[sheba123]

Okay, I don't know where to start.....

As near as I can figure - someone who shall die a slow painful death turned off my Zone Alarm and it resulted in some type of infection that is affecting everything - I'm getting cannot validate ZA and WMI cannot initialize and the Postmortem Debugger keeps popping up.

I did manage- once- in safe mode to access my computer - and I was going to run all the standard checks and scans that I have used with you before and I found a whole bunch of files with the extension .t throughout my computer.

I know can get into safe mode but the only way to do anything is to open the task manager and use the run command to access any program.

My only access to you at this time is an old gateway that only has a floopy drive to save to to transfer files if necessary.

Where can I start?

[Advertisements]

Hi sheba123 and Welcome to GeekstoGo!


I cant gurantee you this system is repairable,I just recently started testing this infection with some others and it can do some real damage.

You will have to use a floopy or maybe 2,whatever it takes to get all the components listed below to the infected machine.

When you transfer these,I need you to make sure you copy the primary folder to the Root Drive (Usually C:\)

Please do not run this from the floopy drive.


This may not remove all the files that are infected but it may clean enough to get the system somewhat stable.

You must keep the infected machine off the Internet and keep shutdowns and startups to a minimum.


Right Click the Desktop and Select New--> Folder--> Name it SysClean

• Download the Sysclean Package to the folder you made.
• Next,download the Virus Pattern Files (Official Pattern Release) to your desktop from Here
• Right Click and Select Extract All to unzip the folder.
• Now,from the unzipped folder,move lpt$vpn.XXX file to the SysClean folder.
• Restart in SAFE MODE(Tap F8 when restarting)
• Open the SysClean Folder and doubleclick sysclean.com
• Be sure Automatically clean or delete detected files is checked.
• Click the Scan button to begin,please be patient,it will take a little bit to finish.
• Once complete,verify the log from the scan (SYSCLEAN.LOG) is in the SysClean folder and restart back to Normal Mode.
• Copy&Paste those results in the next reply.

Tutorial from Trend
http://esupport.tren...entID=en-125991



After SysClean has run,I need you to download DrWebs CureIt to a floopy.

I hope it will fit,Ive never tried it.

You wont be able to update it but it should have recent enough definitions to suffice.


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, mark the drives that you want to scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• Click 'Yes to all' if it asks if you want to cure/move the file.
• When the scan has finished, in the menu, click file and choose save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.

Post those 2 logs if you are able to complete the steps.

Edited by Cretemonster, 10 November 2006 - 10:02 PM.

[Wizard]

Hi sheba123 and Welcome to GeekstoGo!


I cant gurantee you this system is repairable,I just recently started testing this infection with some others and it can do some real damage.

You will have to use a floopy or maybe 2,whatever it takes to get all the components listed below to the infected machine.

When you transfer these,I need you to make sure you copy the primary folder to the Root Drive (Usually C:\)

Please do not run this from the floopy drive.


This may not remove all the files that are infected but it may clean enough to get the system somewhat stable.

You must keep the infected machine off the Internet and keep shutdowns and startups to a minimum.


Right Click the Desktop and Select New--> Folder--> Name it SysClean

• Download the Sysclean Package to the folder you made.
• Next,download the Virus Pattern Files (Official Pattern Release) to your desktop from Here
• Right Click and Select Extract All to unzip the folder.
• Now,from the unzipped folder,move lpt$vpn.XXX file to the SysClean folder.
• Restart in SAFE MODE(Tap F8 when restarting)
• Open the SysClean Folder and doubleclick sysclean.com
• Be sure Automatically clean or delete detected files is checked.
• Click the Scan button to begin,please be patient,it will take a little bit to finish.
• Once complete,verify the log from the scan (SYSCLEAN.LOG) is in the SysClean folder and restart back to Normal Mode.
• Copy&Paste those results in the next reply.

Tutorial from Trend
http://esupport.tren...entID=en-125991



After SysClean has run,I need you to download DrWebs CureIt to a floopy.

I hope it will fit,Ive never tried it.

You wont be able to update it but it should have recent enough definitions to suffice.


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, mark the drives that you want to scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• Click 'Yes to all' if it asks if you want to cure/move the file.
• When the scan has finished, in the menu, click file and choose save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.

Post those 2 logs if you are able to complete the steps.

Edited by Cretemonster, 10 November 2006 - 10:02 PM.

[sheba123]

Well,

Here's what I'm gonna have to do - I downloaded the requested files to this computer to check how big the files were- There are over 25Mbs of compressed files that would need to be transferred. I don't think the floppy option will work

I will have to sneak into work and download all of this onto a CD and bring it back here - It will take about 4 hours to get all this completed.

I have kept the infected system shut down as soon as I realized that each shutdown and restart was spreading whatever this nasty thing is.

As soon as I get back I will try this and get as much info to you as possible.

Thank you for trying to help!

[Wizard]

Do whatever you need to do!

I actually did fit the SysClean package onto a floppy.

I just made the zip folder put sysclean.com in there and then the pattern file.

Moved the compressed folder to floppy,barely fit,and then transferred to other machine.

When I went to unzip,the folder SysClean was created with sysclean.com and the pattern file.

Even if you get the data on CD,please make sure to tranfer to Root Drive of infected machine.

Crank the infected machine up into Safe Mode.

Use both SysClean and CureIt without rebooting.

Before shutting down the infected machine

Download HijackThis on the good machine,transfer to a floopy disc.

Take to the infected machine and transfer to root drive.

Scan and Save a logfile.

Transfer all 3 logs to floopy and bring back to good machine.

Post all 3 logs.

[sheba123]

Okay.... I'm back

battered and bruised but back.


I ran the sysclean and 6 1/2 hours laters I had a 25MB log file. I tried to compress it down but it still won't fit on a disk. The main virus on it showed worm. nuwar.ch. and pe_luder.a and Troj_small.ack It cleaned and deleted about 140,000 files.
Please let me know the specific parts of the log and I'll copy them and get it to you.

Now I ran HJT and Cure-it as asked and did get those logs on disk - hopefully this is not infected - I am worried about spreading it to this computer I am on now.


I have not shut down nor rebooted into safe mode at this time.


HJT says:

Logfile of HijackThis v1.99.1
Scan saved at 8:23:15 AM, on 11/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\System32\dwwin.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:/HP/REGION/start.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/HP/REGION/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://88.80.5.21/30...0...mp;m=0&vm=0
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {8c33d0d0-5261-4591-8a52-f8a6371b5553} - C:\WINDOWS\System32\bfc42u.dll
O2 - BHO: adobepnl.ADOBE_PANEL - {A40D9D65-5C09-421A-AFF8-2160D7ABD4E7} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - Startup: AutoPlay.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movi.../altpmtscab.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {666E4D35-E955-11D0-A707-000000521958} - http://ads.dropspam....aab/upgrade.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,19/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8349EA6-D911-4E6D-93C4-9DDB9A84C87C}: NameServer = 62.217.54.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC3327B8-2B86-4331-AFD7-5C51EAE90275}: NameServer = 62.217.54.69
O17 - HKLM\System\CCS\Services\Tcpip\..\{E261D78B-D5D0-4514-B3D0-AF709AD230CD}: NameServer = 62.217.54.69
O20 - AppInit_DLLs:
O20 - Winlogon Notify: bfc42u - C:\WINDOWS\SYSTEM32\bfc42u.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Cure it says:

autoplay.exe;c:\documents and settings\administrator\start menu\programs\startup;Win32.Dref;Cured.;
mdm.exe;c:\program files\common files\microsoft shared\vs7debug;Win32.Dref;Cured.;
realsched.exe;c:\program files\common files\real\update_ob;Trojan.LowZones.192;Will be cured after reboot.;
lxbrbmgr.exe;c:\program files\lexmark 3100 series;Trojan.LowZones.192;Will be cured after reboot.;
mcagent.exe;c:\program files\mcafee.com\agent;Trojan.LowZones.192;Will be cured after reboot.;
mcupdate.exe;c:\program files\mcafee.com\agent;Trojan.LowZones.192;Will be cured after reboot.;
mcupdmgr.exe;c:\program files\mcafee.com\agent;Win32.Dref;Cured.;
mcmnhdlr.exe;c:\program files\mcafee.com\vso;Trojan.LowZones.192;Will be cured after reboot.;
mcshield.exe;c:\program files\mcafee.com\vso;Win32.Dref;Cured.;
mcvsshld.exe;c:\program files\mcafee.com\vso;Trojan.LowZones.192;Will be cured after reboot.;
oasclnt.exe;c:\program files\mcafee.com\vso;Trojan.LowZones.192;Will be cured after reboot.;
msmsgs.exe;c:\program files\messenger;Win32.Dref;Cured.;
point32.exe;c:\program files\microsoft intellipoint;Trojan.LowZones.192;Will be cured after reboot.;
osa.exe;c:\program files\microsoft office\office10;Win32.Dref;Cured.;
qwdlls.exe;c:\program files\quicken;Win32.Dref;Cured.;
qttask.exe;c:\program files\quicktime;Trojan.LowZones.192;Will be cured after reboot.;
zlclient.exe;c:\program files\zone labs\zonealarm;Trojan.LowZones.192;Will be cured after reboot.;
unregmp2.exe;c:\windows\inf;Win32.Dref;Cured.;
aspnet_state.exe;c:\windows\microsoft.net\framework\v1.1.4322;Win32.Dref;Cured.;
adirss.exe;c:\windows\system32;Win32.Dref;Will be cured after reboot.;
ctfmon.exe;c:\windows\system32;Trojan.LowZones.192;Will be cured after reboot.;
dwwin.exe;c:\windows\system32;Win32.Dref;Will be cured after reboot.;
lexbces.exe;c:\windows\system32;Win32.Dref;Cured.;
mnmsrvc.exe;c:\windows\system32;Win32.Dref;Cured.;
msdtc.exe;c:\windows\system32;Win32.Dref;Cured.;
nvsvc32.exe;c:\windows\system32;Win32.Dref;Cured.;
sltchhxg.t;c:\windows\system32;Win32.Dref;Will be cured after reboot.;
wservice.exe;c:\windows\system32;Win32.Dref;Deleted.;
vsmon.exe;c:\windows\system32\zonelabs;Win32.Dref;Cured.;

Edited by sheba123, 12 November 2006 - 10:52 AM.

[sheba123]

Oops! I meant rebooted into normal mode

[Wizard]

First things first.

Does the IP seem to be correct for your location?

62.217.54.64 - 62.217.54.71
ACI Computer + Internet
Uferstr.7
D-42659 Solingen

Is the PC on or off at this point?

[sheba123]

I don't think that is the correct IP address?!?!? But I couldn't say for sure - I go through InsighBB in Illinois.


I have the PC on in safe mode and the Internet is physically disconnected from the CPU

[Wizard]

This is going to take some doing and I can promise you anything.

The machine has been severly compromised and has some nasties in there that dont play well with others.

Many applications on the machine are failing to launch because the files were cleaned but not replaced.

I have to see that SysClean log,I will send you an Private Message with an email address you can send it to.

You will have to transfer the log via a CD,do you think thats possible?

If possible,you may be able to contact me one to one on MSN Messenger and we can plan things from there.

[sheba123]

I understand - no promises

(But if you promise me anything - I may just take you up on it!LOL I've always wanted a paid vacation to an exotic locale)

Here's what I'm going to do - the compressed sysclean. log is just over 1 floppy. I will break it into two parts and attach them to the next post.

That should give you what you need.

I'll get it done as quickly as the poor thing will let me

Now, as I do this - I'm not infecting my good computer am I?

[sheba123]

Okay - I've got them compressed into Pt 1 and Pt2

[sheba123]

Okay - I've got them compressed into Pt 1 and Pt2

[sheba123]

Okay - I've got them compressed into Pt 1 and Pt2

[sheba123]

 Log_Pt1.zip   214.99KB   172 downloadsOkay - I've got them compressed into Pt 1 and Pt2

[Wizard]

Just transferring logs is fine I need you to transfer another program over and scan the machine while its in Safe Mode

The scan will take a pretty long time but I wanna be sure we find any hidden items before we do much else.

First scan is easy enough and wont take long.

Download CatchMe to disc and transfer it over to the infected machines desktop.

Instructions for usage on are the webpage,when it completes the scan successfully a log will be generated on the desktop.

Post that log in the next reply.


Download GMER from Here

Right Click the Zip and Select "Extract All"

Double Click gmer.exe to launch the program.

Once its loaded and provided it doesnt flag any rootkit activity.

Click the >>> tab to expand the gmer menu.

Click the Autostart tab and then check the box for Show All.

Click Scan and then click Copy.

Copy the results to Notepad and post them as well.


Once I get a view of all that,I should have some more instructions.

Chances are,if the machine survives,some if the applications such as your Antivirus and Firewall will have to be reinstalled.


Post all the logs and let me go through them and we will go from there.