
Registered (22 Posts) · Discussion Starter #1
Hi, I was wondering if anyone could help me. I am experiencing the same problem as normadant at http://www.techsupportforum.com/showthread.php?t=68330: I get random restarts and my AVG repeatedly detects SdBot HLV. So here's my HijackThis log. Thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 5:52:13 PM, on 23/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\system32\srvany.exe
C:\WINNT\System32\svchost.exe
C:\winnt\system32\Shared\lsass.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\WMPCI54G WLAN Monitor\WLService.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\devldr32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\system32\Rundll32.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\EnterNet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Winamp\winamp.exe
C:\WINNT\System32\cidaemon.exe
D:\KaZaA\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sympatico.ca/iesearchpane.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "about:blank"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\j0s7v9xo.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\j0s7v9xo.slt\prefs.js)
O1 - Hosts: 66.118.176.28 tracker.boxtorrents.com
O1 - Hosts: 66.118.176.28 forums.boxtorrents.com
O1 - Hosts: 66.118.176.28 www.boxtorrents.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {45B38607-634F-4632-8114-06A76EF36948} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Program Files\MediaRing Talk\register.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AxFilter] Rundll32.exe C:\WINNT\DOWNLO~1\AxFilter.dll,Rundll32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MediaPeek] C:\Program Files\MediaPeek\mptrial.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE"
O4 - HKCU\..\Run: [WeatherEye] C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .tga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca/homepage.html
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...ota.com/vehicles/2004/camrysolara/ext360.html
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27ffe49c8c9bb42d4b00/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125470352717
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab8/dmcc2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38006.7370949074
O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6F2F57C-3696-44E6-A26F-7F13B3B96E53}: NameServer = 127.0.0.1
 

TSF Security Team, Emeritus (26,363 Posts)
You are using an outdated version of HiJackThis. Please click on the link below to download the latest version:
1. Delete your current HiJackThis.exe file
2. Double-click on the file you just downloaded.
3. Click on the "Unzip" button to install the newer version.
4. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\

I require a new HJT log from this newer version.
 

Registered (22 Posts) · Discussion Starter #3
Logfile of HijackThis v1.99.1
Scan saved at 9:15:27 PM, on 24/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\system32\srvany.exe
C:\WINNT\System32\svchost.exe
C:\winnt\system32\Shared\lsass.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\WMPCI54G WLAN Monitor\WLService.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\system32\Rundll32.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\EnterNet.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Winamp\winamp.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINNT\System32\cidaemon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\WINNT\system32\.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sympatico.ca/iesearchpane.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "about:blank"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\j0s7v9xo.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\j0s7v9xo.slt\prefs.js)
O1 - Hosts: 66.118.176.28 tracker.boxtorrents.com
O1 - Hosts: 66.118.176.28 forums.boxtorrents.com
O1 - Hosts: 66.118.176.28 www.boxtorrents.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {45B38607-634F-4632-8114-06A76EF36948} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Program Files\MediaRing Talk\register.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AxFilter] Rundll32.exe C:\WINNT\DOWNLO~1\AxFilter.dll,Rundll32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MediaPeek] C:\Program Files\MediaPeek\mptrial.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE"
O4 - HKCU\..\Run: [WeatherEye] C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll (file missing)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .tga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca/homepage.html
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...ota.com/vehicles/2004/camrysolara/ext360.html
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27ffe49c8c9bb42d4b00/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125470352717
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab8/dmcc2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6F2F57C-3696-44E6-A26F-7F13B3B96E53}: NameServer = 127.0.0.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: dllhost - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DNS - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NTFSprotect (ntfsdiscman) - Unknown owner - C:\WINNT\ntfsprotect.exe (file missing)
O23 - Service: NtService - Unknown owner - C:\WINNT\SYSTEM32\ntservice.exe (file missing)
O23 - Service: nvscv - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
O23 - Service: scvhost - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: FireDaemon Service: secureNt (secureNt) - Unknown owner - C:\winnt\system32\haha\FireDaemon.EXE (file missing)
O23 - Service: syslock - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe (file missing)
O23 - Service: FireDaemon Service: WinF (WinF) - Unknown owner - C:\winnt\system32\qossrv\FireDaemon.EXE (file missing)
O23 - Service: FireDaemon Service: WinI (WinI) - Unknown owner - C:\winnt\system32\qossrv\FireDaemon.EXE (file missing)
O23 - Service: FireDaemon Service: WinP (WinP) - Unknown owner - C:\winnt\system32\qossrv\FireDaemon.EXE (file missing)
O23 - Service: FireDaemon Service: WinS (WinS) - Unknown owner - C:\winnt\system32\qossrv\FireDaemon.EXE (file missing)
O23 - Service: WMP54GSVC - Unknown owner - C:\Program Files\WMPCI54G WLAN Monitor\WLService.exe" "WMP54G.exe (file missing)
O23 - Service: Windows UDP Communication (wudpcom) - Unknown owner - C:\WINNT\system32\wudpcom.exe
 

TSF Security Team, Emeritus (26,363 Posts)
Hello and Welcome to TSF!

You're badly infested with worms. You're a threat to yourself & everybody else who shares the same network with you. I strongly recommend that you install a firewall immediately. Click here to download Zone Alarm.

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

CleanUp! - Install.

KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

DelO15Domains.inf - Right click & choose "Save As..." DelO15Domains.inf.

Host.zip
Extract the file & overwrite the existing copy located at C:\WINNT\SYSTEM32\DRIVERS\ETC\host

Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customized my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Launch KillBox.exe & select the following options:
  • delete on Reboot
Select all the filenames listed below & then right-click & select Copy
  • C:\winnt\system32\Shared\lsass.exe
    C:\WINNT\system32\.exe
    C:\WINNT\DOWNLO~1\AxFilter.dll
    C:\WINNT\ntfsprotect.exe
    C:\WINNT\SYSTEM32\ntservice.exe
    C:\WINNT\system32\wudpcom.exe
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run the Killbox, download and run missingfilesetup.exe. Then try Killbox again.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Next, please reboot your computer in SafeMode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Click Start->Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - Windows UDP Communication (wudpcom)
  2. Double-click on it to open the Properties dialog.
    • Under the General tab, note down the name of "Service name". We shall need it later.
    • Stop the service by using the Stop button.
    • Change the Startup type to Disabled & then click on the OK button
  3. Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  4. In the popup box that appears, type in "Service name" & then click on the OK button
Answer No when prompted to reboot
Repeat steps 1-4 for the following services :-
  • dllhost
    DNS
    NTFSprotect (ntfsdiscman)
    NtService
    nvscv
    scvhost
    FireDaemon Service: secureNt (secureNt)
    syslock
    FireDaemon Service: WinF (WinF)
    FireDaemon Service: WinI (WinI)
    FireDaemon Service: WinP (WinP)
    FireDaemon Service: WinS (WinS)

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


With HiJackThis & place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.sympatico.ca/iesearchpane.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 66.118.176.28 tracker.boxtorrents.com
O1 - Hosts: 66.118.176.28 forums.boxtorrents.com
O1 - Hosts: 66.118.176.28 www.boxtorrents.com
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {45B38607-634F-4632-8114-06A76EF36948} - (no file)
O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Program Files\MediaRing Talk\register.exe
O4 - HKLM\..\Run: [AxFilter] Rundll32.exe C:\WINNT\DOWNLO~1\AxFilter.dll,Rundll32
O4 - HKLM\..\Run: [MediaPeek] C:\Program Files\MediaPeek\mptrial.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...ara/ext360.html
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27ffe49...ip/RdxIE601.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab8/dmcc2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6F2F57C-3696-44E6-A26F-7F13B3B96E53}: NameServer = 127.0.0.1
O23 - Service: dllhost - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: DNS - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: NTFSprotect (ntfsdiscman) - Unknown owner - C:\WINNT\ntfsprotect.exe (file missing)
O23 - Service: NtService - Unknown owner - C:\WINNT\SYSTEM32\ntservice.exe (file missing)
O23 - Service: nvscv - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: scvhost - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: FireDaemon Service: secureNt (secureNt) - Unknown owner - C:\winnt\system32\haha\FireDaemon.EXE (file missing)
O23 - Service: syslock - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: FireDaemon Service: WinF (WinF) - Unknown owner - C:\winnt\system32\qossrv\FireDaemon.EXE (file missing)
O23 - Service: FireDaemon Service: WinI (WinI) - Unknown owner - C:\winnt\system32\qossrv\FireDaemon.EXE (file missing)
O23 - Service: FireDaemon Service: WinP (WinP) - Unknown owner - C:\winnt\system32\qossrv\FireDaemon.EXE (file missing)
O23 - Service: FireDaemon Service: WinS (WinS) - Unknown owner - C:\winnt\system32\qossrv\FireDaemon.EXE (file missing)
O23 - Service: Windows UDP Communication (wudpcom) - Unknown owner - C:\WINNT\system32\wudpcom.exe



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\winnt\system32\haha\
    C:\winnt\system32\qossrv\

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose Clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REBOOT TO NORMAL MODE


Perform an online scan with Internet Explorer with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Standard
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
  • Click OK
  • Now, under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information in your next post.

* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Download SpywareBlaster 3.4
Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

Download IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • Online Scan
  • Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
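The checks the helper applied to the log above, written out as code. This is an added example for readers of the thread, not something posted by either participant and not part of HijackThis itself: it parses HJT log lines and flags the patterns fixed in this post (a core binary such as lsass.exe running outside C:\WINNT\system32, a process with no file name, services hosted by srvany.exe or FireDaemon with no vendor, services whose binary is missing, look-alike service names such as scvhost, a DNS server set to 127.0.0.1, and hosts-file overrides). The expected paths, the wrapper list, the look-alike list and the Downloaded Program Files rule are this example's own assumptions; the sample lines are copied from the log posted in this thread.

```python
# Added example: re-applies, as code, the checks an HJT log reviewer makes by eye.
# "Known good" paths, wrapper list and look-alike names are this example's own assumptions.
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line reason")

# Assumption: on a stock Windows 2000 install these core binaries run only from here.
CORE_BINARIES = {
    "lsass.exe": r"c:\winnt\system32\lsass.exe",
    "svchost.exe": r"c:\winnt\system32\svchost.exe",
    "winlogon.exe": r"c:\winnt\system32\winlogon.exe",
}
# Generic wrappers that let any executable be registered as an NT service.
SERVICE_WRAPPERS = ("srvany.exe", "firedaemon.exe")
# Assumption: names chosen to be misread as legitimate Windows or driver services.
LOOKALIKES = {"scvhost", "svch0st", "isass", "nvscv"}
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")


def check_process(path):
    """Running-process entry: a core binary outside its home, or no file name at all."""
    p = path.strip().lower()
    name = p.rsplit("\\", 1)[-1]
    if name in ("", ".exe"):
        return Finding(path, "process with empty file name")
    if name in CORE_BINARIES and p != CORE_BINARIES[name]:
        return Finding(path, f"{name} running from unexpected path")
    return None


def check_o23(line):
    """O23 service entry: wrapper-hosted unknown service, missing binary, look-alike name."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display, owner, path = m.group("display"), m.group("owner"), m.group("path").lower()
    reasons = []
    if owner.lower() == "unknown owner" and any(w in path for w in SERVICE_WRAPPERS):
        reasons.append("unsigned service hosted by a generic wrapper")
    if "(file missing)" in path:
        reasons.append("service binary missing (orphaned autostart; verify by hand)")
    short = re.search(r"\((\w+)\)\s*$", display)  # short service name, when HJT shows it
    name = (short.group(1) if short else display).lower()
    if name in LOOKALIKES:
        reasons.append(f"look-alike service name '{name}'")
    return Finding(line, "; ".join(reasons)) if reasons else None


def check_hosts(line):
    """O1 entry: anything beyond the stock '127.0.0.1 localhost' mapping is an override."""
    m = O1_RE.match(line.strip())
    if not m or (m.group("ip") == "127.0.0.1" and m.group("host").lower() == "localhost"):
        return None
    return Finding(line, f"hosts-file override: {m.group('host')} -> {m.group('ip')}")


def check_o4(line):
    """O4 autostart (assumption): nothing legitimate autostarts out of the ActiveX cache."""
    if "downlo~1" in line.lower() or "downloaded program files" in line.lower():
        return Finding(line, "autostart from Downloaded Program Files")
    return None


def check_o17(line):
    """O17: a resolver pointed at the machine itself means a local process answers DNS."""
    if "nameserver = 127.0.0.1" in line.lower():
        return Finding(line, "DNS server set to 127.0.0.1")
    return None


PREFIX_CHECKS = (("O23 - ", check_o23), ("O1 - Hosts:", check_hosts),
                 ("O4 - ", check_o4), ("O17 - ", check_o17))


def triage(log_text):
    """Return a Finding for every suspicious line of an HJT log pasted as text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if re.match(r"^[A-Za-z]:\\", line):  # a line from the "Running processes" section
            f = check_process(line)
        else:
            f = next((chk(line) for pre, chk in PREFIX_CHECKS if line.startswith(pre)), None)
        if f:
            findings.append(f)
    return findings


# Constructed sample: a subset of lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
C:\WINNT\system32\lsass.exe
C:\winnt\system32\Shared\lsass.exe
C:\WINNT\system32\.exe
O1 - Hosts: 66.118.176.28 tracker.boxtorrents.com
O4 - HKLM\..\Run: [AxFilter] Rundll32.exe C:\WINNT\DOWNLO~1\AxFilter.dll,Rundll32
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6F2F57C-3696-44E6-A26F-7F13B3B96E53}: NameServer = 127.0.0.1
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DNS - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: scvhost - Unknown owner - C:\WINNT\system32\srvany.exe
O23 - Service: FireDaemon Service: WinS (WinS) - Unknown owner - C:\winnt\system32\qossrv\FireDaemon.EXE (file missing)
O23 - Service: Windows UDP Communication (wudpcom) - Unknown owner - C:\WINNT\system32\wudpcom.exe
O23 - Service: WMP54GSVC - Unknown owner - C:\Program Files\WMPCI54G WLAN Monitor\WLService.exe" "WMP54G.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:55} {f.line}")
```

Two caveats before acting on the output. First, the rules miss the wudpcom service the helper removed: an unsigned service with a plausible display name and a real binary in system32 only stands out against knowledge of what is actually installed on the machine, which is judgement the script does not have. Second, it flags WMP54GSVC because HijackThis printed "(file missing)" for it, but the stray quotes in that line show the service's ImagePath carried a quoted argument, so the verdict is most likely a parsing artifact rather than an orphaned service. "(file missing)" hits need confirming by hand, which is why that one is not in the fix list above.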
 

Registered (22 Posts) · Discussion Starter #5
Here's my new HijackThis log and Kaspersky log. I forgot to save the log for Ewido, but it didn't detect anything anyway. C:\WINNT\system32\dhcp\files doesn't show even when viewing of hidden files is turned on. I can get to the folder if I type that into the address bar though.

Logfile of HijackThis v1.99.1
Scan saved at 8:20:22 AM, on 27/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\WMPCI54G WLAN Monitor\WLService.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\EnterNet.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\cidaemon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "about:blank"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\j0s7v9xo.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\j0s7v9xo.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE"
O4 - HKCU\..\Run: [WeatherEye] C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll (file missing)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .tga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca/homepage.html
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/27ffe49c8c9bb42d4b00/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125470352717
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe (file missing)
O23 - Service: WMP54GSVC - Unknown owner - C:\Program Files\WMPCI54G WLAN Monitor\WLService.exe" "WMP54G.exe (file missing)

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, October 27, 2005 08:18:42
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 27/10/2005
Kaspersky Anti-Virus database records: 156509
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 78704
Number of viruses found: 11
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 8454 sec

Infected Object Name - Virus Name
C:\WINNT\system32\dhcp\files\copy\fire.reg Infected: Backdoor.IRC.Digarix.a
C:\WINNT\system32\dhcp\files\copy\fire.TXT Infected: Backdoor.IRC.Digarix.a
C:\WINNT\system32\dhcp\files\copy\LOCKREG.TXT Infected: Backdoor.IRC.Digarix.a
C:\WINNT\system32\dhcp\files\copy\lsass.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.20.a
C:\WINNT\system32\dhcp\files\copy\scv.reg Infected: Backdoor.IRC.Digarix.a
C:\WINNT\system32\dhcp\files\copy\SCVREG.TXT Infected: Backdoor.IRC.Digarix.a
C:\WINNT\system32\dhcp\files\copy\sys.reg Infected: Backdoor.IRC.Digarix.a
C:\WINNT\system32\dhcp\files\copy\SYSREG.TXT Infected: Backdoor.IRC.Digarix.a
C:\WINNT\system32\dhcp\files\mdll.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603
C:\WINNT\system32\dhcp\files\runrg.txt Infected: Backdoor.IRC.Digarix.a
C:\WINNT\system32\dhcp\files\temp.bat Infected: Backdoor.IRC.Digarix.a
C:\WINNT\system32\windebuger.exe/data.rar/task.exe Infected: Backdoor.Win32.mIRC-based
C:\WINNT\system32\windebuger.exe/data.rar Infected: Backdoor.Win32.mIRC-based
C:\WINNT\system32\windebuger.exe Infected: Backdoor.Win32.mIRC-based
C:\WINNT\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab
C:\WINNT\msapps\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13
C:\WINNT\msapps\KILL.EXE Infected: not-a-virus:NetTool.Win32.PsKill
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\j0s7v9xo.slt\Mail\pop8.sympatico.ca\Inbox/[From tom grossman <[email protected]>][Date Mon, 09 Feb 2004 09:08:45 -0500]/text/[From Charlotte Yeung <[email protected]>][Date Thu, 12 Feb 2004 14:20:24 -0500]/UNNAMED/[From Henry Theunissen <[email protected]>][Date Fri, 13 Feb 2004 04:07:19 -0500]/text/[From Ellen<[email protected]>][Date Fri,13 Feb 2004 08:34:27 PM]/BlueMountaineCard.pif Infected: Email-Worm.Win32.Cult.b
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\j0s7v9xo.slt\Mail\pop8.sympatico.ca\Inbox/[From tom grossman <[email protected]>][Date Mon, 09 Feb 2004 09:08:45 -0500]/text/[From Charlotte Yeung <[email protected]>][Date Thu, 12 Feb 2004 14:20:24 -0500]/UNNAMED/[From Henry Theunissen <[email protected]>][Date Fri, 13 Feb 2004 04:07:19 -0500]/text/[From Ellingboe<[email protected]>][Date Wed,18 Feb 2004 14:31:21 PM]/UNNAMED/BlueMountaineCard.pif Infected: Email-Worm.Win32.Cult.c
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\j0s7v9xo.slt\Mail\pop8.sympatico.ca\Inbox/[From tom grossman <[email protected]>][Date Mon, 09 Feb 2004 09:08:45 -0500]/text/[From Charlotte Yeung <[email protected]>][Date Thu, 12 Feb 2004 14:20:24 -0500]/UNNAMED/[From Henry Theunissen <[email protected]>][Date Fri, 13 Feb 2004 04:07:19 -0500]/text/[From Ellingboe<[email protected]>][Date Wed,18 Feb 2004 14:31:21 PM]/UNNAMED Infected: Email-Worm.Win32.Cult.c
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\j0s7v9xo.slt\Mail\pop8.sympatico.ca\Inbox/[From tom grossman <[email protected]>][Date Mon, 09 Feb 2004 09:08:45 -0500]/text/[From Charlotte Yeung <[email protected]>][Date Thu, 12 Feb 2004 14:20:24 -0500]/UNNAMED/[From Henry Theunissen <[email protected]>][Date Fri, 13 Feb 2004 04:07:19 -0500]/text Infected: Email-Worm.Win32.Cult.c
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\j0s7v9xo.slt\Mail\pop8.sympatico.ca\Inbox/[From tom grossman <[email protected]>][Date Mon, 09 Feb 2004 09:08:45 -0500]/text/[From Charlotte Yeung <[email protected]>][Date Thu, 12 Feb 2004 14:20:24 -0500]/UNNAMED Infected: Email-Worm.Win32.Cult.c
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\j0s7v9xo.slt\Mail\pop8.sympatico.ca\Inbox/[From tom grossman <[email protected]>][Date Mon, 09 Feb 2004 09:08:45 -0500]/text Infected: Email-Worm.Win32.Cult.c
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\j0s7v9xo.slt\Mail\pop8.sympatico.ca\Inbox Infected: Email-Worm.Win32.Cult.c
C:\My Downloads\acdseestandartretail50_WeLsIjGcEvYaJnAq.zip/install_cheat_001.exe/data0001 Infected: Trojan-Downloader.Win32.IstBar.ki
C:\My Downloads\acdseestandartretail50_WeLsIjGcEvYaJnAq.zip/install_cheat_001.exe Infected: Trojan-Downloader.Win32.IstBar.ki
C:\My Downloads\acdseestandartretail50_WeLsIjGcEvYaJnAq.zip Infected: Trojan-Downloader.Win32.IstBar.ki
D:\KaZaA\backup-20040621-131605-935.dll Infected: not-a-virus:AdWare.Win32.Lop

Scan process completed.
 

TSF Security Team, Emeritus · 26,363 Posts
ciel- said:
C:\WINNT\system32\dhcp\files doesn't show even when viewing of hidden files is turned one. I can get to the folder if I type that into the address bar though.
Smart thinking. That's commendable. I'll just assume that you have deleted the rest of the infected files found by Kaspersky.

If so, you should be good to go. Your system is clean.
Please follow these simple steps in order to keep your computer clean and secure:


  1. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folders
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  2. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  3. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  4. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  5. Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  6. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here


  7. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here


  8. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here


  9. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here


  10. MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.


Please respond to this thread one more time so we can mark this thread as resolved.
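The HOSTS-file mechanism described in item 10 above cuts both ways: mapping a name to 127.0.0.1 blocks it, but the same file can be edited to send names you depend on (an antivirus update server, for example) to loopback or to somebody else's address. The following Python script, an added example and not MVPS's file or anything posted in this thread, parses a HOSTS file and separates MVPS-style blocking entries from entries that redirect a name elsewhere or override a host the caller declares as protected. The hostnames, addresses and the `protected` list are constructed placeholders.

```python
"""Audit a Windows HOSTS file (added example).

A blocking HOSTS file such as the MVPS list works by resolving unwanted
hostnames to the local machine (127.0.0.1 or 0.0.0.0), so the request
never leaves the box. The same file can be turned against you: an entry
that sends a hostname you rely on (your antivirus update server, for
instance) to loopback or to a stranger's address breaks updates or
redirects traffic. This audit lists both kinds of entry.
"""
import ipaddress
from dataclasses import dataclass

# Addresses that mean "block": the name resolves to the local machine.
LOCAL_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately map to loopback and are not counted as blocks.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


@dataclass
class HostsEntry:
    line_no: int
    address: str
    names: list


def parse_hosts(text: str):
    """Parse HOSTS text into entries; malformed lines are returned separately."""
    entries, malformed = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])    # first field must be an address
        except ValueError:
            malformed.append((n, raw))
            continue
        if len(parts) < 2:                    # address with no hostname
            malformed.append((n, raw))
            continue
        entries.append(HostsEntry(n, parts[0], [p.lower() for p in parts[1:]]))
    return entries, malformed


def audit(text: str, protected=()):
    """Classify every hostname in the file.

    protected: hostnames that must never be overridden by HOSTS at all
    (assumption: the caller knows which update/security hosts it depends on).
    """
    entries, malformed = parse_hosts(text)
    protected = {h.lower() for h in protected}
    report = {"blocked": [], "redirected": [], "protected_overridden": [],
              "malformed": malformed}
    for e in entries:
        for name in e.names:
            if name in LOOPBACK_NAMES:
                continue
            if name in protected:
                # Any override of a protected host is suspicious, even to loopback.
                report["protected_overridden"].append((e.line_no, name, e.address))
            elif e.address in LOCAL_TARGETS:
                report["blocked"].append(name)           # MVPS-style block
            else:
                report["redirected"].append((e.line_no, name, e.address))
    return report


# Constructed sample HOSTS file; hostnames and addresses are placeholders.
SAMPLE_HOSTS = """\
# constructed sample, not the real MVPS file
127.0.0.1 localhost
127.0.0.1 ads.example.net             # MVPS-style block
0.0.0.0   tracker.example.org         # also a block (null route)
127.0.0.1 updates.example-av.test     # update host sent to loopback: updates fail
10.0.0.5  intranet.corp.example       # maps a name to a real host: confirm it is yours
192.0.2.7 www.example-bank.test       # a name you do not own sent elsewhere: investigate
not-an-ip something                   # malformed line
"""

if __name__ == "__main__":
    rep = audit(SAMPLE_HOSTS, protected=["updates.example-av.test"])
    for key, items in rep.items():
        print(f"{key}: {items}")
```

On a real machine the text would come from %SystemRoot%\system32\drivers\etc\hosts; the "redirected" list is not automatically bad (internal names are often pinned this way), but every entry in it should be one you put there yourself.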
 

Registered · 22 Posts · Discussion Starter #7
Alas, I deleted all the files in C:\WINNT\system32\dhcp\files but after scanning again with Kaspersky, the files seem to have come back in C:\WINNT\system32\dhcp\files\copy. Is there any way to delete the entire directory when I cannot see it in Explorer (viewing of hidden files and folders is already turned on, but it's just as if it isn't there, and it doesn't come up when I use the search function either)?
 

TSF Security Team, Emeritus · 26,363 Posts
You mentioned that you did another Kaspersky scan.

Please show me the report from that.
 

Registered · 22 Posts · Discussion Starter #9
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, October 27, 2005 20:57:33
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 28/10/2005
Kaspersky Anti-Virus database records: 156724
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\Documents and Settings\
C:\WINNT\

Scan Statistics:
Total number of scanned objects: 21779
Number of viruses found: 4
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 1390 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\j0s7v9xo.slt\Mail\pop8.sympatico.ca\Inbox/[From tom grossman <[email protected]>][Date Mon, 09 Feb 2004 09:08:45 -0500]/text/[From Charlotte Yeung <[email protected]>][Date Thu, 12 Feb 2004 14:20:24 -0500]/UNNAMED/[From Henry Theunissen <[email protected]>][Date Fri, 13 Feb 2004 04:07:19 -0500]/text/[From Ellen<[email protected]>][Date Fri,13 Feb 2004 08:34:27 PM]/BlueMountaineCard.pif Infected: Email-Worm.Win32.Cult.b
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\j0s7v9xo.slt\Mail\pop8.sympatico.ca\Inbox/[From tom grossman <[email protected]>][Date Mon, 09 Feb 2004 09:08:45 -0500]/text/[From Charlotte Yeung <[email protected]>][Date Thu, 12 Feb 2004 14:20:24 -0500]/UNNAMED/[From Henry Theunissen <[email protected]>][Date Fri, 13 Feb 2004 04:07:19 -0500]/text/[From Ellingboe<[email protected]>][Date Wed,18 Feb 2004 14:31:21 PM]/UNNAMED/BlueMountaineCard.pif Infected: Email-Worm.Win32.Cult.c
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\j0s7v9xo.slt\Mail\pop8.sympatico.ca\Inbox/[From tom grossman <[email protected]>][Date Mon, 09 Feb 2004 09:08:45 -0500]/text/[From Charlotte Yeung <[email protected]>][Date Thu, 12 Feb 2004 14:20:24 -0500]/UNNAMED/[From Henry Theunissen <[email protected]>][Date Fri, 13 Feb 2004 04:07:19 -0500]/text/[From Ellingboe<[email protected]>][Date Wed,18 Feb 2004 14:31:21 PM]/UNNAMED Infected: Email-Worm.Win32.Cult.c
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\j0s7v9xo.slt\Mail\pop8.sympatico.ca\Inbox/[From tom grossman <[email protected]>][Date Mon, 09 Feb 2004 09:08:45 -0500]/text/[From Charlotte Yeung <[email protected]>][Date Thu, 12 Feb 2004 14:20:24 -0500]/UNNAMED/[From Henry Theunissen <[email protected]>][Date Fri, 13 Feb 2004 04:07:19 -0500]/text Infected: Email-Worm.Win32.Cult.c
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\j0s7v9xo.slt\Mail\pop8.sympatico.ca\Inbox/[From tom grossman <[email protected]>][Date Mon, 09 Feb 2004 09:08:45 -0500]/text/[From Charlotte Yeung <[email protected]>][Date Thu, 12 Feb 2004 14:20:24 -0500]/UNNAMED Infected: Email-Worm.Win32.Cult.c
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\j0s7v9xo.slt\Mail\pop8.sympatico.ca\Inbox/[From tom grossman <[email protected]>][Date Mon, 09 Feb 2004 09:08:45 -0500]/text Infected: Email-Worm.Win32.Cult.c
C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\j0s7v9xo.slt\Mail\pop8.sympatico.ca\Inbox Infected: Email-Worm.Win32.Cult.c
C:\WINNT\system32\dhcp\files\copy\fire.reg Infected: Backdoor.IRC.Digarix.a
C:\WINNT\system32\dhcp\files\copy\fire.TXT Infected: Backdoor.IRC.Digarix.a
C:\WINNT\system32\dhcp\files\copy\LOCKREG.TXT Infected: Backdoor.IRC.Digarix.a
C:\WINNT\system32\dhcp\files\copy\lsass.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.20.a
C:\WINNT\system32\dhcp\files\copy\scv.reg Infected: Backdoor.IRC.Digarix.a
C:\WINNT\system32\dhcp\files\copy\SCVREG.TXT Infected: Backdoor.IRC.Digarix.a
C:\WINNT\system32\dhcp\files\copy\sys.reg Infected: Backdoor.IRC.Digarix.a
C:\WINNT\system32\dhcp\files\copy\SYSREG.TXT Infected: Backdoor.IRC.Digarix.a

Scan process completed.
 

TSF Security Team, Emeritus · 26,363 Posts
I would like to have a better look at those infected files. Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following list of bad files into the Suspicious File Packer window:

C:\WINNT\system32\dhcp\files\copy\fire.reg
C:\WINNT\system32\dhcp\files\copy\fire.TXT
C:\WINNT\system32\dhcp\files\copy\LOCKREG.TXT
C:\WINNT\system32\dhcp\files\copy\lsass.exe
C:\WINNT\system32\dhcp\files\copy\scv.reg
C:\WINNT\system32\dhcp\files\copy\SCVREG.TXT
C:\WINNT\system32\dhcp\files\copy\sys.reg
C:\WINNT\system32\dhcp\files\copy\SYSREG.TXT


Allow SFP to pack the files. This will generate a CAB archive on your desktop. Please email the files to this address sUBs[at]techsupportforum.com (replace [at] with @)

Please include a link to this topic in the message.


In the meanwhile, please delete the infected mail found by Kaspersky:

C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\j0s7v9xo.slt\Mail\pop8.sympatico.ca\Inbox/[From tom grossman <[email protected]>][Date Mon, 09 Feb 2004 09:08:45 -0500]/text/[From Charlotte Yeung <[email protected]>][Date Thu, 12 Feb 2004 14:20:24 -0500]/UNNAMED
 

Registered · 22 Posts · Discussion Starter #11
I have looked over the emails and searched using date and sender but I cannot find the specific email that Kaspersky found. But still, after deleting all emails from [email protected], Kaspersky still detected the same virus.
 

TSF Security Team, Emeritus · 26,363 Posts
It appears that we're dealing with a rootkit here.

Please download RootKitRevealer.zip

Unzip it to the desktop, run it, and click Scan. This will generate a log file.
Please post the entire contents of the log file in your next reply.
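RootKitRevealer finds hidden objects by cross-view comparison: it asks the Windows API for files and registry keys, reads the same data directly from the NTFS volume and the raw hives, and logs every disagreement. A folder that Explorer cannot list but that you can still reach by typing its path, as reported earlier in this thread, is exactly the kind of discrepancy it surfaces. Its logs are noisy, though, because anything that changes during the scan also shows up as a disagreement. The Python script below is an added example, not part of this thread or of the Sysinternals tool: it parses lines in RootKitRevealer's output format, sizes them, and sorts the entries worth reading first from probable scan noise. The noise heuristics (temp folders, browser cache, the RNG seed value, profile lock files) are assumptions of this example, and the sample lines are constructed in the tool's format.

```python
"""Triage RootkitRevealer-style discrepancy lines (added example).

RootkitRevealer compares what the Windows API reports with what it reads
from the raw registry hives and the NTFS volume; each log line is one
discrepancy between those two views. Much of a typical log is churn from
files and keys that changed while the scan ran, so the first job is to
separate that noise from the entries that deserve a closer look.
"""
import re
from dataclasses import dataclass

# One log line: <path> <M/D/YYYY h:mm AM|PM> <size> <unit> <description>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>[\d.]+) (?P<unit>bytes|KB|MB|GB)\s+"
    r"(?P<desc>.+?)\s*$"
)
UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


@dataclass
class Discrepancy:
    path: str
    timestamp: str
    size_bytes: int
    description: str

    @property
    def kind(self) -> str:
        d = self.description
        if d.startswith("Hidden from Windows API"):
            return "hidden"          # present in raw data, absent via the API
        if d.startswith("Visible in Windows API, but not in MFT"):
            return "transient"       # existed only while the scan ran
        if "embedded nulls" in d:
            return "embedded-nulls"  # key name the API cannot open or enumerate
        if "Data mismatch" in d or "length not consistent" in d:
            return "data-mismatch"   # value changed between the two reads
        return "other"


def parse_line(line: str):
    """Return a Discrepancy for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = int(round(float(m["size"]) * UNITS[m["unit"]]))
    return Discrepancy(m["path"], m["ts"], size, m["desc"])


# Heuristics used by this example (assumptions, not RootkitRevealer rules):
# locations that are rewritten during any scan and are usually benign.
NOISE_PATTERNS = (
    re.compile(r"\\Local Settings\\Temp\\", re.I),
    re.compile(r"\\Temporary Internet Files\\", re.I),
    re.compile(r"\\parent\.lock$", re.I),             # browser profile lock
    re.compile(r"\\Cryptography\\RNG\\Seed$", re.I),  # rewritten constantly
)
# Kinds listed first are the ones to read first when reviewing.
PRIORITY = {"embedded-nulls": 0, "hidden": 1, "data-mismatch": 2, "other": 3}


def is_noise(d: Discrepancy) -> bool:
    if d.kind == "transient":
        return True
    return any(p.search(d.path) for p in NOISE_PATTERNS)


def triage(lines):
    """Split log lines into entries to review, probable noise, and unparsed text."""
    report = {"review": [], "noise": [], "unparsed": []}
    for line in lines:
        d = parse_line(line)
        if d is None:
            if line.strip():
                report["unparsed"].append(line)
            continue
        report["noise" if is_noise(d) else "review"].append(d)
    report["review"].sort(key=lambda d: (PRIORITY.get(d.kind, 9), d.path))
    return report


# Constructed sample in RootkitRevealer's output format (typical Windows 2000
# locations; assembled for this example, not a complete scan).
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Classes\http\shell\open\ddeexec 10/30/2005 6:23 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 10/30/2005 6:24 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ 10/2/2005 5:54 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpDomain 10/30/2005 6:26 PM 50 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temp\mpl7.tmp 10/30/2005 6:27 PM 430 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01EBSLQB\CA06KIMO.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF6E79.tmp 10/30/2005 6:25 PM 32.00 KB Visible in Windows API, but not in MFT or directory index.
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for d in result["review"]:
        print(f"REVIEW [{d.kind}] {d.path} ({d.size_bytes} bytes)")
    print(f"{len(result['noise'])} entries classed as scan noise")
```

The "review" bucket is where to spend time: hidden keys or files under system locations and key names with embedded nulls are the classic signs of something deliberately concealing itself, while the "noise" bucket can be confirmed by a second scan, since genuine scan churn will not repeat at the same paths.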
 

Registered · 22 Posts · Discussion Starter #13
HKLM\SOFTWARE\Classes\CHROME\shell\open\ddeexec 10/30/2005 6:23 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Classes\ftp\shell\open\ddeexec 10/30/2005 6:23 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Classes\gopher\shell\open\ddeexec 10/30/2005 6:23 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Classes\http\shell\open\ddeexec 10/30/2005 6:23 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Classes\https\shell\open\ddeexec 10/30/2005 6:23 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 10/30/2005 6:24 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ 10/27/2005 9:11 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ 10/2/2005 5:54 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\�á 10/2/2005 5:53 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\Dhcp\Parameters\{B4301126-817D-4582-B19E-7C18CBA447FA} 10/30/2005 6:26 PM 172 bytes Windows API length not consistent with raw hive data.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer 10/30/2005 6:26 PM 24 bytes Windows API length not consistent with raw hive data.
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpDomain 10/30/2005 6:26 PM 50 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oj9cmek9.default\parent.lock 10/30/2005 6:58 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temp\_BSPST$_ 10/30/2005 6:32 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Local Settings\Temp\_BSPST$_\skin 10/30/2005 6:32 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Local Settings\Temp\mpl7.tmp 10/30/2005 6:27 PM 430 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Local Settings\Temp\mpl8.tmp 10/30/2005 6:27 PM 26 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Local Settings\Temp\mpl9.tmp 10/30/2005 6:36 PM 40 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Local Settings\Temp\mplC.tmp 10/30/2005 6:55 PM 456 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF6E79.tmp 10/30/2005 6:25 PM 32.00 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01EBSLQB\60223[1] 10/30/2005 6:27 PM 9.51 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01EBSLQB\CA06KIMO.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01EBSLQB\CA0F64HE.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01EBSLQB\CA8RUNI5.BIN 10/30/2005 6:49 PM 22.21 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01EBSLQB\CAEFEFWH.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01EBSLQB\CAHK02NX.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01EBSLQB\CAJZLRIC.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01EBSLQB\CAM48J9W.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01EBSLQB\CANFLKT8.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01EBSLQB\CARBVU5S.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01EBSLQB\CATA89Y3.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01EBSLQB\CAUBF0ME.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01EBSLQB\CAUTJ4TT.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6D29MBI1\CA0NCQMY.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6D29MBI1\CA3R2BQZ.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6D29MBI1\CACOSLAJ.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6D29MBI1\CAG38OGC.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6D29MBI1\CAI9RQ37.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6D29MBI1\CAK9YNW1.bin 10/30/2005 6:36 PM 16.87 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6D29MBI1\CAL2J32V.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6D29MBI1\CALXKZ6F.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6D29MBI1\CAQDM2F1.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6D29MBI1\CAX2C3GU.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\6D29MBI1\CAZB9JG4.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AHA50RGD\CA0JKYPH.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AHA50RGD\CA31FTD3.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AHA50RGD\CA6DBRMZ.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AHA50RGD\CAACK5E2.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AHA50RGD\CACBKIVY.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AHA50RGD\CAEBCXI7.bin 10/30/2005 6:34 PM 15.50 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AHA50RGD\CALL669S.BIN 10/30/2005 6:58 PM 812 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AHA50RGD\CAMHZO3M.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AHA50RGD\CAMJWP2V.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AHA50RGD\CANBBU5J.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AHA50RGD\CAO4SPRR.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AHA50RGD\CAV3DVA8.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AHA50RGD\CAV3PP0O.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AHA50RGD\CAXR5VS1.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\AHA50RGD\schematizedstore[1].asmx 10/30/2005 6:27 PM 5.17 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IFW9U9U5\CAK5QJ0T.bin 10/30/2005 6:27 PM 15.14 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IFW9U9U5\CARN9EHB.BIN 10/30/2005 6:56 PM 15.52 KB Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\$UYTC.AVG 10/30/2005 6:52 PM 19.80 MB Hidden from Windows API.
C:\WINNT\SYSTEM32\Perflib_Perfdata_4a0.dat 10/30/2005 6:33 PM 16.00 KB Hidden from Windows API.
C:\WINNT\SYSTEM32\Perflib_Perfdata_6bc.dat 10/30/2005 6:34 PM 16.00 KB Hidden from Windows API.
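The "Hidden from Windows API" wording on every line above is the cross-view kind of finding: an entry that a direct read of the on-disk structures returns but a normal Windows API enumeration does not, which is exactly how a rootkit-hidden folder ends up showing in a listing like this while Explorer reports it as empty. Most of the entries here sit in locations that are being rewritten while a scan runs (the IE cache, AVG's working data, the Perflib_Perfdata temp files), and discrepancies in such places are usually timing artefacts rather than a hidden payload. The script below is an added example, not part of this thread and not code from whatever tool produced the listing: it parses lines in this format, converts the sizes, and separates entries in those locations from the ones worth a closer look, counting per directory so a hidden folder full of files stands out from a single stray one. The allow-list of transient locations is an assumption for this example, and the fourth sample line is constructed (the path is one the helper names later in the thread; its timestamp and size are made up).

```python
import re
from collections import defaultdict

# Lines 1-3 are copied from the cross-view listing on this page. Line 4 is CONSTRUCTED:
# the path is one named elsewhere in the thread; its timestamp and size are invented.
SAMPLE_LISTING = r"""
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\01EBSLQB\CA06KIMO.bin 10/30/2005 6:27 PM 272 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\$UYTC.AVG 10/30/2005 6:52 PM 19.80 MB Hidden from Windows API.
C:\WINNT\SYSTEM32\Perflib_Perfdata_4a0.dat 10/30/2005 6:33 PM 16.00 KB Hidden from Windows API.
C:\WINNT\system32\dhcp\files\hiddenrun.exe 10/30/2005 6:50 PM 12.00 KB Hidden from Windows API.
""".strip().splitlines()

# <path> <M/D/YYYY> <H:MM AM|PM> <size> <unit> <note>.   (the path may contain spaces)
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4}) "
    r"(?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<size>\d+(?:\.\d+)?) (?P<unit>bytes|KB|MB|GB) "
    r"(?P<note>.+?)\.?$"
)
UNIT = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# ASSUMPTION for this example: locations that are normally being written while a scan
# runs, so a discrepancy there is usually a timing artefact rather than a hidden payload.
TRANSIENT_PATTERNS = [
    re.compile(r"\\Temporary Internet Files\\Content\.IE5\\", re.IGNORECASE),
    re.compile(r"\\Perflib_Perfdata_[0-9a-f]+\.dat$", re.IGNORECASE),
    re.compile(r"\\Grisoft\\Avg7Data\\", re.IGNORECASE),
]


def parse_line(line):
    """Return a dict for one listing line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["size_bytes"] = int(round(float(rec["size"]) * UNIT[rec["unit"]]))
    return rec


def classify(path):
    """'likely_transient' for allow-listed locations, 'review' for everything else."""
    if any(p.search(path) for p in TRANSIENT_PATTERNS):
        return "likely_transient"
    return "review"


def triage(lines):
    """Parse a listing and bucket it. 'by_dir' counts entries per directory so a hidden
    directory holding many files (rather than one stray file) is easy to spot."""
    out = {"review": [], "likely_transient": [], "unparsed": [], "by_dir": defaultdict(int)}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            out["unparsed"].append(line)
            continue
        rec["verdict"] = classify(rec["path"])
        out[rec["verdict"]].append(rec)
        out["by_dir"][rec["path"].rsplit("\\", 1)[0].lower()] += 1
    out["by_dir"] = dict(out["by_dir"])
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    for rec in result["review"]:
        print("REVIEW   ", rec["size_bytes"], rec["path"])
    for rec in result["likely_transient"]:
        print("transient", rec["size_bytes"], rec["path"])
```

The allow-list only lowers priority; it never drops an entry, and anything in the "review" bucket (here the system32\dhcp path) is what to hand to the helper first. Feed `triage()` the full listing rather than the excerpt to get the per-directory counts.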
 

·
TSF Security Team, Emeritus
Joined
·
26,363 Posts
The files you sent me contain information on the location of other hidden files in your machine. Unfortunately, that's not the complete list. All these files need to be deleted in one go as they rely on each other to regenerate any lost copies.

Please run the Suspicious File Packer again & paste the following list of bad files into the SFP's window:

C:\winnt\system32\dhcp\files\hiddenrun.exe
C:\winnt\system32\dhcp\files\mdll.exe
C:\winnt\system32\firewall.exe
C:\winnt\system32\dhcp\files\copy\hiddenrun.exe
C:\winnt\system32\dhcp\files\copy\sr.bat
C:\winnt\system32\hiddenrun.exe
C:\winnt\system32\lock.bat
C:\winnt\system32\drivers\scvhost.exe
C:\winnt\system32\drivers\sample.config
C:\winnt\system32\strings.bat


We'll go after these files after I have fully compiled the info.
 

·
Registered
Joined
·
22 Posts
Discussion Starter #15
A few of the files that you asked for weren't there, at least at first glance. I'll go ahead and delete all the files in C:\WINNT\system32\dhcp\files\copy seeing as how the whole \dhcp directory isn't supposed to exist.
 

·
Registered
Joined
·
22 Posts
Discussion Starter #17
Oh darn. Sorry, I deleted it already. Ah. I'll stop doing things without asking first. The actual dhcp folder doesn't show up in system32 even if hidden files and folders are viewable. Even when you go into the dhcp folder, it says there are 0 folders and files even though there is a files folder. But yes, sorry for that.
 

·
TSF Security Team, Emeritus
Joined
·
26,363 Posts
If you have not done so already, please enable the viewing of hidden files.
From Windows Explorer, go to Tools > Folder Options > View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK.


Download the file I've attached to this post, fixIRC.zip.
From within it, double click on fixIRC.bat & allow it to run its course.
It shall produce a log located at C:\sUBs.txt for you to post back to me.

Please do a search of your drive C for these files:

strings.bat
lock.bat
hiddenrun.exe


Do not delete them. Just let me know if you found them.
 

·
Registered
Joined
·
22 Posts
Discussion Starter #19 (Edited)
The files aren't there.

And this happened: This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY/SYSTEM .. services.exe unexpectedly terminated.


Volume in drive C is LOCAL DISK
Volume Serial Number is B0CB-44AB

Directory of c:\sUBs

30/10/2005 09:53p <DIR> .
30/10/2005 09:53p <DIR> ..
28/09/2003 02:57p 1,334 sample.config.bak
1 File(s) 1,334 bytes
2 Dir(s) 9,428,074,496 bytes free
 

·
TSF Security Team, Emeritus
Joined
·
26,363 Posts
If you have rebooted since then, please verify if C:\WINNT\system32\dhcp\files\copy gets recreated.
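The three requests made over the course of this thread (report which of the listed paths exist without deleting anything, search the drive for strings.bat, lock.bat and hiddenrun.exe, and check after a reboot whether deleted components come back) can be carried out with the script below. It is an added Python example, not part of the thread and not the fixIRC.bat attachment: the expected paths and filenames are the ones listed in the thread, while the demo tree it builds to run against is constructed. One caveat a practitioner should keep in mind: the script enumerates through the ordinary file API, the same view Explorer gets, so on a host where that view is subverted (the dhcp folder reported as empty above) a "missing" result is not proof of absence; only a cross-view listing of the kind posted earlier sees past that.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Locations the helper listed as belonging to the infection, relative to the drive root.
EXPECTED_RELATIVE = [
    r"winnt\system32\dhcp\files\hiddenrun.exe",
    r"winnt\system32\dhcp\files\mdll.exe",
    r"winnt\system32\firewall.exe",
    r"winnt\system32\dhcp\files\copy\hiddenrun.exe",
    r"winnt\system32\dhcp\files\copy\sr.bat",
    r"winnt\system32\hiddenrun.exe",
    r"winnt\system32\lock.bat",
    r"winnt\system32\drivers\scvhost.exe",
    r"winnt\system32\drivers\sample.config",
    r"winnt\system32\strings.bat",
]
# Filenames the helper asked to be searched for anywhere on drive C.
SEARCH_NAMES = {"strings.bat", "lock.bat", "hiddenrun.exe"}

def describe(p):
    """Record enough to recognise the file again later: size, mtime and SHA-256."""
    h = hashlib.sha256()
    with open(p, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(p)
    return {"path": str(p), "size": st.st_size, "mtime": st.st_mtime, "sha256": h.hexdigest()}

def _resolve_ci(root, rel):
    """Walk rel below root one component at a time, matching names case-insensitively
    (Windows paths are case-insensitive; the demo tree on Linux is not)."""
    cur = Path(root)
    for part in rel.replace("\\", "/").split("/"):
        if not cur.is_dir():
            return None
        cur = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur

def check_expected(root, rel_paths):
    """Return (found, missing): found holds describe() records, missing the relative
    paths not present. Nothing is deleted; the helper asked for a report, not a cleanup."""
    found, missing = [], []
    for rel in rel_paths:
        p = _resolve_ci(root, rel)
        if p is not None and p.is_file():
            found.append(describe(p))
        else:
            missing.append(rel)
    return found, missing

def sweep_names(root, names):
    """Walk the whole tree and report every file whose basename is in names."""
    wanted = {n.lower() for n in names}
    hits = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() in wanted:
                hits.setdefault(fn.lower(), []).append(describe(Path(dirpath) / fn))
    return hits

def newly_present(before, after):
    """Paths in 'after' that were not in 'before'. Run check_expected before and after a
    reboot: components that reappear were regenerated by the ones still on disk."""
    seen = {rec["path"] for rec in before}
    return sorted(rec["path"] for rec in after if rec["path"] not in seen)

def build_demo_tree():
    """CONSTRUCTED fixture: a fake drive root holding part of the indicator set plus a
    stray copy with different casing. File contents are placeholders, not real samples."""
    root = tempfile.mkdtemp(prefix="ioc_sweep_demo_")
    for rel in [
        r"winnt\system32\dhcp\files\hiddenrun.exe",
        r"winnt\system32\dhcp\files\copy\hiddenrun.exe",
        r"winnt\system32\dhcp\files\copy\sr.bat",
        r"winnt\system32\lock.bat",
        r"Documents and Settings\Administrator\Local Settings\Temp\HIDDENRUN.EXE",
    ]:
        p = Path(root, *rel.split("\\"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"placeholder: " + rel.encode())
    return root

if __name__ == "__main__":
    root = build_demo_tree()
    found, missing = check_expected(root, EXPECTED_RELATIVE)
    print(f"{len(found)} listed files present, {len(missing)} missing")
    for name, recs in sweep_names(root, SEARCH_NAMES).items():
        print(name, [r["path"] for r in recs])
    shutil.rmtree(root)  # the demo tree is disposable; never do this to a real drive root
```

On the real machine call `check_expected(r"C:\", EXPECTED_RELATIVE)` and `sweep_names(r"C:\", SEARCH_NAMES)` instead of building the demo tree, save the two result sets, reboot, run them again and pass the saved and fresh `found` lists to `newly_present()`. The SHA-256 in each record lets you tell a regenerated copy from the original when the same path comes back.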
 