Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan-gen ? Trouble with wmsncs.exe

Started by thib30 , Dec 07 2008 05:24 AM

  • Please log in to reply

#1
thib30
Posted 07 December 2008 - 05:24 AM

thib30

    New Member

  • Member
  • Pip
  • 3 posts
Hello,

I get a message at startup that says that windows cannot find the file c:\windows\fonts\wmsncs.exe, I get this message too launching the files explorer (I cannot launch it anymore) and launching other application like for example the recycler.
Before that, I launched AVAST soft, it detected some trojan and then i received the message for the missing file.

I saw another post (http://www.geekstogo...xe-t206969.html) close to my issue but i don't know if it's exactly the same solution.

Here is the Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:32, on 07/12/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\loadqm.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
C:\WINNT\System32\internat.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\cmd.exe
E:\my_data\logiciels\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fr/0SEFRFR/SAOS02
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: Shell=explorer.exe "C:\WINNT\Fonts\wmsncs.exe"
O2 - BHO: (no name) - {085FF802-B861-4D8A-8733-4A9B97226BF1} - C:\WINNT\System32\aksciipr.dll
O2 - BHO: (no name) - {109BE732-8F8C-49D4-A3F4-FEDCAC7F0A25} - C:\WINNT\System32\awtqpOHB.dll (file missing)
O2 - BHO: (no name) - {5FEA066F-9C4E-413E-BF5D-EA6223821463} - C:\WINNT\System32\urqoooNh.dll (file missing)
O2 - BHO: {324c4af9-0e31-b6cb-8d04-3e9e1a88173e} - {e37188a1-e9e3-40d8-bc6b-13e09fa4c423} - C:\WINNT\System32\lldouj.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EPSON Stylus D88 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE /P23 "EPSON Stylus D88 Series" /O5 "LPT1:" /M "Stylus D88"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\fr\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NvidMediaCenter] C:\Program Files\Fichiers communs\System\wmsncs.exe
O4 - HKLM\..\Run: [Wmsncs Service] C:\WINNT\Fonts\wmsncs.exe
O4 - HKLM\..\Run: [Spool Driver Service] C:\WINNT\System32\spool\drivers\wmsncs.exe
O4 - HKLM\..\Run: [Windows Update] ssms.exe
O4 - HKLM\..\Run: [Wins Service] C:\WINNT\System32\wins\wmsncs.exe
O4 - HKLM\..\Run: [BM332f3cc5] Rundll32.exe "C:\WINNT\System32\fyojebxq.dll",s
O4 - HKLM\..\RunServices: [Windows Update] ssms.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [NvidMediaCenter] C:\Program Files\Fichiers communs\System\wmsncs.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Wmsncs Service] C:\WINNT\Fonts\wmsncs.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Spool Driver Service] C:\WINNT\System32\spool\drivers\wmsncs.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Wins Service] C:\WINNT\System32\wins\wmsncs.exe (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1157664722390
O20 - AppInit_DLLs: lldouj.dll
O20 - Winlogon Notify: awtqpOHB - awtqpOHB.dll (file missing)
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: MS NET Service - Unknown owner - C:\WINNT\wiadss.exe (file missing)

--
End of file - 4856 bytes

Thanks in advance for your help.
  • 0

Advertisements

#2
kahdah
Posted 07 December 2008 - 06:58 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello thib30

Welcome to G2Go. :)
=====================
You do not have any of your service packs installed aat all.
I will need you to do that after we clean you up a bit.
I think it would make things worse at this point.
================================
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

  • 0

#3
thib30
Posted 07 December 2008 - 07:59 AM

thib30

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Hi Kahdah,

First, thanks for your help and then here are the contents of the 2 files:

log:

Logfile of random's system information tool 1.04 (written by random/random)
Run by pongy at 2008-12-07 14:47:46
Microsoft Windows 2000 Professionnel
System drive C: has 15 GB (77%) free of 19 GB
Total RAM: 126 MB (41% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:47:52, on 07/12/2008
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\loadqm.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
C:\WINNT\System32\internat.exe
C:\WINNT\System32\cmd.exe
E:\my_data\logiciels\RSIT.exe
E:\my_data\logiciels\pongy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.fr/0SEFRFR/SAOS02
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
F2 - REG:system.ini: Shell=explorer.exe "C:\WINNT\Fonts\wmsncs.exe"
O2 - BHO: (no name) - {085FF802-B861-4D8A-8733-4A9B97226BF1} - C:\WINNT\System32\aksciipr.dll
O2 - BHO: (no name) - {109BE732-8F8C-49D4-A3F4-FEDCAC7F0A25} - C:\WINNT\System32\awtqpOHB.dll (file missing)
O2 - BHO: (no name) - {5FEA066F-9C4E-413E-BF5D-EA6223821463} - C:\WINNT\System32\urqoooNh.dll (file missing)
O2 - BHO: {324c4af9-0e31-b6cb-8d04-3e9e1a88173e} - {e37188a1-e9e3-40d8-bc6b-13e09fa4c423} - C:\WINNT\System32\lldouj.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [EPSON Stylus D88 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE /P23 "EPSON Stylus D88 Series" /O5 "LPT1:" /M "Stylus D88"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\fr\msnappau.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NvidMediaCenter] C:\Program Files\Fichiers communs\System\wmsncs.exe
O4 - HKLM\..\Run: [Wmsncs Service] C:\WINNT\Fonts\wmsncs.exe
O4 - HKLM\..\Run: [Spool Driver Service] C:\WINNT\System32\spool\drivers\wmsncs.exe
O4 - HKLM\..\Run: [Windows Update] ssms.exe
O4 - HKLM\..\Run: [Wins Service] C:\WINNT\System32\wins\wmsncs.exe
O4 - HKLM\..\Run: [BM332f3cc5] Rundll32.exe "C:\WINNT\System32\fyojebxq.dll",s
O4 - HKLM\..\RunServices: [Windows Update] ssms.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [NvidMediaCenter] C:\Program Files\Fichiers communs\System\wmsncs.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Wmsncs Service] C:\WINNT\Fonts\wmsncs.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Spool Driver Service] C:\WINNT\System32\spool\drivers\wmsncs.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Wins Service] C:\WINNT\System32\wins\wmsncs.exe (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay10...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1157664722390
O20 - AppInit_DLLs: lldouj.dll
O20 - Winlogon Notify: awtqpOHB - awtqpOHB.dll (file missing)
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Service d'administration du Gestionnaire de disque logique (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: MS NET Service - Unknown owner - C:\WINNT\wiadss.exe (file missing)

--
End of file - 4882 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{085FF802-B861-4D8A-8733-4A9B97226BF1}]
C:\WINNT\System32\aksciipr.dll [2008-11-12 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{109BE732-8F8C-49D4-A3F4-FEDCAC7F0A25}]
C:\WINNT\System32\awtqpOHB.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5FEA066F-9C4E-413E-BF5D-EA6223821463}]
C:\WINNT\System32\urqoooNh.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e37188a1-e9e3-40d8-bc6b-13e09fa4c423}]
C:\WINNT\System32\lldouj.dll [2008-12-05 106496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINNT\System32\msdxm.ocx [2002-07-12 848144]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"=mobsync.exe /logon []
"IgfxTray"=C:\WINNT\System32\i [2008-11-20 79]
"HotKeysCmds"=C:\WINNT\System32\hkcmd.exe [2002-07-17 90112]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-05-16 79224]
"LoadQM"=C:\WINNT\loadqm.exe [2000-05-03 7536]
"EPSON Stylus D88 Series"=C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_FATIABE.EXE [2005-01-27 98304]
"msnappau"=C:\Program Files\MSN Apps\Updater\01.02.0002.1001\fr\msnappau.exe []
"Lexmark X73 Button Monitor"=C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe [2001-05-11 53248]
"Lexmark X73 Button Manager"=C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe [2001-06-11 53248]
"PrinTray"=C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe [2001-07-05 36864]
"NvidMediaCenter"=C:\Program Files\Fichiers communs\System\wmsncs.exe []
"Wmsncs Service"=C:\WINNT\Fonts\wmsncs.exe []
"Spool Driver Service"=C:\WINNT\System32\spool\drivers\wmsncs.exe []
"Windows Update"=ssms.exe []
"Wins Service"=C:\WINNT\System32\wins\wmsncs.exe []
"BM332f3cc5"=C:\WINNT\System32\fyojebxq.dll []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"=C:\WINNT\system32\internat.exe [1999-12-16 20752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="lldouj.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtqpOHB]
awtqpOHB.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{109BE732-8F8C-49D4-A3F4-FEDCAC7F0A25}"=C:\WINNT\System32\awtqpOHB.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINNT\System32\urqoooNh

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=149

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2100-02-23 18:55:50 ----A---- C:\WINNT\Lexmark_ICM.ini
2100-02-08 15:53:34 ----A---- C:\WINNT\GtX73.ini
2008-12-07 14:47:46 ----D---- C:\rsit
2008-12-05 16:13:19 ----A---- C:\WINNT\System32\whvjycum.dll
2008-12-05 16:13:19 ----A---- C:\WINNT\System32\lldouj.dll
2008-12-05 15:44:38 ----SH---- C:\WINNT\System32\dfkfxkgq.ini
2008-12-05 15:44:37 ----A---- C:\WINNT\System32\qgkxfkfd.dll
2008-12-05 15:43:14 ----A---- C:\WINNT\System32\axnsyybw.dll
2008-11-28 10:44:56 ----SH---- C:\WINNT\System32\knewsalj.ini
2008-11-28 10:41:56 ----A---- C:\WINNT\System32\yajnxsap.dll
2008-11-28 10:41:56 ----A---- C:\WINNT\System32\isjolu.dll
2008-11-28 10:38:56 ----A---- C:\WINNT\System32\meknsesl.dll
2008-11-28 10:38:56 ----A---- C:\WINNT\System32\fjsddh.dll
2008-11-28 10:37:25 ----A---- C:\WINNT\System32\wvvccspk.dll
2008-11-28 10:37:25 ----A---- C:\WINNT\System32\ggfcoy.dll
2008-11-27 12:12:31 ----SH---- C:\WINNT\System32\kkjhemgo.ini
2008-11-27 12:09:31 ----A---- C:\WINNT\System32\pjhbwgpf.dll
2008-11-27 12:09:31 ----A---- C:\WINNT\System32\avttve.dll
2008-11-27 12:06:31 ----SH---- C:\WINNT\System32\tlgkmojw.ini
2008-11-27 11:06:31 ----A---- C:\WINNT\System32\svlvorju.dll
2008-11-27 11:06:31 ----A---- C:\WINNT\System32\nyoqhs.dll
2008-11-27 11:05:00 ----SH---- C:\WINNT\System32\mtqeougb.ini
2008-11-20 12:34:28 ----A---- C:\WINNT\System32\wmsoft18803.exe
2008-11-20 12:17:05 ----A---- C:\WINNT\System32\wmsoft71380.exe
2008-11-20 12:08:51 ----A---- C:\WINNT\System32\rkphoulh.dll
2008-11-20 12:08:51 ----A---- C:\WINNT\System32\idvghy.dll
2008-11-20 12:05:52 ----SH---- C:\WINNT\System32\cwiqkdox.ini
2008-11-20 12:04:23 ----SH---- C:\WINNT\System32\klxtapgi.ini
2008-11-19 09:08:40 ----A---- C:\WINNT\System32\xzmubx.dll
2008-11-19 09:08:39 ----A---- C:\WINNT\System32\gccrgray.dll
2008-11-19 09:07:46 ----A---- C:\WINNT\System32\nbci.exe
2008-11-19 09:07:46 ----A---- C:\WINNT\System32\iasqqtim.exe
2008-11-19 09:07:18 ----SH---- C:\WINNT\System32\gljrjtbb.ini
2008-11-19 09:07:15 ----A---- C:\WINNT\System32\bbtjrjlg.dll
2008-11-17 18:23:12 ----A---- C:\WINNT\System32\ynhrci.exe
2008-11-17 18:23:12 ----A---- C:\WINNT\System32\rhsr.exe
2008-11-17 18:22:56 ----SH---- C:\WINNT\System32\iwxebxfb.ini
2008-11-17 18:22:55 ----A---- C:\WINNT\System32\bfxbexwi.dll
2008-11-17 18:21:50 ----A---- C:\WINNT\System32\vrpobt.dll
2008-11-17 18:21:50 ----A---- C:\WINNT\System32\aqnedvbj.dll
2008-11-17 18:20:38 ----SH---- C:\WINNT\System32\afkmknco.ini
2008-11-12 18:27:39 ----A---- C:\WINNT\System32\vehuwvi.exe
2008-11-12 18:27:39 ----A---- C:\WINNT\System32\ktoupwix.exe
2008-11-12 18:15:27 ----A---- C:\WINNT\System32\wmsoft11547.exe
2008-11-12 17:29:08 ----A---- C:\WINNT\System32\mdnrhx.dll
2008-11-12 17:29:07 ----A---- C:\WINNT\System32\jqcascrs.dll
2008-11-12 17:26:18 ----SH---- C:\WINNT\System32\ttwdfrer.ini
2008-11-12 17:26:12 ----A---- C:\WINNT\System32\rerfdwtt.dll
2008-11-12 17:23:11 ----A---- C:\WINNT\System32\aksciipr.dll
2008-11-12 17:21:26 ----A---- C:\WINNT\System32\tkcopufu.dll
2008-11-12 17:17:54 ----A---- C:\WINNT\System32\vtgagsje.dll
2008-11-12 16:30:26 ----A---- C:\WINNT\System32\yjhjsgg.exe
2008-11-12 16:30:25 ----A---- C:\WINNT\System32\pnbm.exe
2008-11-12 16:18:32 ----SH---- C:\WINNT\System32\etsqpxyt.ini
2008-11-12 16:18:31 ----A---- C:\WINNT\System32\tyxpqste.dll
2008-11-12 16:16:38 ----A---- C:\WINNT\System32\zsec.exe
2008-11-12 16:16:38 ----A---- C:\WINNT\System32\vxwm.exe
2008-11-12 16:15:16 ----A---- C:\WINNT\System32\ygawhllj.dll
2008-11-12 16:15:16 ----A---- C:\WINNT\System32\ughxcs.dll
2008-11-12 16:13:25 ----A---- C:\WINNT\System32\vuawpjwp.dll
2008-11-12 16:13:25 ----A---- C:\WINNT\System32\cxnvrl.dll
2008-11-08 11:54:19 ----SH---- C:\WINNT\System32\hwyxmcqh.ini
2008-11-08 10:57:19 ----SH---- C:\WINNT\System32\hjyifctg.ini
2008-11-08 10:54:19 ----A---- C:\WINNT\System32\yiebdl.dll
2008-11-08 10:54:19 ----A---- C:\WINNT\System32\tggxjbay.dll
2008-11-08 10:51:19 ----A---- C:\WINNT\System32\ooyeauks.dll
2008-11-08 10:51:19 ----A---- C:\WINNT\System32\istyhl.dll
2008-11-08 10:49:29 ----SH---- C:\WINNT\System32\wjwcvouo.ini

======List of files/folders modified in the last 1 months======

2008-12-07 14:46:34 ----A---- C:\WINNT\X73_DS.ini
2008-12-07 13:34:34 ----A---- C:\WINNT\SchedLgU.Txt
2008-12-05 16:18:52 ----ASH---- C:\WINNT\System32\hNoooqru.ini
2008-12-05 16:17:54 ----ASH---- C:\WINNT\System32\hNoooqru.ini2
2008-12-05 16:12:30 ----A---- C:\WINNT\BM332f3cc5.txt
2008-12-05 16:12:02 ----A---- C:\WINNT\pskt.ini
2008-11-20 12:05:00 ----A---- C:\WINNT\System32\3b3fcb27-.txt

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINNT\System32\drivers\Aavmker4.sys [2008-05-16 26944]
R1 aswSP;avast! Self Protection; C:\WINNT\System32\drivers\aswSP.sys [2008-05-16 78416]
R1 aswTdi;avast! Network Shield Support; C:\WINNT\System32\drivers\aswTdi.sys [2008-05-16 42912]
R2 aswMon;avast! Standard Shield Support; C:\WINNT\System32\drivers\aswMon.sys [2008-01-17 93264]
R3 fhlppppoe;PPPOE/ADSL miniport; C:\WINNT\System32\DRIVERS\fhlpppoe.sys [2002-11-21 49264]
R3 i81x;i81x; C:\WINNT\System32\DRIVERS\i81xnt5.sys [2002-07-23 161020]
R3 ichaud;Service pour pilote AC'97 (WDM); C:\WINNT\system32\drivers\ichaud.sys [1999-10-22 32592]
R3 LVUSBSta;Logitech USB Monitor Filter; C:\WINNT\System32\DRIVERS\LVUSBSta.sys [2005-05-27 22016]
R3 rtl8139;Pilote NT de carte Realtek PCI Fast Ethernet à base RTL8139; C:\WINNT\System32\DRIVERS\RTL8139.SYS [1999-09-25 18704]
R3 uhcd;Pilote de contrôleur hôte universel USB Microsoft; C:\WINNT\System32\DRIVERS\uhcd.sys [1999-12-16 32144]
R3 usbhub;Pilote de concentrateur standard USB Microsoft; C:\WINNT\System32\DRIVERS\usbhub.sys [1999-12-16 40016]
R3 USBSTOR;Pilote de stockage de masse USB; C:\WINNT\System32\DRIVERS\USBSTOR.SYS [1999-10-01 19760]
S2 LXARScan;Lexmark X73 MFP Scanner; C:\WINNT\System32\Drivers\Lxarscan.sys [2001-06-28 18024]
S3 aswRdr;aswRdr; C:\WINNT\System32\drivers\aswRdr.sys [2008-05-16 23152]
S3 ccdecode;Décodeur sous-titre fermé; C:\WINNT\system32\drivers\ccdecode.sys [1999-10-04 13232]
S3 MSTEE;Convertisseur en T/site-à-site de répartition Microsoft; C:\WINNT\system32\drivers\MSTEE.sys [1999-09-25 5136]
S3 PID_08A0;QuickCam IM(PID_08A0); C:\WINNT\System32\DRIVERS\LV302AV.SYS [2005-05-27 913280]
S3 usbaudio;Pilote USB audio (WDM); C:\WINNT\system32\drivers\usbaudio.sys [1999-10-12 68912]
S3 usbprint;Classe d'imprimantes USB Microsoft; C:\WINNT\System32\DRIVERS\usbprint.sys [1999-10-26 22064]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 LexBceS;LexBce Server; C:\WINNT\system32\LEXBCES.EXE [2001-07-05 311296]
S2 MS NET Service;MS NET Service; C:\WINNT\wiadss.exe []
S3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-05-16 247160]
S3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-05-16 349560]

-----------------EOF-----------------


and info:

info.txt logfile of random's system information tool 1.04 2008-12-07 14:47:55

======Uninstall list======

Adobe Acrobat 5.0-->C:\WINNT\ISUN040C.EXE -f"C:\Program Files\Fichiers communs\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Fichiers communs\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX-->C:\WINNT\System32\Macromed\Flash\uninstall_activeX.exe
AIDA32 v3.85-->"C:\Program Files\AIDA32 - Enterprise System Information\unins000.exe"
avast! Antivirus-->C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Barre d'outils MSN-->C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\mtbs.exe c
EPSON Attach To Email-->C:\Program Files\Fichiers communs\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1033 ADDREMOVEDLG
EPSON Easy Photo Print-->RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5DA7BC15-18D3-41A0-9F59-838DA3EAEF17}\SETUP.EXE" -l0x40c UNINST
EPSON File Manager-->RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E86BC406-944E-41F6-ADE6-2C136734C96B}\Setup.exe" -l0x40c UNINST
EPSON Logiciel imprimante-->C:\WINNT\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan Assistant-->RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0x40c -u
EPSON Web-To-Page-->RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\SETUP.EXE" -l0x40c -anything
ESD88 Guide d'utilisation-->C:\Program Files\EPSON\TPMANUAL\ESD88\USE_G\DOCUNINS.EXE
Heredis 9-->C:\WINNT\unvise32.exe C:\Program Files\BSD Concept\Heredis 9\uninstal.log
HijackThis 2.0.2-->"E:\my_data\logiciels\HijackThis.exe" /uninstall
Intel® 810/810E/815/815E/815EM Chipset Graphics Driver Software-->RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8A708DD8-A5E6-11D4-A706-000629E95E20}\Setup.exe" -inteluninstall
Kit point de croix 2-->RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{382C5418-8B05-49E4-A7A7-2C15B612158F}\Setup.exe" -l0x40c
Lexmark X73-->C:\Program Files\LexmarkX73\RemoveX73.exe
MGI PhotoSuite 8.1 (suppression seulement)-->C:\WINNT\IsUn040c.exe -f"C:\Program Files\MGI\PhotoSuite 8.1\Uninst.isu" -c"C:\Program Files\MGI\PhotoSuite 8.1\CustomUninstall.dll"
Microsoft Internet Explorer 6 SP1-->rundll32 C:\WINNT\System32\setupwbv.dll,IE6Maintenance C:\Program Files\Internet Explorer\IE Uninstall\W2KEXCP.EXE /u
Microsoft Office 2000 Premium-->MsiExec.exe /I{0000040C-78E1-11D2-B60F-006097C998E7}
Microsoft Office PowerPoint Viewer 2003-->MsiExec.exe /X{90AF040C-6000-11D3-8CFE-0150048383C9}
MSN Messenger 7.0-->MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314600820}
OLYMPUS CAMEDIA Master 4.1-->RunDll32 C:\PROGRA~1\FICHIE~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{30BB4D60-81DB-11D5-BB77-00400536ABAC}\setup.exe" CAMEDIA Master 4.1
PPP over Ethernet-->rundll32.exe pppoe32.dll,Uninstall
QuickTime-->C:\WINNT\unvise32qt.exe C:\WINNT\System32\QuickTime\Uninstall.log

======Hosts File======

127.0.0.1 localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads5.kaspersky-labs.com
127.0.0.1 www.kaspersky-labs.com
127.0.0.1 symantec.com

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Os2LibPath"=%SystemRoot%\system32\os2\dll;
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 8 Stepping 10, GenuineIntel
"PROCESSOR_REVISION"=080a
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

See you...
  • 0

#4
kahdah
Posted 07 December 2008 - 09:14 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information,
please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions
to apprise them of your situation.

Please read this for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
==============================
First:

Download this program:

submit files packer

Highlight the files listed below in bold and right-click and selecting copy.

C:\WINNT\System32\wmsoft18803.exe
C:\WINNT\System32\wmsoft71380.exe
C:\WINNT\System32\nbci.exe
C:\WINNT\System32\iasqqtim.exe
C:\WINNT\System32\ynhrci.exe
C:\WINNT\System32\rhsr.exe
C:\WINNT\System32\vehuwvi.exe
C:\WINNT\System32\ktoupwix.exe
C:\WINNT\System32\wmsoft11547.exe
C:\WINNT\System32\yjhjsgg.exe
C:\WINNT\System32\pnbm.exe



Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

I will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to samples.

Click Here to upload the files please.
============================================
After that do the following:

1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
MS NET Service

files to delete: 
C:\WINNT\wiadss.exe 
C:\WINNT\System32\lldouj.dll
C:\WINNT\System32\dfkfxkgq.ini 
C:\WINNT\System32\qgkxfkfd.dll 
C:\WINNT\System32\axnsyybw.dll 
C:\WINNT\System32\knewsalj.ini 
C:\WINNT\System32\yajnxsap.dll 
C:\WINNT\System32\isjolu.dll 
C:\WINNT\System32\meknsesl.dll 
C:\WINNT\System32\fjsddh.dll 
C:\WINNT\System32\wvvccspk.dll 
C:\WINNT\System32\ggfcoy.dll 
C:\WINNT\System32\kkjhemgo.ini 
C:\WINNT\System32\pjhbwgpf.dll
C:\WINNT\System32\avttve.dll 
C:\WINNT\System32\tlgkmojw.ini
 C:\WINNT\System32\svlvorju.dll 
C:\WINNT\System32\nyoqhs.dll 
C:\WINNT\System32\mtqeougb.ini 
C:\WINNT\System32\wmsoft18803.exe 
C:\WINNT\System32\wmsoft71380.exe 
C:\WINNT\System32\rkphoulh.dll 
C:\WINNT\System32\idvghy.dll 
C:\WINNT\System32\cwiqkdox.ini 
C:\WINNT\System32\klxtapgi.ini 
C:\WINNT\System32\xzmubx.dll 
C:\WINNT\System32\gccrgray.dll 
C:\WINNT\System32\nbci.exe 
C:\WINNT\System32\iasqqtim.exe 
C:\WINNT\System32\gljrjtbb.ini 
C:\WINNT\System32\bbtjrjlg.dll 
C:\WINNT\System32\ynhrci.exe 
C:\WINNT\System32\rhsr.exe 
C:\WINNT\System32\iwxebxfb.ini 
C:\WINNT\System32\bfxbexwi.dll 
C:\WINNT\System32\vrpobt.dll 
C:\WINNT\System32\aqnedvbj.dll 
C:\WINNT\System32\afkmknco.ini 
C:\WINNT\System32\vehuwvi.exe 
C:\WINNT\System32\ktoupwix.exe 
C:\WINNT\System32\wmsoft11547.exe 
C:\WINNT\System32\mdnrhx.dll 
C:\WINNT\System32\jqcascrs.dll 
C:\WINNT\System32\ttwdfrer.ini 
C:\WINNT\System32\rerfdwtt.dll 
C:\WINNT\System32\aksciipr.dll 
C:\WINNT\System32\tkcopufu.dll 
C:\WINNT\System32\vtgagsje.dll 
C:\WINNT\System32\yjhjsgg.exe 
C:\WINNT\System32\pnbm.exe 
C:\WINNT\System32\etsqpxyt.ini 
C:\WINNT\System32\tyxpqste.dll 
C:\WINNT\System32\zsec.exe 
C:\WINNT\System32\vxwm.exe 
C:\WINNT\System32\ygawhllj.dll 
C:\WINNT\System32\ughxcs.dll 
C:\WINNT\System32\vuawpjwp.dll 
C:\WINNT\System32\cxnvrl.dll 
C:\WINNT\System32\hwyxmcqh.ini 
C:\WINNT\System32\hjyifctg.ini 
C:\WINNT\System32\yiebdl.dll 
C:\WINNT\System32\tggxjbay.dll 
C:\WINNT\System32\ooyeauks.dll 
C:\WINNT\System32\istyhl.dll 
C:\WINNT\System32\wjwcvouo.ini
C:\WINNT\System32\hNoooqru.ini
C:\WINNT\System32\hNoooqru.ini2
C:\WINNT\BM332f3cc5.txt
C:\WINNT\pskt.ini
C:\WINNT\System32\3b3fcb27-.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.
==============
Then Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0

#5
thib30
Posted 07 December 2008 - 03:11 PM

thib30

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Actually, the computer with the issue is not mine. I have to go to see my friend to apply all your solution on his computer contaminated.
I use my computer to transfer the data needed (for example, I will copy on my USB key the files to upload that I will upload on my computer), do I have a risk to have the virus ?

Thanks.
  • 0

#6
kahdah
Posted 07 December 2008 - 06:46 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
I see no evidence of an autorun infection but yes there is always a chance.
It would be better to burn the items onto a cd or something.
But as far as the files that I asked you to upload they will be contained so there is nothing to worry about there.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP