About a week ago I went onto the blog site, http://xxxemofreakxxx.blogspot.com The site crashed and I restarted the computer to find out that I could not connect to the network. I downloaded AVG and downloaded definitions for AVG, Spybot, and Ad-Aware. Did full system scans and found some labeled trojans and some worms. Instead of getting better, my firewall started to turn off. After I could not get it back on, it disconnected me from my network at school, including wireless. The internal NIC card is off. I then got XoftSpySE v4.31 and deep scanned, finding more viruses and trojans. I deleted them all but the Trojan Iteka would come back, saying it changed the registry value, and spawning Trojan BHO NTLDRs. I have tried disabling system restore, booting up with safe mode and deep scanning, but the Trojan Iteka will not be removed.
It is located in C:\WINDOWS\system32\ntos.exe
I am in college and finals week is a week away. I cannot do most of my homework and am having serious issues without my laptop, because much of our work is online. I want to hear back from you guys before taking it to the school's IT because I do not want to have to completely wipe it clean yet.
Thank you,
Ben
Logfile of HijackThis v1.99.1
Scan saved at 12:47:41 AM, on 4/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng1.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Documents and Settings\Ben\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wooster.edu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.wooster.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wooster.edu
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl]
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\syst1f8.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
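The log above shows several persistence hooks worth learning to spot: the F2 UserInit value chaining ntos.exe after the real userinit.exe, an HKCU Run value named "userinit" pointing at that same file, a Winsock LSP DLL HijackThis cannot identify, a populated AppInit_DLLs value, and a Winlogon Notify entry whose DLL is missing. As an added example (not from the original post, and not HijackThis code), here is a small triage script that applies those checks to HijackThis log lines; the sample lines are copied from the log above and the rules are my own.

```python
import re

# Only this program belongs in the UserInit value on a stock Windows XP box.
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"

def triage_line(line: str) -> list:
    """Return findings for one HijackThis log line (empty list if it looks benign)."""
    findings = []
    l = line.strip()
    # F2: every extra entry after userinit.exe runs at each interactive logon.
    m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)$", l)
    if m:
        for e in (x.strip().lower() for x in m.group(1).split(",") if x.strip()):
            if e != LEGIT_USERINIT:
                findings.append(f"UserInit chains extra program: {e}")
    # O4: a Run value named 'userinit' that does not point at the real userinit.exe.
    m = re.match(r"O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)$", l)
    if m:
        hive, name, cmd = m.groups()
        if name.lower() == "userinit" and LEGIT_USERINIT not in cmd.lower():
            findings.append(f"{hive} Run value '{name}' impersonates userinit: {cmd}")
    # O10: an LSP DLL the tool could not attribute to a known vendor.
    m = re.match(r"O10 - Unknown file in Winsock LSP: (.*)$", l)
    if m:
        findings.append(f"Unknown Winsock LSP DLL: {m.group(1)}")
    # O20: AppInit_DLLs is loaded into every process that links user32.dll.
    m = re.match(r"O20 - AppInit_DLLs: (.+)$", l)
    if m:
        findings.append(f"AppInit_DLLs set: {m.group(1)}")
    # O20: Winlogon Notify package whose DLL is gone (leftover or hidden file).
    m = re.match(r"O20 - Winlogon Notify: (\w+) - .*\(file missing\)$", l)
    if m:
        findings.append(f"Winlogon Notify '{m.group(1)}' has a missing DLL")
    return findings

def triage_log(text: str) -> dict:
    """Map each suspicious line to its findings; repeated LSP lines collapse to one key."""
    report = {}
    for line in text.splitlines():
        f = triage_line(line)
        if f:
            report[line.strip()] = f
    return report

# Constructed sample: lines taken from the HijackThis log in this thread.
SAMPLE = r"""F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\eqtldvyddwkqr.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\syst1f8.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)"""
```

Running `triage_log(SAMPLE)` flags five distinct entries (the two identical O10 lines count once) and leaves the ehTray line alone; the ntos.exe file appears in two separate autostart locations, which is why deleting the file alone kept failing.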