
Infected with Worms and Trojans Help Please!

3588 Views 19 Replies 2 Participants Last post by  fredmh
Hello

I am sure that there is a trojan/worm/virus on my PC. I am running WinXP Pro SP2, and there are multiple users on the PC. It was my brother who ran a suspicious file he found on the net. As he is into the warez community he wanted something called a keygen, and then told me what happened, and I intervened. Should I punish him......

Anyway, I saw a red NOD32 window, and it said it had detected some trojans and worms in real time. I have included a picture of the threat log: http://img102.imageshack.us/img102/8381/nod32threatlogwz0.jpg

After this I noticed in the Task Manager the following files running: game1.exe, game2.exe, game3.exe, game4.exe and psoqyl.exe (not sure how this was spelt). I ended these processes.

After this WinPatrol popped up with some alerts. I have also included a picture for this: http://img68.imageshack.us/img68/9374/winpatrolca0.jpg

I then started to scan my PC with some anti-spyware software which I had; details below:

Spyware Defense Scan
When running a scan with this, SpyDefense found the following threats: Trojan.KillAV.DB and Trojan.Downloader.Small.1004, all of which were removed.

CWS Shredder & Bazooka Scanner
CWS found nothing, but Bazooka found three things: Exploit maiden4u.biz, Exploit Vxiframe.biz and Exploit Beehappyy.biz. I am not sure if this is directly linked to the main threat.

NOTE: Before running scans with Spybot and Ad-Aware, I used CCleaner so the scans would be quicker; the results are detailed below:

SPYBOT
For Spybot I received an alert from NOD32. I have included some images, but these windows continually opened up and I print-screened only 2. I stopped the Spybot scan; nothing was found at the time.

http://img251.imageshack.us/img251/701/spybotinterferesv4.jpg
http://img251.imageshack.us/img251/7881/spybot2xo5.jpg

Ad-Aware
On to the Ad-Aware scan: another window popped up when scanning; I have included an image for this as well. The scan only found tracking cookies and MRU lists. I am sure the status screen looks changed, but it could just be me after all these scans :) (see here: http://img249.imageshack.us/img249/6923/adwarechangeax8.jpg)

http://img122.imageshack.us/img122/7962/adawarexo0.jpg

AVG anti-spyware
After this I used AVG Anti-Spyware. The same thing happened (image included). For all of these windows that appeared I selected rename.

http://img443.imageshack.us/img443/8692/ewidotx1.jpg

Just wondering, but does this mean that my Ad-Aware, Spybot and AVG are all corrupt now?? Surprised that the newcomer to the anti-spyware scene, SpyDefense, was not attacked!

NOD32 SCAN (Did I select the right options for quarantining and deleting files??)

Finally I used NOD32 and it found the following:

C:\bqcb.VVVexe - Win32/PSW.Sinowal.BH trojan - quarantined - deleted
C:\qbsoqyl.Vexe - Win32/Nuwar.gen worm - deleted
C:\System Volume Information\_restore{F5A9FDAE-A1E1-4098-8741-1062325F4464}\RP209\A0540780.exe - a variant of Win32/TrojanDownloader.Small.NRS trojan (I selected rename)
C:\WINDOWS\system32\adirss.VVexe - Win32/Nuwar.gen worm - quarantined - deleted
C:\WINDOWS\system32\game0.exe.Vexe - Win32/Nuwar.gen worm - quarantined - deleted
C:\WINDOWS\system32\game1.Vexe - Win32/Nuwar.gen worm - quarantined - deleted
C:\WINDOWS\system32\game2.Vexe - Win32/Nuwar.gen worm - quarantined - deleted
C:\WINDOWS\system32\game3.Vexe - Win32/Nuwar.gen worm - quarantined - deleted
C:\WINDOWS\system32\game4.Vexe - Win32/Nuwar.gen worm - quarantined - deleted
C:\WINDOWS\system32\game5p.exe.Vexe - Win32/Nuwar.gen worm - quarantined - deleted
C:\WINDOWS\system32\Jrf6F6S.Vexe - Win32/Nuwar.gen worm - quarantined - deleted
C:\WINDOWS\system32\lnwin.Vexe - Win32/Nuwar.gen worm - quarantined - deleted
C:\WINDOWS\system32\taskdir.Vexe - Win32/Nuwar.gen worm (for this file I accidentally selected leave, so when the scan finished I searched for it, scanned it with NOD32 and quarantined & deleted it)

It also detected this; should it be removed?
C:\System Volume Information\_restore{F5A9FDAE-A1E1-4098-8741-1062325F4464}\RP209\A0540780.exe - a variant of Win32/TrojanDownloader.Small.NRS trojan

After doing this scan, I can't help but think I may have done this in the wrong order!! AV scan first, then anti-spyware!

Just wondering, but in the path C:\ there is the following file: ytkd.exe, created 28 January 2007, 14:46:11.

Below is my HijackThis log.

So can anyone help me out plzz. I really want to remove the threats! I also have TrojanHunter but will have to install and run it later. Have I done everything correctly?? Should I do more? Thanks for reading, I hope I have made it easy to read this message :)

Logfile of HijackThis v1.99.1
Scan saved at 17:14:33, on 28/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\SiteAdvisor\5020\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Suleman\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer secured by EverestLabs
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.6-1938521650.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.6-1938521650.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\5020\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\5020\SiteAdv.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [RapidCheck] C:\Program Files\RapidCheck\RapidCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpyDefense] C:\Program Files\Everest Labs\Spydefense\sdc.exe /service
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to WebSite-Watcher - C:\Documents and Settings\Suleman\Application Data\aignes\WebSite-Watcher\config\settings\wswie.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Load WebShots 1999x1333 - C:\Documents and Settings\Suleman\My Documents\Webshots Premium Photos\WebShotsLoader.htm
O8 - Extra context menu item: Note this (Google Note&book) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.6-1938521650.dll/gn_menu1.html
O8 - Extra context menu item: Note this (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.6-1938521650.dll/gn_menu2.html
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149438398297
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://esupport.epson-europe.com/selftest/en/Prg/ESTPTest.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37840.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\5020\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
Status: Not open for further replies.
Hello bauer24, and welcome to TSF


Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.


Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.



IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.

The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear. So let's do this to the end!

Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more likely additional infections will result.


----------------------------------------

I see nothing malicious in your HJT log, but with all the malware you listed in your scans, I think we need to go deeper for hidden malware.
One of your scans picked up a variant of Rustock which is a hidden rootkit. We'll check for that.
Keygen is related to crack software, which outside of being illegal in some places, is a great way to invite nasty stuff into your system.
Lastly, the file in System Volume Restore will not harm your computer. We'll deal with that later. Now let's go digging.


----------------------------------------

DOWNLOADS


ComboFix



1. Download this file - You MUST save it to your desktop

COMBOFIX




2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




SYSTEM REPAIR ENGINEER

Please download this tool: System Repair Engineer (http://www.kztechs.com/sreng/sreng2.zip)



  • Extract it to its own folder & double click SREng.exe to run it

  • Select 'Smart Scan' & tick "Verify Digital Signatures"

  • Click on the [Scan] button

  • When finished, click on the [Save Reports] button & save the log to Desktop

  • Attach the log in your next reply. Don't post it


Note: You may have to rename SREngLog.log to SREngLog.txt before attaching

----------------------------------------

FOLLOW-UP

Please return and post these items in the order listed:

c:\combofix.txt
SREng attachment
Hi

Thanks for helping me out. I will be able to perform the requests tomorrow, as my brother needs the PC to complete his college coursework. Nevertheless I will do what you have said after I come back from university tomorrow.

I just have a question, is there a risk of data loss when carrying out what you have said?

Thanks :)
You should not experience any data loss. ComboFix will delete any malware it may find, but will let us know what, if anything, it deletes.
The main thing these tools are going to do is show me if there is any malware hiding on your system.
Sorry for the delay. I have done what you asked and have attached the SYSTEM REPAIR ENGINEER and ComboFix reports.

ComboFix Report

"Suleman" - 07-01-30 19:22:52 Service Pack 2
ComboFix 07-01-25 - Running from: "C:\Documents and Settings\Suleman\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\zlbw.dll


((((((((((((((((((((((((((((((( Files Created from 2006-12-30 to 2007-01-30 ))))))))))))))))))))))))))))))))))


2007-01-29 22:28 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-01-29 22:28 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-01-29 22:28 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-01-29 21:33 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-29 16:46 <DIR> d-------- C:\DOCUME~1\Mohammed\Application Data\SiteAdvisor
2007-01-29 16:03 <DIR> d-------- C:\DOCUME~1\Test\Application Data\SiteAdvisor
2007-01-29 15:23 <DIR> d-------- C:\DOCUME~1\Suleman\Application Data\TrojanHunter
2007-01-29 15:17 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-01-29 14:25 <DIR> d-------- C:\FastSplitterOutput
2007-01-29 14:24 <DIR> d-------- C:\Program Files\Fast AVI MPEG Splitter
2007-01-29 12:55 <DIR> d-------- C:\Program Files\Everest Labs
2007-01-28 22:11 <DIR> d-------- C:\DOCUME~1\Sufyaan\Application Data\SiteAdvisor
2007-01-28 21:22 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\SiteAdvisor
2007-01-28 21:21 <DIR> d-------- C:\DOCUME~1\Suleman\Application Data\SiteAdvisor
2007-01-28 21:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SiteAdvisor
2007-01-28 15:19 <DIR> d-------- C:\Program Files\CCleaner
2007-01-28 14:46 3,072 --a------ C:\ytkd.exe
2007-01-18 00:20 <DIR> d-------- C:\Program Files\FM Modifier 2.1
2007-01-17 21:41 12,288 --a------ C:\WINDOWS\impborl.dll
2007-01-15 13:02 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-01-15 13:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\McAfee
2007-01-13 00:23 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-06 20:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Trymedia
2007-01-06 20:31 <DIR> d-------- C:\Program Files\Sierra
2007-01-04 22:30 <DIR> d-------- C:\DOCUME~1\Mohammed\Application Data\Spyware Terminator
2007-01-04 13:58 <DIR> d-------- C:\Program Files\NCH Swift Sound
2006-12-31 16:11 <DIR> d-------- C:\Program Files\Doom 3
2006-12-31 12:56 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Application Data\Spyware Terminator
2006-12-30 21:55 <DIR> d-------- C:\DOCUME~1\Suleman\Application Data\Everest Labs


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-30 19:06 -------- d-------- C:\Program Files\mozilla firefox
2007-01-30 13:17 -------- d-------- C:\Program Files\mirc
2007-01-29 21:34 -------- d-------- C:\DOCUME~1\Suleman\Application Data\lavasoft
2007-01-29 15:17 -------- d-------- C:\DOCUME~1\Suleman\Application Data\utorrent
2007-01-28 21:20 -------- d-------- C:\Program Files\flashget
2007-01-25 12:20 -------- d-------- C:\Program Files\google
2007-01-24 00:42 -------- d-------- C:\DOCUME~1\Suleman\Application Data\vso
2007-01-18 00:19 -------- d-------- C:\Program Files\sports interactive
2007-01-17 13:48 -------- d---s---- C:\DOCUME~1\Suleman\Application Data\microsoft
2007-01-16 14:37 -------- d-------- C:\Program Files\tuneup utilities 2007
2007-01-12 14:31 -------- d-------- C:\DOCUME~1\Suleman\Application Data\mozilla
2007-01-09 16:09 -------- d-------- C:\Program Files\opera
2007-01-05 23:32 -------- d--h----- C:\Program Files\installshield installation information
2006-12-29 18:42 -------- d-------- C:\DOCUME~1\Suleman\Application Data\rapidget
2006-12-28 22:51 -------- d-------- C:\DOCUME~1\Suleman\Application Data\lionhead studios
2006-12-27 16:21 -------- d-------- C:\DOCUME~1\Suleman\Application Data\ahead
2006-12-27 16:18 -------- d-------- C:\Program Files\wmr11
2006-12-23 15:07 -------- d-------- C:\Program Files\spywareblaster
2006-12-21 15:04 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2006-12-20 21:59 1996 --a------ C:\WINDOWS\system32\sdbackup.reg
2006-12-19 16:53 24072 --a------ C:\WINDOWS\system32\uxtuneup.dll
2006-12-19 16:16 -------- d-------- C:\Program Files\ea sports
2006-12-18 15:10 -------- d-------- C:\Program Files\msn messenger
2006-12-18 15:04 -------- d-------- C:\Program Files\Common Files\epson
2006-12-17 00:09 -------- d-------- C:\DOCUME~1\Suleman\Application Data\limewire
2006-12-15 15:30 -------- d-------- C:\Program Files\vso
2006-12-15 15:29 87608 --a------ C:\DOCUME~1\Suleman\Application Data\ezpinst.exe
2006-12-15 15:29 7824 --a------ C:\DOCUME~1\Suleman\Application Data\pcouffin.cat
2006-12-15 15:29 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2006-12-15 15:29 47360 --a------ C:\DOCUME~1\Suleman\Application Data\pcouffin.sys
2006-12-15 15:29 34 --a------ C:\DOCUME~1\Suleman\Application Data\pcouffin.log
2006-12-15 15:29 1144 --a------ C:\DOCUME~1\Suleman\Application Data\pcouffin.inf
2006-12-15 14:09 -------- d-------- C:\Program Files\proxyfinder
2006-12-11 11:36 -------- d-------- C:\Program Files\unh solutions
2006-12-10 14:01 -------- d-------- C:\Program Files\avisplit
2006-12-04 13:48 -------- d-------- C:\Program Files\limewire
2006-12-03 20:54 -------- d-------- C:\Program Files\Common Files\macromedia
2006-12-03 20:53 -------- d-------- C:\Program Files\macromedia
2006-12-02 21:02 -------- d-------- C:\Program Files\datel
2006-11-08 05:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 20:25 1321744 --a------ C:\WINDOWS\system32\msxml6.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"RapidCheck"="C:\\Program Files\\RapidCheck\\RapidCheck.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"SpyDefense"="C:\\Program Files\\Everest Labs\\Spydefense\\sdc.exe /service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"WinPatrol"="\"C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\WinPatrol.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"EPSON Stylus C44 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S10IC2.EXE /P23 \"EPSON Stylus C44 Series\" /O6 \"USB001\" /M \"Stylus C44\""
"SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\6009\\SiteAdv.exe"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
UxTuneUp


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{85d79fe8-31f4-11db-b5bb-00138f2faecb}]
Shell\AutoRun\command E:\autorun.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job

Completion time: 07-01-30 19:27:05

One more thing: do you know anything about this file: ytkd.exe, located at C:\?

I visited this site http://www.virustotal.com/en/indexf.html to scan it and here is the result:

Antivirus Version Update Result
AntiVir 7.3.1.33 01.30.2007 TR/Dldr.Small.agq.4
Authentium 4.93.8 01.30.2007 could be a corrupted executable file
eSafe 7.0.14.0 01.30.2007 suspicious Trojan/Worm
Sunbelt 2.2.907.0 01.26.2007 VIPRE.Suspicious

And I just thought I'd let you know about this: according to ESET's Virus Radar (http://www.virusradar.com/) the Win32/Nuwar.gen worm is the no. 1 threat. Is Win32/Nuwar.gen new?
The Nuwar trojan is relatively new, about 2 months old. You had a good eye on ytkd.exe. It is bad and we will delete it. Your hosts file also contains a lot of junk, so we will reset the default values on that.



----------------------------------------

Launch System Repair Engineer (SREng)






Select 'System Repair' from the left pane
- Click on 'HOSTS File'
-- Click on 'Reset'
--- You must click the 'Save' when you're done

----------------------------------------

Delete the following files:


C:\ytkd.exe

C:\WINDOWS\system32\wincom32.sys



If the files resist deletion, boot into Safe Mode and delete.

----------------------------------------

Kaspersky - Extended

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
        • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect.
    We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

----------------------------------------

FOLLOW-UP

Please return and post these items in the order listed:



Kaspersky scan
A new HJT log run in Normal Mode


Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode

Please let me know how your system is behaving.
The reason why my hosts file has many entries is because I use a program called Koffix (http://koffix.com/); it's designed by Kephyr, makers of Bazooka Adware and Spyware Scanner. Do you advise against using it???

And regarding wincom32.sys, I can't seem to find it. I searched with Agent Ransack; nothing came up. Are you referring to win.com, located in C:\WINDOWS\system32?
If you're comfortable with the size and content of the hosts file, then leave it.

As for the wincom32.sys file: try My Computer >> Tools >> Folder Options >> View and unhide files and folders.

Do not delete anything in System32.
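The exchange above (a hosts file "full of junk" that turns out to be a blocklist written by Koffix, and the advice to leave it if the content is acceptable) turns on what the entries point to, not how many there are. As an added example that is not from this thread or from any tool named in it, the following Python script reads Windows hosts file content and sorts each mapping into the default localhost line, blocklist-style entries that send a name to 127.0.0.1 or 0.0.0.0 (harmless, which is how hosts-based blockers such as Koffix work), LAN mappings to private addresses, and the one kind worth a second look: a hostname pointed at a remote address, which is how a hosts-file hijack redirects traffic. The sample content is constructed, not the poster's real file; the hostnames and the 203.0.113.45 address are illustrative placeholders, not indicators from the page.

```python
import ipaddress

# Constructed hosts file content (not the poster's real file): the Windows XP
# header and default line, a few blocklist-style entries of the kind a
# hosts-based blocker writes, a LAN mapping, and one constructed line that
# sends a legitimate-looking name to a remote address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       ads.tracker.example            # blocklist style (constructed)
127.0.0.1       www.ads.tracker.example        # blocklist style (constructed)
0.0.0.0         counter.adserver.example       # blocklist style (constructed)
192.168.1.10    fileserver                     # LAN mapping (constructed)
203.0.113.45    www.onlinebank.example         # constructed hijack
"""

# Checked explicitly rather than via is_private, which also covers documentation ranges.
RFC1918 = tuple(ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'))
CATEGORIES = ('default', 'blocked', 'lan', 'remote-redirect', 'unparseable')


def parse_hosts(text):
    """Return (address_string, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()       # drop trailing comments
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:                    # one address may map several names
            pairs.append((fields[0], name.lower()))
        if len(fields) == 1:                       # an address with no hostname at all
            pairs.append((fields[0], ''))
    return pairs


def classify_mapping(address, name):
    """Say what a hosts mapping does: default, blocklist, LAN, or a remote redirect."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return 'unparseable'
    if name == 'localhost' and addr.is_loopback:
        return 'default'
    if addr.is_loopback or addr.is_unspecified:    # 127.x.x.x, ::1, 0.0.0.0: the name goes nowhere
        return 'blocked'
    if any(addr in net for net in RFC1918):        # private LAN address
        return 'lan'
    return 'remote-redirect'                       # name silently sent to another host


def summarize_hosts(text):
    """Count mappings per category and list the remote redirects for review."""
    counts = {category: 0 for category in CATEGORIES}
    review = []
    pairs = parse_hosts(text)
    for address, name in pairs:
        category = classify_mapping(address, name)
        counts[category] += 1
        if category == 'remote-redirect':
            review.append((address, name))
    return {'total': len(pairs), 'counts': counts, 'review': review}


if __name__ == '__main__':
    summary = summarize_hosts(SAMPLE_HOSTS)
    print(f"{summary['total']} mappings: {summary['counts']}")
    for address, name in summary['review']:
        print(f"REVIEW {name} -> {address}")
```

On a real machine the text would be read from %SystemRoot%\system32\drivers\etc\hosts; thousands of blocked entries are a size question, not a security one, while a single remote redirect is what a reset of the hosts file is actually meant to remove.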
I can't find wincom32.sys. I have looked everywhere. Could it only be viewable in Safe Mode??

Also, does having a cluttered hosts file affect the performance of a PC??
I have included an image of C:\WINDOWS\system32, with no file named wincom32.sys:

http://img241.imageshack.us/img241/6740/wincomwherequ7.jpg
Since the wincom32 file is not there, it must have been deleted. Don't worry about it.

The hosts file shouldn't affect the performance of your PC.

Please continue with the Kaspersky scan and the HJT log.
I have done both things, but have to attach the Kaspersky log, as it is quite large. Below is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 16:38:42, on 01/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SiteAdvisor\6009\SAService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\SiteAdvisor\6009\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Documents and Settings\Suleman\Desktop\emergency\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer secured by EverestLabs
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6009\SiteAdv.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.17--1295889672.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.17--1295889672.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6009\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6009\SiteAdv.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [RapidCheck] C:\Program Files\RapidCheck\RapidCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpyDefense] C:\Program Files\Everest Labs\Spydefense\sdc.exe /service
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to WebSite-Watcher - C:\Documents and Settings\Suleman\Application Data\aignes\WebSite-Watcher\config\settings\wswie.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Load WebShots 1999x1333 - C:\Documents and Settings\Suleman\My Documents\Webshots Premium Photos\WebShotsLoader.htm
O8 - Extra context menu item: Note this (Google Note&book) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.6-1938521650.dll/gn_menu1.html
O8 - Extra context menu item: Note this (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.17--1295889672.dll/gn_menu1.html
O8 - Extra context menu item: Note this item (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.17--1295889672.dll/gn_menu2.html
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149438398297
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://esupport.epson-europe.com/selftest/en/Prg/ESTPTest.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37840.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6009\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6009\SAService.exe

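A HijackThis log like the one above is a list of autostart and browser-hook records, one per line, each tagged with a section code (R1, O2, O3, O4, O9, O16, O20, O23 and so on) and fields separated by " - ". The helper reads it by eye; the script below is an added example, not part of this thread and not HijackThis code, that parses the same format into records and applies a few defender-side triage rules: entries marked "(file missing)", autostarts or services loading from temp or per-user folders, and ActiveX controls fetched over plain HTTP. The sample log lines are constructed for the example (the paths and CLSIDs are illustrative), and the flags only mark candidates for a human to review; a flagged line is not proof of infection, as the legitimate xpnetdiag "(file missing)" entry in the real log shows.

```python
"""Triage helper for HijackThis-style logs (added example; not HijackThis code)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines in HijackThis format, not a real scan.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_06\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [nod32kui] "C:\\Program Files\\Eset\\nod32kui.exe" /WAITSERVICE
O4 - HKCU\\..\\Run: [updater] C:\\Documents and Settings\\User\\Local Settings\\Temp\\0ee6hb1m.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\\Network Diagnostic\\xpnetdiag.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\\Program Files\\Eset\\nod32krn.exe
"""

# Every record starts with a section code such as R1, O4 or O23 followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")

# Folders from which legitimate autostarts and services rarely load
# (assumption: this short list is illustrative, not exhaustive).
SUSPICIOUS_DIRS = (
    "\\local settings\\temp\\",
    "\\temp\\",
    "\\application data\\",
    "\\my documents\\",
)


@dataclass
class Entry:
    section: str          # e.g. "O4"
    fields: list          # body split on " - "; a product name containing " - "
                          # (such as "Spybot - Search & Destroy") spills into an extra field
    raw: str              # the original line, used for the text heuristics
    flags: list = field(default_factory=list)


def parse_hjt(text: str) -> list:
    """Return one Entry per O/R record; header, process list and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = [f.strip() for f in m.group("body").split(" - ")]
        entries.append(Entry(m.group("section"), fields, line.strip()))
    return entries


def triage(entries: list) -> list:
    """Attach review flags to entries and return only the flagged ones."""
    for e in entries:
        low = e.raw.lower()
        if "(file missing)" in low:
            # Stale hook: the registry still references a file that is gone.
            e.flags.append("file-missing")
        if e.section in ("O4", "O23") and any(d in low for d in SUSPICIOUS_DIRS):
            # Autostart or service running out of a temp or per-user folder.
            e.flags.append("autostart-from-user-or-temp-dir")
        if e.section == "O16" and "http://" in low:
            # Downloaded ActiveX control fetched without transport protection.
            e.flags.append("activex-over-plain-http")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(e.section, e.flags, e.raw[:70])
```

Run it against a saved log by replacing SAMPLE_LOG with the file contents; the output is a short list of lines worth looking at first, which is what a helper does by hand when reading a log.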
You have a software monitor on your system: SpyAgent

You also have a keylogger: spybuddy

Did you knowingly install these programs?
yes but i uninstalled them 4-6 months ago. I suspected that inappropriate content was being viewed on the PC. Should these traces be removed?
That would be at your option. I always ask first before removing in case they were installed knowingly. If you want them removed, I will post instructions.
They were listed in Kaspersky.
ok yes, because i had no use for the applications, and didn't think that some traces would remain. So could you give me the instructions?

By the way, could you notify me if i have to backup any data for any future instructions that you give me.

Thanks :)
The instructions for removal are below. Any backups needed will always be included in the fix instructions. This usually occurs
when working with the registry. However, I prefer to post a registry fix, rather than send someone into the registry. This poses less of a danger
that the wrong item will be deleted.


----------------------------------------

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.



C:\Documents and Settings\Mohammed\Local Settings\Temp\0ee6hb1m.exe>>>Empty the folder contents - leave folder intact.

C:\Documents and Settings\Suleman\My Documents\ADDspy\1\SpyAgent5FULL.exe

C:\Documents and Settings\Suleman\My Documents\ADDspy\spybuddy-setup-sw.exe

C:\Documents and Settings\Suleman\My Documents\ADDspy\Spytech_SpyAgent_v5.38_Full_by_warezonly.com(2).rar



If the files resist deletion, boot into Safe Mode and delete

----------------------------------------


Your logs are now clean. Please complete the next "housekeeping" steps and read through the information below.


----------------------------------------

Windows XP - Reset Hidden Files


  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

----------------------------------------

Clean-out and Reset System Restore

This will clean out any junk or malicious files left behind in System Restore

  • To turn off System Restore click Start > Right Click My Computer > Properties.
  • Click the System Restore tab and Check
  • "Turn off System Restore" or "Turn off System Restore on all drives" Click Apply.
  • When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

  • Turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties.
  • Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
  • Click Apply, and then OK.

This will create a new Restore Point.

----------------------------------------

RE-ENABLE ANTI-SPYWARE APPLICATIONS

If you were instructed to disable Anti-spyware applications during this fix, you may re-enable them

----------------------------------------

JAVA OUT OF DATE

We need to update your Java as it is out of date. The older version is a security risk, as malware writers
exploit the weaknesses in its code. The current version is JRE 6


Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6 - http://java.sun.com/javase/downloads/index.jsp
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windowsi586-p.exe to install the newest version.

----------------------------------------

Please read through the following information to help protect your computer in the future.


KEEP YOUR OPERATING SYSTEM UPDATED

Please ensure that you have already patched your system against the recent WMF exploit. Go to this page to get the KB912919 patch

MICROSOFT UPDATES

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser
up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft
and download all the critical updates to help prevent possible re-infection.


ENABLE WINDOWS AUTO UPDATE

Go to Start>Run - type wuaucpl.cpl
tick on the checkbox - "Keep my computer up to date"
Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".


ENABLE WINDOWS AUTO UPDATE

From within Internet Explorer click on the Tools menu and then click on Internet Options.
  • Select the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Select Custom Level .
      • Change 'Download signed ActiveX controls' to Prompt
      • Change 'Download unsigned ActiveX controls' to Disable
      • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
      • Change 'Installation of desktop items' to Prompt
      • Change 'Launching programs and files in an IFRAME' to Prompt
      • Change 'Navigate sub-frames across different domains' to Prompt
      • When all these changes have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Select OK to exit the Internet Properties page.



TOOLS TO HELP KEEP YOUR SYSTEM CLEAN

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

SpywareBlaster to help prevent spyware from installing in the first place.
  • Install & update SpywareBlaster with the latest definitions.
  • After you have updated, click the button - enable protection for all unprotected items


SpywareGuard to catch and block spyware before it can execute.


SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its
TeaTimer option.
This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with
the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here


AD-AWARE Download and install Ad-Aware. You should use this program to scan
your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product
can be found here


IE-SPYAD IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Download IE-SpyAD - Extract the contents to a new folder
  • From within the folder, double-click install.bat
  • Select Option #2 - Install the new IE-SPYAD list.
  • Then return to the main menu.
  • Select option #4 - Add the old porn sites domain

A tutorial for IE-SPYAD can be found here


MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file
with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to
those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.

  • Download Host.zip to your desktop.
  • From your Desktop right-click (hosts.zip) and select:
    Extract All from the menu.
  • Click Next, click Next, select the option:
    "Show Extracted files"
  • Click Finish

This will open the newly created hosts folder on your Desktop.

Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated
HOSTS file to the correct location on your machine.


MCAFEE SITE ADVISOR SITE ADVISOR is a free IE plug-in (also support for Firefox browser)
which is used in conjunction with the Google search engine. It advises which web sites are considered safe and which sites could pose a problem.
It also shows what problems were encountered with each site, such as malicious downloads, spam, and related links.


ANTI-VIRUS AND FIREWALL PROGRAMS


ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine.
This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online antivirus scanners: Anti-Spyware Tutorial

Here are some very good free Antivirus products which are available:




If you do not have a firewall, here are 4 free ones available for personal use:

Understanding and Using Firewalls



INFORMATIONAL READING


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:




Please respond one more time and let me know you received this post so it can be marked resolved



If you feel that we have helped you, please help us keep this site free for all. Please visit our DONATION PAGE.
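The MVPS section above relies on one property of the HOSTS file: a name listed there is resolved locally before DNS is asked, so pointing an ad domain at 127.0.0.1 sinks the connection on the machine itself. Malware uses the same mechanism in reverse, mapping update or security-vendor sites to a dead or foreign address, which is why a helper asks to see the hosts file. The script below is an added example, not from the MVPS project or this thread, that parses a hosts file and reports how many names are sunk to loopback (the intended blocking use), any entry naming a vendor or update domain that should never appear there at all, and any entry pointing at a non-loopback address. The file contents and the short list of protected domain suffixes are constructed for the example.

```python
"""Audit a Windows HOSTS file (added example; not MVPS or Microsoft code)."""
from ipaddress import ip_address

# Constructed sample in the usual HOSTS layout: address, one or more names, optional comment.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Blocklist-style entries, like the MVPS list (constructed)
0.0.0.0     ads.example-adserver.test
127.0.0.1   tracker.example-metrics.test   # an ad tracker
# Entries a defender would want flagged (constructed)
127.0.0.1   update.microsoft.com
203.0.113.9 www.kaspersky.com
"""

# Domains that legitimately never belong in a hosts file; a real checker would
# carry a fuller list (assumption: this small set is illustrative only).
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "kaspersky.com", "eset.com")

# Addresses used to sink a name on the local machine.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> list:
    """Return (address, hostname) pairs; comments, blanks and malformed lines are skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip_address(parts[0])               # first column must be an IP address
        except ValueError:
            continue                           # tolerate junk rather than abort the audit
        for name in parts[1:]:                 # one address may carry several names
            pairs.append((parts[0], name.lower()))
    return pairs


def _protected(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text: str) -> dict:
    """Summarise blocking entries and flag suspicious ones."""
    pairs = parse_hosts(text)
    sunk = sum(1 for addr, name in pairs if addr in LOOPBACK and name != "localhost")
    hijacked = [(addr, name) for addr, name in pairs if _protected(name)]
    non_loopback = [(addr, name) for addr, name in pairs if addr not in LOOPBACK]
    return {
        "entries": len(pairs),          # total name mappings found
        "sunk": sunk,                   # names pointed at loopback (expected for a blocklist)
        "hijacked": hijacked,           # vendor/update domains present at all
        "non_loopback": non_loopback,   # names sent somewhere other than the local machine
    }


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{report['sunk']} of {report['entries']} names sunk to loopback")
    for addr, name in report["hijacked"]:
        print("vendor domain in hosts file:", name, "->", addr)
    for addr, name in report["non_loopback"]:
        print("non-loopback mapping:", name, "->", addr)
```

To run it on a live machine, read C:\WINDOWS\system32\drivers\etc\hosts into `text` in place of SAMPLE_HOSTS. A large MVPS-style file will show a high "sunk" count and nothing else; any line in the "hijacked" or "non_loopback" lists is the kind of entry the helper would ask about.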
Regarding the old version of Java, according to my Lecturer at University i need that version in order for BlueJ (http://www.bluej.org/) to work.

I use Windows Firewall, but will change to ZoneAlarm or Kerio Personal Firewall. Which of these 2 would you recommend?
Certain applications work only with a specific Java version. If you have one of those applications, then leave the old version.

Windows firewall monitors only incoming traffic and not outgoing. For optimal protection, you need one which does both. The firewalls you mentioned are both excellent. You might want to browse the Security & Firewalls and Computer Security News forums for opinions.