter\SpyHunter3.exe" [19-06-2008 16:48]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RK Launcher"="C:\Programas\RK Launcher\RKLauncher.exe" [14-09-2005 19:23]
"msnmsgr"="C:\Programas\Windows Live\Messenger\msnmsgr.exe" [18-10-2007 11:34]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide3"=cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"=0 (0x0)
"SynchronousMachineGroupPolicy"=0 (0x0)
"SynchronousUserGroupPolicy"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=1 (0x1)
"NoStrCmpLogical"=1 (0x1)
"NoClose"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"=11 (0xb)
"NoSMBalloonTip"=1 (0x1)
"NoSaveSettings"=0 (0x0)
"NoRecentDocsHistory"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)
"MemCheckBoxInRunDlg"=0 (0x0)
"NoClose"=0 (0x0)
"NoAutoTrayNotify"=0 (0x0)
"NoResolveTrack"=0 (0x0)
"NoResolveSearch"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=1 (0x1)
"NoStartBanner"=01000000
"NoWelcomeScreen"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoSharedDocuments"=1 (0x1)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21572149-16d4-11dd-93d0-0090f52305b8}]
AutoRun\command- EXPLORER.EXE
explore\Command- EXPLORER.EXE
open\Command- EXPLORER.EXE




-- End of Deckard's System Scanner: finished at 2008-07-13 00:10:59 ------------


Any idea what's going on with my system?
  • 0


#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hi there, and sorry for the delay. I would like a fresh look at your system.

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanit folder and double-click on OTScanit.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • Reg - BotCheck
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • File - Additional Folder Scans
    • File - Purity Scan
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

  • 0

#3 Gnitrops (Topic Starter, Member, 29 posts)
Hello Essexboy,

I did as you asked; here's the log:

Attached Files


  • 0

#4 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK Gnitrops, let's try and reclaim some of your drive space. During this fix I will be killing Explorer, so you may lose your desktop for a while.

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Drives - Autoruns > -> 
NY -> autorun [] -> J:\autorun [ NTFS ]
[Files/Folders - Created Within 90 days]
NY -> NALJ8YSL.exe -> %SystemRoot%\System32\NALJ8YSL.exe
NY -> NALJ8YSL.exe_ -> %SystemRoot%\System32\NALJ8YSL.exe_
NY -> NALJ8YSL.exe.a_a -> %SystemRoot%\System32\NALJ8YSL.exe.a_a
NY -> 80jkOGAF.exe -> %SystemRoot%\System32\80jkOGAF.exe
NY -> fj3Q1f6S.exe.a_a -> %SystemRoot%\System32\fj3Q1f6S.exe.a_a
NY -> 80jkOGAF.exe.a_a -> %SystemRoot%\System32\80jkOGAF.exe.a_a
NY -> At122.job -> %SystemRoot%\tasks\At122.job
NY -> At123.job -> %SystemRoot%\tasks\At123.job
NY -> At124.job -> %SystemRoot%\tasks\At124.job
NY -> At125.job -> %SystemRoot%\tasks\At125.job
NY -> At126.job -> %SystemRoot%\tasks\At126.job
NY -> At127.job -> %SystemRoot%\tasks\At127.job
NY -> At128.job -> %SystemRoot%\tasks\At128.job
NY -> At129.job -> %SystemRoot%\tasks\At129.job
NY -> At130.job -> %SystemRoot%\tasks\At130.job
NY -> At131.job -> %SystemRoot%\tasks\At131.job
NY -> At132.job -> %SystemRoot%\tasks\At132.job
NY -> At133.job -> %SystemRoot%\tasks\At133.job
NY -> At134.job -> %SystemRoot%\tasks\At134.job
NY -> At135.job -> %SystemRoot%\tasks\At135.job
NY -> At136.job -> %SystemRoot%\tasks\At136.job
NY -> At137.job -> %SystemRoot%\tasks\At137.job
NY -> At138.job -> %SystemRoot%\tasks\At138.job
NY -> At139.job -> %SystemRoot%\tasks\At139.job
NY -> At140.job -> %SystemRoot%\tasks\At140.job
NY -> At141.job -> %SystemRoot%\tasks\At141.job
NY -> At142.job -> %SystemRoot%\tasks\At142.job
NY -> At143.job -> %SystemRoot%\tasks\At143.job
NY -> At144.job -> %SystemRoot%\tasks\At144.job
NY -> At97.job -> %SystemRoot%\tasks\At97.job
NY -> At98.job -> %SystemRoot%\tasks\At98.job
NY -> At99.job -> %SystemRoot%\tasks\At99.job
NY -> At100.job -> %SystemRoot%\tasks\At100.job
NY -> At101.job -> %SystemRoot%\tasks\At101.job
NY -> At102.job -> %SystemRoot%\tasks\At102.job
NY -> At103.job -> %SystemRoot%\tasks\At103.job
NY -> At104.job -> %SystemRoot%\tasks\At104.job
NY -> At105.job -> %SystemRoot%\tasks\At105.job
NY -> At106.job -> %SystemRoot%\tasks\At106.job
NY -> At107.job -> %SystemRoot%\tasks\At107.job
NY -> At108.job -> %SystemRoot%\tasks\At108.job
NY -> At109.job -> %SystemRoot%\tasks\At109.job
NY -> At110.job -> %SystemRoot%\tasks\At110.job
NY -> At111.job -> %SystemRoot%\tasks\At111.job
NY -> At112.job -> %SystemRoot%\tasks\At112.job
NY -> At113.job -> %SystemRoot%\tasks\At113.job
NY -> At114.job -> %SystemRoot%\tasks\At114.job
NY -> At115.job -> %SystemRoot%\tasks\At115.job
NY -> At116.job -> %SystemRoot%\tasks\At116.job
NY -> At117.job -> %SystemRoot%\tasks\At117.job
NY -> At118.job -> %SystemRoot%\tasks\At118.job
NY -> At119.job -> %SystemRoot%\tasks\At119.job
NY -> At120.job -> %SystemRoot%\tasks\At120.job
NY -> At121.job -> %SystemRoot%\tasks\At121.job
[Files/Folders - Modified Within 90 days]
NY -> NALJ8YSL.exe -> %SystemRoot%\System32\NALJ8YSL.exe
NY -> NALJ8YSL.exe_ -> %SystemRoot%\System32\NALJ8YSL.exe_
NY -> NALJ8YSL.exe.a_a -> %SystemRoot%\System32\NALJ8YSL.exe.a_a
NY -> 80jkOGAF.exe -> %SystemRoot%\System32\80jkOGAF.exe
NY -> fj3Q1f6S.exe.a_a -> %SystemRoot%\System32\fj3Q1f6S.exe.a_a
NY -> 80jkOGAF.exe.a_a -> %SystemRoot%\System32\80jkOGAF.exe.a_a
NY -> At122.job -> %SystemRoot%\tasks\At122.job
NY -> At123.job -> %SystemRoot%\tasks\At123.job
NY -> At124.job -> %SystemRoot%\tasks\At124.job
NY -> At125.job -> %SystemRoot%\tasks\At125.job
NY -> At126.job -> %SystemRoot%\tasks\At126.job
NY -> At127.job -> %SystemRoot%\tasks\At127.job
NY -> At128.job -> %SystemRoot%\tasks\At128.job
NY -> At129.job -> %SystemRoot%\tasks\At129.job
NY -> At130.job -> %SystemRoot%\tasks\At130.job
NY -> At131.job -> %SystemRoot%\tasks\At131.job
NY -> At132.job -> %SystemRoot%\tasks\At132.job
NY -> At133.job -> %SystemRoot%\tasks\At133.job
NY -> At134.job -> %SystemRoot%\tasks\At134.job
NY -> At135.job -> %SystemRoot%\tasks\At135.job
NY -> At136.job -> %SystemRoot%\tasks\At136.job
NY -> At137.job -> %SystemRoot%\tasks\At137.job
NY -> At138.job -> %SystemRoot%\tasks\At138.job
NY -> At139.job -> %SystemRoot%\tasks\At139.job
NY -> At140.job -> %SystemRoot%\tasks\At140.job
NY -> At141.job -> %SystemRoot%\tasks\At141.job
NY -> At142.job -> %SystemRoot%\tasks\At142.job
NY -> At143.job -> %SystemRoot%\tasks\At143.job
NY -> At144.job -> %SystemRoot%\tasks\At144.job
NY -> At97.job -> %SystemRoot%\tasks\At97.job
NY -> At98.job -> %SystemRoot%\tasks\At98.job
NY -> At99.job -> %SystemRoot%\tasks\At99.job
NY -> At100.job -> %SystemRoot%\tasks\At100.job
NY -> At101.job -> %SystemRoot%\tasks\At101.job
NY -> At102.job -> %SystemRoot%\tasks\At102.job
NY -> At103.job -> %SystemRoot%\tasks\At103.job
NY -> At104.job -> %SystemRoot%\tasks\At104.job
NY -> At105.job -> %SystemRoot%\tasks\At105.job
NY -> At106.job -> %SystemRoot%\tasks\At106.job
NY -> At107.job -> %SystemRoot%\tasks\At107.job
NY -> At108.job -> %SystemRoot%\tasks\At108.job
NY -> At109.job -> %SystemRoot%\tasks\At109.job
NY -> At110.job -> %SystemRoot%\tasks\At110.job
NY -> At111.job -> %SystemRoot%\tasks\At111.job
NY -> At112.job -> %SystemRoot%\tasks\At112.job
NY -> At113.job -> %SystemRoot%\tasks\At113.job
NY -> At114.job -> %SystemRoot%\tasks\At114.job
NY -> At115.job -> %SystemRoot%\tasks\At115.job
NY -> At116.job -> %SystemRoot%\tasks\At116.job
NY -> At117.job -> %SystemRoot%\tasks\At117.job
NY -> At118.job -> %SystemRoot%\tasks\At118.job
NY -> At119.job -> %SystemRoot%\tasks\At119.job
NY -> At120.job -> %SystemRoot%\tasks\At120.job
NY -> At121.job -> %SystemRoot%\tasks\At121.job
NY -> 1fgCPnxo.exe -> D:\Temp\1fgCPnxo.exe
NY -> 3r842uVR.exe -> D:\Temp\3r842uVR.exe
NY -> 8N0b206w.exe -> D:\Temp\8N0b206w.exe
NY -> WlMaVOn1.exe -> D:\Temp\WlMaVOn1.exe
NY -> YHEW5nHj.exe -> D:\Temp\YHEW5nHj.exe
NY -> 3846u885.dat -> D:\Temp\3846u885.dat
NY -> 3846u885.dat -> C:\WINDOWS\Temp\3846u885.dat
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
  • 0
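The HijackThis log in post #1 and the OTScanit fix list above share a few patterns a log reviewer checks by eye: a proxy set in the user hive, a BHO registered with no file behind it, eight-character random executable names, and a long run of At*.job scheduled tasks. The script below is an added example, not code from this thread or from HijackThis or OTScanit; it applies those checks to sample lines copied from the thread, and its name heuristic and finding tags are constructed for the illustration.

```python
"""Triage helper for the HijackThis and OTScanit lines quoted in this thread.

Added illustration, not part of HijackThis, OTScanit or any post above.
Every finding is a lead for the person reading the log, never a verdict.
"""
import ipaddress
import re


def looks_random(filename):
    """Constructed heuristic for the names seen in the thread (NALJ8YSL.exe,
    mAThy0Jx.exe, 80jkOGAF.exe): an 8-character alphanumeric stem with at least
    one digit and one capital, and two or more of either, then .exe and optionally
    one of the renamed suffixes in the OTScanit listing (.exe_, .exe.a_a).
    Legitimate names can still match, so hits are leads to verify by hand."""
    m = re.match(r"^([A-Za-z0-9]{8})\.exe(?:[._][A-Za-z_.]*)?$", filename)
    if not m:
        return False
    stem = m.group(1)
    digits = sum(c.isdigit() for c in stem)
    capitals = sum(c.isupper() for c in stem)
    return digits >= 1 and capitals >= 1 and (digits >= 2 or capitals >= 2)


def basename(path):
    """Last component of a Windows path, surrounding quotes stripped."""
    return path.strip('"').rstrip("\\").rsplit("\\", 1)[-1]


def first_executable(command):
    """Executable part of an autorun command line: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def triage(lines):
    """Return a list of (tag, reason, line) tuples for entries worth a closer look."""
    findings = []
    at_jobs = []
    for raw in lines:
        line = raw.strip()
        # R1: a proxy in the user hive that the owner never configured is worth
        # checking; the sample below points at a public address.
        m = re.match(r"R1 - HKCU\\.*ProxyServer = ([^:\s]+)(?::\d+)?", line)
        if m:
            host = m.group(1)
            try:
                scope = "public" if ipaddress.ip_address(host).is_global else "private"
            except ValueError:
                scope = "named"  # a hostname rather than a literal IP
            findings.append(("proxy", "user-level proxy set to %s host %s" % (scope, host), line))
            continue
        # O2: a BHO registration whose DLL is no longer on disk.
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append(("bho-nofile", "BHO CLSID has no backing DLL", line))
            continue
        # O4 autorun entries and O23 services: inspect the launched binary's name.
        m = re.match(r"O4 - .*?: \[[^\]]*\] (.+)$", line)
        exe = first_executable(m.group(1)) if m else None
        if exe is None:
            m = re.match(r"O23 - Service: .* - (.+)$", line)
            exe = m.group(1) if m else None
        if exe and looks_random(basename(exe)):
            findings.append(("random-name", "autostart binary %s has a random-looking name" % basename(exe), line))
            continue
        # OTScanit listing lines: 'NY -> name -> path'.
        m = re.match(r"NY -> (\S+) -> (.+)$", line)
        if m:
            name, path = m.groups()
            if re.match(r"^At\d+\.job$", name, re.I) and "\\tasks\\" in path.lower():
                at_jobs.append(name)  # jobs created through the 'at' scheduler
            elif looks_random(name):
                findings.append(("random-name", "random-looking file in %s" % path.rsplit("\\", 1)[0], line))
    if at_jobs:
        summary = "%d At*.job scheduled tasks, %s to %s" % (len(at_jobs), at_jobs[0], at_jobs[-1])
        findings.append(("at-jobs", summary, "%SystemRoot%\\tasks"))
    return findings


# Constructed sample: lines copied from the logs and the fix script in this thread.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.84.17.42:80
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
NY -> NALJ8YSL.exe -> %SystemRoot%\System32\NALJ8YSL.exe
NY -> NALJ8YSL.exe.a_a -> %SystemRoot%\System32\NALJ8YSL.exe.a_a
NY -> At122.job -> %SystemRoot%\tasks\At122.job
NY -> At123.job -> %SystemRoot%\tasks\At123.job
NY -> 8N0b206w.exe -> D:\Temp\8N0b206w.exe
NY -> 3846u885.dat -> D:\Temp\3846u885.dat
""".strip().splitlines()

if __name__ == "__main__":
    for tag, reason, line in triage(SAMPLE):
        print("%-12s %s\n             %s" % (tag, reason, line))
```

Feed it a whole HijackThis log or OTScanit report with `triage(open(path).read().splitlines())`; the 8-character rule is deliberately loose, so confirm each hit against the file's publisher and location before acting on it.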

#5 Gnitrops (Topic Starter, Member, 29 posts)
OK, I've run that fix. My C: still shows only 244 Mb free. I noticed I have some FOUND.000, FOUND.001 etc. folders on C:\. I can also see files I couldn't see before, even when I had turned "show hidden files" on.

After a reboot, KAV didn't show any Win32.Agent errors, which it used to do on every reboot. I'm still testing the whole system though.

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:52:59, on 18-07-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\slserv.exe
C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\PROGRA~1\WINDOW~4\MESSEN~1\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 202.84.17.42:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programa Auxiliar de Início de Sessão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programas\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVP] "C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\WINDOW~4\MESSEN~1\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide1] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202053288859
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O18 - Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer\MathMLMimer.dll
O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Programas\Design Science\MathPlayer\MathMLMimer.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7194 bytes

I will let you know if I get anything strange after using the system for a while.
  • 0

#6 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
OK, that looks reasonable; let's now go to the next stage and search for orphans. The found elements are recovered clusters from your HDD and can be safely deleted.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
  • 0

#7 Gnitrops (Topic Starter, Member, 29 posts)
Essexboy,


The log came out 100% clean :) (It came out in Portuguese, and it has no info whatsoever, just multiple indications that it is clean, so I think it's not worth posting.)

I managed to clean up my hard drive as well, the system is now faster and stable. I haven't had any IE errors out of nowhere anymore, and Kaspersky didn't talk about Win32.Agent anymore.


Thank you very much for your help!
  • 0

#8 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Thank you very much for your help!

My pleasure :)

Now the best part of the day ----- Your log now appears clean :)

Double click OTScanit once again and you should see a CleanUp! button; press that button. You may get prompted by your firewall that OTScanit wants to contact the internet; allow this. A cleanup.txt will be downloaded, and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded, plus itself.


Now, to get you off to a good start, we will reset your restore points so that all the bad stuff is gone for good. Then, if you need to restore at some stage, you will be clean. There are several ways to reset your restore points, but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and then display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?


Keep safe :)
  • 0

#9 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
