I have it all and I need help!


  • This topic is locked

#1 Babs cabs (Member, 17 posts)

Hi

I posted here a few times but never got any support. Please, someone reply.

My laptop is a mess. Beeping, shutting down, [bleep] links in the start menu etc., blue screens, can't open apps, no memory, and the list goes on.

I used AVG, Spybot, Ad-aware, Stinger and they all found lots of bad stuff, but it still goes on.

Here is my Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:16:58 AM, on 11/27/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\WINNT\modlb.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\system32\slserv.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINNT\Explorer.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OSA9.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Colomba O'Doherty\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [NeroFilter] NeroFilterCheck.EXE
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\System32\winIogon.exe
O4 - HKLM\..\Run: [msresearch] c:\windows\msresearch.exe
O4 - HKLM\..\Run: [sp2update] c:\windows\sp2update00.exe
O4 - HKLM\..\Run: [Browser Help Svc] BHSV.EXE
O4 - HKLM\..\Run: [FRISK FP-Scheduler] "C:\Program Files\FSI\F-Prot\F-Sched.exe" STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] NeroFilter.EXE
O4 - HKLM\..\RunServices: [Internet Help Svc] IHSVC.EXE
O4 - HKLM\..\RunServices: [NeroFilter] NeroFilterCheck.EXE
O4 - HKLM\..\RunServices: [Windows Update Drive] drives.exe
O4 - HKLM\..\RunServices: [Browser Help Svc] BHSV.EXE
O4 - HKLM\..\RunServices: [NeroFil] NeroFil.EXE
O4 - HKLM\..\RunServices: [NeroCheck] NeroFilter.EXE
O4 - HKCU\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKCU\..\Run: [Browser Help Svc] BHSV.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [NeroFil] NeroFil.EXE
O4 - HKCU\..\Run: [NeroCheck] NeroFilter.EXE
O4 - HKCU\..\RunServices: [Internet Help Svc] IHSVC.EXE
O4 - HKCU\..\RunServices: [Browser Help Svc] BHSV.EXE
O4 - HKCU\..\RunServices: [NeroFil] NeroFil.EXE
O4 - HKCU\..\RunServices: [NeroCheck] NeroFilter.EXE
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFF0D385-2B0B-4C49-A161-5C025E1858CD}: NameServer = 194.74.65.68 194.72.0.114
O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\lrrmonui.dll (file missing)
O21 - SSODL: rEbVonvD - {BCF01F6F-165A-B5C5-EF42-A70EA80E1289} - C:\WINNT\System32\wdef.dll (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINNT\System32\wuapi.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Mod Libary (modlb) - Unknown owner - C:\WINNT\modlb.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


#2 Babs cabs (Topic Starter, Member, 17 posts)

PS: I am using win 2000 pro.

#3 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)

Hello Colomba and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple-identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual's settings, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have quite a mixture of malware and Trojans that need to be eradicated. Let’s see what we can do with the first sweep.

You appear to have four antivirus programmes running in real time, AVG7, F-Prot, BitDefender and AVPersonal. This practice is not recommended as they will cause conflicts and slow everything down. Please uninstall three of them.

I note that you are running HijackThis from Desktop; please create a new folder for it (for example C:\Program Files\Hijackthis\Hijackthis.exe) and move the programme into it. It is very important you do this before anything else since backup files can be deleted if they are not within their own folder!

Firstly, could you please disable Spyware Doctor from running during the fix; it may just hinder our attempts to change anything.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CCleaner
Ewido Security Suite

Go to Start>Run and type Services.msc then hit OK
Scroll down and find this service:

Mod Libary (modlb)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service; a window will pop up. Enter this item into that field (copy and paste):

modlb

Click OK.

It should pull up information about the service; when it asks if you want to reboot now, click YES.

Install Ewido Security Suite.
  • Install Ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
    • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates
Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

Launch Ewido, there should be an icon on your desktop, double-click it.
  • The programme will now open to the main screen.
  • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK.
Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop and include it in your reply.
Now close Ewido security suite.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\System32\winIogon.exe
O4 - HKLM\..\Run: [msresearch] c:\windows\msresearch.exe
O4 - HKLM\..\Run: [sp2update] c:\windows\sp2update00.exe
O4 - HKLM\..\Run: [Browser Help Svc] BHSV.EXE
O4 - HKLM\..\RunServices: [Internet Help Svc] IHSVC.EXE
O4 - HKLM\..\RunServices: [Browser Help Svc] BHSV.EXE
O4 - HKLM\..\RunServices: [NeroFil] NeroFil.EXE
O4 - HKCU\..\Run: [NeroFil] NeroFil.EXE
O4 - HKCU\..\RunServices: [Internet Help Svc] IHSVC.EXE
O4 - HKCU\..\RunServices: [Browser Help Svc] BHSV.EXE
O4 - HKCU\..\RunServices: [NeroFil] NeroFil.EXE
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\lrrmonui.dll (file missing)
O21 - SSODL: rEbVonvD - {BCF01F6F-165A-B5C5-EF42-A70EA80E1289} - C:\WINNT\System32\wdef.dll (file missing)
O23 - Service: Mod Libary (modlb) - Unknown owner - C:\WINNT\modlb.exe

Now close all windows other than HiJackThis, then click Fix Checked.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these files (if present) using Windows Explorer:

BHSV.EXE
IHSVC.EXE
NeroFil.EXE

(use Search to find these files)


Close Windows Explorer and Reboot normally

Please install Killbox by Option^Explicit.
  • Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
  • In the Killbox programme, select the Delete on Reboot option.
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINNT\modlb.exe
C:\WINNT\System32\winIogon.exe
c:\windows\msresearch.exe
c:\windows\sp2update00.exe
c:\ex.cab
c:\eied_s7.cab

  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the System tab, then click Analyze > Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues, then Scan for issues, then Fix selected issues.

Post back a fresh HijackThis log (from normal mode) and I will take another look. (2 logs)
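The entries Crustyoldbloke singles out above can be checked mechanically: look-alike filenames such as winIogon.exe (capital I for lower-case l) and spooIsv.exe, a c:\windows path on a machine whose running processes all live under C:\WINNT, RunServices keys, ActiveX controls registered from a local file:// cab, a service of "Unknown owner" dropped straight into the system root, and hooks marked "(file missing)". The script below is an added example and is not part of the original thread or of HijackThis. The list of impersonated system binaries and the confusable-glyph map are assumptions kept short for illustration; the sample log is constructed from a handful of lines taken from the logs in this thread plus one benign O16 control line with a made-up GUID and example.com URL.

```python
"""Heuristic triage of a HijackThis log (added example, not the thread's own tool)."""
import re

# Windows system binaries that malware likes to impersonate with look-alike
# names. Assumption: a short illustrative list, not an exhaustive one.
SYSTEM_BINARIES = {
    "winlogon.exe", "spoolsv.exe", "svchost.exe", "lsass.exe",
    "csrss.exe", "services.exe", "smss.exe", "explorer.exe",
}
# Glyphs that pass for one another in the fonts Explorer and HijackThis use.
# Applied before lower-casing, so a capital I folds into a lower-case l.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]*\}(?: \([^)]*\))? - (?P<url>\S+)")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.*?) - (?P<path>.+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample: lines taken from the logs in this thread plus one benign
# O16 control line (made-up GUID and example.com URL).
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\spooIsv.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\System32\winIogon.exe
O4 - HKLM\..\Run: [msresearch] c:\windows\msresearch.exe
O4 - HKLM\..\RunServices: [Internet Help Svc] IHSVC.EXE
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Control) - http://example.com/ctl.cab
O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\lrrmonui.dll (file missing)
O23 - Service: Mod Libary (modlb) - Unknown owner - C:\WINNT\modlb.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""

def executable_of(cmd):
    """Program part of a Run-key command line: the quoted path or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return (cmd.split() or [""])[0]

def basename(path):
    return path.rsplit("\\", 1)[-1]

def lookalike_of(filename):
    """The system binary a filename impersonates, or None if it is genuine."""
    folded = filename.translate(CONFUSABLES).lower()
    if folded in SYSTEM_BINARIES and filename.lower() not in SYSTEM_BINARIES:
        return folded
    return None

def system_root(lines):
    """%SystemRoot% as seen in the smss.exe entry under 'Running processes'."""
    for line in lines:
        if PATH_RE.match(line) and basename(line).lower() == "smss.exe":
            return line.lower().split("\\system32\\")[0]
    return None

def triage(log_text):
    """Return (section, reason, line) for every log line that trips a heuristic."""
    lines = [l.strip() for l in log_text.splitlines()]
    root = system_root(lines)
    hits = []
    for line in lines:
        if PATH_RE.match(line):                       # 'Running processes' entry
            fake = lookalike_of(basename(line))
            if fake:
                hits.append(("PROC", f"{basename(line)} impersonates {fake}", line))
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            fake = lookalike_of(basename(exe))
            if fake:
                hits.append(("O4", f"{basename(exe)} impersonates {fake}", line))
            if m.group("key").startswith("RunServices"):
                hits.append(("O4", "RunServices is a Windows 9x/Me startup key, "
                                   "not processed by NT-based Windows", line))
            parts = exe.lower().split("\\")
            if root and len(parts) > 2 and parts[1] in ("windows", "winnt") \
                    and not exe.lower().startswith(root + "\\"):
                hits.append(("O4", f"{parts[0]}\\{parts[1]} is not the system root {root}", line))
            continue
        m = O16_RE.match(line)
        if m and m.group("url").lower().startswith("file://"):
            hits.append(("O16", "ActiveX control registered from a local file:// cab", line))
        if line.startswith(("O20", "O21", "O23")) and line.endswith("(file missing)"):
            hits.append((line[:3], "hook or service points at a file that is gone", line))
        m = O23_RE.match(line)
        if m:
            path = m.group("path").split('"')[0].replace(" (file missing)", "")
            if m.group("owner") == "Unknown owner" and path.lower().rsplit("\\", 1)[0] == root:
                hits.append(("O23", "service of unknown owner dropped directly in the system root", line))
    return hits

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run as-is it reports seven findings for the sample; pass the text of a full log to triage() for the same report on a real one. A "(file missing)" hit on its own is only an orphaned registry entry; what matters is whether the entry comes back after the fix, which is why a fresh log is asked for afterwards.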

#4 Babs cabs (Topic Starter, Member, 17 posts)

Hi Crusty!

Thank you for responding!

I downloaded Killbox, Ewido and CCleaner and followed your instructions but had a few problems: BitDefender could not be removed?? Go to Start>Run and type Services.msc then hit OK (the Start and Stop are not active – I selected disable?).

I am on Win 2000 Pro (service pack 1972!). Really old, I think 2000.

My new logs:

Logfile of HijackThis v1.99.1
Scan saved at 2:21:26 PM, on 11/18/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\explorer.exe
C:\Program Files\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [NeroFilter] NeroFilterCheck.EXE
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\System32\winIogon.exe
O4 - HKLM\..\Run: [msresearch] c:\windows\msresearch.exe
O4 - HKLM\..\Run: [sp2update] c:\windows\sp2update00.exe
O4 - HKLM\..\Run: [Browser Help Svc] BHSV.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] NeroFilter.EXE
O4 - HKLM\..\RunServices: [Internet Help Svc] IHSVC.EXE
O4 - HKLM\..\RunServices: [NeroFilter] NeroFilterCheck.EXE
O4 - HKLM\..\RunServices: [Windows Update Drive] drives.exe
O4 - HKLM\..\RunServices: [Browser Help Svc] BHSV.EXE
O4 - HKLM\..\RunServices: [NeroFil] NeroFil.EXE
O4 - HKLM\..\RunServices: [NeroCheck] NeroFilter.EXE
O4 - HKCU\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKCU\..\Run: [Browser Help Svc] BHSV.EXE
O4 - HKCU\..\Run: [NeroFil] NeroFil.EXE
O4 - HKCU\..\Run: [NeroCheck] NeroFilter.EXE
O4 - HKCU\..\RunServices: [Internet Help Svc] IHSVC.EXE
O4 - HKCU\..\RunServices: [Browser Help Svc] BHSV.EXE
O4 - HKCU\..\RunServices: [NeroFil] NeroFil.EXE
O4 - HKCU\..\RunServices: [NeroCheck] NeroFilter.EXE
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\lrrmonui.dll (file missing)
O21 - SSODL: rEbVonvD - {BCF01F6F-165A-B5C5-EF42-A70EA80E1289} - C:\WINNT\System32\wdef.dll (file missing)
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINNT\System32\wuapi.exe (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


And:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:19:17 PM, 11/18/2005
+ Report-Checksum: 27960FCF

+ Scan result:

HKLM\SOFTWARE\PSGuard.com -> Spyware.PSGuard : Error during cleaning
HKLM\SOFTWARE\PSGuard.com\PSGuard -> Spyware.PSGuard : Error during cleaning
HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard -> Spyware.PSGuard : Error during cleaning
HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard\License -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Application Data\PSGuard.com -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Application Data\PSGuard.com\P.S.Guard -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Application Data\PSGuard.com\P.S.Guard\Autorun -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Application Data\PSGuard.com\P.S.Guard\Autorun\HKCURun -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Application Data\PSGuard.com\P.S.Guard\Autorun\HKCURun\RunOnce -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Application Data\PSGuard.com\P.S.Guard\Autorun\HKCURun\RunOnceEx -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Application Data\PSGuard.com\P.S.Guard\Autorun\HKLMRun -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Application Data\PSGuard.com\P.S.Guard\Autorun\HKLMRun\RunOnce -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Application Data\PSGuard.com\P.S.Guard\Autorun\HKLMRun\RunOnceEx -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Application Data\PSGuard.com\P.S.Guard\Autorun\StartMenuAllUsers -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Application Data\PSGuard.com\P.S.Guard\Autorun\StartMenuCurrentUser -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Application Data\PSGuard.com\P.S.Guard\BrowserObjects -> Spyware.PSGuard : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Cookies\colomba o'[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Cookies\colomba o'doherty@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Cookies\colomba o'doherty@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Cookies\colomba o'doherty@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\WINNT\Cookies\colomba o'[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINNT\Cookies\colomba o'doherty@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\WINNT\Cookies\colomba o'doherty@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\WINNT\Cookies\colomba o'[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\WINNT\Cookies\colomba o'doherty@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\WINNT\Cookies\colomba o'[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINNT\Cookies\colomba o'[email protected][2].txt -> Spyware.Cookie.Etracker : Cleaned with backup
C:\WINNT\system32\TFTP544 -> Backdoor.Rbot : Cleaned with backup


::Report End



Thank you again for the help!!! PayPal is on its way!!!

#5 Crustyoldbloke (Old Malware Surgeon with a shaky scalpel, Retired Staff, 15,131 posts)

Hello Colomba

Before I start analysing your latest HJT log, please run another HJT scan in normal mode and resubmit the log it produces. The one you have supplied is either taken from safe mode or we have got real problems.

#6 Babs cabs (Topic Starter, Member, 17 posts)

Real problems? I think so...anyway here is the log in normal mode:

Logfile of HijackThis v1.99.1
Scan saved at 4:08:27 PM, on 11/18/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINNT\Explorer.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\spooIsv.exe
C:\index2.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\Welcome.exe
C:\WINNT\System32\dssspd.exe
C:\WINNT\System32\dssspd.exe
C:\WINNT\TEMP\ei.exe
C:\windows\mrjj.exe
C:\Program Files\Internet Optimizer\optimize.exe
c:\windows\adtech2005.exe
C:\Program Files\aehr\ucet.exe
C:\WINNT\TEMP\MediaGateway.exe
C:\WINNT\Q29sb21iYSBPJ0RvaGVydHk\command.exe
C:\WINNT\System32\netddesrv.exe
C:\WINNT\explorer.exe
C:\Program Files\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll
O2 - BHO: imGiantObj Class - {00000062-2E5F-4AF7-986E-5B64E0951A96} - C:\WINNT\imGiant.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\System32\WinNB57.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\System32\WinNB57.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [NeroFilter] NeroFilterCheck.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] NeroFilter.EXE
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spooIsv.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [W\:C] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [timessquare] c:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] c:\windows\adtech2005.exe
O4 - HKLM\..\RunServices: [Internet Help Svc] IHSVC.EXE
O4 - HKLM\..\RunServices: [NeroFilter] NeroFilterCheck.EXE
O4 - HKLM\..\RunServices: [Windows Update Drive] drives.exe
O4 - HKLM\..\RunServices: [Browser Help Svc] BHSV.EXE
O4 - HKLM\..\RunServices: [NeroFil] NeroFil.EXE
O4 - HKLM\..\RunServices: [NeroCheck] NeroFilter.EXE
O4 - HKCU\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKCU\..\Run: [NeroFil] NeroFil.EXE
O4 - HKCU\..\Run: [NeroCheck] NeroFilter.EXE
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...artload114a.exe
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-mo...bs/joysaver.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=2117
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFF0D385-2B0B-4C49-A161-5C025E1858CD}: NameServer = 194.74.65.68 194.72.0.114
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINNT\System32\wuapi.exe (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Q29sb21iYSBPJ0RvaGVydHk\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINNT\System32\netddesrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
  • 0

#7
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Colomba

This PC is in a bit of a mess by the looks of things.

Go to Start>Run and type Services.msc then hit OK
Scroll down and find this service:

Service: Command Service (cmdService)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service; a window will pop up. Enter this item into that field (copy and paste):

cmdService

Click OK.

It should pull up information about the service; when it asks if you want to reboot now, click YES.

Download NoahDfear's smitRem.exe and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark or tick next to each of the following items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dll
O2 - BHO: imGiantObj Class - {00000062-2E5F-4AF7-986E-5B64E0951A96} - C:\WINNT\imGiant.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\System32\WinNB57.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\System32\WinNB57.dll
O4 - HKLM\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spooIsv.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [W\:C] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [timessquare] c:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] c:\windows\adtech2005.exe
O4 - HKLM\..\RunServices: [Internet Help Svc] IHSVC.EXE
O4 - HKLM\..\RunServices: [Browser Help Svc] BHSV.EXE
O4 - HKLM\..\RunServices: [NeroFil] NeroFil.EXE
O4 - HKCU\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKCU\..\Run: [NeroFil] NeroFil.EXE
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...artload114a.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=2117
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Q29sb21iYSBPJ0RvaGVydHk\command.exe


Click Fix checked

Please Open Killbox by Option^Explicit.
  • Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
  • In the Killbox programme, select the Delete on Reboot option.
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINNT\System32\spooIsv.exe
C:\WINNT\System32\dssspd.exe
C:\WINNT\TEMP\ei.exe
C:\windows\mrjj.exe
C:\Program Files\Internet Optimizer\optimize.exe
c:\windows\adtech2005.exe
C:\WINNT\TEMP\MediaGateway.exe
C:\WINNT\Q29sb21iYSBPJ0RvaGVydHk\command.exe
C:\WINNT\System32\netddesrv.exe
C:\WINNT\nem220.dll
C:\WINNT\imGiant.dll
C:\Program Files\E2G\IeBHOs.dll
C:\WINNT\System32\WinNB57.dll
c:\windows\timessquare.exe

  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Using Windows Explorer, locate the following files, and delete them:

IHSVC.EXE
NeroFil.EXE
BHSV.EXE


Exit Windows Explorer

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

I recommend going to the following link and update as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

Please reply with a new HijackThis Log and the contents of the smitfiles.txt log
  • 0

#8
Babs cabs

    Member

  • Topic Starter
  • Member
  • 17 posts
Hi Phil,

Below are my new logs. Also, in Start, Run etc. I couldn’t find Service: Command Service (cmdService).

IHSVC.EXE
NeroFil.EXE
BHSV.EXE

Could not be found.

Ad-Aware found over 100 new critical objects.

What next? Thanks.



smitRem © log file
version 2.7

by noahdfear


Microsoft Windows 2000 [Version 5.00.2195]
The current date is: Sat 11/19/2005
The current time is: 8:51:37.10

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key present!



Running LTDFix/PSGuard.com fix!



PSGuard.com key was successfully removed! :tazz:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

warnhp.html


~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)




Logfile of HijackThis v1.99.1
Scan saved at 8:28:38 AM, on 11/19/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\netddesrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\WINNT\explorer.exe
C:\Program Files\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000062-2E5F-4AF7-986E-5B64E0951A96} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [NeroFilter] NeroFilterCheck.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] NeroFilter.EXE
O4 - HKLM\..\Run: [MSN service] msmsgr.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\System32\Isass.exe
O4 - HKLM\..\Run: [F ma] C:\windows\mrjj.exe
O4 - HKLM\..\RunServices: [NeroFilter] NeroFilterCheck.EXE
O4 - HKLM\..\RunServices: [Windows Update Drive] drives.exe
O4 - HKLM\..\RunServices: [NeroCheck] NeroFilter.EXE
O4 - HKLM\..\RunServices: [MSN service] msmsgr.exe
O4 - HKCU\..\Run: [NeroCheck] NeroFilter.EXE
O4 - HKCU\..\Run: [tramre] C:\WINNT\System32\tramre.exe
O4 - HKCU\..\Run: [Ulel] "C:\Program Files\aehr\ucet.exe" -vt mt
O4 - HKCU\..\RunOnce: [tramre] C:\WINNT\System32\tramre.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-mo...bs/joysaver.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINNT\System32\wuapi.exe (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINNT\System32\netddesrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
  • 0

#9
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Colomba

It is looking a little better with each sweep.

You should be able to update your system quite safely now, and you have to have the security patches downloaded and working to continue.

You can download the patches from a variety of websites, but I recommend going to the following link and updating as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer: Microsoft Update. Without the patches, you will just keep getting picked off by the amount of malware out on the web. You will need to protect up to SP4.

Go to Start>Run and type Services.msc then hit OK
Scroll down and find this service:

NetDDE Server (NetDDEsrv)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service; a window will pop up. Enter this item into that field (copy and paste):

NetDDEsrv

Click OK.

It should pull up information about the service; when it asks if you want to reboot now, click YES.

Right click on this link Del 015 Domains.inf and choose Save (link) As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000062-2E5F-4AF7-986E-5B64E0951A96} - (no file)
O4 - HKLM\..\Run: [Internet Help Svc] IHSVC.EXE
O4 - HKLM\..\Run: [MSN service] msmsgr.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\System32\Isass.exe
O4 - HKLM\..\Run: [F ma] C:\windows\mrjj.exe
O4 - HKLM\..\RunServices: [MSN service] msmsgr.exe
O4 - HKCU\..\Run: [tramre] C:\WINNT\System32\tramre.exe
O4 - HKCU\..\RunOnce: [tramre] C:\WINNT\System32\tramre.exe
O15 - Trusted Zone: *.popuppers.com
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINNT\System32\netddesrv.exe

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these files (if present) using Windows Explorer:

IHSVC.EXE (use search to find these files)
msmsgr.exe

Close Windows Explorer and Reboot normally

Please install Killbox by Option^Explicit.
  • Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
  • In the Killbox programme, select the Delete on Reboot option.
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINNT\System32\netddesrv.exe
C:\WINNT\System32\Isass.exe
C:\windows\mrjj.exe
C:\WINNT\System32\tramre.exe

  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Post back a fresh HijackThis log (from normal mode) and I will take another look.
  • 0
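Added here as an example, not code from the helper or from any tool named in this thread: a small Python check that scans HijackThis O4 and O23 lines for executable names that imitate Windows system processes, the trick behind the spooIsv.exe and Isass.exe entries above (a capital I standing in for a lowercase l). The sample log lines are copied from the logs posted in this thread; the homoglyph table and the set of system process names are my own assumptions.

```python
"""Flag HijackThis O4/O23 entries whose executable name imitates a Windows
system process (spooIsv.exe with a capital I for spoolsv.exe, Isass.exe for
lsass.exe, csmss.exe for csrss.exe). Added example, not part of the thread."""
import re

# Windows 2000 system executables that entries on this thread imitate.
# The set is my own assumption; extend it for the system being examined.
SYSTEM_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe",
}

# Characters that are easy to confuse in a log viewer, folded to one form.
HOMOGLYPHS = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})
FOLDED_SYSTEM = {name.translate(HOMOGLYPHS): name for name in SYSTEM_NAMES}


def edit_distance(a, b):
    """Levenshtein distance; names are short, so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exe_name(command):
    """Lower-cased base name of the first .exe in a Run value or service path."""
    cmd = command.strip().lstrip('"')
    match = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    if not match:
        return None
    return match.group(1).rsplit("\\", 1)[-1].lower()


def lookalikes(name):
    """System names that `name` imitates. An exact system name is treated as
    legitimate (returns []); otherwise report names within one edit after
    folding confusable characters."""
    name = name.lower()
    if name in SYSTEM_NAMES:
        return []
    folded = name.translate(HOMOGLYPHS)
    return sorted(real for fold, real in FOLDED_SYSTEM.items()
                  if edit_distance(folded, fold) <= 1)


def scan_log(text):
    """Return (line, exe, imitated_names) for each suspicious O4 or O23 entry."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("O4 - ") and "] " in line:
            command = line.split("] ", 1)[1]      # text after the [label]
        elif line.startswith("O23 - Service: "):
            command = line.rsplit(" - ", 1)[1]    # the path is the last field
        else:
            continue
        exe = exe_name(command)
        hits = lookalikes(exe) if exe else []
        if hits:
            findings.append((line, exe, hits))
    return findings


# Constructed sample: six lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spooIsv.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\System32\Isass.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Windows Terminal Services - Unknown owner - C:\WINNT\csmss.exe
"""

if __name__ == "__main__":
    for line, exe, hits in scan_log(SAMPLE_LOG):
        print(f"{exe} imitates {', '.join(hits)}:\n    {line}")
```

The three look-alike entries are reported and the legitimate NVIDIA, BitDefender and RUNDLL32 lines are not; an exact system name in an unexpected directory is a separate check this block does not make.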

#10
Babs cabs

    Member

  • Topic Starter
  • Member
  • 17 posts
Hi Phil,

I followed your instructions and it took hours… my machine is now running really slow and crashes a lot. The link for the Windows service pack updates didn’t work. Do you know another one?


What’s next?

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:09:49 AM, on 11/20/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\Perfhmon.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\csmss.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINNT\Explorer.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\winamp.exe
C:\WINNT\System32\taskmngrs.exe
C:\WINNT\System32\CTHELPR.EXE
C:\WINNT\System32\ctmon.exe
C:\WINNT\System32\mmsvc32.exe
C:\Program Files\aehr\ucet.exe
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\explorer.exe
C:\Program Files\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: imGiantObj Class - {00000062-2E5F-4AF7-986E-5B64E0951A96} - C:\WINNT\imGiant.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [NeroFilter] NeroFilterCheck.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] NeroFilter.EXE
O4 - HKLM\..\Run: [Winamp Agent] C:\WINNT\System32\winamp.exe
O4 - HKLM\..\Run: [MICROSFT MX UPDATE SUPPORT] taskmngrs.exe
O4 - HKLM\..\Run: [CTHELPR.EXE] CTHELPR.EXE
O4 - HKLM\..\Run: [CT Monitor] ctmon.exe
O4 - HKLM\..\Run: [Microsoft Network Services Controller] C:\WINNT\System32\mmsvc32.exe
O4 - HKLM\..\RunServices: [NeroFilter] NeroFilterCheck.EXE
O4 - HKLM\..\RunServices: [Windows Update Drive] drives.exe
O4 - HKLM\..\RunServices: [NeroCheck] NeroFilter.EXE
O4 - HKLM\..\RunServices: [MICROSFT MX UPDATE SUPPORT] taskmngrs.exe
O4 - HKLM\..\RunServices: [CTHELPR.EXE] CTHELPR.EXE
O4 - HKLM\..\RunServices: [CT Monitor] ctmon.exe
O4 - HKCU\..\Run: [NeroCheck] NeroFilter.EXE
O4 - HKCU\..\Run: [Ulel] "C:\Program Files\aehr\ucet.exe" -vt mt
O4 - HKCU\..\Run: [tramre] C:\WINNT\System32\tramre.exe
O4 - HKCU\..\RunOnce: [tramre] C:\WINNT\System32\tramre.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://promo.dollarr...artload114a.exe
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-mo...bs/joysaver.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINNT\System32\wuapi.exe (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Performance Logs (Perfhmon) - Unknown owner - C:\WINNT\System32\Perfhmon.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Windows Terminal Services - Unknown owner - C:\WINNT\csmss.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
  • 0

#11
Babs cabs

    Member

  • Topic Starter
  • Member
  • 17 posts
PS: This is my new Ewido report. It found 81 new threats.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:51:24 AM, 11/20/2005
+ Report-Checksum: A0DBB782

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CLSID -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CLSID\\ -> Spyware.E2Give : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CurVer -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control.1 -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control.1\CLSID\\ -> Spyware.E2Give : Cleaned with backup
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl\Clsid -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/MediaTicketsInstaller.ocx\\.Owner -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/MediaTicketsInstaller.ocx\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/mfc42.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/msvcrt.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/System32/olepro32.dll\\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
[540] C:\WINNT\System32\Perfhmon.exe -> Backdoor.Codbot.ap : Cleaned with backup
[10016] C:\Program Files\E2G\IeBHOs.dll -> Spyware.E2Give : Cleaned with backup
C:\!KillBox\modlb.exe -> Backdoor.SdBot.aic : Cleaned with backup
C:\!KillBox\netddesrv.exe -> Backdoor.Codbot.at : Cleaned with backup
C:\!KillBox\spooIsv.exe -> Backdoor.PoeBot.b : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Cookies\colomba o'[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Cookies\colomba o'[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Cookies\colomba o'[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Local Settings\Temp\MediaGateway.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Local Settings\Temporary Internet Files\Content.IE5\6J2RGHXP\drsmartload_js[1].htm -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Local Settings\Temporary Internet Files\Content.IE5\6J2RGHXP\mtrslib2[1].js -> TrojanDownloader.Small.ag : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Local Settings\Temporary Internet Files\Content.IE5\CV7YA7PS\drsmartload114a[1].exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\Documents and Settings\Colomba O'Doherty\Local Settings\Temporary Internet Files\Content.IE5\R49N0T1P\joysaver[1].cab/mm83.ocx -> TrojanDownloader.VB.ov : Error during cleaning
C:\Documents and Settings\Colomba O'Doherty\Local Settings\Temporary Internet Files\Content.IE5\R49N0T1P\MediaGateway[1].exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Default User.WINNT\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\1CDKF0FI\timessquare[1].exe -> Spyware.Hijacker.StartPage.aw : Cleaned with backup
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\9Y35KTIL\876029[1].exe -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\9Y35KTIL\bridge-c18[1].cab/MediaGatewayX.dll -> Spyware.WinAD : Error during cleaning
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\9Y35KTIL\drsmartload[1].exe -> Spyware.SmartLoad : Cleaned with backup
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\9Y35KTIL\joysaver[1].cab/mm83.ocx -> TrojanDownloader.VB.ov : Error during cleaning
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\9Y35KTIL\mte3ndi6odoxng[1].exe -> TrojanDownloader.Small.buy : Cleaned with backup
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\9Y35KTIL\optimize[1].exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\MJ31N8WA\drsmartload114a[1].exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\MJ31N8WA\mrj[1].exe/mrjj.exe -> Trojan.LowZones.am : Error during cleaning
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\MJ31N8WA\pi1_25[1].exe -> TrojanDownloader.Small.afq : Cleaned with backup
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\VE6KMRWI\adtech2005[1].exe -> Trojan.VB.afn : Cleaned with backup
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\VE6KMRWI\drsmartload_js[1].htm -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\VE6KMRWI\ei[1].exe -> TrojanDownloader.Small.bgl : Cleaned with backup
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\VE6KMRWI\MediaGateway[1].exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\VE6KMRWI\mtrslib2[1].js -> TrojanDownloader.Small.ag : Cleaned with backup
C:\drsmartload.exe -> Spyware.SmartLoad : Cleaned with backup
C:\drsmartload1.exe -> Spyware.SmartLoad : Cleaned with backup
C:\index2.exe -> Trojan.LowZones.cq : Cleaned with backup
C:\mte3ndi6odoxng.exe -> TrojanDownloader.Small.buy : Cleaned with backup
C:\pbs.exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\Program Files\E2G\IeBHOs.dll -> Spyware.E2Give : Cleaned with backup
C:\Program Files\hijack this\backups\backup-20051119-082758-211.dll -> Spyware.E2Give : Cleaned with backup
C:\Program Files\hijack this\backups\backup-20051119-082758-849.dll -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\S-1-5-21-73586283-507921405-854245398-1000\Dc1.exe -> Backdoor.Rbot.aeu : Cleaned with backup
C:\windows\adtech2005.exe -> Trojan.VB.afn : Cleaned with backup
C:\windows\timessquare.exe -> Spyware.Hijacker.StartPage.aw : Cleaned with backup
C:\WINNT\876029.exe -> Adware.SaveNow : Cleaned with backup
C:\WINNT\Downloaded Program Files\MediaGatewayX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINNT\Downloaded Program Files\mm83.ocx -> TrojanDownloader.VB.ov : Cleaned with backup
C:\WINNT\F ma.exe/mrjj.exe -> Trojan.LowZones.am : Error during cleaning
C:\WINNT\imGiant.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\optimize.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\WINNT\pi1_25.exe -> TrojanDownloader.Small.afq : Cleaned with backup
C:\WINNT\system32\drivers\etc\hosts -> Trojan.Qhost : Cleaned with backup
C:\WINNT\system32\eraseme_18116.exe -> Backdoor.SdBot.aic : Cleaned with backup
C:\WINNT\system32\eraseme_32887.exe -> Backdoor.SdBot.aic : Cleaned with backup
C:\WINNT\system32\eraseme_63251.exe -> Backdoor.SdBot.aic : Cleaned with backup
C:\WINNT\system32\oslh.exe -> Backdoor.PoeBot.b : Cleaned with backup
C:\WINNT\system32\osxsjva.exe -> Backdoor.PoeBot.b : Cleaned with backup
C:\WINNT\system32\Perfhmon.exe -> Backdoor.Codbot.ap : Cleaned with backup
C:\WINNT\system32\pwwb.exe -> Backdoor.PoeBot.b : Cleaned with backup
C:\WINNT\system32\rdriv.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\WINNT\system32\sflsxmwn.exe -> Backdoor.PoeBot.b : Cleaned with backup
C:\WINNT\system32\Sygate.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINNT\system32\taskmngrs.exe -> Backdoor.Rbot.afk : Cleaned with backup
C:\WINNT\system32\winamp.exe -> Backdoor.PoeBot.b : Cleaned with backup
C:\WINNT\system32\wincntrl.exe -> Backdoor.Rbot.ahp : Cleaned with backup
C:\WINNT\Temp\drev.exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\WINNT\Temp\ICD1.tmp\MediaGatewayX.dll -> Spyware.WinAD : Cleaned with backup
C:\WINNT\TNN.exe/mrjj.exe -> Trojan.LowZones.am : Cleaned with backup


::Report End

#12
Babs cabs
Member, Topic Starter, 17 posts
Oops, and my BitDefender report:


//-----------------------------------------------------------------
//
// Product: BitDefender 8 Free Edition
// Version: 8.0
//
// Created on: 20/11/2005 12:26:35
//
//-----------------------------------------------------------------


Statistics

Scan path : C:\
Folders : 4291
Files : 280298
Archives : 9060
Packed files : 27854
Identified viruses : 11
Infected files : 19
Warnings : 0
Suspect files : 0
Disinfected files : 0
Deleted files : 2
Copied files : 0
Moved files : 10
Renamed files : 0
I/O errors : 18
Scan time : 01:42:29
Scan speed (files/sec) : 45

Virus definitions : 233876
Scan plugins : 13
Archive plugins : 39
Unpack plugins : 4
Mail plugins : 6
System plugins : 1

Scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: vscan.log
[ ] Append to existing report

Summary:

C:\Documents and Settings\Colomba O'Doherty\Local Settings\Temporary Internet Files\Content.IE5\6J2RGHXP\index2[1].htm Infected HTML.MediaTickets.A
C:\Documents and Settings\Colomba O'Doherty\Local Settings\Temporary Internet Files\Content.IE5\6J2RGHXP\index2[1].htm Disinfection failed
C:\Documents and Settings\Colomba O'Doherty\Local Settings\Temporary Internet Files\Content.IE5\6J2RGHXP\index2[1].htm Moved
C:\Documents and Settings\Colomba O'Doherty\Local Settings\Temporary Internet Files\Content.IE5\R49N0T1P\joysaver[1].cab=>mm83.ocx Infected Trojan.Downloader.VB.R
C:\Documents and Settings\Colomba O'Doherty\Local Settings\Temporary Internet Files\Content.IE5\R49N0T1P\joysaver[1].cab=>mm83.ocx Disinfection failed
C:\Documents and Settings\Colomba O'Doherty\Local Settings\Temporary Internet Files\Content.IE5\R49N0T1P\joysaver[1].cab=>mm83.ocx Move failed
C:\Documents and Settings\Colombina O'Doherty\Local Settings\Application Data\Identities\{9C7F974E-BBB1-428E-8F76-2633EE1100EC}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 2)=>[Subject: Thank you!][Date: Wed, 19 Mar 2003 14:20:30 -0000]=>(MIME part)=>thank_you.pif Infected Win32.Sobig.F@mm
C:\Documents and Settings\Colombina O'Doherty\Local Settings\Application Data\Identities\{9C7F974E-BBB1-428E-8F76-2633EE1100EC}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 2)=>[Subject: Thank you!][Date: Wed, 19 Mar 2003 14:20:30 -0000]=>(MIME part)=>thank_you.pif Deleted
C:\Documents and Settings\Colombina O'Doherty\Local Settings\Application Data\Identities\{9C7F974E-BBB1-428E-8F76-2633EE1100EC}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 2)=>[Subject: Thank you!][Date: Wed, 19 Mar 2003 14:20:30 -0000]=>(MIME part) Update
C:\Documents and Settings\Colombina O'Doherty\Local Settings\Application Data\Identities\{9C7F974E-BBB1-428E-8F76-2633EE1100EC}\Microsoft\Outlook Express\Deleted Items.dbx=>(message 2) Update
C:\Documents and Settings\Colombina O'Doherty\Local Settings\Application Data\Identities\{9C7F974E-BBB1-428E-8F76-2633EE1100EC}\Microsoft\Outlook Express\Deleted Items.dbx Update failed
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\9Y35KTIL\joysaver[1].cab=>mm83.ocx Infected Trojan.Downloader.VB.R
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\9Y35KTIL\joysaver[1].cab=>mm83.ocx Disinfection failed
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\9Y35KTIL\joysaver[1].cab=>mm83.ocx Move failed
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\MJ31N8WA\index2[1].htm Infected HTML.MediaTickets.A
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\MJ31N8WA\index2[1].htm Disinfection failed
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\MJ31N8WA\index2[1].htm Moved
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\MJ31N8WA\mrj[1].exe=>(RAR Sfx o)=>mrjj.exe Infected Trojan.Lowzones.CA
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\MJ31N8WA\mrj[1].exe=>(RAR Sfx o)=>mrjj.exe Disinfection failed
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\MJ31N8WA\mrj[1].exe=>(RAR Sfx o)=>mrjj.exe Move failed
C:\Program Files\ewido\security suite\Quarantine\fil3F.tmp=>(gzip) Infected Trojan.Qhosts.B
C:\Program Files\ewido\security suite\Quarantine\fil3F.tmp=>(gzip) Disinfection failed
C:\Program Files\ewido\security suite\Quarantine\fil3F.tmp=>(gzip) Move failed
C:\WINNT\F ma.exe=>(RAR Sfx o)=>mrjj.exe Infected Trojan.Lowzones.CA
C:\WINNT\F ma.exe=>(RAR Sfx o)=>mrjj.exe Disinfection failed
C:\WINNT\F ma.exe=>(RAR Sfx o)=>mrjj.exe Move failed
C:\WINNT\system32\csrs.exe Infected Backdoor.PoeBot.B
C:\WINNT\system32\csrs.exe Disinfection failed
C:\WINNT\system32\csrs.exe Move failed
C:\WINNT\system32\msmsgss.exe Infected Backdoor.RBot.5BB77AFB
C:\WINNT\system32\msmsgss.exe Deleted
C:\WINNT\system32\rdriv.sys Infected Trojan.Rootkit.L
C:\WINNT\system32\rdriv.sys Disinfection failed
C:\WINNT\system32\rdriv.sys Move failed
C:\WINNT\system32\spooIsv.exe Infected Backdoor.PoeBot.B
C:\WINNT\system32\spooIsv.exe Disinfection failed
C:\WINNT\system32\spooIsv.exe Moved
C:\WINNT\system32\vvuostk.exe Infected Backdoor.PoeBot.B
C:\WINNT\system32\vvuostk.exe Disinfection failed
C:\WINNT\system32\vvuostk.exe Moved
C:\WINNT\system32\winamp.exe Infected Backdoor.Poebot.B
C:\WINNT\system32\winamp.exe Disinfection failed
C:\WINNT\system32\winamp.exe Moved
C:\WINNT\system32\__delete_on_reboot__wincntrl.exe Infected Backdoor.RBot.FBU
C:\WINNT\system32\__delete_on_reboot__wincntrl.exe Disinfection failed
C:\WINNT\system32\__delete_on_reboot__wincntrl.exe Moved
C:\WINNT\Temp\~1D.tmp.exe Infected Dropped:Win32.Worm.Bobic.M
C:\WINNT\Temp\~1D.tmp.exe Disinfection failed
C:\WINNT\Temp\~1D.tmp.exe Moved
C:\WINNT\Temp\~3B.tmp.exe Infected Dropped:Win32.Worm.Bobic.M
C:\WINNT\Temp\~3B.tmp.exe Disinfection failed
C:\WINNT\Temp\~3B.tmp.exe Moved
C:\WINNT\Temp\~4F.tmp.exe Infected Dropped:Win32.Worm.Bobic.M
C:\WINNT\Temp\~4F.tmp.exe Disinfection failed
C:\WINNT\Temp\~4F.tmp.exe Moved
C:\WINNT\Temp\~50.tmp.exe Infected Dropped:Win32.Worm.Bobic.M
C:\WINNT\Temp\~50.tmp.exe Disinfection failed
C:\WINNT\Temp\~50.tmp.exe Moved


Hope this all helps!

#13
Crustyoldbloke
Old Malware Surgeon with a shaky scalpel
Retired Staff, 15,131 posts
Hello again Colomba

The link for the Windows service pack updates didn’t work. Do you know another one?

What do you mean by "doesn't work"? Do you mean the link is dead, or is it a problem to do with validation?

Please follow these instructions.

Please go HERE (Microsoft website) using Internet Explorer (not Firefox or any other browser, as they won't work).
  • Click on Windows Validation Assistant.
  • Click on the Validate Now button.
  • Be patient while the ActiveX loads; do not click on any links.
  • Read the instructions on this page while it's loading. You will be prompted to install - click YES.
  • Enter your product key, then click Continue.
  • When it says "Validation Complete", please click Continue to return to your previous activity.
  • Copy what it says and paste it here.

#14
Babs cabs
Member, Topic Starter, 17 posts
Hi,

I was able to upgrade to SP4, but I am now getting error messages that timessquare.exe has generated errors and will be closed. The same thing happens with IE.exe.

I guess I am still infected.

Also, I would like to buy new antivirus software and was thinking about AVG. Is that a good bet? It's cheaper than Norton or McAfee.

#15
Crustyoldbloke
Old Malware Surgeon with a shaky scalpel
Retired Staff, 15,131 posts
Hello again Colomba

Please reply with the text from Windows Validation Assistant and a fresh HJT log.