Geeks to Go

hijackthislog - Trojan Iteka


  • This topic is locked

#1
benomoth

    Member

  • Member
  • 16 posts
I have a Dell Inspiron E1505 notebook. I use the firewall that came on it (McAfee) and since McAfee's trial ran up, I have not had good virus protection, only occasionally scanning with Adaware Personal SE and Spybot. I am a frequent music, video, and file downloader off of many sites.

About a week ago I went onto the blog site, http://xxxemofreakxxx.blogspot.com The site crashed and I restarted the computer to find out that I could not connect to the network. I downloaded AVG and downloaded definitions for AVG, Spybot, and Adaware. Did full system scans and found some labeled trojans and some worms. Instead of getting better, my firewall started to turn off. After I could not get it back on, it disconnected me from my network at school, including wireless. The Internal NIC card is off. I then got XoftSpySE v4.31 and deep scanned, finding more viruses and trojans. I deleted them all but the Trojan Iteka would come back, saying it changed the registry value, and spawning Trojan BHO NTLDRs. I have tried disabling system restore, booting up with safe mode and deep scanning, but the Trojan Iteka will not be removed.

It is located in C:\WINDOWS\system32\ntos.exe

I am in college and finals week is a week away. I cannot do most of my homework and am having serious issues without my laptop, because much of our work is online. I want to hear back from you guys before taking it to the school's IT because I do not want to have to completely wipe it clean yet.

Thank you,
Ben

Logfile of HijackThis v1.99.1
Scan saved at 12:47:41 AM, on 4/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Documents and Settings\Ben\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wooster.edu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.wooster.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wooster.edu
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\syst1f8.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
#2
Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
First click here to download LSPFix. Extract the program from the zip file and run it, and make sure you click the "I know what I'm doing" button. Select eqtldvyddwkqr.dll and, using the right-pointing 'arrows', move all instances of eqtldvyddwkqr.dll it mentions to the Remove (RHS) side, but leave everything else (it might already be over there when you open LSPFix). Click the 'Finished' button (if you exit with the X at top right nothing happens).

Download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode.
Post the results of the AVG Anti-Spyware report scan. Then do this - download SUPERAntiSpyware Home Edition (free version)
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Please paste that information here for me with a new HijackThis log.


#3
benomoth

    Member

  • Topic Starter
  • Member
  • 16 posts
Thanks a lot for the response. I did everything as you said, except that I could not update the definitions because I could not connect to the internet. Here are my logs.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:22:46 PM 4/21/2007

+ Scan result:



C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned.
:mozilla.10:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.11:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.13:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.52:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.54:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.6:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.7:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.8:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.9:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.18:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.19:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.20:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.28:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.29:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.49:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.53:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.59:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.23:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.24:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.25:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.26:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.30:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.31:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.32:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.33:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.133:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.134:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.72:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.168:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.169:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.170:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.171:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.172:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.27:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.174:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.175:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.183:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.184:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.186:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.187:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.188:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.189:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.190:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.191:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.192:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.193:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.194:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.155:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.156:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.157:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.158:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.159:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.16:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.17:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.211:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.212:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\3viechwd.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.


::Report end



SUPERAntiSpyware Scan Log
Generated 04/21/2007 at 06:02 PM

Application Version : 3.6.1000

Core Rules Database Version : 3190
Trace Rules Database Version: 1200

Scan type : Complete Scan
Total Scan Time : 01:33:25

Memory items scanned : 459
Memory threats detected : 0
Registry items scanned : 5288
Registry threats detected : 5
File items scanned : 86174
File threats detected : 3

Trojan.Downloader-RPCC
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc#DllName
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc#Asynchronous
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc#Impersonate
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rpcc#Startup

Trojan.Spam-RUCrzy
C:\PROGRAM FILES\CRAZY BROWSER\D5.EXE

Trojan.Downloader-Gen
C:\WINDOWS\SYSTEM32\NTOS.EXE

Trace.Known Threat Sources
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0TUV0P23\zc[1].htm



Logfile of HijackThis v1.99.1
Scan saved at 6:10:07 PM, on 4/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Ben\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wooster.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wooster.edu
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\syst1f8.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Thanks again!

#4 Daemon (Security Expert, Retired Staff, 4,356 posts, MVP)
You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\syst1f8.dll


Exit HijackThis when done. Reboot, rescan with HijackThis and post a new log here. Has your internet connection returned?
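The three entries Daemon lists above are one persistence trick seen from three angles: Winlogon runs every comma-separated program in the Userinit value at logon (the F2 line), a Run value relaunches the same file (the O4 line), and AppInit_DLLs loads a DLL into every process that links user32.dll (the O20 line). The following Python script is an added example, not part of the thread and not HijackThis's own logic; it reads a HijackThis 1.99 log (the sample lines are copied from the logs posted here) and flags those three patterns plus two dangling entries. The rules are mine: the Winlogon Notify hit is only a review prompt (on this machine the WgaLogon entry belongs to Windows Genuine Advantage, which Daemon did not ask to remove), and a "(file missing)" service is an orphan to clean up, not an infection.

```python
"""Flag the logon-persistence entries discussed in this thread in a
HijackThis 1.99 log.  Added example: the rules below are mine, not
HijackThis's; the sample lines are copied from the logs posted here."""
import re

# Constructed sample: lines taken from the two logs in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\syst1f8.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
"""

# The only program Userinit should launch on a default XP install.
USERINIT_OK = "c:\\windows\\system32\\userinit.exe"


def check_userinit(value):
    """Return every program chained onto Userinit besides userinit.exe.

    Winlogon runs each comma-separated entry of the Userinit value at
    logon, so malware appends itself after the real userinit.exe; the
    HijackThis fix rewrites the value back to userinit.exe alone."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != USERINIT_OK]


def exe_path(command):
    """Executable part of a Run command, with quotes and arguments removed."""
    m = re.match(r'\s*"?([^"]*?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else command.strip()


def triage(log_text):
    """Return (section, reason, log line) tuples worth acting on or reviewing."""
    findings = []
    suspect = set()  # lower-cased paths that Userinit was told to launch
    lines = log_text.splitlines()

    # Pass 1: learn the Userinit payload so Run entries can be cross-checked.
    for line in lines:
        m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)", line)
        if m:
            for extra in check_userinit(m.group(1)):
                suspect.add(extra.lower())
                findings.append(("F2", "extra program chained onto Userinit: " + extra, line))

    # Pass 2: the other entries, in log order.
    for line in lines:
        m = re.match(r"O4 - .*\\Run: \[(.+?)\] (.*)", line)
        if m:
            if exe_path(m.group(2)).lower() in suspect:
                findings.append(("O4", "Run value relaunches the Userinit payload", line))
            continue
        m = re.match(r"O20 - AppInit_DLLs: (.+)", line)
        if m and m.group(1).strip():
            # AppInit_DLLs is loaded into every process that links user32.dll;
            # it is almost never populated on a clean XP machine.
            findings.append(("O20", "AppInit_DLLs injects " + m.group(1).strip(), line))
            continue
        m = re.match(r"O20 - Winlogon Notify: (\S+) - (.*)", line)
        if m and (m.group(2).strip().endswith("\\") or "(no file)" in m.group(2)):
            findings.append(("O20", "review: Winlogon Notify package shows no DLL file", line))
            continue
        if line.startswith("O23 - Service:") and line.endswith("(file missing)"):
            findings.append(("O23", "orphaned service, binary is gone", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print("%-3s %s\n    %s" % (section, reason, line))
```

Run it against a full log pasted into SAMPLE_LOG (or read from a file) and the F2/O4/O20 AppInit hits are the lines to tick in HijackThis; the Winlogon Notify and O23 hits are for a human to look at first.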

#5 benomoth (Member, Topic Starter, 16 posts)
Ok, I moved it to C:\Hijackthis and scanned.

Fixed those 3, but with the last one there was an error creating a backup. Rebooted, and those 3 selections are gone, but the network card is still off; no internet or firewall.

Logfile of HijackThis v1.99.1
Scan saved at 1:29:49 PM, on 4/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wooster.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wooster.edu
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

#6 Daemon (Security Expert, Retired Staff, 4,356 posts, MVP)
Click here to download WinsockFix. Save it on a floppy and then transfer it to the hard disk of the affected computer. Extract the file from the zip and double click it to run it. Let me know if it helps with the internet access.

Edited by Daemon, 22 April 2007 - 03:14 PM.


#7 benomoth (Member, Topic Starter, 16 posts)
I ran WinSock and it was successful, but sadly my internal network card and firewall are still off and no network connections are showing up.

Should I send it anywhere? Anything else I could try myself?

Thanks for all your help it is very much appreciated

#8 Daemon (Security Expert, Retired Staff, 4,356 posts, MVP)
You have got the internet back?

Please download AVG Anti-Rootkit Beta from here and save it to your desktop.

Double click the file to install it. Accept the licence and follow the prompts to install and reboot. After rebooting, you should see the icon for AVG Anti-Rootkit Beta on your desktop. Double click it to open the program. You will see a window with 4 buttons at the bottom of it. Click Search For Rootkits and the program will start a scan, you will see the progress bar moving from left to right. When the scan is complete, a small window will open alerting you to the result. If anything was found, click Save Result To File and post that in your reply.

If nothing was found, please click the Perform in-depth Search saving anything found to file as before.

#9 benomoth (Member, Topic Starter, 16 posts)
No, I do not have the internet back yet.

Before I read your reply, I scanned with Xoftspy and found no Trojan Iteka, only 3 Trojan BHO NTLDRs. I deleted them and scanned with all my other virus programs, finding nothing. I ran WinSock again, restarted and still no internet. I scanned again with Xoftspy and found the 3 Trojan BHO NTLDRs again.

I rebooted and ran both searches for RootKit and found nothing.

It seems as if Trojan Iteka may be gone, but now something else is blocking me?

#10 Daemon (Security Expert, Retired Staff, 4,356 posts, MVP)
No, it appears that the malware you had has altered all your connectivity settings. Do one more scan for me:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Also, open LSPFix; there will be a Keep box and a Remove box. Post back here with the contents of both.

#11 benomoth (Member, Topic Starter, 16 posts)
That link says 404 not found. I searched all over the site. Is the file combo.exe? It says something about malware for that file.

#12 Daemon (Security Expert, Retired Staff, 4,356 posts, MVP)
Hmm... try this link instead: http://www.techsuppo...ls/combofix.exe

Post that LSPFix info also.

#13 benomoth (Member, Topic Starter, 16 posts)
Combofix would stop running after I entered Y to scan, so I rebooted into Safe Mode and did it there.

Start Time= Tue 04/24/2007 12:57:39.64

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-23 10:49:26 13312 ( A.... ) "C:\Documents and Settings\Ben\Application Data\wklnhst.dat"
2007-04-21 16:26:42 ( .D... ) "C:\Program Files\SUPERAntiSpyware"
2007-04-21 16:26:42 ( .D... ) "C:\Documents and Settings\Ben\Application Data\SUPERAntiSpyware.com"
2007-04-21 16:26:28 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
2007-04-19 15:29:16 ( .D... ) "C:\Program Files\XoftSpySE"
2007-04-17 19:09:42 ( .D... ) "C:\Program Files\MSXML 4.0"
2007-04-17 17:29:02 ( .D... ) "C:\Documents and Settings\Ben\Application Data\AVG7"
2007-04-17 17:28:26 ( .D... ) "C:\Program Files\Grisoft"
2007-04-16 17:39:02 39424 ( A.... ) "C:\WINDOWS\or3.exe"
2007-04-16 17:38:34 21504 ( A.... ) "C:\WINDOWS\system32\eqtldvyddwkqr.dll"
2007-04-16 17:38:24 8327 ( ...HR ) "C:\WINDOWS\system32\tmp_7k.exe"
2007-04-16 17:38:10 8704 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2007-04-11 16:07:40 ( .D.H. ) "C:\Documents and Settings\Ben\Application Data\Move Networks"
2007-04-03 13:48:54 13511640 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2007-03-17 09:43:02 292864 ( A.... ) "C:\WINDOWS\system32\winsrv.dll"
2007-03-09 07:28:00 248320 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"
2007-03-08 11:36:28 577536 ( A.... ) "C:\WINDOWS\system32\user32.dll"
2007-03-08 11:36:28 281600 ( A.... ) "C:\WINDOWS\system32\gdi32.dll"
2007-03-08 11:36:28 40960 ( A.... ) "C:\WINDOWS\system32\mf3216.dll"
2007-03-08 09:47:48 1843584 ( A.... ) "C:\WINDOWS\system32\win32k.sys"
2007-02-28 05:53:04 2137600 ( A.... ) "C:\WINDOWS\system32\ntoskrnl.exe"
2007-02-28 05:16:00 2017280 ( A.... ) "C:\WINDOWS\system32\ntkrnlpa.exe"
2007-02-05 16:17:02 185344 ( A.... ) "C:\WINDOWS\system32\upnphost.dll"
2007-01-29 04:58:06 60416 ( ..... ) "C:\WINDOWS\system32\tzchange.exe"
2007-01-25 08:24:58 616960 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"SigmatelSysTrayApp"="stsystra.exe"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"ShowLOMControl"=dword:00000001
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"EPSON Stylus Photo 820 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S0EIC1.EXE /P29 \"EPSON Stylus Photo 820 Series\" /O6 \"USB001\" /M \"Stylus Photo 820\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AnyDVD"="C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ModemOnHold"="C:\\Program Files\\NetWaiting\\netWaiting.exe"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"userinit"="C:\\WINDOWS\\system32\\ntos.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"userinit"="C:\\WINDOWS\\system32\\ntos.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\XoftSpySE 2.job
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: Tue 04/24/2007 13:00:28.04
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt



LSPFix had 4 things under the Keep section:

mswsock.dll (Tcpip)
winrnr.dll (NTDS)
nwprovau.dll (NWLink IPX/SPX/NetBIOS Compatible Transport Protocol)
rsvpsp.dll [(Protocol Handler)]

#14 Daemon (Security Expert, Retired Staff, 4,356 posts, MVP)
Double check some files for me - these may or may not be there:

Go to Jotti's malware scan

Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

C:\WINDOWS\or3.exe

Click on the submit button. Please post the results in your next reply.

Repeat for:

C:\WINDOWS\system32\eqtldvyddwkqr.dll

C:\WINDOWS\system32\tmp_7k.exe

Go here: http://www.bleepingc...les/sporder.php

Download sporder.dll and save it to C:\Windows\System32\
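The four files Daemon asks about are exactly the entries in the Find3M report that land under C:\WINDOWS in the days after the infection, and the Reg Loading Points section still shows ntos.exe as a "userinit" Run value under HKEY_USERS\.default and HKEY_USERS\s-1-5-18, hives the earlier HijackThis fix (which covered HKCU) did not touch. The Python script below is an added example, not ComboFix's or the thread's own code; it makes that triage repeatable. It parses the Find3M and Reg Loading Points sections (sample lines copied from the report above), keeps executables, DLLs and drivers under C:\WINDOWS modified on or after an assumed incident date of 2007-04-15 (the poster put the blog visit about a week before 22 April), and then lists Run values in any hive that launch one of those files or a payload name you pass in. The output is a review list, not a delete list: sporder.dll is also the name of a legitimate Microsoft Winsock catalog helper, which fits Daemon asking for a clean copy rather than deletion.

```python
"""Triage a ComboFix report (2007-era format) against an incident date.
Added example, not ComboFix's own logic.  Sample lines are copied from the
report posted in this thread; the 2007-04-15 cutoff is an assumption."""
import os
import re

# Constructed sample: a subset of the report posted above.
SAMPLE_REPORT = r"""
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-23 10:49:26 13312 ( A.... ) "C:\Documents and Settings\Ben\Application Data\wklnhst.dat"
2007-04-21 16:26:42 ( .D... ) "C:\Program Files\SUPERAntiSpyware"
2007-04-16 17:39:02 39424 ( A.... ) "C:\WINDOWS\or3.exe"
2007-04-16 17:38:34 21504 ( A.... ) "C:\WINDOWS\system32\eqtldvyddwkqr.dll"
2007-04-16 17:38:24 8327 ( ...HR ) "C:\WINDOWS\system32\tmp_7k.exe"
2007-04-16 17:38:10 8704 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2007-04-03 13:48:54 13511640 ( A.... ) "C:\WINDOWS\system32\MRT.exe"

((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"ShowLOMControl"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"userinit"="C:\\WINDOWS\\system32\\ntos.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"userinit"="C:\\WINDOWS\\system32\\ntos.exe"
"""

# "date time [size] ( attrs ) "path"" ; attrs is five chars such as A...., .D..., ...HR
FIND3M_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}(?: (\d+))? \( ([A-Z.]{5}) \) "(.+)"$')
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # string values only; dword lines are skipped
BINARY_EXT = {".exe", ".dll", ".sys"}


def win_basename(path):
    return path.rsplit("\\", 1)[-1]


def system_binary(path):
    """True for an executable, DLL or driver anywhere under C:\\WINDOWS."""
    low = path.lower()
    return low.startswith("c:\\windows\\") and os.path.splitext(low)[1] in BINARY_EXT


def exe_target(command):
    """Executable part of a Run command, quotes and arguments stripped."""
    m = re.match(r'\s*"?([^"]*?\.exe)', command, re.IGNORECASE)
    return m.group(1) if m else command.strip()


def triage_combofix(report, incident_date, known_payloads=()):
    """Return (kind, reason, item) tuples: kind is "file" or "registry"."""
    findings = []
    suspect = {name.lower() for name in known_payloads}

    # Pass 1: binaries under the Windows directory touched on/after the
    # incident.  ISO dates compare correctly as strings.
    for line in report.splitlines():
        m = FIND3M_RE.match(line)
        if not m:
            continue
        date, size, attrs, path = m.groups()
        if "D" in attrs or date < incident_date or not system_binary(path):
            continue
        flags = [n for c, n in (("H", "hidden"), ("R", "read-only")) if c in attrs]
        reason = "new binary in Windows dir (%s bytes%s)" % (
            size, ", " + "/".join(flags) if flags else "")
        findings.append(("file", reason, path))
        suspect.add(win_basename(path).lower())

    # Pass 2: Run values in any hive that launch one of the suspect binaries.
    key = None
    for line in report.splitlines():
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = REG_VALUE_RE.match(line)
        if not (m and key and key.lower().endswith("\\currentversion\\run")):
            continue
        name, value = m.group(1), m.group(2).replace("\\\\", "\\")
        if win_basename(exe_target(value)).lower() in suspect:
            findings.append(("registry", "Run value launches " + exe_target(value), key + "\\" + name))
    return findings


if __name__ == "__main__":
    for kind, reason, item in triage_combofix(SAMPLE_REPORT, "2007-04-15", ("ntos.exe",)):
        print("%-8s %s\n         %s" % (kind, reason, item))
```

Passing "ntos.exe" as a known payload is what surfaces the two leftover Run values; without it the script only knows the names it learned from the Find3M window, and ntos.exe is not in that window.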

#15 benomoth (Member, Topic Starter, 16 posts)
The only problem with that is I am still not online. Any way for me to do this with my roommate's computer and a jump drive?