
Registered · 6 Posts · Discussion Starter · #1
Hi

Need help

Tried the steps mentioned earlier before posting here, but to no avail.

It seems like even my safe mode with command prompt is also infected.

Also, unable to install any new software.

Am running WinXP with SP2.

Suspected culprits: j6148622.exe & zh59211508.exe

Tried deleting them in safe mode, but either they couldn't be found or they'd keep reappearing.


Help is very much appreciated

TQ!
 


Registered · 6 Posts · Discussion Starter · #2
Trojan horse TR/Dldr.Smal.coc.2

Hi, I'm back :wave:

Was infected by Trojan horse TR/Dldr.Smal.coc.2 (termed by AntiVir PersonalEdition Classic)

Not a guru here, but I just would like to share some pain and gain for those who might find this info useful. Certain steps might be overdone, but I was just being extra cautious :grin:

Steps taken in clearing TR/Dldr.Smal.coc.2:

00. isolate infected pc from internet or any connection to pc/writable media
01. download 'AntiVir PersonalEdition Classic' (free for personal use only)
02. start winxp, press F8, choose safe mode with command prompt
03. choose 'Administrator'
04. press 'ctrl+alt+del' task manager will appear
05. at the 'File' pulldown menu, click and choose 'New Task (Run)'
06. 'Create New task' dialog appears, type 'explorer' in the blank space
07. 'start' button on the lower left appears with windows taskbar
08. install 'AntiVir PersonalEdition Classic' and scan
09. run 'msconfig' and disable 'uninvited guests'; in my case, here are some: 'o4148627.exe', 'j6148622.exe', 'zh59887484y.exe' and many more exe with random alphanumerics
10. restart to normal mode
11. scan with 'AntiVir PersonalEdition Classic' again
12. install and run ccleaner, fix issues
13. recheck 'msconfig' for any uninvited guests
14. restart again
15. scan with 'AntiVir PersonalEdition Classic' again
16. turn off 'system restore'
17. restart and turn 'system restore' on

voila! it's cleared!

Did a lot of reading on this forum as well as a lot of trial and error until I arrived at this solution; it may not be the best and might seem clumsy, but it works for me :smile:
Any comments/feedback are welcome.

and thanks to tech support forum :pray:
 

TSF Security Manager, Emeritus · 42,836 Posts
Hello greensinnerz and welcome to TSF,

Glad to hear you got it sorted out. :sayyes: I still highly recommend doing the following:

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on the link located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
  4. Begin the scan by selecting the scan option.
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on the report link, then click to view it.
* You needn't remain online while it's doing the scan, but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan.


-----------------------------------

Run a new scan with HijackThis and save the log.

-----------------------------------

Please include the following in your next reply:

Panda results
New HijackThis log


Please copy/paste the logs directly into the reply box--do not attach.
 

Registered · 6 Posts · Discussion Starter · #4
Hi Ried :wave:

Sorry for the late reply, I was occupied last week.

Here's my new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:03:28 AM, on 18-Dec-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Volumouse\volumouse.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Imation\ImationFlashDetect.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Kim\Desktop\hijackthis\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [$Volumouse$] "C:\Program Files\Volumouse\volumouse.exe" /nodlg
O4 - Startup: CPU Meter.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Startup: ImationFlashDetect.lnk = C:\Program Files\Imation\ImationFlashDetect.exe
O4 - Startup: stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D0187F0-A818-4FF4-B580-14EBC04AEF47}: NameServer = 202.188.0.133,202.188.1.11
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe

There wasn't any internet access for this pc. So, would it be all right if I were to get downloadable Panda antivirus?


Thanks :smile:
 

TSF Security Manager, Emeritus · 42,836 Posts
Hello greensinnerz,

You have a nasty worm on this system and conventional tools will not completely eradicate it, as you've just seen. :sayno:

Do not install a second AV program. You never want more than 1 AV program installed as they will conflict with one another as well as cause system instability. We'll find another way to reveal any malware that may be lurking.

At what point did you lose internet access? Please use another computer to download the following tool and transfer to this PC.

Download Combofix and save it to your desktop. (transfer it to the desktop of the troubled PC)

**Note: It is important that it is saved directly to your desktop**

-------------------------------------

Close any open browsers.

-------------------------------------


Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.


Post the ComboFix.txt in your next reply along with a new HijackThis log and an update on system behavior.
 

Registered · 6 Posts · Discussion Starter · #6
Hi Ried

Here they are:

Combofix log:

"Kim" - 06-12-29 9:06:31.62 Service Pack 2
ComboFix 06-12-28.3W-BetaE2 - Running from: "C:\Documents and Settings\Kim\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-29 to 2006-12-29 ))))))))))))))))))))))))))))))))))


2006-12-28 15:57 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2006-12-21 12:54 32,768 --a------ C:\WINDOWS\system32\drivers\avgntdd.sys
2006-12-21 12:54 14,848 --a------ C:\WINDOWS\system32\drivers\avgntmgr.sys
2006-12-21 12:54 <DIR> d-------- C:\Program Files\AntiVir PersonalEdition Classic
2006-12-21 12:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2006-12-15 19:07 <DIR> d-------- C:\Program Files\CCleaner
2006-12-14 16:00 <DIR> dr-hs---- C:\WINDOWS\SY20118
2006-12-14 16:00 <DIR> dr-hs---- C:\WINDOWS\Ad22098
2006-12-14 08:55 <DIR> dr-hs---- C:\WINDOWS\system32\s8787
2006-12-13 17:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-11 11:03 <DIR> dr-hs---- C:\WINDOWS\system32\n8127
2006-12-08 17:11 <DIR> dr-hs---- C:\WINDOWS\system32\s4695
2006-12-08 17:11 <DIR> dr-hs---- C:\WINDOWS\Ki9822
2006-12-04 10:26 <DIR> d-------- C:\Program Files\RDPSoftware
2006-12-02 12:58 21,888 -ra------ C:\WINDOWS\system32\drivers\vmusb.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-28 15:58 -------- d-------- C:\Program Files\winamp
2006-12-22 17:21 -------- d-------- C:\DOCUME~1\Kim\Application Data\vmware
2006-12-20 12:52 -------- d-------- C:\DOCUME~1\Kim\Application Data\openoffice.org2
2006-12-15 18:29 -------- d-------- C:\Program Files\stickies
2006-12-12 08:04 -------- d-------- C:\Program Files\Common Files\adobe
2006-11-24 12:03 -------- d-------- C:\DOCUME~1\Kim\Application Data\adobe
2006-11-18 12:36 -------- d--h----- C:\Program Files\installshield installation information
2006-11-18 09:35 -------- d-------- C:\DOCUME~1\Kim\Application Data\adobeum
2006-11-16 17:33 -------- d-------- C:\Program Files\vbuster
2006-11-07 16:23 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2006-10-31 12:24 -------- d-------- C:\DOCUME~1\Kim\Application Data\openoffice.org1.9.79
2006-10-31 12:21 -------- d-------- C:\Program Files\openoffice.org 2.0


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"$Volumouse$"="\"C:\\Program Files\\Volumouse\\volumouse.exe\" /nodlg"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kim^Start Menu^Programs^Startup^ImationFlashDetect.lnk]
"path"="C:\\Documents and Settings\\Kim\\Start Menu\\Programs\\Startup\\ImationFlashDetect.lnk"
"backup"="C:\\WINDOWS\\pss\\ImationFlashDetect.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Imation\\IMATIO~1.EXE "
"item"="ImationFlashDetect"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cobian Backup 7]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CobBU"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Cobian Backup 7\\CobBU.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f1398Kim]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zh59887484y"
"hkey"="HKCU"
"command"="\"C:\\WINDOWS\\system32\\s4695\\zh59887484y.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f3444Adm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zh592115084y"
"hkey"="HKCU"
"command"="\"C:\\WINDOWS\\system32\\s8787\\zh592115084y.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ImScInst"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\N2238c]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="j6148622"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\j6148622.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetIcon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Seticon"
"hkey"="HKLM"
"command"="\\Program Files\\SMSC\\Seticon.exe"
"inimapping"="0"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"y3114SYS"="\"C:\\WINDOWS\\system32\\n8127\\sv711917030r.exe\""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"y3114SYS"="\"C:\\WINDOWS\\system32\\n8127\\sv711917030r.exe\""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000001

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"N2238c"="\"C:\\WINDOWS\\_default14862.pif\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"f1398Kim"="\"C:\\Documents and Settings\\Kim\\Local Settings\\Application Data\\dv688740x\\yesbron.com\""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]
"y3114SYS"="\"C:\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\dv6191700x\\yesbron.com\""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\run]
"y3114SYS"="\"C:\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\dv6191700x\\yesbron.com\""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At2.job

Completion time: 06-12-29 9:07:48.40


Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:24:52 AM, on 29-Dec-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Volumouse\volumouse.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Imation\ImationFlashDetect.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AutoCAD 2007\acad.exe
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Kim\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [$Volumouse$] "C:\Program Files\Volumouse\volumouse.exe" /nodlg
O4 - Startup: CPU Meter.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Startup: ImationFlashDetect.lnk = C:\Program Files\Imation\ImationFlashDetect.exe
O4 - Startup: stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D0187F0-A818-4FF4-B580-14EBC04AEF47}: NameServer = 202.188.0.133,202.188.1.11
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Thanks!
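The "Reg Loading Points" section of the ComboFix log above is read by hand in this thread, as was the msconfig list in post #2. The following is an added example (Python; it is not part of the thread and not ComboFix's or HijackThis's own code) that parses that section and flags the autostart entries a responder would look at first: random alphanumeric file names, random-named folders under system32 or Application Data, .com/.pif launchers, Run keys under the SYSTEM/.default profile, the policies\explorer\run keys that msconfig does not list, and the DisableRegistryTools policy. The sample log is a constructed excerpt of the log posted above, and the name patterns are heuristics chosen for this example, not signatures from any tool.

```python
import os
import re
from typing import Dict, List, NamedTuple

# Constructed excerpt modelled on the "Reg Loading Points" section of the
# ComboFix log posted in this thread (paths and names are taken from it).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f1398Kim]
"item"="zh59887484y"
"command"="\"C:\\WINDOWS\\system32\\s4695\\zh59887484y.exe\""
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"y3114SYS"="\"C:\\WINDOWS\\system32\\n8127\\sv711917030r.exe\""
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"N2238c"="\"C:\\WINDOWS\\_default14862.pif\""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"f1398Kim"="\"C:\\Documents and Settings\\Kim\\Local Settings\\Application Data\\dv688740x\\yesbron.com\""
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|(dword:[0-9a-fA-F]+))$')
# Heuristics chosen for this example: names like zh59887484y or j6148622, folders like s4695 or dv688740x.
RANDOM_NAME_RE = re.compile(r'^[a-z_]{0,8}\d{4,}[a-z]{0,2}$', re.I)
RANDOM_DIR_RE = re.compile(r'^(?:[a-z]\d{4,}|dv\d+x)$', re.I)
ODD_EXTS = {'.com', '.pif', '.scr'}


class Finding(NamedTuple):
    key: str            # registry key as printed by ComboFix (lower-cased)
    name: str           # value name, or the msconfig "item"
    target: str         # executable the entry launches ('' for a policy)
    reasons: List[str]  # why it was flagged


def parse_reg_points(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] / "name"="value" blocks into {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            value = m.group(2) if m.group(2) is not None else m.group(3)
            # ComboFix prints values .reg-style, with \\ and \" escaped.
            keys[current][m.group(1)] = re.sub(r'\\(.)', r'\1', value)
    return keys


def target_of(command: str) -> str:
    """Executable path from a Run-key command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def reasons_for(key: str, target: str) -> List[str]:
    parts = target.split('\\')
    stem, ext = os.path.splitext(parts[-1])
    reasons = []
    if RANDOM_NAME_RE.match(stem):
        reasons.append('random alphanumeric file name')
    if any(RANDOM_DIR_RE.match(p) for p in parts[:-1]):
        reasons.append('launched from a random-named folder')
    if ext.lower() in ODD_EXTS:
        reasons.append('unusual executable extension ' + ext.lower())
    if key.startswith(('hkey_users\\.default', 'hkey_users\\s-1-5-18')):
        reasons.append('autostarts under the SYSTEM/default profile')
    if 'policies\\explorer\\run' in key:
        reasons.append('policy Run key, not shown by msconfig')
    return reasons


def triage(text: str) -> List[Finding]:
    """Flag suspicious autostart entries in a ComboFix Reg Loading Points dump."""
    findings: List[Finding] = []
    for key, values in parse_reg_points(text).items():
        if key.endswith('\\policies\\system'):
            if values.get('DisableRegistryTools') == 'dword:00000001':
                findings.append(Finding(key, 'DisableRegistryTools', '',
                                        ['registry editor disabled by policy']))
            continue
        if 'msconfig\\startupreg\\' in key and 'command' in values:
            # Entries msconfig has disabled; the file itself is still on disk.
            entries = {values.get('item', key.rsplit('\\', 1)[-1]): values['command']}
        elif key.endswith('\\run'):
            entries = values
        else:
            continue
        for name, command in entries.items():
            target = target_of(command)
            reasons = reasons_for(key, target)
            if reasons:
                findings.append(Finding(key, name, target, reasons))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.name:22s} {f.target or "-"}\n    ' + '; '.join(f.reasons))
```

Run against a saved log with `triage(open('ComboFix.txt').read())`; on the constructed sample it returns five findings and leaves the NVIDIA and AntiVir entries alone. Note that the msconfig startupreg branch holds entries msconfig has merely disabled, which is why the files the OP unticked in post #2 still show up and still need to be removed from disk.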
 

TSF Security Manager, Emeritus · 42,836 Posts
Hello,

We have a lot to do here. I'd like you to run this tool first and we'll see what's left:

If you are using another computer to download and transfer tools, please disable the autorun feature of ALL removable drives to prevent a reinfection.

Download & run this tool - http://www.techsupportforum.com/sectools/CleanX-II.exe

Then post the log it produces.

If the log doesn't come back clean after the first pass, reboot & run it again.

---------------------------

Run combofix.exe once again.

---------------------------

Run a new scan with HijackThis and save the log.

---------------------------

Please include all reports in your next reply along with an update on your system's behavior.
 

Registered · 6 Posts · Discussion Starter · #8
:partytime: Happy New Year!!

cleanx log:

#######################################################################

Brontok Worm Removal Tool - (Version - 06.08.14)
by sUBs

#######################################################################

Current date: 03-Jan-07 Current time: 8:05:03.06

=== PRE RUN ANALYSIS ===================================

...............



=== POST RUN ANALYSIS ==================================



NOTE
The post-run analysis portion should be empty. If it's not, reboot and run the tool a second time.

======================================================


combofix log:

"Kim" - 07-01-03 7:56:42.95 Service Pack 2
ComboFix 06-12-28.3W-BetaE2 - Running from: "C:\Documents and Settings\Kim\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-03 to 2007-01-03 ))))))))))))))))))))))))))))))))))


2006-12-30 11:52 512,688 --a------ C:\WINDOWS\system32\XceedCry.dll
2006-12-30 11:52 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2006-12-30 11:52 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2006-12-28 15:57 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2006-12-21 12:54 32,768 --a------ C:\WINDOWS\system32\drivers\avgntdd.sys
2006-12-21 12:54 14,848 --a------ C:\WINDOWS\system32\drivers\avgntmgr.sys
2006-12-21 12:54 <DIR> d-------- C:\Program Files\AntiVir PersonalEdition Classic
2006-12-21 12:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2006-12-15 19:07 <DIR> d-------- C:\Program Files\CCleaner
2006-12-13 17:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-08 17:11 <DIR> dr-hs---- C:\WINDOWS\Ki9822
2006-12-04 10:26 <DIR> d-------- C:\Program Files\RDPSoftware


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-29 15:53 -------- d-------- C:\DOCUME~1\Kim\Application Data\openoffice.org2
2006-12-28 15:58 -------- d-------- C:\Program Files\winamp
2006-12-22 17:21 -------- d-------- C:\DOCUME~1\Kim\Application Data\vmware
2006-12-15 18:29 -------- d-------- C:\Program Files\stickies
2006-12-12 08:04 -------- d-------- C:\Program Files\Common Files\adobe
2006-11-18 12:36 -------- d--h----- C:\Program Files\installshield installation information
2006-11-16 17:33 -------- d-------- C:\Program Files\vbuster
2006-11-07 16:23 -------- d-------- C:\Program Files\Common Files\wise installation wizard


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"$Volumouse$"="\"C:\\Program Files\\Volumouse\\volumouse.exe\" /nodlg"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kim^Start Menu^Programs^Startup^ImationFlashDetect.lnk]
"path"="C:\\Documents and Settings\\Kim\\Start Menu\\Programs\\Startup\\ImationFlashDetect.lnk"
"backup"="C:\\WINDOWS\\pss\\ImationFlashDetect.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Imation\\IMATIO~1.EXE "
"item"="ImationFlashDetect"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cobian Backup 7]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CobBU"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Cobian Backup 7\\CobBU.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f1398Kim]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zh59887484y"
"hkey"="HKCU"
"command"="\"C:\\WINDOWS\\system32\\s4695\\zh59887484y.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f3444Adm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zh592115084y"
"hkey"="HKCU"
"command"="\"C:\\WINDOWS\\system32\\s8787\\zh592115084y.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ImScInst"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\N2238c]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="j6148622"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\j6148622.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetIcon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Seticon"
"hkey"="HKLM"
"command"="\\Program Files\\SMSC\\Seticon.exe"
"inimapping"="0"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000001

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]
"y3114SYS"="\"C:\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\dv6191700x\\yesbron.com\""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\run]
"y3114SYS"="\"C:\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\dv6191700x\\yesbron.com\""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


Completion time: 07-01-03 7:58:00.17
C:\ComboFix2.txt ... 06-12-29 09:07



hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:59:27 AM, on 03-Jan-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Volumouse\volumouse.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Imation\ImationFlashDetect.exe
C:\Program Files\stickies\stickies.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Kim\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [$Volumouse$] "C:\Program Files\Volumouse\volumouse.exe" /nodlg
O4 - Startup: CPU Meter.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Startup: ImationFlashDetect.lnk = C:\Program Files\Imation\ImationFlashDetect.exe
O4 - Startup: stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D0187F0-A818-4FF4-B580-14EBC04AEF47}: NameServer = 202.188.0.133,202.188.1.11
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Lately, my pc hasn't been acting strangely.

Any comments?
 

TSF Security Manager, Emeritus · 42,836 Posts
It will be acting up again if we don't finish this. :sayyes:

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Download the attached green.zip file to your desktop.

--------------------------------------------------------------------

Close any open browsers.

--------------------------------------------------------------------

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now.

--------------------------------------------------------------------

Double click on the green.zip folder, then double click on the .reg file within. Click yes to allow it to merge into your registry.

--------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following Files and Folders if they still exist.

C:\WINDOWS\system32\s4695
C:\WINDOWS\system32\s8787
C:\WINDOWS\j6148622.exe
C:\Documents and Settings\LocalService\Local Settings\Application Data\dv6191700x


**If any of the above resist deletion, boot into Safe Mode to delete.

--------------------------------------------------------------------

Reboot your system.

--------------------------------------------------------------------

The Ki9822 folder looks suspicious as well. Let's see what's in there. :sayyes:

Go to Start>Run, type cmd, then press Enter.

Type the following instruction at the command prompt:

dir /s /a "C:\WINDOWS\Ki9822" > c:\find.txt & start notepad c:\find.txt

You may find it easier to copy/paste it into the command prompt. If you're unfamiliar with this, you can paste into the command prompt by clicking on the upper left icon on the command shell window, referred to as the system menu, and along with Move, Size, and so on, you'll see a sub menu called Edit. Click on that, and you'll find Copy, Paste and other clipboard related commands. Here's a screen shot of what I mean:



A notepad file will open. Paste the contents of that file in your next reply.

--------------------------------------------------------------------

Run combofix.exe once again.

--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include those 3 reports in your next reply.

Happy New Year to you as well. :grin:
 

Registered · 6 Posts · Discussion Starter · #10
hi hi :wave:

find:
Volume in drive C has no label.
Volume Serial Number is 4851-A17D

Directory of c:\windows\ki9822

15-Dec-06 06:47 PM <DIR> .
15-Dec-06 06:47 PM <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
0 File(s) 0 bytes
2 Dir(s) 34,765,320,192 bytes free


combofix:
"Kim" - 07-01-05 9:06:00.95 Service Pack 2
ComboFix 06-12-28.3W-BetaE2 - Running from: "C:\Documents and Settings\Kim\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-05 to 2007-01-05 ))))))))))))))))))))))))))))))))))


2006-12-30 11:52 512,688 --a------ C:\WINDOWS\system32\XceedCry.dll
2006-12-30 11:52 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2006-12-30 11:52 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2006-12-28 15:57 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2006-12-21 12:54 32,768 --a------ C:\WINDOWS\system32\drivers\avgntdd.sys
2006-12-21 12:54 14,848 --a------ C:\WINDOWS\system32\drivers\avgntmgr.sys
2006-12-21 12:54 <DIR> d-------- C:\Program Files\AntiVir PersonalEdition Classic
2006-12-21 12:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2006-12-15 19:07 <DIR> d-------- C:\Program Files\CCleaner
2006-12-13 17:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-08 17:11 <DIR> dr-hs---- C:\WINDOWS\Ki9822


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-04 17:31 -------- d-------- C:\Program Files\cobian backup 7
2006-12-29 15:53 -------- d-------- C:\DOCUME~1\Kim\Application Data\openoffice.org2
2006-12-28 15:58 -------- d-------- C:\Program Files\winamp
2006-12-22 17:21 -------- d-------- C:\DOCUME~1\Kim\Application Data\vmware
2006-12-15 18:29 -------- d-------- C:\Program Files\stickies
2006-12-12 08:04 -------- d-------- C:\Program Files\Common Files\adobe
2006-12-04 10:26 -------- d-------- C:\Program Files\rdpsoftware
2006-11-18 12:36 -------- d--h----- C:\Program Files\installshield installation information
2006-11-16 17:33 -------- d-------- C:\Program Files\vbuster
2006-11-07 16:23 -------- d-------- C:\Program Files\Common Files\wise installation wizard


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"$Volumouse$"="\"C:\\Program Files\\Volumouse\\volumouse.exe\" /nodlg"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Kim^Start Menu^Programs^Startup^ImationFlashDetect.lnk]
"path"="C:\\Documents and Settings\\Kim\\Start Menu\\Programs\\Startup\\ImationFlashDetect.lnk"
"backup"="C:\\WINDOWS\\pss\\ImationFlashDetect.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Imation\\IMATIO~1.EXE "
"item"="ImationFlashDetect"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cobian Backup 7]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CobBU"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Cobian Backup 7\\CobBU.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f1398Kim]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zh59887484y"
"hkey"="HKCU"
"command"="\"C:\\WINDOWS\\system32\\s4695\\zh59887484y.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f3444Adm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zh592115084y"
"hkey"="HKCU"
"command"="\"C:\\WINDOWS\\system32\\s8787\\zh592115084y.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ImScInst"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\N2238c]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="j6148622"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\j6148622.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetIcon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Seticon"
"hkey"="HKLM"
"command"="\\Program Files\\SMSC\\Seticon.exe"
"inimapping"="0"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000001

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]
"y3114SYS"="\"C:\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\dv6191700x\\yesbron.com\""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\run]
"y3114SYS"="\"C:\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\dv6191700x\\yesbron.com\""

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


Completion time: 07-01-05 9:07:16.25
C:\ComboFix2.txt ... 07-01-03 08:51
C:\ComboFix3.txt ... 07-01-03 07:58


hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 9:09:09 AM, on 05-Jan-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Volumouse\volumouse.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Imation\ImationFlashDetect.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Kim\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [$Volumouse$] "C:\Program Files\Volumouse\volumouse.exe" /nodlg
O4 - Startup: CPU Meter.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Startup: ImationFlashDetect.lnk = C:\Program Files\Imation\ImationFlashDetect.exe
O4 - Startup: stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: AutoCAD LT Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{4D0187F0-A818-4FF4-B580-14EBC04AEF47}: NameServer = 202.188.0.133,202.188.1.11
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Is there any way I could remove these entries from Msconfig-Startup List:

j6148622.exe
zh592115084y.exe
zh59887484y.exe

or are they harmless if I just leave them there?

Thanks!
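The msconfig startup entries asked about here are the same ones ComboFix listed under "Reg Loading Points" in the msconfig\startupreg bucket, alongside the Run keys the helper's earlier instructions targeted. The script below is an added example, not code from the thread, the forum helper, or any of the tools named here: it parses that section of a ComboFix log and flags autostart entries whose value or file names follow the random alphanumeric pattern seen in this thread, that sit in a random-named folder, or that launch from the LocalService profile. The embedded excerpt is constructed from lines quoted above; the name pattern is a heuristic fitted to this thread's samples rather than a signature, and every function name is my own.

```python
import re

# Constructed excerpt modelled on the ComboFix "Reg Loading Points" section
# quoted in the thread; it is sample input for this script, not a new log.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cobian Backup 7]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CobBU"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Cobian Backup 7\\CobBU.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f1398Kim]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="zh59887484y"
"hkey"="HKCU"
"command"="\"C:\\WINDOWS\\system32\\s4695\\zh59887484y.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\N2238c]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="j6148622"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\j6148622.exe\""
"inimapping"="0"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]
"y3114SYS"="\"C:\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\dv6191700x\\yesbron.com\""
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Heuristic (assumption): one or two letters, a long digit run, up to three
# trailing letters, as in j6148622, zh59887484y, s4695 and dv6191700x above.
RANDOM_RE = re.compile(r'^[a-z]{1,2}\d{4,}[a-z]{0,3}$', re.IGNORECASE)


def unescape(raw):
    """Undo the .reg-style escaping ComboFix prints (\\\\ -> \\, \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', raw)


def parse_autoruns(log_text):
    """Return (value_name, command, registry_key) for every Run-type entry,
    including msconfig's startupreg bucket where disabled items are parked."""
    entries, key, pending = [], None, {}

    def flush():
        # A startupreg subkey is one entry spread over several "name"="value" lines.
        if key and '\\msconfig\\startupreg\\' in key.lower() and 'command' in pending:
            item = pending.get('item', key.rsplit('\\', 1)[-1])
            entries.append((item, pending['command'], key))

    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            flush()
            key, pending = m.group(1), {}
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, value = m.group(1), unescape(m.group(2))
        lk = key.lower()
        if '\\msconfig\\startupreg\\' in lk:
            pending[name] = value
        elif lk.endswith('\\run'):
            entries.append((name, value, key))
    flush()
    return entries


def command_path(command):
    """Pull the executable path out of a Run command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def triage(log_text):
    """Flag autostart entries that look like the droppers in this thread."""
    findings = []
    for name, command, key in parse_autoruns(log_text):
        path = command_path(command)
        parts = path.split('\\')
        base = parts[-1].rsplit('.', 1)[0]
        reasons = []
        if RANDOM_RE.match(name) or RANDOM_RE.match(base):
            reasons.append('random-looking value/file name')
        if any(RANDOM_RE.match(p) for p in parts[:-1]):
            reasons.append('random-looking folder in path')
        if '\\localservice\\' in path.lower():
            reasons.append('runs from the LocalService profile')
        if reasons:
            findings.append({'name': name, 'path': path, 'key': key, 'reasons': reasons})
    return findings


def flagged_names(log_text):
    return sorted(f['name'] for f in triage(log_text))


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['name']:<14} {f['path']}\n    {', '.join(f['reasons'])}\n    [{f['key']}]")
```

Run it against the full "Reg Loading Points" text pasted from a ComboFix log; anything it flags still needs a human look, but it turns a long registry dump into the short list of names and paths worth checking against the files on disk.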
 