'Winsys2f.dll' and 'Dump of Physical memory'


This topic is locked

#1
Andrey K
Member
I am trying to fix a friend's computer which was loaded with various malware. Using several different AVs and anti-spyware programs, I removed most of them. After those were deleted, Spy Doc keeps finding the Smitfraud-C registry value and DLL files. My current problem is not being able to run Windows in regular mode without it crashing and going to the blue 'beginning dump of physical memory' screen. The only time it is stable is when I use it in Safe Mode. Is Smitfraud tied to my crashing problem? Can someone help me out and let me know what other info you need to assist me with this?


This is for a girl who came from Russia for treatment after the 2003 Beslan school shooting, which killed more than 300 children. She is handicapped, as she was hit with a lot of shrapnel from an explosion. I really want to help her out before she leaves in Feb. Please help ASAP! Thanks to all in advance!

#2
miekiemoes
Malware Expert, MVP
Hi,

The fact that the computer bluescreens in normal mode is most probably due to the pe386 rootkit that is present, because in 90% of cases that one comes together with the Winsys2f.dll you mention in your title.

I'll need some extra logs as well, but first, perform the next step.

Download
http://www.uploads.e...et/rustbfix.exe
...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b infection is found, you will shortly afterwards be asked to reboot the computer. The reboot will probably take quite a while, and perhaps two reboots will be needed, but this will happen automatically. After the reboot two logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). I need those logs later.

Download a copy of HJTsetup.exe from here and save it to your Desktop.
  • Double click HJTsetup.exe to begin installation.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the prompts from there.
  • When HJT opens, click on the Do a system scan and save a log file button.
  • When HJT has finished scanning, a window entitled "hijackthis.log" will open - when you close this window the log will be saved into the hijackthis folder.
  • Copy and paste this into your next reply together with the logs C:\Avenger.txt and C:\rustbfix\pelog.txt (assuming Windows is installed on your C:\ drive).
Then we'll deal with the rest.
#3
Andrey K
Member (Topic Starter)
Do I do this in Safe Mode or regular? If I ever try to do anything in regular, it "bluescreens" within a couple minutes.
#4
miekiemoes
Malware Expert, MVP
Try in normal mode first; rustbfix.exe only takes a few seconds to run, and if that doesn't work, try from Safe Mode.

Normally, after a successful removal with rustbfix.exe, you should be able to stay in normal mode without bluescreening. Then scan with HijackThis in normal mode and post the log together with the other logs.

Edited by miekiemoes, 30 January 2007 - 12:19 PM.

#5
Andrey K
Member (Topic Starter)
Alright, I did the scan in normal mode right before the blue screen popped up.

Avenger.txt:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xsipruwy

*******************

Script file located at: \??\C:\Documents and Settings\diachapx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Registry key \Registry\Machine\System\CurrentControlSet\Services\huy32 not found!
Unload of driver huy32 failed!

Could not process line:
huy32
Status: 0xc0000034

Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

Rustbfix pelog:
************************* Rustock.b-fix -- By ejvindh *************************
31.01.2007 7:01:35,93

******************* Pre-run Status of system *******************

Rootkit driver huy32 is found. Starting the unload-procedure....
******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
No streams found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: PE386
YOU NEED TO CONSULT MORE ADVANCED TOOLS!!
The Gmer-rootkitscanner may be a good place to start.
Gmer rootkit-scanner may be found here: http://www.gmer.net

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 7:08:57, on 31.01.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\f2d877a2628e12df3cf3c3f5413c0f79\update\update.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ссылки
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [EPSON Stylus C65 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE /P23 "EPSON Stylus C65 Series" /O6 "USB001" /M "Stylus C65"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: winlogon - C:\Documents and Settings\All Users\Документы\Settings\winsys2f.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Документы\Settings\winsys2f.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - C:\WINDOWS\system32\imapi.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Корпорация Майкрософт - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Теневое копирование тома (VSS) - Корпорация Майкрософт - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - C:\WINDOWS\system32\wbem\wmiapsrv.exe


The laptop is installed with a Russian version of Windows XP. I hope this doesn't interfere with what you're looking for.

Thanks!
#6
miekiemoes
Malware Expert, MVP
Hi,

The fact that this is a Russian system indeed makes it a little bit harder, and that explains why legit services are also showing in your log while they don't show in other logs: this is because HijackThis has problems reading the Russian display names.

Anyway, you'll need your original HijackThis log to copy and paste some entries from, since the forum software doesn't display it properly for me.

Do the next steps please.

* Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".
Click the button: All Files (!important!)
Now it should flash green.

Now copy the next bold part:

C:\Documents and Settings\All Users\Документы\Settings\winsys2f.dll
C:\Documents and Settings\All Users\Документы\Settings\winsys2f.dll


To copy the above, copy and paste it from your original HijackThis log; you'll find it here:

O20 - Winlogon Notify: winlogon - C:\Documents and Settings\All Users\Документы\Settings\winsys2f.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Документы\Settings\winsys2f.dll

Open 'file' in the killboxmenu on top and choose Paste from clipboard

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.

Your computer should reboot now.

I really hope that these tools can handle Russian versions.

Then, after the reboot,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)
O20 - Winlogon Notify: winlogon - C:\Documents and Settings\All Users\Документы\Settings\winsys2f.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Документы\Settings\winsys2f.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

Edited by miekiemoes, 31 January 2007 - 02:57 AM.
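The two O20 lines quoted in this post are the actual persistence point: winlogon.exe loads every DLL registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify at logon, so a Notify package living under C:\Documents and Settings\... instead of system32 is a strong signal on its own, whatever subkey name it was given. The script below is an added example, not code from this thread or from HijackThis; it applies that rule, together with the "Unknown owner" and "(file missing)" checks an analyst does by eye, to HijackThis 1.99 log lines. The winsys2f.dll, Ati2evxx.exe, kavsvc.exe and googletoolbar3.dll lines are quoted from the log posted earlier in the thread; the crypt32chain line is constructed as a benign contrast, and the default C:\WINDOWS\system32 path is an assumption.

```python
import re
from dataclasses import dataclass

# Assumption: standard XP system root. Adjust if %SystemRoot% was relocated.
SYSTEM32 = "c:\\windows\\system32\\"

# Sample HijackThis v1.99.1 lines. All are quoted from the log posted in this
# thread except the crypt32chain line, which is constructed as a benign example
# of a Notify package that lives where it should.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: winlogon - C:\Documents and Settings\All Users\Документы\Settings\winsys2f.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Документы\Settings\winsys2f.dll
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll (file missing)
"""


@dataclass(frozen=True)
class Finding:
    kind: str       # HijackThis section, e.g. "O20"
    severity: str   # "suspicious", "review" or "orphan"
    path: str
    reason: str


O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def _in_system32(path: str) -> bool:
    return path.casefold().startswith(SYSTEM32)


def triage_line(line: str):
    """Return a Finding for one HijackThis line, or None if it passes."""
    line = line.strip()

    # Winlogon Notify packages: a DLL outside system32 is the Rustock/Smitfraud
    # pattern seen in this thread, regardless of the subkey name used.
    m = O20_RE.match(line)
    if m:
        path = m.group("path")
        if not _in_system32(path):
            return Finding("O20", "suspicious", path,
                           f"Winlogon Notify package '{m.group('name')}' loads a DLL from outside system32")
        return None

    # Services: "Unknown owner" means HijackThis found no company name in the
    # binary. Legitimate drivers (the ATI one here) show up this way too, so this
    # is a review item, not a verdict.
    m = O23_RE.match(line)
    if m:
        if m.group("owner").casefold() == "unknown owner":
            return Finding("O23", "review", m.group("path"),
                           f"service '{m.group('display')}' has no recognised vendor; verify the binary before acting")
        return None

    # BHOs and toolbars whose DLL is gone: harmless leftovers, safe to fix.
    if line.startswith(("O2 - ", "O3 - ")) and line.endswith("(file missing)"):
        body = line[: -len(" (file missing)")]
        path = body.rsplit(" - ", 1)[1]
        return Finding(line[:2], "orphan", path,
                       "registration points at a file that no longer exists; safe to remove")
    return None


def triage(log_text: str):
    """Run triage_line over a whole log and collect the findings in order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.kind} {f.path}\n    {f.reason}")
```

The severity split matters: the thread's own log shows a legitimate ATI service listed as "Unknown owner", so anything keyed on that string alone must be a prompt to check the file, never an automatic fix, while a Notify DLL outside system32 is worth flagging outright.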

#7
Andrey K
Member (Topic Starter)
I followed each step as you wrote them. After ComboFix was done, it just showed me the log file, but I rebooted it myself anyway. Was that the right thing to do? It seems like it's getting better though. I appreciate your help with this...

Combofix Log File:

"Orbita" - 07-02-01 5:44:33 Service Pack 2
ComboFix 07.01.31 - Running from: "C:\Documents and Settings\Orbita\Рабочий стол"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dlh9jkd1q8.exe
C:\WINDOWS\system32\test.dll
C:\WINDOWS\system32\zlbw.dll
C:\WINDOWS\dembat.tm
C:\WINDOWS\emdat.tm
C:\WINDOWS\hook.txt
C:\WINDOWS\ie-hook.txt


((((((((((((((((((((((((((((((( Files Created from 2007-01-01 to 2007-02-01 ))))))))))))))))))))))))))))))))))


2007-02-01 05:30 <DIR> d-------- C:\!KillBox
2007-01-31 09:54 <DIR> d-------- C:\WINDOWS\WBEM
2007-01-31 09:54 <DIR> d-------- C:\WINDOWS\system32\ru-ru
2007-01-31 09:50 <DIR> d--h-c--- C:\WINDOWS\ie7
2007-01-31 09:48 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2007-01-31 09:47 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-01-31 09:45 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Windows Genuine Advantage
2007-01-31 07:50 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-01-31 07:50 <DIR> d-------- C:\7ebd0360584f5b25b1e292026088bc
2007-01-31 07:32 80 --a------ C:\WINDOWS\gmer_uninstall.cmd
2007-01-31 07:08 <DIR> d-------- C:\Program Files\Hijackthis
2007-01-31 07:05 <DIR> d-------- C:\avenger
2007-01-31 07:01 <DIR> d-------- C:\Rustbfix
2007-01-30 02:09 <DIR> d-------- C:\DOCUME~1\Orbita\Application Data\PC Tools
2007-01-29 10:38 <DIR> d--hs---- C:\INCINERATE
2007-01-29 08:06 9,341 --a------ C:\WINDOWS\system32\drivers\filedisk.sys
2007-01-29 08:06 41,472 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2007-01-29 08:06 25,264 --a------ C:\WINDOWS\system32\smrgdf.exe
2007-01-29 08:06 1,212,416 --a------ C:\WINDOWS\system32\Incinerator.dll
2007-01-29 08:06 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-01-29 08:06 <DIR> d-------- C:\Program Files\Common Files\Kaspersky Lab
2007-01-29 08:06 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Kaspersky Anti-Virus Personal
2007-01-29 07:30 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-01-29 07:30 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-01-29 06:25 <DIR> d-------- C:\DOCUME~1\9335~1\Application Data\Lavasoft
2007-01-28 11:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-01-28 11:21 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-01-28 11:20 34,304 --a------ C:\WINDOWS\system32\drivers\avgntdd.sys
2007-01-28 11:20 14,848 --a------ C:\WINDOWS\system32\drivers\avgntmgr.sys
2007-01-28 11:20 <DIR> d-------- C:\Program Files\AntiVir PersonalEdition Classic
2007-01-28 11:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\AntiVir PersonalEdition Classic
2007-01-28 11:15 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-01-28 09:25 <DIR> d-------- C:\DOCUME~1\Orbita\Application Data\Lavasoft
2007-01-28 09:24 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-28 07:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-27 00:05 18,938 --a------ C:\WINDOWS\system32\6523462ld.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-31 08:01 -------- d-------- C:\Program Files\messenger
2007-01-29 08:49 -------- d-------- C:\Program Files\java
2007-01-29 08:06 -------- d-------- C:\Program Files\iolo
2007-01-28 07:23 -------- d--h----- C:\Program Files\installshield installation information
2007-01-28 07:19 -------- d-------- C:\Program Files\Common Files\ulead systems
2007-01-28 01:50 -------- d-------- C:\Program Files\Common Files\adobe
2006-12-07 09:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-08 08:07 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"LtMoh"="C:\\Program Files\\ltmoh\\Ltmoh.exe"
"MagicKeyboard"="C:\\Program Files\\SAMSUNG\\MagicKBD\\PreMKBD.exe"
"EPSON Stylus C65 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I3S2.EXE /P23 \"EPSON Stylus C65 Series\" /O6 \"USB001\" /M \"Stylus C65\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"system"=""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0


Completion time: 07-02-01 5:47:01


HJT Log File:

Logfile of HijackThis v1.99.1
Scan saved at 5:52:27, on 01.02.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ссылки
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [EPSON Stylus C65 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE /P23 "EPSON Stylus C65 Series" /O6 "USB001" /M "Stylus C65"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - C:\WINDOWS\system32\imapi.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Корпорация Майкрософт - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Теневое копирование тома (VSS) - Корпорация Майкрософт - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - C:\WINDOWS\system32\wbem\wmiapsrv.exe
#8
miekiemoes
Malware Expert, MVP
Hello,

Yes, ComboFix doesn't always reboot, only when it finds files that have to be deleted after a reboot.

Your HijackThis log looks clean again.

Delete the next file:

C:\WINDOWS\system32\6523462ld.exe

Can you tell me what is present in the next folder, or whether you know what it is related to?

C:\WINDOWS\system32\ru-ru

According to ComboFix, the rootkit is gone as well, so also let me know if your system still bluescreens in normal mode.
It wouldn't hurt to run rustbfix.exe once again, though.

Also do the next steps:

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the icon next to the files found (image not preserved).
  • If so, click it, then click the icon right below it and select Move incurable, as shown in the next image (image not preserved).
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer, because files in use may be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
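The file singled out in this post, C:\WINDOWS\system32\6523462ld.exe, came from ComboFix's "Files Created" section in the previous reply, and the names ComboFix deleted on its own (dlh9jkd1q8.exe) have the same shape: a short stem with digits scattered through it, dropped straight into system32. The script below is an added example, not part of the thread or of ComboFix; it parses "Files Created" lines and flags executables created under C:\WINDOWS whose stem has either two or more digit runs or at least 30% digits, which keeps genuinely version-numbered names such as msvcp71.dll out. The sample lines are quoted from the ComboFix log above, except the dlh9jkd1q8.exe line, which is constructed (ComboFix listed that file without a timestamp); the thresholds and the C:\WINDOWS root are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumption: standard XP system root. Adjust if %SystemRoot% was relocated.
WINDOWS_ROOT = "c:\\windows\\"
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx"}

# Heuristic thresholds (assumed, not from the thread); tune to your environment.
MIN_DIGIT_RUNS = 2
MIN_DIGIT_FRACTION = 0.30

# Sample ComboFix "Files Created" lines. All are quoted from the log posted in
# this thread except the dlh9jkd1q8.exe entry, which is constructed.
SAMPLE_CREATED = r"""
2007-01-31 09:54 <DIR> d-------- C:\WINDOWS\system32\ru-ru
2007-01-31 09:48 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2007-01-29 08:06 9,341 --a------ C:\WINDOWS\system32\drivers\filedisk.sys
2007-01-29 08:06 41,472 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2007-01-29 07:30 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-01-28 11:21 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-01-27 00:05 18,938 --a------ C:\WINDOWS\system32\6523462ld.exe
2007-01-26 23:58 24,064 --a------ C:\WINDOWS\system32\dlh9jkd1q8.exe
"""

# date time size|<DIR> attrs path; ComboFix separates the fields with spaces.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[A-Za-z-]{9})\s+(?P<path>.+)$"
)


def looks_random(stem: str) -> bool:
    """True when digits are mixed into a file stem the way dropper names do.

    One trailing digit run (msvcp71, ie7) is normal; several runs, or a stem
    that is mostly digits, is not.
    """
    digits = sum(ch.isdigit() for ch in stem)
    runs = len(re.findall(r"\d+", stem))
    return runs >= MIN_DIGIT_RUNS or digits / len(stem) >= MIN_DIGIT_FRACTION


def parse_created(section: str):
    """Yield (path, is_dir, size_bytes) for each well-formed line."""
    for line in section.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        is_dir = m.group("size") == "<DIR>"
        size = 0 if is_dir else int(m.group("size").replace(",", ""))
        yield m.group("path"), is_dir, size


def flag_created(section: str):
    """Paths of new executables under the Windows directory with random-looking names."""
    flagged = []
    for path, is_dir, _size in parse_created(section):
        if is_dir or not path.casefold().startswith(WINDOWS_ROOT):
            continue
        p = PureWindowsPath(path)
        if p.suffix.casefold() in EXECUTABLE_EXTS and looks_random(p.stem):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in flag_created(SAMPLE_CREATED):
        print("review:", path)
```

The output is a review list, not a delete list: the point of the heuristic is to narrow a long "Files Created" section down to the handful of entries worth looking up, the same way the expert in this thread picked out 6523462ld.exe and asked about the ru-ru folder rather than acting on everything at once.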

#9
Andrey K
Member (Topic Starter)
Alright, this is a long one, but here's what I've done:

- "C:\WINDOWS\system32\6523462ld.exe" - Deleted
- "C:\WINDOWS\system32\ru-ru" - See attached screen shot of this folder.
- No, the system no longer 'bluescreens'. It's running much smoother now.
- The "Move incurable" steps you listed for the files found do not work, as the button you say to press is not available. So I will provide you with the following log. I'll just provide you with the needed info:

CureIt Log file:

=============================================================================
Dr.Web® Scanner for Windows v4.33.2 (4.33.2.10060)
Copyright © Igor Danilov, 1992-2006
As of: 2007-02-02, 02:57:28 [Orbita]
Command line: "C:\DOCUME~1\Orbita\LOCALS~1\Temp\RarSFX0\cureit.exe" /lng:ru-cureit.dwl /ini:cureit_XP.ini
Operating System:Windows XP Home Edition x86 (Build 2600), Service Pack 2
-----------------------------------------------------------------------------

[Scanned Path] C:\
C:\hiberfil.sys - read error
C:\Documents and Settings\LocalService\NTUSER.DAT - read error
C:\Documents and Settings\LocalService\NTUSER~1.LOG - read error
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - read error
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\USRCLA~1.LOG - read error
C:\Documents and Settings\NetworkService\NTUSER.DAT - read error
C:\Documents and Settings\NetworkService\NTUSER~1.LOG - read error
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - read error
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\USRCLA~1.LOG - read error
C:\Documents and Settings\Orbita\NTUSER.DAT - read error
C:\Documents and Settings\Orbita\NTUSER~1.LOG - read error
C:\Documents and Settings\Orbita\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - read error
C:\Documents and Settings\Orbita\Local Settings\Application Data\Microsoft\Windows\USRCLA~1.LOG - read error
C:\Documents and Settings\Orbita\Local Settings\Temp\BCG1.tmp - read error
C:\RECYCLER\S-1-5-21-1512057416-4013038344-2811116878-1005\Dc1.exe инфицирован Win32.HLLM.Bid - deleted
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP49\A0081672.dll - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP49\A0081673.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP49\A0081674.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP49\A0081675.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP49\snapshot\MFEX-21.DAT infected Trojan.Spambot - deleted
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081752.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081756.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081757.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081759.dll - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081760.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081761.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081762.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081763.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081764.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081765.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081766.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081767.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081768.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081769.sys - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081770.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081771.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081772.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081773.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081774.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081775.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081776.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP51\A0081777.exe - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP71\A0101243.dll - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP75\A0104529.dll - read error
C:\System Volume Information\_restore{B1784203-DD72-468B-9268-2CC31BE9B886}\RP75\A0104575.exe infected Win32.HLLM.Bid - deleted
C:\WINDOWS\system32\CatRoot2\edb.log - read error
C:\WINDOWS\system32\CatRoot2\tmp.edb - read error
C:\WINDOWS\system32\config\default - read error
C:\WINDOWS\system32\config\default.LOG - read error
C:\WINDOWS\system32\config\SAM - read error
C:\WINDOWS\system32\config\SAM.LOG - read error
C:\WINDOWS\system32\config\SECURITY - read error
C:\WINDOWS\system32\config\SECURITY.LOG - read error
C:\WINDOWS\system32\config\software - read error
C:\WINDOWS\system32\config\software.LOG - read error
C:\WINDOWS\system32\config\system - read error
C:\WINDOWS\system32\config\system.LOG - read error

[Scan path] E:\
-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Objects scanned: 59462
Infected objects found: 3
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 3
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 1229 Kb/s
Scan time: 00:40:29
-----------------------------------------------------------------------------

While CureIt was scanning the above files, AntiVir kept popping up with warnings about some 40 infected files, which I either told it to delete or quarantine. I noticed that the CureIt files with read errors are the same ones AntiVir warned me about and which I quarantined. Here is the log file after I did another scan, once CureIt was done and after I quarantined the ones that popped up...

Avira Antivir log file:

AntiVir PersonalEdition Classic
Report file date: 2 февраля 2007 г. 03:43

Scanning for 657587 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: Orbita
Computer name: YOUR-263F73F1BF

Version information:
BUILD.DAT : 217 12749 Bytes 05.12.2006 17:00:00
AVSCAN.EXE : 7.0.3.5 208936 Bytes 28.01.2007 08:22:54
AVSCAN.DLL : 7.0.3.1 35880 Bytes 05.12.2006 14:00:22
LUKE.DLL : 7.0.3.2 143400 Bytes 31.10.2006 14:07:46
LUKERES.DLL : 7.0.2.0 9256 Bytes 05.12.2006 14:00:22
ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 31.05.2006 13:30:06
ANTIVIR1.VDF : 6.37.0.153 3131392 Bytes 12.01.2007 08:22:55
ANTIVIR2.VDF : 6.37.0.235 374784 Bytes 29.01.2007 05:08:12
ANTIVIR3.VDF : 6.37.1.1 36352 Bytes 30.01.2007 05:08:12
AVEWIN32.DLL : 7.3.1.33 2281984 Bytes 31.01.2007 05:08:13
AVPREF.DLL : 7.0.2.0 23592 Bytes 03.11.2006 08:53:44
AVREP.DLL : 6.37.1.1 1105960 Bytes 31.01.2007 05:08:13
AVRPBASE.DLL : 7.0.0.0 2162728 Bytes 30.03.2006 06:43:31
AVPACK32.DLL : 7.2.0.5 368680 Bytes 23.10.2006 13:21:31
AVREG.DLL : 7.0.1.2 30760 Bytes 28.01.2007 08:22:53
NETNT.DLL : No Information!
RCIMAGE.DLL : 7.0.1.3 2097192 Bytes 08.11.2006 10:26:26
RCTEXT.DLL : 7.0.12.1 77864 Bytes 05.12.2006 14:00:21

Configuration settings for the scan:
Jobname..........................: Manual Selection
Configuration file...............: C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\PROFILES\folder.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 2 февраля 2007 г. 03:43

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Modules have been scanned
Scan process 'avscan.exe' - '1' Modules have been scanned
Scan process 'avcenter.exe' - '1' Modules have been scanned
Scan process 'cureit.exe' - '1' Modules have been scanned
Scan process '_start.exe' - '1' Modules have been scanned
Scan process 'drweb-cureit.exe' - '1' Modules have been scanned
Scan process 'MagicKBD.exe' - '1' Modules have been scanned
Scan process 'KAVPF.exe' - '1' Modules have been scanned
Scan process 'ctfmon.exe' - '1' Modules have been scanned
Scan process 'avgnt.exe' - '1' Modules have been scanned
Scan process 'SMax4PNP.exe' - '1' Modules have been scanned
Scan process 'PDVDServ.exe' - '1' Modules have been scanned
Scan process 'E_S4I3S2.EXE' - '1' Modules have been scanned
Scan process 'ltmoh.exe' - '1' Modules have been scanned
Scan process 'AGRSMMSG.exe' - '1' Modules have been scanned
Scan process 'atiptaxx.exe' - '1' Modules have been scanned
Scan process 'explorer.exe' - '1' Modules have been scanned
Scan process 'alg.exe' - '1' Modules have been scanned
Scan process 'svchost.exe' - '1' Modules have been scanned
Scan process 'SMAgent.exe' - '1' Modules have been scanned
Scan process 'IoloSGCtrl.exe' - '1' Modules have been scanned
Scan process 'avguard.exe' - '1' Modules have been scanned
Scan process 'sched.exe' - '1' Modules have been scanned
Scan process 'spoolsv.exe' - '1' Modules have been scanned
Scan process 'svchost.exe' - '1' Modules have been scanned
Scan process 'svchost.exe' - '1' Modules have been scanned
Scan process 'svchost.exe' - '1' Modules have been scanned
Scan process 'svchost.exe' - '1' Modules have been scanned
Scan process 'svchost.exe' - '1' Modules have been scanned
Scan process 'ati2evxx.exe' - '1' Modules have been scanned
Scan process 'lsass.exe' - '1' Modules have been scanned
Scan process 'services.exe' - '1' Modules have been scanned
Scan process 'winlogon.exe' - '1' Modules have been scanned
Scan process 'csrss.exe' - '1' Modules have been scanned
Scan process 'smss.exe' - '1' Modules have been scanned
35 processes with 35 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( 16 files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{54C4A701-CA65-40D4-A507-CDE348ABBCD5}\{34CAAE70-A13E-4526-8ABF-49E7827FA54F}.hpv
[0] Archive type: ZIP
--> {34CAAE70-A13E-4526-8ABF-49E7827FA54F}.hpv
[DETECTION] Is the Trojan horse TR/Small.DBY.R
[INFO] The file was moved to '45f68a13.qua'!
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{D0316EC0-8A1C-4573-95C6-CC28F56B1FDB}\{4AB14226-1C3D-4C5F-8C72-7290E318E59F}.tmp
[0] Archive type: ZIP
--> {4AB14226-1C3D-4C5F-8C72-7290E318E59F}.tmp
[DETECTION] Is the Trojan horse TR/Small.DBY.R
[INFO] The file was moved to '46038b2d.qua'!
C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{D0316EC0-8A1C-4573-95C6-CC28F56B1FDB}\{FF68C807-4DA4-4044-B6E1-B93320C57D49}.tmp
[0] Archive type: ZIP
--> {FF68C807-4DA4-4044-B6E1-B93320C57D49}.tmp
[DETECTION] Is the Trojan horse TR/Small.DBY.R
[INFO] The file was moved to '46088b42.qua'!


End of the scan: 2 февраля 2007 г. 04:08
Used time: 25:12 min

The scan has been done completely.

2908 Scanning directories
111939 Files were scanned
3 viruses and/or unwanted programs were found
0 files were deleted
0 files were repaired
3 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
111936 Files not concerned
8478 Archives were scanned
2 Warnings
1 Notes

=================================================================

I have the quarantine of all those other files but I can't get a log file of that quarantine section of AntiVir. It just shows a list within the program. If you know of a way of getting them to you if you need them, please let me know.

Sorry for loading you with information today! I hope everything up there made sense! But again, thanks for your time and efforts in assisting me with this girl's computer. I'll think about your little donations note in your signature :whistling:

-Andrey K.

Attached Thumbnails

  • ScreenShot_Sys32ruru.JPG

  • 0

#10 miekiemoes (Malware Expert, Member, MVP, 5,503 posts)
Hi,

Don't worry about the files with a read error... DrWeb and Avira just "show" them as a warning because they can't access them, as they are in use. But those ones are OK.

DrWeb CureIt removed what it found:

3 viruses and/or unwanted programs were found
3 files were moved to quarantine

The ru-ru folder looks like a part of the upgrade to IE7, where it contains the Russian components.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.0.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Can you post a new HijackThis log as a final check please.
  • 0
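As an added example (not code from this thread, from Dr.Web or from Avira), here is a small Python triage script for a CureIt log of the kind posted above: it separates the real detections from the "read error" lines that, as the reply explains, come from files locked in use, and flags read errors on anything that is not normally locked so they can be looked at. The sample log lines are constructed and shortened (placeholder GUID in the restore-point path), and the list of normally-locked system files is my own assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the Dr.Web CureIt log posted in this thread;
# paths are shortened and the restore-point GUID is a placeholder.
SAMPLE_LOG = """\
[Scanned Path] C:\\
C:\\hiberfil.sys - read error
C:\\Documents and Settings\\Orbita\\NTUSER.DAT - read error
C:\\Documents and Settings\\Orbita\\Local Settings\\Temp\\BCG1.tmp - read error
C:\\RECYCLER\\S-1-5-21-0-0-0-1005\\Dc1.exe инфицирован Win32.HLLM.Bid - deleted
C:\\System Volume Information\\_restore{GUID}\\RP49\\A0081672.dll - read error
C:\\System Volume Information\\_restore{GUID}\\RP49\\snapshot\\MFEX-21.DAT infected Trojan.Spambot - deleted
C:\\WINDOWS\\system32\\config\\SAM - read error
[Scan path] E:\\
"""


@dataclass
class Finding:
    """One log line that names a file, after classification."""
    path: str
    kind: str          # "detection", "in_use" or "unexplained"
    threat: str = ""   # malware name (detections only)
    action: str = ""   # what CureIt did: deleted / moved / cured ...


# CureIt writes "infected" in the language of the scan; the posted log shows
# both the English and the Russian form, so accept either.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?:infected|инфицирован) (?P<threat>\S+) - (?P<action>\w+)$"
)
READ_ERROR_RE = re.compile(r"^(?P<path>.+) - read error$")

# Files Windows XP keeps open or protected while running, so an on-demand
# scanner cannot open them and logs a read error that is expected rather than
# a sign of infection: hibernation/paging files, registry hives and their
# transaction logs, the catalog database and System Restore snapshots.
# This list is an assumption for the example, not something Dr.Web publishes.
EXPECTED_LOCKED_RE = re.compile("|".join([
    r"\\hiberfil\.sys$", r"\\pagefile\.sys$",
    r"\\NTUSER(?:\.DAT|~1\.LOG)$", r"\\USRCLA(?:SS\.DAT|~1\.LOG)$",
    r"\\system32\\config\\", r"\\CatRoot2\\",
    r"\\System Volume Information\\",
]), re.IGNORECASE)


def classify_line(line: str) -> Optional[Finding]:
    """Classify one CureIt log line; None for headers and separators."""
    m = DETECTION_RE.match(line)
    if m:
        return Finding(m["path"], "detection", m["threat"], m["action"])
    m = READ_ERROR_RE.match(line)
    if m:
        kind = "in_use" if EXPECTED_LOCKED_RE.search(m["path"]) else "unexplained"
        return Finding(m["path"], kind)
    return None


def triage(log_text: str) -> Dict[str, List[Finding]]:
    """Split a log into real detections, expected read errors on locked system
    files, and read errors on anything else (worth a second look)."""
    buckets: Dict[str, List[Finding]] = {"detection": [], "in_use": [], "unexplained": []}
    for raw in log_text.splitlines():
        finding = classify_line(raw.strip())
        if finding is not None:
            buckets[finding.kind].append(finding)
    return buckets


def in_restore_point(finding: Finding) -> bool:
    """Detections under System Volume Information are System Restore copies of
    a file; they come back if that restore point is ever applied."""
    return "\\System Volume Information\\" in finding.path


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["detection"]:
        note = " (restore-point copy)" if in_restore_point(f) else ""
        print(f"DETECTED {f.threat}: {f.path} -> {f.action}{note}")
    print(f"{len(result['in_use'])} read errors on normally locked files (expected)")
    for f in result["unexplained"]:
        print(f"REVIEW read error on a file that is not normally locked: {f.path}")
```

Run against the posted log, the restore-point detections are the reason the reply above asks for System Restore to be considered separately from live files.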


#11 Andrey K (Member, Topic Starter, 16 posts)
Hi,
For some reason, when in normal mode the computer cannot connect to the internet, neither via the ethernet nor the wireless adapter. It works in Safe Mode with Networking but not in normal mode... any ideas? Could it be because of the bold files missing below? :whistling:

Here's the new HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:37:24, on 03.02.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAMSUNG\MagicKBD\MagicKBD.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ru.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ссылки
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [MagicKeyboard] C:\Program Files\SAMSUNG\MagicKBD\PreMKBD.exe
O4 - HKLM\..\Run: [EPSON Stylus C65 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3S2.EXE /P23 "EPSON Stylus C65 Series" /O6 "USB001" /M "Stylus C65"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - C:\WINDOWS\system32\imapi.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Корпорация Майкрософт - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Samsung Update Plus - Unknown owner - C:\Program Files\Samsung\Samsung Update Plus\SLUBackgroundService.exe
O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Теневое копирование тома (VSS) - Корпорация Майкрософт - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - C:\WINDOWS\system32\wbem\wmiapsrv.exe

Also,
I have a couple antivirus programs installed on the laptop currently. Kaspersky and AntiVir. Which one do you recommend removing? And can I uninstall all programs which you previously told me to install?

Thank you,
Andrey K.
  • 0

#12 miekiemoes (Malware Expert, Member, MVP, 5,503 posts)
Hi Andrey,

No, the bold ones have nothing to do with the loss of your Internet Connection in normal mode.

This is your problem:

I have a couple antivirus programs installed on the laptop currently. Kaspersky and AntiVir.


Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also, because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

And that also explains why you do have connection in Safe mode, since no Antivirus and Firewall is running in Windows Safe mode.
Also, check your settings in your Kaspersky Antihacker, because it could be possible that you set something to block there while it should be enabled.

So what to choose? Kaspersky is great but I don't know if you purchased it (Antivirus and AntiHacker). When a trial, it will expire and won't protect this system anymore.

Avira is also a great Antivirus.. and FREE, which is an advantage.

So in case you didn't purchase Kaspersky, I recommend you uninstall it (both AV and Firewall) and install a Free firewall instead. (Look in my signature under Firewalls)
  • 0

#13 Andrey K (Member, Topic Starter, 16 posts)
I did not purchase Kaspersky. It came free with Iolo System Mechanic 6.0, which I purchased. It's not a trial version or anything. Basically it's the same thing as I would have if I purchased it. Do you recommend keeping Kaspersky on since this is the case?

Also, what should I do with all the programs you told me to install earlier? Should I keep any of them?
  • 0

#14 miekiemoes (Malware Expert, Member, MVP, 5,503 posts)
Hi,

So Kaspersky Antivirus and Kaspersky AntiHacker are a fully licensed version and still able to update?
In that case, keep it and uninstall Avira.

If you still don't have Internet Connection in Windows normal mode, then look in the Kaspersky Antihacker options if anything is blocked in there, or maybe uninstall and reinstall it again (since something maybe got corrupted in there as well).

The other programs I asked you to download and use, well, you can delete them again since you won't need them anymore :whistling:
  • 0

#15 Andrey K (Member, Topic Starter, 16 posts)
Yes it's licensed. I had to type in a key with it and it's updatable. Alright, in that case I guess that's it? Anything else I should do before I take the computer back? Should I remove System Mechanic?

Edited by Andrey K, 03 February 2007 - 01:18 PM.

  • 0