Hijack This log Attached

afrocentricity · 02-23-2006, 09:42 PM

Here is my HT Log. There is clearly something wrong with my system even though all the scans have come up relatively clean.
There are 1000+ files in my windows\temp folder called winXXX.tmp and a few of them have flagged mcafee as a 'new malware j'. Mcafee wont let me clean them though also some of these have turned themselves into exe's (winXXX.tmp.exe) and can be found in my running proceses, I am constantly closing them.
Can you help me?

Quote:

Logfile of HijackThis v1.99.1
Scan saved at 04:35:21, on 24/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Sitecom USB ADSL modem DC-204\CnxDslTb.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\PeerGuardian2\PeerGuardian2\pg2.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\DLMage\DnloadMage.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Sony Ericsson\Mobile\SyncIndicator.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\TEMP\win228.tmp.exe
C:\WINDOWS\TEMP\win20C.tmp.exe
C:\WINDOWS\TEMP\win228.tmp.exe
C:\WINDOWS\TEMP\win20C.tmp.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Sitecom USB ADSL modem DC-204\CnxDslTb.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic 6\delay.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKCU\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: DLMage.lnk = C:\Program Files\DLMage\DnloadMage.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: PeerGuardian.lnk = C:\Program Files\PeerGuardian2\PeerGuardian2\pg2.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1134678664015
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFB78826-3919-464A-A141-51517B86664A}: NameServer = 194.106.56.6 194.106.33.42
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: winosz32 - C:\WINDOWS\SYSTEM32\winosz32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

sUBs · 02-23-2006, 10:33 PM

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *

Download & install CleanUp.exe (not recommended for WinXP64)

Download KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

Download and install Ewido Security Suite

When installing, under "Additional Options",
- uncheck - Install background guard
Have Ewido update itself & then exit the program.

If you are having problems with the updater, you can use this link to manually update Ewido

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *

Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O20 - Winlogon Notify: winosz32 - C:\WINDOWS\SYSTEM32\winosz32.dll

* * * * * * KILLBOX * * * * * * * * * * * * * * * * * * * * * * *

Launch KillBox.exe & select the following options:

replace on Reboot

use dummy

Use your mouse to select all the filenames highlighted in blue & then right-click & select Copy

C:\WINDOWS\SYSTEM32\winosz32.dll
C:\WINDOWS\TEMP\win228.tmp.exe
C:\WINDOWS\TEMP\win20C.tmp.exe
C:\WINDOWS\TEMP\win228.tmp.exe
C:\WINDOWS\TEMP\win20C.tmp.exe

* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.

* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:

Delete Newsgroup cache
Delete Newsgroup Subscriptions
Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!

* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

"Perform action on all infections"
.Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.

* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *

In your next post, please include fresh logs from:

HiJackThis log

Online Scan

Ewido

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

afrocentricity · 02-24-2006, 03:06 AM

I cleaned with ewido anti-malware but forgot to save a report

the other reports follow, also the Temp folder seems to have been succesfully emptied yay.

Quote:

Logfile of HijackThis v1.99.1
Scan saved at 10:05:03, on 24/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\eHome\ehmsas.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Sitecom USB ADSL modem DC-204\CnxDslTb.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\PeerGuardian2\PeerGuardian2\pg2.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\DLMage\DnloadMage.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Sitecom USB ADSL modem DC-204\CnxDslTb.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic 6\delay.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKCU\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: DLMage.lnk = C:\Program Files\DLMage\DnloadMage.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PeerGuardian.lnk = C:\Program Files\PeerGuardian2\PeerGuardian2\pg2.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1134678664015
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFB78826-3919-464A-A141-51517B86664A}: NameServer = 194.106.56.6 194.106.33.42
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: winosz32 - C:\WINDOWS\SYSTEM32\winosz32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Quote:

------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, February 24, 2006 10:01:50 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 24/02/2006
Kaspersky Anti-Virus database records: 178354
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 150730
Number of viruses found: 3
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:24:26

Infected Object Name / Virus Name / Last Action
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\System Volume Information\_restore{A0667612-354B-4E86-BA04-59D3C7EFD67C}\RP117\A0050779.exe Infected: Trojan-Dropper.Win32.Agent.aiq skipped
C:\System Volume Information\_restore{A0667612-354B-4E86-BA04-59D3C7EFD67C}\RP117\A0050780.exe Infected: Trojan-Dropper.Win32.Agent.aiq skipped
C:\System Volume Information\_restore{A0667612-354B-4E86-BA04-59D3C7EFD67C}\RP117\A0050781.exe Infected: Trojan-Dropper.Win32.Agent.aiq skipped
C:\System Volume Information\_restore{A0667612-354B-4E86-BA04-59D3C7EFD67C}\RP121\A0052050.dll Infected: Trojan-Clicker.Win32.Small.kb skipped

Scan process completed.

afrocentricity · 02-24-2006, 03:10 AM

Plus where you originally said:

Quote:

Launch KillBox.exe & select the following options:

* replace on Reboot
* use dummy

do I now need to delete these dummies? also could you let me know what viruses I was infected by and how I may have come into contact with them? If possible

afrocentricity · 02-24-2006, 03:34 AM

Plus how do I deal with the viruses flagged by the online scan?

sUBs · 02-24-2006, 09:08 AM

Please verify if this file still exist - C:\WINDOWS\SYSTEM32\winosz32.dll

afrocentricity · 02-24-2006, 09:50 AM

Quote:

Originally Posted by sUBs

Please verify if this file still exist - C:\WINDOWS\SYSTEM32\winosz32.dll

Its still there... thought that got cleaned by HT?

sUBs · 02-24-2006, 10:18 AM

Let'ssee if there's anything else hidden

Download and run Blacklight

After you start the program and accept the license, you should see the first step (Figure 1), which lets you scan for hidden items. Note that you must have local administrative privileges to run the program.

Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this

When it finishes, click Next. You may get a screen similar to the picture below. Click on Close

BlackLight beta would create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log

afrocentricity · 02-24-2006, 10:53 AM

Quote:

02/24/06 17:50:25 [Info]: BlackLight Engine 1.0.32 initialized
02/24/06 17:50:25 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/24/06 17:50:25 [Note]: 7019 4
02/24/06 17:50:25 [Note]: 7005 0
02/24/06 17:50:28 [Note]: 7006 0
02/24/06 17:50:28 [Note]: 7011 2676
02/24/06 17:50:28 [Note]: FSRAW library version 1.7.1015
02/24/06 17:52:10 [Note]: 7007 0

nothing found

sUBs · 02-24-2006, 10:56 AM

Please visit this website - http://virusscan.jotti.org
Submit the file for a comprehensive scan & then post the results back here.

afrocentricity · 02-24-2006, 11:04 AM

the files ok apparently

afrocentricity · 02-24-2006, 11:06 AM

wat is that file?

sUBs · 02-24-2006, 11:11 AM

Lol..you have to show me Jotti's report.

afrocentricity · 02-24-2006, 11:14 AM

lol

Quote:

Service
Service load:
0% 100%
File: winosz32.dll
Status:
OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 cbd7acf2b49878aa92749abf1659c45b
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing

sUBs · 02-24-2006, 11:33 AM

Navigate to the file - C:\WINDOWS\SYSTEM32\winosz32.dll

Right click on it & select Properties.
Then go to the Version tab and see what information you can get from there (Company, Description, etc.) and post it here.

afrocentricity · 02-24-2006, 11:43 AM

Strangley enough it doesn't have a version tab... Is this file a virus?

sUBs · 02-24-2006, 11:48 AM

Whatever it is, it's highly suspicious & very likely malware.

It's a 020 Hijackthis entry that comes up empty on Google. Any legitimate 020 entry would draw a lot of hits on Google.

I would like a sample of this file so that it can be studied at the labs. Please zip/archive it & placed that as an attachment in your next post

afrocentricity · 02-24-2006, 11:52 AM

Ok here you go... shall I clean this file out then and if so how?

sUBs · 02-24-2006, 11:58 AM

Lol...that's the dummy file created by Killbox. No wonder it came up clean.

Launch Killbox.
Under the File menu, select "Delete all dummy files"

Then Have HijackThis fix the 020 entry.
Reboot & post a fresh HJT log

afrocentricity · 02-24-2006, 04:57 PM

Quote:

Originally Posted by sUBs

Lol...that's the dummy file created by Killbox. No wonder it came up clean.

Launch Killbox.
Under the File menu, select "Delete all dummy files"

Then Have HijackThis fix the 020 entry.
Reboot & post a fresh HJT log

My bad,

Hers the log, hopefully all is well now...

Quote:

Logfile of HijackThis v1.99.1
Scan saved at 23:55:41, on 24/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Sitecom USB ADSL modem DC-204\CnxDslTb.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\PeerGuardian2\PeerGuardian2\pg2.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\Program Files\DLMage\DnloadMage.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Sitecom USB ADSL modem DC-204\CnxDslTb.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BE.EXE /P26 "EPSON Stylus CX3600 Series" /O6 "USB001" /M "Stylus CX3600"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SystemGuardAlerter] "C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe"
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic 6\delay.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKCU\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\Program Files\Bandwidth Monitor Pro\Bandwidth Monitor Pro.exe" /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: DLMage.lnk = C:\Program Files\DLMage\DnloadMage.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: PeerGuardian.lnk = C:\Program Files\PeerGuardian2\PeerGuardian2\pg2.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1134678664015
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

02-23-2006, 10:33 PM	#2 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,409 OS: N/A	Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. * * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * * Download & install CleanUp.exe (not recommended for WinXP64) Download KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175) Download and install Ewido Security Suite When installing, under "Additional Options", uncheck - Install background guard Have Ewido update itself & then exit the program. If you are having problems with the updater, you can use this link to manually update Ewido 'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. * * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * * Do a HijackThis scan & place a check next to these items and select "Fix checked": R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O20 - Winlogon Notify: winosz32 - C:\WINDOWS\SYSTEM32\winosz32.dll * * * * * * KILLBOX * * * * * * * * * * * * * * * * * * * * * * * Launch KillBox.exe & select the following options: replace on Reboot use dummy Use your mouse to select all the filenames highlighted in blue & then right-click & select Copy C:\WINDOWS\SYSTEM32\winosz32.dll C:\WINDOWS\TEMP\win228.tmp.exe C:\WINDOWS\TEMP\win20C.tmp.exe C:\WINDOWS\TEMP\win228.tmp.exe C:\WINDOWS\TEMP\win20C.tmp.exe * Go to the File menu, and choose Paste from Clipboard * Click the RED X button. * Click Yes at the Delete on Reboot prompt. * Click Yes at the 'Pending Operations prompt'. If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again. * * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * * 1. Restart your computer 2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3. Instead of Windows loading as normal, a menu should appear 4. Select the option to run Windows in Safe Mode. * * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * * Run Cleanup! using the following configuration: 1. Click Options... 2. Set the slider initially to Standard CleanUp! 3. Uncheck the following: Delete Newsgroup cache Delete Newsgroup Subscriptions Scan local drives for temporary files 4. Click OK 5. Press the CleanUp! button to start the program. 6. Do NOT reboot/logoff if prompted. * CleanUp! will not create any backups!! * * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * * Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click Complete System Scan to begin scanning. Click OK when prompted to clean files With the first file it prompts to clean, select the option: "Perform action on all infections" .Choose clean and click OK. Once finished, click the Save report button & save the report to your desktop ** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete. * * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * * Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan * * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * * In your next post, please include fresh logs from: HiJackThis log Online Scan Ewido Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________ Question - what have you done for the community today?

02-24-2006, 09:08 AM	#6 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,409 OS: N/A	Please verify if this file still exist - C:\WINDOWS\SYSTEM32\winosz32.dll __________________ Question - what have you done for the community today?

02-24-2006, 10:18 AM	#8 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,409 OS: N/A	Let'ssee if there's anything else hidden Download and run Blacklight After you start the program and accept the license, you should see the first step (Figure 1), which lets you scan for hidden items. Note that you must have local administrative privileges to run the program. Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this When it finishes, click Next. You may get a screen similar to the picture below. Click on Close BlackLight beta would create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log __________________ Question - what have you done for the community today?

02-24-2006, 10:56 AM	#10 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,409 OS: N/A	Please visit this website - http://virusscan.jotti.org Submit the file for a comprehensive scan & then post the results back here. __________________ Question - what have you done for the community today?

02-24-2006, 11:11 AM	#13 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,409 OS: N/A	Lol..you have to show me Jotti's report. __________________ Question - what have you done for the community today?

02-24-2006, 03:34 AM	#5 (permalink)
afrocentricity Registered User Join Date: Dec 2004 Posts: 41 OS: xp mce 2005, vista ultimate	Plus how do I deal with the viruses flagged by the online scan?

02-24-2006, 11:04 AM	#11 (permalink)
afrocentricity Registered User Join Date: Dec 2004 Posts: 41 OS: xp mce 2005, vista ultimate	the files ok apparently

02-24-2006, 11:06 AM	#12 (permalink)
afrocentricity Registered User Join Date: Dec 2004 Posts: 41 OS: xp mce 2005, vista ultimate	wat is that file?

02-24-2006, 11:33 AM	#15 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,409 OS: N/A	Navigate to the file - C:\WINDOWS\SYSTEM32\winosz32.dll Right click on it & select Properties. Then go to the Version tab and see what information you can get from there (Company, Description, etc.) and post it here. __________________ Question - what have you done for the community today?

02-24-2006, 11:43 AM	#16 (permalink)
afrocentricity Registered User Join Date: Dec 2004 Posts: 41 OS: xp mce 2005, vista ultimate	Strangley enough it doesn't have a version tab... Is this file a virus?

02-24-2006, 11:48 AM	#17 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,409 OS: N/A	Whatever it is, it's highly suspicious & very likely malware. It's a 020 Hijackthis entry that comes up empty on Google. Any legitimate 020 entry would draw a lot of hits on Google. I would like a sample of this file so that it can be studied at the labs. Please zip/archive it & placed that as an attachment in your next post __________________ Question - what have you done for the community today?

02-24-2006, 11:58 AM	#19 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,409 OS: N/A	Lol...that's the dummy file created by Killbox. No wonder it came up clean. Launch Killbox. Under the File menu, select "Delete all dummy files" Then Have HijackThis fix the 020 entry. Reboot & post a fresh HJT log __________________ Question - what have you done for the community today?