unwanted shutdown!

[bughunta]

I have a shutdown problem with my PC.

A bit like the sasser worm thing a few years ago, my PC suddenly shuts down by itself, gives me 60 secs to do something about it.

Pops up with a grey box which says something like, ‘…Shutdown was instigated by NT Authority\System. The system processes system32\services exe’ terminated unexpectedly with status code 128’

I click Start->Run, then type shutdown –a to try to stop it but that doesn’t work.

I’m doing that from memory, is that what you type to stop it from shutting down?

I need to do that 1st so I have time to follow instructions in the sticky thread at the start of the security centre on this forum.

I have managed to update and run Ad-aware ok, but have failed with a virus scan as it takes too long and PC shuts down.

I have AVG updated and have run it. It found and healed some Trojans but how successfully I do not know.

Luckily I have an internet connection, but only for 2-10 mins

Initially I decided just to do a clean install (its overdue), but to my horror when I insert my W2K CD in the CD drive it will not run. When I go to My Computer and double click on the CD drive it says 'Please insert disk' but does not do anything when I do.

Have not recently had the side off the PC so doubt cables are loose. Doesn’t play Audio Cd’s or anything

Please help, many thanks in advance

bug

[bughunta]

Sorry, meant to add this log from HijackThis;


Logfile of HijackThis v1.99.1
Scan saved at 23:24:42, on 20/08/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\A.tmp
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://search.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://search.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\A.tmp
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1122417509964
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/t...ivePreQual.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/23...CX/FlashAX.cab
O19 - User stylesheet: (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe


Hope that helps

Thankyou

Bug

[MicroBell]

Hi and Welcome to TSF

You have the Zotob worm. Please follow the instructions here....
http://www.microsoft.com/security/incident/zotob.mspx

Once complete and Windows2000 has been updated to SP4...follow the instructions below and post a new hijackthis log.


Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

• Ad-Aware® SE Personal Edition
• Spybot Search & Destroy
• CWShredder

Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT)

[bughunta]

Ok, thank you good people for help so far.

I followed instructions, very difficult to update W2K to SP4 due to intermittent shutting down of the PC, but did it eventually about 20mins ago.

Ran all the programs mentioned.

The Microsoft/zotob tool says nothing is present on my system.

CWShredder the same.

Ad-aware and Spybot found a small number of things; Ad-aware removed what it found, Spybot said it couldn't remove the 2 things it found (DSO entries, and LSA, 1 of each)

My CD player is still not recognised, although Device manager says all is well with it, drivers are fine, have uninstalled and re-installed them.

Here is the latest HijackThis log;

Logfile of HijackThis v1.99.1
Scan saved at 22:22:47, on 21/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://search.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://search.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\B.tmp
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1122417509964
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/t...ivePreQual.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/23...CX/FlashAX.cab
O19 - User stylesheet: (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe

Hope this helps, I really appreciate your help, thank you

bug

[MicroBell]

Next pass....

Open My Computer-->Tools-->Folder Options-->View-->Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files and click YES and then OK..

Download and install CleanUp! but do not run it yet.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download, install, and update Ewido Security Suite

• Install ewido security suite
• Launch ewido, there should be a big E icon on your desktop, double-click it.
• The program will prompt you to update click the OK button
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Click on Start

The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Go to Start->Run and type Services.msc then hit Ok

Scroll down and find the service called: Microsoft SSL (ssl)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

O4 - HKLM\..\Run: [Services] C:\WINNT\system32\B.tmp
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/2...OCX/FlashAX.cab
O19 - User stylesheet: (file missing)
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe

C:\WINNT\system32\ssl.exe<--delete that file

C:\WINNT\system32\B.tmp <--delete that file

Run Ewido:

• Click [Scanner]
• Click [Complete System Scan] to begin scanning.
• Click [OK] when prompted to clean files
• With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
• Once finished, click the [Save report] button
• Save the report to your desktop

Close Ewido

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
  [X]Scan local drives for temporary files (Please uncheck this option)
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted

Once back to normal windows....

Please run an online scan at http://www.pandasoftware.com/actives..._principal.htm
Once it has finished save the activescan log. Then post that log in your next post along with a new hijackthis log and the log for the Ewido scan.

[bughunta]

Phew...starting to feel like Homer Simpson ('Hit any key', oh no, where's the Any key!?)

Here's the reports in the order you asked for them;

Activescan.


Incident Status Location

Spyware:spyware/betterinet No disinfected C:\WINNT\INF\biini.inf
Adware:adware/stoolbar No disinfected Windows Registry




New HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 21:51:32, on 22/08/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://search.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://search.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1122417509964
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/t...ivePreQual.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe


Log for the Ewido scan.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 20:04:17, 22/08/2005
+ Report-Checksum: B7348DC4

+ Scan result:

HKLM\SOFTWARE\VB and VBA Program Settings\MyGeek -> Spyware.SearchCentrix : Cleaned with backup
HKU\S-1-5-21-484763869-813497703-1708537768-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{C431BF1E-9E71-4BB6-9C4E-8496D158DB1F} -> Spyware.SearchCentrix : Cleaned with backup
C:\WINNT\system32\.exe -> Backdoor.IRCBot.ex : Cleaned with backup
C:\WINNT\system32\1.tmp -> TrojanProxy.Small : Cleaned with backup
C:\WINNT\system32\13.tmp -> TrojanProxy.Small : Cleaned with backup
C:\WINNT\system32\ssl.exe -> Backdoor.IRCBot.ex : Cleaned with backup
C:\WINNT\system32\updater.pif -> Backdoor.SdBot.adr : Cleaned with backup
C:\Documents and Settings\pete\Local Settings\Temp\betsavys.exe -> Backdoor.SdBot.adr : Cleaned with backup
C:\Documents and Settings\pete\Local Settings\Temp\Cookies\pete@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\pete\Cookies\pete@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\pete\Cookies\pete@www.popuptraffic[2].txt -> Spyware.Cookie.Popuptraffic : Cleaned with backup
C:\Documents and Settings\pete\Cookies\pete@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\pete\Cookies\pete@vip2.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\pete\Cookies\pete@adopt.euroclick[2].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\pete\Cookies\pete@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\pete\Cookies\pete@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\pete\Cookies\pete@cz9.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\pete\Cookies\pete@cz11.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\pete\Cookies\pete@cz5.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\pete\Cookies\pete@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\chantelle\Cookies\chantelle@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\chantelle\Cookies\chantelle@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\chantelle\Cookies\chantelle@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\chantelle\Cookies\chantelle@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup


::Report End


Hope this is all good news, keeping them crossed!

bug

[MicroBell]

C:\WINNT\INF\biini.inf <--delete that file.

Then give me one more Ewido scan log...so I can confirmed it removed those files.

[bughunta]

Removed that file and here is the result of the scan;

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 19:20:54, 23/08/2005
+ Report-Checksum: B9B601DE

+ Scan result:

No infected objects found.


::Report End



The computer is no longer shutting down so I thank you for that. A paypal donation will follow shortly!

My CD is still not working although the drawer operates normally. Once the disc is in a green light comes on but then goes off and thats it. It doesn't read anything, including audio.

AVG pops up now and again to say it has found something infected. I just click heal and it does.

Do you think the AVG thing and the CD problem are connected?

New CD player is about £10 so might just replace it to eliminate that from the puzzle, although it does seem a bit of a coincidence.

Thank you

bug

[greyknight17]

What is the file that AVG finds and what's the infection (if it tells you)?

[bughunta]

The last 2 entries in the Virus Vault are;

Trojanhorse IRC/Backdoor.SdBot.HLV

They were found on 22/8/05. However, there were a couple of others yesterday (23/8) that I clicked 'heal' with, so I guess they wouldn't be in the Virus Vault.

If they occur again I will take a note of what they are before healing and let you know

Thank you


bug

[MicroBell]

Well done. Your logs are clean. As your security settings are low I'm going to post my clean speech. Please download and install the programs in the recommend section and get a firewall up. I will leave the thread open..so we can address that trojan if it shows again.

We still have a few more items to address so please follow the instructions below.


Reset hidden/system files and folders

Windows XP
===============

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Windows 2000
===============

• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Select the Advanced settings box option.
• Select the Hidden files Folders.
• Deselect the Show all files option.
• Click Yes to confirm.
• Click OK.

Windows ME
===============

• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Windows 95/98/98SE
===============

• Open My Computer.
• Select the View
• Select the Folder Options option.
• Select the View tab. option.
• Select the Advance Advanced settings box option.
• Select the Hidden files folder.
• Deselect the Show all files option
• Click Apply to confirm.
• Click OK.

Create a new System Restore point

Windows XP
===============

• Click Start >> Run - type SYSDM.CPL & press Enter
• Select the System Restore Tab
• Tick on the checkbox - "Turn off System Restore on all drives"
• Click Apply
• Then untick the same checkbox & click OK
• This deletes ALL restore points that had the infection and creates a clean one

Windows ME
===============

• Click the Start tab.
• Select the Settings option.
• Select the Control Panel option.
• Double Click the System icon Performance tab option.
• Select File System
• Select the Troubleshooting tab
• Check the Disable System Restore box
• Click Apply to confirm.
• Click OK.

Reboot the PC and repeat the above procedure again
When you get to this option

• Uncheck the Disable System Restore box

For Windows ME..we MUST create a new restore point now as Windows ME will not create one automatically until the computer has been on for 10 hours or 24 hours has passed. To create a new restore point follow the procedure below.

• Click the Start button.
• Point to Programs, point to Accessories, point to System Tools, and then click System Restore.
• Choose Create a restore point, and then click Next.
• In the Restore point description box, type a name for your restore point, and then click Next.
  Click OK

Enable Windows Auto Update

• Go to Start>Run - type wuaucpl.cpl
• Tick on the checkbox - "Keep my computer up to date"
• Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Please visit Microsoft's Window's Update Page and install the latest service packs, patch’s and security updates for your system.


Recommended Protection Programs

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
• SpywareGuard to catch and block spyware before it can execute.
• IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
• WinPatrol to monitor any changes that programs make to the registry.

If you do not have a firewall, here are 4 free ones available for personal use:

• ZoneAlarm
• Sygate Personal Firewall
• Kerio Personal Firewall
• OutPost Firewall

In today’s world you MUST have an Antivirus program. If you do not have one, here are 3 FREE ones available for personal use:

• Grisoft AVG Anti-Virus System
• Alwil Avast 4 Home Edition
• Softwin BitDefender Free Edition Version 7

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL
• MAKING INTERNET EXPLORER SAFER

Please stay safe out there and take the helpful advice that’s been given. The goal here is to prevent the adware/spyware/virus/worms from getting on the system in the first place.

[bughunta]

I really appreciate this guys, thank you very much.

I have not at this stage been able to do as you suggested (Firewalls etc) but I will do if it will help prevent this chaos happening again.

AVG (free edition) continues to pop up telling me a Virus has been detected. I just restarted the PC, updated AVG, and ran a full test about an hour ago. It found 3 viruses and it says it deleted them. The test result;

1) C:\WINNT\system32\.exe Trojanhorse IRC/BackDoor.SdBot.HLV

2) C:\WINNT\system32\A.tmp Trojanhorse Proxy.YH

3) C:\WINNT\system32\B.tmp Trojanhorse Proxy.YH

Despite this, AVG has again (in the last 5mins) told me that it has detected Trojanhorse backdoor.SdBot.HLV

I told it to 'heal' and it says it has. Although obviously it has not/ cannot.

bug

[MicroBell]

Well that's not good news Bug. Let's dig deeper to see what the heck is going on....

Perform an online scan with Internet Explorer with

Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
    Scan Mail Bases
• Click OK
• Now under select a target to scan:
  • Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post.

Take note the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan




Download WinPFInd http://www.bleepingcomputer.com/file...r/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.

Download Track qoo http://www.geekstogo.com/downloads/Trackqoo.zip
Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.!


Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.! Once the Scan is Complete it will make a txt file (log) of what was found.

1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Please post those results in your next post!

REBOOT to normal mode.

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

So I need the following tool logs..

WinPFind.txt log
Track qoo.vbs log
Kaspersky log

[bughunta]

At last, after a long night' here are the logs you requested;

WinPFind

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...
UPX! 07/11/2003 23:22:18 3489441 C:\Program Files\WinNingPo_setup.exe
FSG! 29/11/2004 17:27:02 10156943 C:\Program Files\avg70free_289a392.exe

Checking %WinDir% folder...
PECompact2 18/08/2005 14:24:00 15636721 C:\WINNT\LPT$VPN.791
qoologic 18/08/2005 14:24:00 15636721 C:\WINNT\LPT$VPN.791
SAHAgent 18/08/2005 14:24:00 15636721 C:\WINNT\LPT$VPN.791
UPX! 18/02/2005 18:40:14 1044560 C:\WINNT\vsapi32.dll
aspack 18/02/2005 18:40:14 1044560 C:\WINNT\vsapi32.dll
UPX! 10/01/2005 16:17:24 170053 C:\WINNT\tsc.exe
UPX! 03/05/2005 11:44:44 25157 C:\WINNT\RMAgentOutput.dll
PECompact2 18/08/2005 14:24:00 15636721 C:\WINNT\VPTNFILE.791
qoologic 18/08/2005 14:24:00 15636721 C:\WINNT\VPTNFILE.791
SAHAgent 18/08/2005 14:24:00 15636721 C:\WINNT\VPTNFILE.791

Checking %System% folder...
UPX! 30/10/2003 23:46:52 H 50588 C:\WINNT\SYSTEM32\o78kdov0.tmp
UPX! 11/08/2003 18:30:42 R 1024 C:\WINNT\SYSTEM32\TFTP1212
winsync 26/07/2000 12:00:00 1309184 C:\WINNT\SYSTEM32\wbdbase.deu
Umonitor 19/06/2003 20:05:04 529168 C:\WINNT\SYSTEM32\RASDLG.DLL

Checking %System%\Drivers folder and sub-folders...
UPX! 24/08/2005 20:31:34 726016 C:\WINNT\SYSTEM32\drivers\avg7core.sys
FSG! 24/08/2005 20:31:34 726016 C:\WINNT\SYSTEM32\drivers\avg7core.sys
PEC2 24/08/2005 20:31:34 726016 C:\WINNT\SYSTEM32\drivers\avg7core.sys
aspack 24/08/2005 20:31:34 726016 C:\WINNT\SYSTEM32\drivers\avg7core.sys

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
27/08/2005 00:26:38 H 917762 C:\WINNT\ShellIconCache
26/08/2005 22:42:50 HS 8275 C:\WINNT\system32\.exe
27/08/2005 00:33:58 H 1024 C:\WINNT\system32\config\software.LOG
27/08/2005 00:27:10 H 1024 C:\WINNT\system32\config\default.LOG
27/08/2005 00:28:30 H 1024 C:\WINNT\system32\config\SECURITY.LOG
27/08/2005 00:30:32 H 1024 C:\WINNT\system32\config\SAM.LOG
29/07/2005 16:27:32 H 0 C:\WINNT\inf\oem3.inf
31/07/2005 23:11:42 H 10820 C:\WINNT\Help\update.GID
27/08/2005 00:26:50 H 6 C:\WINNT\Tasks\SA.DAT
21/08/2005 21:13:54 S 64 C:\WINNT\CSC\csc1.tmp
27/08/2005 00:26:48 S 64 C:\WINNT\CSC\00000001
22/08/2005 07:53:16 S 64 C:\WINNT\CSC\00000002

Checking for CPL files...
Microsoft Corporation 26/07/2000 12:00:00 31504 C:\WINNT\SYSTEM32\fax.cpl
Microsoft Corporation 26/07/2000 12:00:00 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 26/07/2000 12:00:00 118032 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 26/07/2000 12:00:00 36112 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 26/07/2000 12:00:00 122128 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 26/07/2000 12:00:00 303888 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 26/07/2000 12:00:00 17168 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 26/07/2000 12:00:00 41232 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 19/06/2003 20:05:04 237328 C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation 19/06/2003 20:05:04 125712 C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation 26/07/2000 12:00:00 5904 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 26/07/2000 12:00:00 61200 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 19/06/2003 20:05:04 301328 C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation 29/08/2002 07:14:40 292352 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 19/06/2003 20:05:04 41232 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 19/06/2003 20:05:04 90896 C:\WINNT\SYSTEM32\powercfg.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 26/07/2000 12:00:00 67344 C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation 30/10/2001 08:10:00 326144 C:\WINNT\SYSTEM32\joy.cpl
Microsoft Corporation 19/06/2003 20:05:04 83216 C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation 29/08/2002 07:14:40 292352 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 26/07/2000 12:00:00 41232 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 26/05/2005 04:16:30 174360 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl
IBM Corporation 23/09/1999 18:44:36 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
27/03/2005 21:48:02 1478 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
07/08/2003 19:34:58 0 C:\Documents and Settings\pete\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{e0d79300-84be-11ce-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{e0d79300-84be-11ce-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{e0d79300-84be-11ce-9641-444553540000} = C:\PROGRA~1\WinZip\wzshlext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINNT\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\system32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\system32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
{4E7BD74F-2B8D-469E-D7E4-F660B597BF2A} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
EPSON Stylus C82 Series C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
Windows Security Service windows.pif
Microsoft System Checkup libsys32.exe
NT Logging Service syslog32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
Windows Security Service windows.pif
Microsoft System Checkup libsys32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
internat.exe internat.exe
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
CDRAutoRun 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\System32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 27/08/2005 00:52:58




Track qoo log

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"EPSON Stylus C82 Series"="C:\\WINNT\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P23 \"EPSON Stylus C82 Series\" /O6 \"USB001\" /M \"Stylus C82\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"Windows Security Service"="windows.pif"
"Microsoft System Checkup"="libsys32.exe"
"NT Logging Service"="syslog32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7}
0

Subkey --- AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
C:\Program Files\Grisoft\AVG Free\avgse.dll

Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINNT\system32\shell32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINNT\system32\shell32.dll

Subkey --- WinZip
{e0d79300-84be-11ce-9641-444553540000}
C:\PROGRA~1\WinZip\wzshlext.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINNT\system32\shell32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINNT\system32\shell32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINNT\system32\shell32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINNT\System32\docprop2.dll

Subkey --- {7f9609be-af9a-11d1-83e0-00c04fb6e984}
C:\WINNT\system32\faxshell.dll

Subkey --- {884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
C:\WINNT\System32\docprop2.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Microsoft Office.lnk
==============================
C:\Documents and Settings\pete\Start Menu\Programs\Startup

Microsoft Office.lnk
==============================
C:\WINNT\system32 cpl files


fax.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nwc.cpl Microsoft Corporation
DESK.CPL Microsoft Corporation
SYSDM.CPL Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
access.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
sticpl.cpl Microsoft Corporation



Kaspersky log

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, August 27, 2005 00:14:32
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 26/08/2005
Kaspersky Anti-Virus database records: 137184
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 43226
Number of viruses found: 3
Number of infected objects: 3
Number of suspicious objects: 2
Duration of the scan process: 6996 sec

Infected Object Name - Virus Name
C:\WINNT\system32\windows.pif Infected: Backdoor.Win32.IRCBot.fq
C:\WINNT\submit.exe/submithook.dll Infected: Trojan-Downloader.Win32.Agent.az
C:\WINNT\submit.exe Infected: Trojan-Downloader.Win32.Agent.az
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SearchCentrix7.zip/somaticCAB.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SearchCentrix7.zip Suspicious: Password-protected-EXE

Scan process completed.


So there you have it. Hope it helps.

Thanks

bug

[MicroBell]

Ok.....

First open Spybot. Open the recovery center. IN the bottom window..click all the entrys...and at the top click the "Purge" button. We want to clean out it's recovery folder.

Download KillBox http://www.bleepingcomputer.com/file...re/KillBox.zip

Download Hoster http://www.greyknight17.com/spy/Hoster.exe

Run the Cleanup utility and reboot/logoff when prompted.

Reboot into safe mode.

Click START…RUN…Type in regedit. Make sure just “My Computer” is showing in the left pane and click..FILE….EXPORT…and save a copy some were in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Security Service windows.pif
Microsoft System Checkup libsys32.exe
NT Logging Service syslog32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
Windows Security Service windows.pif
Microsoft System Checkup libsys32.exe

Now run the Hoster program and select "Restore Orginal Hosts File"

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\Program Files\WinNingPo_setup.exe
C:\WINNT\SYSTEM32\o78kdov0.tmp
C:\WINNT\system32\.exe
C:\Documents and Settings\pete\Application Data\dm.ini
C:\WINNT\system32\windows.pif
C:\WINNT\submit.exe
C:\WINNT\submithook.dll
C:\???libsys32.exe
C:\???syslog32.exe <--these two ??? you need to locate the files path and put it into killbox. Likely path will be either the C:\WINNT folder or C:\WINNT\system or system32 folders. Check them all!

Once you reboot..post another set of those logs.

I also need you to have a look here...C:\WINNT\SYSTEM32\TFTP1212

Is that entry in bold a file or folder?

[bughunta]

Managed the first three steps in your last post. But after that you say 'Run the Cleanup utility'. Where is that? I only know of the disk clean up thingy in System Tools.

bug

[MicroBell]

Quote:

Originally Posted by bughunta

Managed the first three steps in your last post. But after that you say 'Run the Cleanup utility'. Where is that? I only know of the disk clean up thingy in System Tools.

bug

Please tell me your following directions!!

On my second (2nd) post in this thread..I had you download and install a utility called Cleanup. I then had you run it in safe mode before you rebooted back to normal mode. Did you do it?

[bughunta]

Yup, I did download it and now I've found it, thanks!

bug

[bughunta]

Got up to the bit where it says 'Run KILL Box'.

Umm, don't seem to see that on Hoster. In fact I can only see the Re... of Restore. It's like the page has more over to the right hand side of it, that I cannot see?

Tried meddling with my display settings, to no avail.

bug

[MicroBell]

Run the fix from normal mode then. That should display the tools in normal view. Understand Hoster and KILLBOX are 2 different tools.