Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

hi help about my log

Started by shinkyle , Nov 09 2006 08:45 PM

  • This topic is locked This topic is locked

#1
shinkyle
Posted 09 November 2006 - 08:45 PM

shinkyle

    New Member

  • Member
  • Pip
  • 3 posts
hi i already done the procedures in the sticky thread before posting hijacklog here's my log hope you can help me find the source of the infections

Logfile of HijackThis v1.99.1
Scan saved at 10:44:41 AM, on 11/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
C:\WINDOWS\VM303_STI.EXE
C:\WINDOWS\System32\mysvcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\gtdusyslo.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O1 - Hosts: .geohead rightside
O1 - Hosts: .geohead rightside #welcome {width:50%;display:block; float:left; text-align:left;}
O1 - Hosts: .geohead rightside #wlinks {width:50%;display:block; float:right; text-align:right;}
O1 - Hosts: <div class="adtable">
O1 - Hosts: <div class="adttl"
O1 - Hosts: <div class="addescr"
O1 - Hosts: <div class="adlink"
O1 - Hosts: <div class="adtable">
O1 - Hosts: <div class="adttl"
O1 - Hosts: <div class="addescr"
O1 - Hosts: <div class="adlink"
O1 - Hosts: <div class="adtable">
O1 - Hosts: <div class="adttl"
O1 - Hosts: <div class="addescr"
O1 - Hosts: <div class="adlink"
O1 - Hosts: <div class="adtable">
O1 - Hosts: <div class="adttl"
O1 - Hosts: <div class="addescr"
O1 - Hosts: <div class="adlink"
O1 - Hosts: - <a
O1 - Hosts: - <a
O1 - Hosts: - <a
O1 - Hosts: - <a
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [hdlpscom] regrxmpv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [hdlpscom] regrxmpv.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ZeroSpyware Lite] "C:\WINDOWS\ZeroSpyware Lite.exe" -STARTUP
O4 - HKCU\..\Run: [NetGuard Lite] "C:\WINDOWS\NetGuard Lite.exe" -STARTUP
O4 - HKCU\..\Run: [hpdlisys] C:\WINDOWS\system32\gtdusyslo.exe
O4 - HKCU\..\Run: [chsr] C:\WINDOWS\system32\lssrvc.exe
O4 - HKCU\..\Run: [vssl2] C:\WINDOWS\system32\winsrcv.exe
O4 - Global Startup: winlogin.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups...plorer1_8us.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1163123262234
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163124052015
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://account.level...Crypt/npkcx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA5DF09B-D292-4C52-B8EB-3A04E2136916}: NameServer = 58.69.254.70 58.69.254.134
O20 - AppInit_DLLs: C:\WINDOWS\System32\tmp_w5x.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: DCOM Server 2240 - {2C1CD3D7-86AC-4068-93BC-A02304BB2240} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Debug Config System - Unknown owner - C:\WINDOWS\system32\lrsys.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Process Manager - Unknown owner - C:\WINDOWS\system32\vcmon.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Microsoft Windows Man Service (Windows Man Service) - Unknown owner - C:\WINDOWS\winmgr.exe (file missing)

here is the result of the panda scan


Incident Status Location

Virus:W32/Sdbot.IQY.worm Disinfected
operating system
Adware:adware/superspider Not disinfected c:\windows\system32\a.exe
Spyware:spyware/bridge Not disinfected c:\windows\system32\bridge.dll
Adware:adware/startpage.id Not disinfected c:\msdos.exe
Adware:adware/dollarrevenue Not disinfected c:\windows\keyboard1.dat
Adware:adware/cws.searchmeup Not disinfected c:\windows\mstasks1.exe
Adware:adware/msxmidi Not disinfected c:\windows\msxmidi.exe
Adware:adware/powerstrip Not disinfected Windows Registry
Virus:trj/qhost.gen Disinfected Operating system
Adware:adware/xplugin Not disinfected Windows Registry
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Ronnie\Cookies\ronnie@apmebf[2].txt
Virus:Trj/Slaper.B Disinfected C:\Documents and Settings\Ronnie\l2.exe
Virus:Trj/Spammer.CX Disinfected C:\Documents and Settings\Ronnie\l3.exe
Possible Virus. Not disinfected C:\Documents and Settings\Ronnie\Local Settings\Temporary Internet Files\Content.IE5\Q3VGOHRS\skwonwua[1].jpg
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Common Files\{3CAFCC1B-0960-1033-0529-021223050001}\Uninst.exe
Possible Virus. Not disinfected C:\WINDOWS\dlibdunmo.exe
Possible Virus. Not disinfected C:\WINDOWS\fkosysme.exe
Possible Virus. Not disinfected C:\WINDOWS\sysms4lio.exe
Virus:W32/Sdbot.ftp.worm Disinfected C:\WINDOWS\system32\a
Virus:W32/Sdbot.ftp.worm Disinfected C:\WINDOWS\system32\i
Possible Virus. Not disinfected C:\WINDOWS\system32\systh.exe
Virus:W32/Gaobot.MHQ.worm Disinfected C:\WINDOWS\system32\TFTP1528
Possible Virus. Not disinfected C:\WINDOWS\system32\win_3l.exe
Virus:W32/IrcBot.AHF.worm Disinfected C:\WINDOWS\wlibdures.exe
  • 0

Advertisements

#2
JSntgRvr
Posted 09 November 2006 - 10:34 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
Hi, shinkyle :whistling:

Welcome to Geeks to go.

You must logon in an account with Administrative rights.

Right click Here and select "Save as" to download Dougknox regtools.vbs . Save the file to the desktop. Once downloaded, double click the VBS file. The VB Script file will check for the appropriate value and if not found will create it. If the value was found, it will be toggled to its opposite state and you will be informed that you need to log off/back on or restart your computer.

One note:
This change is made in HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System. Disabling the tools takes effect immediately. Enabling requires a restart. This script can be viewed in Notepad or any text editor, as to the specific Registry key and value that are updated. Your antivirus software may report this script as potentially malicious, or a possible virus. This is because the script writes to the System Registry.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
Please click Here to download the Spyware.Dotcomtoolbar removal tool. Once downloaded doubleclick on the FxDtcmtb.exe and follow the prompts.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [hdlpscom] regrxmpv.exe
O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe
O4 - HKLM\..\RunServices: [hdlpscom] regrxmpv.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4 - HKCU\..\Run: [ZeroSpyware Lite] "C:\WINDOWS\ZeroSpyware Lite.exe" -STARTUP
O4 - HKCU\..\Run: [NetGuard Lite] "C:\WINDOWS\NetGuard Lite.exe" -STARTUP
O4 - HKCU\..\Run: [hpdlisys] C:\WINDOWS\system32\gtdusyslo.exe
O4 - HKCU\..\Run: [chsr] C:\WINDOWS\system32\lssrvc.exe
O4 - HKCU\..\Run: [vssl2] C:\WINDOWS\system32\winsrcv.exe
O4 - Global Startup: winlogin.exe
O23 - Service: Microsoft Windows Man Service (Windows Man Service) - Unknown owner - C:\WINDOWS\winmgr.exe (file missing)

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

Go to Start->Run, type CMD and click Ok. The MSDOS window will be displayed. At the prompt type the following (Including the quotes) and press Enter after each line:

SC Stop "Windows Man Service"
SC Delete "Windows Man Service"
Exit

Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Print View

Please note any other programs that you dont recognize in that list in your next response

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\Print View
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
    C:\WINDOWS\system32\regrxmpv.exe
    C:\WINDOWS\system32\mysvcc.exe
    C:\WINDOWS\system32\regrxmpv.exe
    C:\WINDOWS\system32\mysvcc.exe
    C:\WINDOWS\regrxmpv.exe
    C:\WINDOWS\mysvcc.exe
    C:\WINDOWS\regrxmpv.exe
    C:\WINDOWS\mysvcc.exe
    C:\WINDOWS\ZeroSpyware Lite.exe
    C:\WINDOWS\NetGuard Lite.exe
    C:\WINDOWS\system32\gtdusyslo.exe
    C:\WINDOWS\system32\lssrvc.exe
    C:\WINDOWS\system32\winsrcv.exe
    C:\WINDOWS\winmgr.exe
    c:\windows\system32\a.exe
    c:\windows\system32\bridge.dll
    c:\msdos.exe
    c:\windows\keyboard1.dat
    c:\windows\mstasks1.exe
    c:\windows\msxmidi.exe
    C:\Program Files\Common Files\{3CAFCC1B-0960-1033-0529-021223050001}\Uninst.exe
    C:\WINDOWS\dlibdunmo.exe
    C:\WINDOWS\fkosysme.exe
    C:\WINDOWS\sysms4lio.exe
    C:\WINDOWS\system32\a
    C:\WINDOWS\system32\i
    C:\WINDOWS\system32\systh.exe
    C:\WINDOWS\system32\TFTP1528
    C:\WINDOWS\system32\win_3l.exe
    C:\WINDOWS\wlibdures.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Post a fresh Hijackthis log and let me know how is the computer doing?
  • 0

#3
shinkyle
Posted 10 November 2006 - 10:16 AM

shinkyle

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Hi here's my new log after i done what you ask me to do.. does my computer still has malwares in it ?
Thank you

Logfile of HijackThis v1.99.1
Scan saved at 12:19:21 AM, on 11/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
C:\WINDOWS\VM303_STI.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svcchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: .geohead rightside
O1 - Hosts: .geohead rightside #welcome {width:50%;display:block; float:left; text-align:left;}
O1 - Hosts: .geohead rightside #wlinks {width:50%;display:block; float:right; text-align:right;}
O1 - Hosts: <div class="adtable">
O1 - Hosts: <div class="adttl"
O1 - Hosts: <div class="addescr"
O1 - Hosts: <div class="adlink"
O1 - Hosts: <div class="adtable">
O1 - Hosts: <div class="adttl"
O1 - Hosts: <div class="addescr"
O1 - Hosts: <div class="adlink"
O1 - Hosts: <div class="adtable">
O1 - Hosts: <div class="adttl"
O1 - Hosts: <div class="addescr"
O1 - Hosts: <div class="adlink"
O1 - Hosts: <div class="adtable">
O1 - Hosts: <div class="adttl"
O1 - Hosts: <div class="addescr"
O1 - Hosts: <div class="adlink"
O1 - Hosts: - <a
O1 - Hosts: - <a
O1 - Hosts: - <a
O1 - Hosts: - <a
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [msvcc25] svcchost.exe
O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups...plorer1_8us.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1163123262234
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163124052015
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://account.level...Crypt/npkcx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA5DF09B-D292-4C52-B8EB-3A04E2136916}: NameServer = 58.69.254.70 58.69.254.134
O20 - AppInit_DLLs: C:\WINDOWS\System32\tmp_w5x.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: DCOM Server 2240 - {2C1CD3D7-86AC-4068-93BC-A02304BB2240} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Debug Config System - Unknown owner - C:\WINDOWS\system32\lrsys.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Process Manager - Unknown owner - C:\WINDOWS\system32\vcmon.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  • 0

#4
JSntgRvr
Posted 10 November 2006 - 12:40 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
Hi, shinkyle :blink:

does my computer still has malwares in it ?

Yes! I would let you know when the log is clear. Trust me. :whistling:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application.

Ugrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
Please click here to download HOSTER.ZIP.
  • Save it to a new folder on your desktop
  • Open the new folder and unzip the file hoster.zip
  • Run Hoster.exe
  • If your host file is marked as "read only", click the button "Make Hosts Writable"
  • Click the "Restore Original Hosts" button
  • Click OK to restore the original Hosts file
  • Click OK
  • Close The Hoster
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as Service.bat
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Once saved, double click on the Service.bat.
  • The MSDOS window will flash for a second. That is normal

SC Stop "Debug Config System"
SC Delete "Debug Config System"
SC Stop MSDisk
SC Delete MSDisk
SC Stop "Remote Process Manager"
SC Delete "Remote Process Manager"
Exit

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [msvcc25] svcchost.exe
O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\tmp_w5x.dll
O21 - SSODL: DCOM Server 2240 - {2C1CD3D7-86AC-4068-93BC-A02304BB2240} - (no file)

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\System32\svcchost.exe
    C:\WINDOWS\System32\mysvcc.exe
    C:\WINDOWS\svcchost.exe
    C:\WINDOWS\mysvcc.exe
    C:\WINDOWS\System32\tmp_w5x.dll
    C:\WINDOWS\system32\lrsys.exe
    C:\WINDOWS\System32\irdvxc.exe
    C:\WINDOWS\system32\vcmon.exe

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Post a fresh Hijackthis log.
  • 0

#5
shinkyle
Posted 10 November 2006 - 07:53 PM

shinkyle

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
thanks i've done what you said.. but im having a problem with the killbox procedure 2 files we're only showned namely
C:\WINDOWS\System32\svcchost.exe
C:\WINDOWS\System32\mysvcc.exe

while the other files that you ask me to delete.. i didn't found them even if i search them one by one
C:\WINDOWS\svcchost.exe
C:\WINDOWS\mysvcc.exe
C:\WINDOWS\System32\tmp_w5x.dll
C:\WINDOWS\system32\lrsys.exe
C:\WINDOWS\System32\irdvxc.exe
C:\WINDOWS\system32\vcmon.exe

here's my new hijack log.. anyproblem within it? thank you

Logfile of HijackThis v1.99.1
Scan saved at 10:16:23 AM, on 11/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\WINDOWS\VM303_STI.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svcchost.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [UMonit] C:\WINDOWS\System32\umonit.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [msvcc25] svcchost.exe
O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups...plorer1_8us.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1163123262234
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163124052015
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://my.levelupga...crypt/npkcx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FA5DF09B-D292-4C52-B8EB-3A04E2136916}: NameServer = 58.69.254.70 58.69.254.134
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


svcchost.exe and mysvcc.exe always comes back after i delete it.. but i can't find the source ><

Edited by shinkyle, 10 November 2006 - 08:13 PM.

  • 0

#6
JSntgRvr
Posted 15 November 2006 - 08:44 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
Hi, shinkyle :whistling:

Sorry for the delay, but somehow I did not receive an e-mail notification on your last reply.

Please post a fresh Hijackthis log and let me know how is the computer doing?
  • 0

#7
JSntgRvr
Posted 27 November 2006 - 08:16 PM

JSntgRvr

    Global Moderator

  • Global Moderator
  • 11,591 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP