Am I suffering from a Worm? [CLOSED]

#1
Seb.Albert
Hi Geeks,

When I came back home from vacation three days ago, my computer began shutting itself down with a message about NT-AUTHORITY because "SERVICES.EXE terminated unexpectedly with status code 128". Windows Update does not work. It is Windows 2000 Professional. This only happens when I set my router to forward all incoming packets to my computer, so it is not an urgent problem, but it would be nice if it were fixed too.

But that's not all. My router began refusing to work, again and again. Once it recovers, it reconnects to the internet for a few seconds and then breaks down again. After I disconnected my computer from the network, everything went fine. As soon as I reconnect my computer, the router immediately starts suffering again.

Here is my current HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 17:49:47, on 25.08.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINNT\system32\svchost.exe
C:\Programme\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cmd.exe
F:\Install\WinDump.exe
C:\WINNT\system32\7.tmp
C:\Programme\TextPad 4\TextPad.exe
C:\WINNT\system32\NOTEPAD.EXE
F:\Install\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\7.tmp
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: WinDump.exe.lnk = F:\Install\windump.bat
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programme\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programme\ICQ\ICQ.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=about:blank
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124805765406
O17 - HKLM\System\CCS\Services\Tcpip\..\{15D1F46F-8A2D-4269-BA40-97BD0F3C53F9}: NameServer = 192.168.8.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{15D1F46F-8A2D-4269-BA40-97BD0F3C53F9}: NameServer = 192.168.8.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{15D1F46F-8A2D-4269-BA40-97BD0F3C53F9}: NameServer = 192.168.8.1
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MySQL - Unknown owner - C:\Programme\MySQL\MySQL.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe


I installed WinDump on my computer (and put it into autostart, as you can see in the log) and caught my computer scanning whole lists of IP addresses on port 445.
The following happened some minutes after reconnecting my computer to the internet (my machine is 192.168.8.20):

16:37:12.879883 arp who-has 192.168.8.1 tell 192.168.8.20
16:37:12.880257 arp reply 192.168.8.1 is-at 00:09:17:00:0a:5b
16:37:12.880272 IP 192.168.8.20.1034 > 192.168.8.1.53: 30582+ A? ypgw.wallloan.com. (35)
16:37:13.170131 IP 192.168.8.1.9 > 192.168.8.255.9: UDP, length 84
16:37:13.875095 IP 192.168.8.20.1034 > 192.168.8.1.53: 30582+ A? ypgw.wallloan.com. (35)
16:37:14.030961 IP 217.237.149.161.53 > 192.168.8.20.1034: 30582 3/0/0 A 68.194.214.251,[|domain]
16:37:14.031870 IP 192.168.8.20.1035 > 68.194.214.251.18067: S 3426812347:3426812347(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:14.196272 IP 68.194.214.251.18067 > 192.168.8.20.1035: R 0:0(0) ack 3426812348 win 0
16:37:14.640625 IP 192.168.8.20.1035 > 68.194.214.251.18067: S 3426812347:3426812347(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:14.791986 IP 68.194.214.251.18067 > 192.168.8.20.1035: S 3477415870:3477415870(0) ack 3426812348 win 64240 <mss 1400,nop,nop,sackOK>
16:37:14.792045 IP 192.168.8.20.1035 > 68.194.214.251.18067: . ack 1 win 16800
16:37:14.792171 IP 192.168.8.20.1035 > 68.194.214.251.18067: P 1:14(13) ack 1 win 16800
16:37:15.132010 IP 68.194.214.251.18067 > 192.168.8.20.1035: . ack 14 win 64227
16:37:15.132065 IP 192.168.8.20.1035 > 68.194.214.251.18067: P 14:31(17) ack 1 win 16800
16:37:15.273132 IP 68.194.214.251.18067 > 192.168.8.20.1035: P 1:24(23) ack 31 win 64210
16:37:15.273270 IP 192.168.8.20.1035 > 68.194.214.251.18067: P 31:52(21) ack 24 win 16777
16:37:15.471547 IP 68.194.214.251.18067 > 192.168.8.20.1035: P 24:80(56) ack 52 win 64189
16:37:15.471619 IP 192.168.8.20.1035 > 68.194.214.251.18067: P 52:70(18) ack 80 win 16721
16:37:15.670850 AT 255.89.1.6 > 0.0.6: at-#6 25
16:37:15.676460 IP 68.194.214.251.18067 > 192.168.8.20.1035: P 80:213(133) ack 70 win 64171
16:37:15.771008 AT 255.89.1.6 > 0.0.6: at-#6 25
16:37:15.843767 IP 192.168.8.20.1035 > 68.194.214.251.18067: . ack 213 win 16588
16:37:15.871582 AT 255.89.1.6 > 0.0.6: at-#6 25
16:37:15.935916 IP 192.168.8.20.1037 > 192.168.8.1.53: 32880+ A? southerncalidjs.com. (37)
16:37:15.969687 AT 255.89.1.6 > 0.0.6: at-#6 25
16:37:15.970793 IP 217.237.149.161.53 > 192.168.8.20.1037: 32880 1/0/0 A 67.18.72.194 (53)
16:37:15.973312 IP 192.168.8.20.1038 > 67.18.72.194.80: S 3528227341:3528227341(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:16.069786 AT 255.89.1.6 > 0.0.6: at-#6 25
16:37:16.126167 IP 67.18.72.194.80 > 192.168.8.20.1038: S 681757834:681757834(0) ack 3528227342 win 5840 <mss 1400,nop,nop,sackOK>
16:37:16.126241 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 1 win 16800
16:37:16.126598 IP 192.168.8.20.1038 > 67.18.72.194.80: P 1:158(157) ack 1 win 16800
16:37:16.169981 IP 192.168.8.1.9 > 192.168.8.255.9: UDP, length 84
16:37:16.300240 IP 67.18.72.194.80 > 192.168.8.20.1038: . ack 158 win 6432
16:37:16.311686 IP 67.18.72.194.80 > 192.168.8.20.1038: . 1:1401(1400) ack 158 win 6432
16:37:16.322766 IP 67.18.72.194.80 > 192.168.8.20.1038: . 1401:2801(1400) ack 158 win 6432
16:37:16.322800 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 2801 win 16800
16:37:16.486817 IP 67.18.72.194.80 > 192.168.8.20.1038: . 2801:4201(1400) ack 158 win 6432
16:37:16.486915 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 4201 win 16800
16:37:16.498264 IP 67.18.72.194.80 > 192.168.8.20.1038: . 4201:5601(1400) ack 158 win 6432
16:37:16.509410 IP 67.18.72.194.80 > 192.168.8.20.1038: . 5601:7001(1400) ack 158 win 6432
16:37:16.509460 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 7001 win 16800
16:37:16.651715 IP 67.18.72.194.80 > 192.168.8.20.1038: . 7001:8401(1400) ack 158 win 6432
16:37:16.651821 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 8401 win 16800
16:37:16.662267 IP 67.18.72.194.80 > 192.168.8.20.1038: P 8401:9801(1400) ack 158 win 6432
16:37:16.681281 IP 67.18.72.194.80 > 192.168.8.20.1038: . 9801:11201(1400) ack 158 win 6432
16:37:16.681353 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 11201 win 16800
16:37:16.692339 IP 67.18.72.194.80 > 192.168.8.20.1038: P 11201:12601(1400) ack 158 win 6432
16:37:16.703483 IP 67.18.72.194.80 > 192.168.8.20.1038: . 12601:14001(1400) ack 158 win 6432
16:37:16.703557 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 14001 win 16800
16:37:16.821683 IP 67.18.72.194.80 > 192.168.8.20.1038: . 14001:15401(1400) ack 158 win 6432
16:37:16.833472 IP 67.18.72.194.80 > 192.168.8.20.1038: . 15401:16801(1400) ack 158 win 6432
16:37:16.833570 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 16801 win 16800
16:37:16.844562 IP 67.18.72.194.80 > 192.168.8.20.1038: . 16801:18201(1400) ack 158 win 6432
16:37:16.856016 IP 67.18.72.194.80 > 192.168.8.20.1038: . 18201:19601(1400) ack 158 win 6432
16:37:16.856050 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 19601 win 16800
16:37:16.867102 IP 67.18.72.194.80 > 192.168.8.20.1038: P 19601:21001(1400) ack 158 win 6432
16:37:16.867174 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 21001 win 16800
16:37:16.878212 IP 67.18.72.194.80 > 192.168.8.20.1038: . 21001:22401(1400) ack 158 win 6432
16:37:16.889330 IP 67.18.72.194.80 > 192.168.8.20.1038: . 22401:23801(1400) ack 158 win 6432
16:37:16.889364 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 23801 win 16800
16:37:16.900446 IP 67.18.72.194.80 > 192.168.8.20.1038: . 23801:25201(1400) ack 158 win 6432
16:37:16.900518 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 25201 win 16800
16:37:16.998908 IP 67.18.72.194.80 > 192.168.8.20.1038: . 25201:26601(1400) ack 158 win 6432
16:37:17.009997 IP 67.18.72.194.80 > 192.168.8.20.1038: . 26601:28001(1400) ack 158 win 6432
16:37:17.010057 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 28001 win 16800
16:37:17.021100 IP 67.18.72.194.80 > 192.168.8.20.1038: . 28001:29401(1400) ack 158 win 6432
16:37:17.021191 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 29401 win 16800
16:37:17.065878 IP 67.18.72.194.80 > 192.168.8.20.1038: P 29401:30801(1400) ack 158 win 6432
16:37:17.076968 IP 67.18.72.194.80 > 192.168.8.20.1038: . 30801:32201(1400) ack 158 win 6432
16:37:17.077029 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 32201 win 16800
16:37:17.088071 IP 67.18.72.194.80 > 192.168.8.20.1038: . 32201:33601(1400) ack 158 win 6432
16:37:17.099191 IP 67.18.72.194.80 > 192.168.8.20.1038: . 33601:35001(1400) ack 158 win 6432
16:37:17.099272 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 35001 win 16800
16:37:17.110620 IP 67.18.72.194.80 > 192.168.8.20.1038: P 35001:36401(1400) ack 158 win 6432
16:37:17.155445 IP 67.18.72.194.80 > 192.168.8.20.1038: . 36401:37801(1400) ack 158 win 6432
16:37:17.155521 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 37801 win 16800
16:37:17.166484 IP 67.18.72.194.80 > 192.168.8.20.1038: . 37801:39201(1400) ack 158 win 6432
16:37:17.177583 IP 67.18.72.194.80 > 192.168.8.20.1038: . 39201:40601(1400) ack 158 win 6432
16:37:17.177670 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 40601 win 16800
16:37:17.188704 IP 67.18.72.194.80 > 192.168.8.20.1038: . 40601:42001(1400) ack 158 win 6432
16:37:17.274306 IP 67.18.72.194.80 > 192.168.8.20.1038: . 42001:43401(1400) ack 158 win 6432
16:37:17.274367 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 43401 win 16800
16:37:17.285370 IP 67.18.72.194.80 > 192.168.8.20.1038: . 43401:44801(1400) ack 158 win 6432
16:37:17.285463 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 44801 win 16800
16:37:17.296487 IP 67.18.72.194.80 > 192.168.8.20.1038: P 44801:46201(1400) ack 158 win 6432
16:37:17.341256 IP 67.18.72.194.80 > 192.168.8.20.1038: . 46201:47601(1400) ack 158 win 6432
16:37:17.341330 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 47601 win 16800
16:37:17.352346 IP 67.18.72.194.80 > 192.168.8.20.1038: . 47601:49001(1400) ack 158 win 6432
16:37:17.363450 IP 67.18.72.194.80 > 192.168.8.20.1038: . 49001:50401(1400) ack 158 win 6432
16:37:17.363531 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 50401 win 16800
16:37:17.374928 IP 67.18.72.194.80 > 192.168.8.20.1038: . 50401:51801(1400) ack 158 win 6432
16:37:17.386018 IP 67.18.72.194.80 > 192.168.8.20.1038: . 51801:53201(1400) ack 158 win 6432
16:37:17.386072 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 53201 win 16800
16:37:17.397106 IP 67.18.72.194.80 > 192.168.8.20.1038: . 53201:54601(1400) ack 158 win 6432
16:37:17.397183 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 54601 win 16800
16:37:17.408215 IP 67.18.72.194.80 > 192.168.8.20.1038: P 54601:56001(1400) ack 158 win 6432
16:37:17.419694 IP 67.18.72.194.80 > 192.168.8.20.1038: . 56001:57401(1400) ack 158 win 6432
16:37:17.419754 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 57401 win 16800
16:37:17.438308 IP 67.18.72.194.80 > 192.168.8.20.1038: . 57401:58801(1400) ack 158 win 6432
16:37:17.449743 IP 67.18.72.194.80 > 192.168.8.20.1038: . 58801:60201(1400) ack 158 win 6432
16:37:17.449807 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 60201 win 16800
16:37:17.460861 IP 67.18.72.194.80 > 192.168.8.20.1038: . 60201:61601(1400) ack 158 win 6432
16:37:17.500226 IP 192.168.8.20.1039 > 84.37.8.0.445: S 3035265630:3035265630(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.500450 IP 192.168.8.20.1040 > 84.37.8.1.445: S 3856728270:3856728270(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.500643 IP 192.168.8.20.1041 > 84.37.8.2.445: S 765492335:765492335(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.500835 IP 192.168.8.20.1042 > 84.37.8.3.445: S 147923373:147923373(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.501022 IP 192.168.8.20.1043 > 84.37.8.4.445: S 2802799929:2802799929(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.501209 IP 192.168.8.20.1044 > 84.37.8.5.445: S 1214868291:1214868291(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.501400 IP 192.168.8.20.1045 > 84.37.8.6.445: S 2202547603:2202547603(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.501586 IP 192.168.8.20.1046 > 84.37.8.7.445: S 602283761:602283761(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.501773 IP 192.168.8.20.1047 > 84.37.8.8.445: S 2814247400:2814247400(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.501968 IP 192.168.8.20.1048 > 84.37.8.9.445: S 620157481:620157481(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.502160 IP 192.168.8.20.1049 > 84.37.8.10.445: S 3645255065:3645255065(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.502353 IP 192.168.8.20.1050 > 84.37.8.11.445: S 2155734800:2155734800(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.502548 IP 192.168.8.20.1051 > 84.37.8.12.445: S 2466078532:2466078532(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.502741 IP 192.168.8.20.1052 > 84.37.8.13.445: S 1126046938:1126046938(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.502932 IP 192.168.8.20.1053 > 84.37.8.14.445: S 1135769687:1135769687(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.503123 IP 192.168.8.20.1054 > 84.37.8.15.445: S 4146536228:4146536228(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.503309 IP 192.168.8.20.1055 > 84.37.8.16.445: S 4120221541:4120221541(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.503498 IP 192.168.8.20.1056 > 84.37.8.17.445: S 1873008558:1873008558(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.503691 IP 192.168.8.20.1057 > 84.37.8.18.445: S 4262648085:4262648085(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.503888 IP 192.168.8.20.1058 > 84.37.8.19.445: S 2735550317:2735550317(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.504074 IP 192.168.8.20.1059 > 84.37.8.20.445: S 2902928983:2902928983(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.504266 IP 192.168.8.20.1060 > 84.37.8.21.445: S 1689528393:1689528393(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.504457 IP 192.168.8.20.1061 > 84.37.8.22.445: S 685181512:685181512(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.504651 IP 192.168.8.20.1062 > 84.37.8.23.445: S 210648633:210648633(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.504843 IP 192.168.8.20.1063 > 84.37.8.24.445: S 872930358:872930358(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.504943 IP 67.18.72.194.80 > 192.168.8.20.1038: . 61601:63001(1400) ack 158 win 6432
16:37:17.504992 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 63001 win 16800
16:37:17.505123 IP 192.168.8.20.1064 > 84.37.8.25.445: S 3899208759:3899208759(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.505324 IP 192.168.8.20.1065 > 84.37.8.26.445: S 2252784871:2252784871(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.505514 IP 192.168.8.20.1066 > 84.37.8.27.445: S 4288492192:4288492192(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.505708 IP 192.168.8.20.1067 > 84.37.8.28.445: S 2840071996:2840071996(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.505897 IP 192.168.8.20.1068 > 84.37.8.29.445: S 2345680006:2345680006(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.506092 IP 192.168.8.20.1069 > 84.37.8.30.445: S 4043280991:4043280991(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.506305 IP 192.168.8.20.1070 > 84.37.8.31.445: S 3835849550:3835849550(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.515800 IP 192.168.8.20.1071 > 84.130.10.0.445: S 2669572492:2669572492(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.516016 IP 192.168.8.20.1072 > 84.130.10.1.445: S 1198815219:1198815219(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.516215 IP 192.168.8.20.1073 > 84.130.10.2.445: S 1601763822:1601763822(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.516417 IP 192.168.8.20.1074 > 84.130.10.3.445: S 2948984401:2948984401(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.516609 IP 192.168.8.20.1075 > 84.130.10.4.445: S 3751054845:3751054845(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.516801 IP 192.168.8.20.1076 > 84.130.10.5.445: S 2171254685:2171254685(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.516909 IP 67.18.72.194.80 > 192.168.8.20.1038: . 63001:64401(1400) ack 158 win 6432
16:37:17.516989 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 64401 win 16800
16:37:17.517768 IP 192.168.8.20.1077 > 84.130.10.6.445: S 3714692150:3714692150(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.518026 IP 192.168.8.20.1078 > 84.130.10.7.445: S 3243016884:3243016884(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.518237 IP 192.168.8.20.1079 > 84.130.10.8.445: S 70431217:70431217(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.518435 IP 192.168.8.20.1080 > 84.130.10.9.445: S 2772288605:2772288605(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.518629 IP 192.168.8.20.1081 > 84.130.10.10.445: S 3808174140:3808174140(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.518830 IP 192.168.8.20.1082 > 84.130.10.11.445: S 48506366:48506366(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.519032 IP 192.168.8.20.1083 > 84.130.10.12.445: S 3514509193:3514509193(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.519225 IP 192.168.8.20.1084 > 84.130.10.13.445: S 4077866370:4077866370(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.519415 IP 192.168.8.20.1085 > 84.130.10.14.445: S 3285623426:3285623426(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.519608 IP 192.168.8.20.1086 > 84.130.10.15.445: S 641134694:641134694(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.519800 IP 192.168.8.20.1087 > 84.130.10.16.445: S 3192055438:3192055438(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.519997 IP 192.168.8.20.1088 > 84.130.10.17.445: S 1016452396:1016452396(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.520195 IP 192.168.8.20.1089 > 84.130.10.18.445: S 1927240549:1927240549(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.520393 IP 192.168.8.20.1090 > 84.130.10.19.445: S 3876888211:3876888211(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.520594 IP 192.168.8.20.1091 > 84.130.10.20.445: S 625427570:625427570(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.520792 IP 192.168.8.20.1092 > 84.130.10.21.445: S 329022687:329022687(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.520984 IP 192.168.8.20.1093 > 84.130.10.22.445: S 4270432408:4270432408(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.521185 IP 192.168.8.20.1094 > 84.130.10.23.445: S 1061377774:1061377774(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.521382 IP 192.168.8.20.1095 > 84.130.10.24.445: S 336228015:336228015(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.521580 IP 192.168.8.20.1096 > 84.130.10.25.445: S 3634782826:3634782826(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.522198 IP 192.168.8.20.1097 > 84.130.10.26.445: S 865223503:865223503(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.522463 IP 192.168.8.20.1098 > 84.130.10.27.445: S 1806211400:1806211400(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.522677 IP 192.168.8.20.1099 > 84.130.10.28.445: S 1558466897:1558466897(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.522883 IP 192.168.8.20.1100 > 84.130.10.29.445: S 1927597928:1927597928(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.523087 IP 192.168.8.20.1101 > 84.130.10.30.445: S 3100775921:3100775921(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.523287 IP 192.168.8.20.1102 > 84.130.10.31.445: S 1269845595:1269845595(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.528964 IP 67.18.72.194.80 > 192.168.8.20.1038: P 64401:65801(1400) ack 158 win 6432
16:37:17.531493 IP 192.168.8.20.1103 > 84.37.8.0.445: S 147617722:147617722(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.531727 IP 192.168.8.20.1104 > 84.37.8.1.445: S 254543166:254543166(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.531927 IP 192.168.8.20.1105 > 84.37.8.2.445: S 3085461527:3085461527(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.532123 IP 192.168.8.20.1106 > 84.37.8.3.445: S 3520574531:3520574531(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.532322 IP 192.168.8.20.1107 > 84.37.8.4.445: S 264268272:264268272(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.532525 IP 192.168.8.20.1108 > 84.37.8.5.445: S 1679755712:1679755712(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.532724 IP 192.168.8.20.1109 > 84.37.8.6.445: S 50680858:50680858(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.532929 IP 192.168.8.20.1110 > 84.37.8.7.445: S 3638241063:3638241063(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.533129 IP 192.168.8.20.1111 > 84.37.8.8.445: S 1792697281:1792697281(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.533331 IP 192.168.8.20.1112 > 84.37.8.9.445: S 1642091570:1642091570(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.533527 IP 192.168.8.20.1113 > 84.37.8.10.445: S 2669248669:2669248669(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.533729 IP 192.168.8.20.1114 > 84.37.8.11.445: S 1844293197:1844293197(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.533927 IP 192.168.8.20.1115 > 84.37.8.12.445: S 1482769539:1482769539(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.534125 IP 192.168.8.20.1116 > 84.37.8.13.445: S 1957593209:1957593209(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.534322 IP 192.168.8.20.1117 > 84.37.8.14.445: S 1334864799:1334864799(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.534519 IP 192.168.8.20.1118 > 84.37.8.15.445: S 2298848681:2298848681(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.534715 IP 192.168.8.20.1119 > 84.37.8.16.445: S 2333754445:2333754445(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.534913 IP 192.168.8.20.1120 > 84.37.8.17.445: S 2816731867:2816731867(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.535115 IP 192.168.8.20.1121 > 84.37.8.18.445: S 3852793860:3852793860(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.535310 IP 192.168.8.20.1122 > 84.37.8.19.445: S 2178286606:2178286606(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.535509 IP 192.168.8.20.1123 > 84.37.8.20.445: S 2991004002:2991004002(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.535759 IP 192.168.8.20.1124 > 84.37.8.21.445: S 481812305:481812305(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.535968 IP 192.168.8.20.1125 > 84.37.8.22.445: S 190542849:190542849(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.536165 IP 192.168.8.20.1126 > 84.37.8.23.445: S 1778748913:1778748913(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.536363 IP 192.168.8.20.1127 > 84.37.8.24.445: S 872887012:872887012(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.536561 IP 192.168.8.20.1128 > 84.37.8.25.445: S 2054379788:2054379788(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.536755 IP 192.168.8.20.1129 > 84.37.8.26.445: S 917559556:917559556(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.536946 IP 192.168.8.20.1130 > 84.37.8.27.445: S 2587120128:2587120128(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.537139 IP 192.168.8.20.1131 > 84.37.8.28.445: S 4220411515:4220411515(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.537336 IP 192.168.8.20.1132 > 84.37.8.29.445: S 2150326718:2150326718(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.537533 IP 192.168.8.20.1133 > 84.37.8.30.445: S 3942010194:3942010194(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.537723 IP 192.168.8.20.1134 > 84.37.8.31.445: S 2612472803:2612472803(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.540894 IP 67.18.72.194.80 > 192.168.8.20.1038: . 65801:67201(1400) ack 158 win 6432
16:37:17.540959 IP 192.168.8.20.1038 > 67.18.72.194.80: . ack 67201 win 16800
16:37:17.547075 IP 192.168.8.20.1135 > 84.130.8.0.445: S 160434757:160434757(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.547291 IP 192.168.8.20.1136 > 84.130.8.1.445: S 2816246310:2816246310(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.547495 IP 192.168.8.20.1137 > 84.130.8.2.445: S 3691121155:3691121155(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.547689 IP 192.168.8.20.1138 > 84.130.8.3.445: S 3291637847:3291637847(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.547888 IP 192.168.8.20.1139 > 84.130.8.4.445: S 1623972475:1623972475(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.548079 IP 192.168.8.20.1140 > 84.130.8.5.445: S 3991145985:3991145985(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.548322 IP 192.168.8.20.1141 > 84.130.8.6.445: S 2860099757:2860099757(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.548538 IP 192.168.8.20.1142 > 84.130.8.7.445: S 3539943426:3539943426(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.548740 IP 192.168.8.20.1143 > 84.130.8.8.445: S 2086104268:2086104268(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.548943 IP 192.168.8.20.1144 > 84.130.8.9.445: S 2932374010:2932374010(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.549145 IP 192.168.8.20.1145 > 84.130.8.10.445: S 2409801429:2409801429(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.549347 IP 192.168.8.20.1146 > 84.130.8.11.445: S 2322439681:2322439681(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.549545 IP 192.168.8.20.1147 > 84.130.8.12.445: S 3834996261:3834996261(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.549741 IP 192.168.8.20.1148 > 84.130.8.13.445: S 1038458180:1038458180(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.549936 IP 192.168.8.20.1149 > 84.130.8.14.445: S 1063908792:1063908792(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.550136 IP 192.168.8.20.1150 > 84.130.8.15.445: S 121926690:121926690(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.550337 IP 192.168.8.20.1151 > 84.130.8.16.445: S 385040266:385040266(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.550537 IP 192.168.8.20.1152 > 84.130.8.17.445: S 703993082:703993082(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.550735 IP 192.168.8.20.1153 > 84.130.8.18.445: S 1861704659:1861704659(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.550981 IP 192.168.8.20.1154 > 84.130.8.19.445: S 2502649294:2502649294(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.551197 IP 192.168.8.20.1155 > 84.130.8.20.445: S 2253335936:2253335936(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.551407 IP 192.168.8.20.1156 > 84.130.8.21.445: S 4155773687:4155773687(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.551609 IP 192.168.8.20.1157 > 84.130.8.22.445: S 317721460:317721460(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.551811 IP 192.168.8.20.1158 > 84.130.8.23.445: S 262477304:262477304(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.552012 IP 192.168.8.20.1159 > 84.130.8.24.445: S 3710394553:3710394553(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.552205 IP 192.168.8.20.1160 > 84.130.8.25.445: S 4159032005:4159032005(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.552404 IP 192.168.8.20.1161 > 84.130.8.26.445: S 2564417506:2564417506(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.552608 IP 192.168.8.20.1162 > 84.130.8.27.445: S 3378558376:3378558376(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:17.552812 IP 192.168.8.20.1163 > 84.130.8.28.445: S 1299938648:1299938648(0) win 16384 <mss 1460,nop,nop,sackOK>


and so on...

Furthermore, I saw activity on my port 135 yesterday.

I would be very grateful if someone could tell me
1. what this is all about, and
2. how I can clean my computer of (hopefully) everything bad.

Seb.Albert
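The capture above shows a recognisable sequence: a DNS lookup, an outbound connection to a high port, an HTTP download, and then a burst of SYNs to TCP/445 across consecutive addresses from a single source. The following script is an added example (not from the post or from WinDump) that parses WinDump/tcpdump 3.x text output in that format and pulls out exactly those two indicators: the names the host resolved, and any source that sent SYNs to one port at many distinct destinations within a short window. The embedded sample is constructed to mirror the shape of the post's capture; the hostnames and target addresses are placeholders (RFC 2606 / RFC 5737 ranges), not the ones that appear in the log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "IP src.port > dst.port: S ..." lines that WinDump/tcpdump 3.x
# prints for outbound SYNs (connection attempts).
SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): S "
)

# Matches "A? name." queries sent to a resolver on UDP/53.
DNS_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.53: "
    r"\d+\+ A\? (?P<name>\S+)\. "
)

# Constructed sample capture in the post's format: two DNS lookups, a connection
# to a high port, one to HTTP, then a burst of SYNs to TCP/445 across a /27.
# Names and addresses are placeholders, not the ones in the post.
SAMPLE = """\
16:37:12.880272 IP 192.168.8.20.1034 > 192.168.8.1.53: 30582+ A? c2.example.invalid. (35)
16:37:14.031870 IP 192.168.8.20.1035 > 203.0.113.10.18067: S 3426812347:3426812347(0) win 16384 <mss 1460,nop,nop,sackOK>
16:37:15.935916 IP 192.168.8.20.1037 > 192.168.8.1.53: 32880+ A? dl.example.invalid. (37)
16:37:15.973312 IP 192.168.8.20.1038 > 198.51.100.7.80: S 3528227341:3528227341(0) win 16384 <mss 1460,nop,nop,sackOK>
""".splitlines()
# 32 SYNs to .445, one per address, 200 microseconds apart (as dense as the post's sweep).
SAMPLE += [
    "16:37:17.%06d IP 192.168.8.20.%d > 192.0.2.%d.445: S 1:1(0) win 16384 <mss 1460,nop,nop,sackOK>"
    % (500226 + 200 * i, 1039 + i, i)
    for i in range(32)
]


def parse_ts(text):
    return datetime.strptime(text, "%H:%M:%S.%f")


def dns_queries(lines):
    """Hostnames the capture shows being resolved, in order of appearance."""
    return [m.group("name") for m in map(DNS_RE.match, lines) if m]


def find_syn_sweeps(lines, port=445, min_targets=20, window=timedelta(seconds=5)):
    """Map source IP -> sorted distinct destinations, for every source that sent
    SYNs to `port` at >= min_targets distinct hosts inside any `window`."""
    events = defaultdict(list)
    for line in lines:
        m = SYN_RE.match(line)
        if m and int(m.group("dport")) == port:
            events[m.group("src")].append((parse_ts(m.group("ts")), m.group("dst")))
    sweeps = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window so that evs[start..end] all fall within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {dst for _, dst in evs[start:end + 1]}
            if len(targets) >= min_targets:
                sweeps.setdefault(src, set()).update(targets)
    return {src: sorted(t) for src, t in sweeps.items()}


def report(lines):
    out = ["Resolved names: " + ", ".join(dns_queries(lines))]
    for src, targets in find_syn_sweeps(lines).items():
        out.append("%s sent SYNs to TCP/445 at %d distinct hosts (%s ... %s)"
                   % (src, len(targets), targets[0], targets[-1]))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Feed it a real WinDump text dump (`windump -n` output saved to a file, one line per packet) and the resolved names give you what to block at the router or in hosts, while the sweep report tells you which internal host to pull off the network first. The threshold of 20 distinct targets in 5 seconds is an assumption chosen for this example; a normal workstation never opens SMB sessions to dozens of unrelated public addresses in that time.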
#2
Guest_thatman_*
Hi Seb.Albert

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install Ad-Aware SE.
Click here for how to set it up and use it; please make sure you update it first. Don't run it yet.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Download the Ewido trojan and malware remover: http://www.ewido.net/en/download/
This setup contains both the free and the plus version of the ewido security suite. After installation, a free 14-day trial containing all the extensions of the plus version will be activated. At the end of the trial, the plus extensions are deactivated and the freeware version can be used indefinitely. A purchased licence code for the plus version can be entered at any time.
Ewido will auto-update. Don't run it yet.

Download CWShredder (there is a link in my signature), unzip it, and save it on the Desktop. Please do not run it yet, though.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run Ewido full scan. Save the scan.log and post the log.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and when it finishes, put a check in the boxes only next to the following items:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\7.tmp
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe

Click on Fix Checked when finished and exit HijackThis.

Run Ad-Aware SE and let it remove all it finds.

Run CWShredder to fix your CWS problem.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove.

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer (Yes.)
C:\WINNT\system32\7.tmp
C:\WINNT\web\related.htm
C:\WINNT\system32\ssl.exe


Let the system reboot as normal.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!: http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the prefetch folder and the recycle bin. When the scan has finished, click the close button.
When prompted, the system will log off to let it clean out the remaining files. When the logon screen shows, log back on and continue the fix.

Please run the following free, online virus scans.
http://enterprises.p...l_companies.htm
Please post the log From Panda virus scan. We will need them to remove previous infections that have left files on your system.

Run HijackThis and post the new log.


Kc :tazz:

#3
Seb.Albert (Topic Starter)
Thank you.

There was no prefetch folder.

The lovely program CleanUp! (mind the irony) began deleting my whole folder called "tmp" which is actually not a temp file folder of any program but a folder with many of my own data. I cancelled it.

Furthermore, I do not want to run that online scan. I'm not interested in giving away email addresses and so on.

Here's the HijackThis log; ssl.exe returned somehow, and the O9 lines you asked me to fix were not even there.

Logfile of HijackThis v1.99.1
Scan saved at 22:36:51, on 25.08.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINNT\system32\svchost.exe
C:\Programme\ewido\security suite\ewidoctrl.exe
C:\Programme\ewido\security suite\ewidoguard.exe
C:\Programme\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
F:\Install\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - Startup: WinDump.exe.lnk = F:\Install\windump.bat
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programme\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Programme\ICQ\ICQ.exe
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O14 - IERESET.INF: START_PAGE_URL=about:blank
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124805765406
O17 - HKLM\System\CCS\Services\Tcpip\..\{15D1F46F-8A2D-4269-BA40-97BD0F3C53F9}: NameServer = 192.168.8.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{15D1F46F-8A2D-4269-BA40-97BD0F3C53F9}: NameServer = 192.168.8.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{15D1F46F-8A2D-4269-BA40-97BD0F3C53F9}: NameServer = 192.168.8.1
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programme\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programme\ewido\security suite\ewidoguard.exe
O23 - Service: MySQL - Unknown owner - C:\Programme\MySQL\MySQL.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)

And here's the log from ewido:

---------------------------------------------------------
ewido security suite - Scan Report
---------------------------------------------------------

+ Erstellt am: 21:15:55, 25.08.2005
+ Report-Checksumme: 5223AB57

+ Scanergebnis:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Gesäubert mit Backup
C:\WINNT\system32\.exe -> Backdoor.IRCBot.ex : Gesäubert mit Backup
C:\WINNT\system32\ssl.exe -> Backdoor.IRCBot.ex : Gesäubert mit Backup


::Report Ende

(I removed a very long list of nothing but cookies)

Seb.Albert
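The two HijackThis logs above are where the helper spotted the infection: an O4 Run entry launching a `.tmp` from system32 and a service named "Microsoft SSL" with no known owner. As an added example (not the thread's own tool), here is a Python checker that applies exactly those two heuristics to constructed sample lines taken from the logs; the rules and the `(file missing)` annotation logic are assumptions about what a triage script should flag.

```python
import re

# Constructed sample: a few O4/O23 lines copied from the two HijackThis logs in the thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\7.tmp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: MySQL - Unknown owner - C:\Programme\MySQL\MySQL.exe (file missing)
"""

# O4 lines read "... : [name] command"; O23 lines read "Service: name - owner - path".
O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

def audit_hjt(text):
    """Return [(section, name, reason)] for entries matching two heuristics from the
    thread: an O4 Run entry that launches a .tmp file, and an O23 service with no
    known owner whose binary lives in system32 (noting when the file is already gone)."""
    findings = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m and re.search(r"\.tmp(\s|$)", m["cmd"], re.IGNORECASE):
            findings.append(("O4", m["name"], "Run entry launches a .tmp file: " + m["cmd"]))
            continue
        m = O23_RE.match(line)
        if m and m["owner"] == "Unknown owner" and "\\system32\\" in m["path"].lower():
            reason = "unknown-owner service in system32: " + m["path"]
            if "(file missing)" in m["path"]:
                # The binary was deleted but the service registration survived; it will
                # be recreated or re-run if the dropper is still around (as in post #3).
                reason += " [binary removed but service still registered]"
            findings.append(("O23", m["name"], reason))
    return findings

if __name__ == "__main__":
    for section, name, reason in audit_hjt(HJT_SAMPLE):
        print(f"{section} {name!r}: {reason}")
```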

#4
Guest_thatman_* (Guest)
Hi Seb.Albert

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install AD-Aware se.
Check here on how to set up and use it: http://russelltexas.com/malware/adawarese/adawarese.htm - please make sure you update it first. Don't run yet.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Please download SpyBot V1.4: http://www.majorgeek...wnload2471.html Update the program, then run it.

Important Step
Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
Service: Microsoft SSL (ssl)
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don't find this service listed, go ahead with the next steps.

Reboot into Safe Mode: Please see here if you are not sure how to do this.

Run Ewido full scan. Save the scan.log.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.<--XP only

Please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes only next to the following items:
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
Click on Fix Checked when finished and exit HijackThis.

Run Ad-Aware SE and let it remove all it finds.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove.

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINNT\system32\ssl.exe

Let the system reboot as normal.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the log From Panda virus scan. We will need them to remove previous infections that have left files on your system.

Run HijackThis and post the new log.

Kc :tazz:

#5
Guest_thatman_* (Guest)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.