Hawkfan

Trojan Removal Assistance

Hi,

I have virus/trojans on my PC.

I have used Superantispyware, Ad-Aware SE and Avast to remove most of them.

I will post logs from the programs below.

I seem to have gotten most of the infections off my computer.

I still have a virus sending internet mail through my PC; I can see it sending through avast's On-access scanner.

Please Help Me.

Thanks

 

Ad-Aware SE Build 1.06r1

Logfile Created on:Wednesday, January 17, 2007 11:50:54 AM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R145 17.01.2007

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie(TAC index:3):1 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

1-17-2007 11:50:54 AM - Scan started. (Full System Scan)

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 152

ThreadCreationTime : 1-17-2007 6:53:51 PM

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINNT\system32\

ProcessID : 176

ThreadCreationTime : 1-17-2007 6:54:02 PM

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINNT\system32\

ProcessID : 196

ThreadCreationTime : 1-17-2007 6:54:04 PM

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\WINNT\system32\

ProcessID : 224

ThreadCreationTime : 1-17-2007 6:54:05 PM

BasePriority : Normal

FileVersion : 5.00.2195.7035

ProductVersion : 5.00.2195.7035

ProductName : Microsoft® Windows ® 2000 Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : Copyright © Microsoft Corp. 1981-1999

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\WINNT\system32\

ProcessID : 236

ThreadCreationTime : 1-17-2007 6:54:05 PM

BasePriority : Normal

FileVersion : 5.00.2195.7011

ProductVersion : 5.00.2195.7011

ProductName : Microsoft® Windows ® 2000 Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Executable and Server DLL (Export Version)

InternalName : lsasrv.dll and lsass.exe

LegalCopyright : Copyright © Microsoft Corp. 1981-1999

OriginalFilename : lsasrv.dll and lsass.exe

 

#:6 [svchost.exe]

FilePath : C:\WINNT\system32\

ProcessID : 396

ThreadCreationTime : 1-17-2007 6:54:08 PM

BasePriority : Normal

FileVersion : 5.00.2134.1

ProductVersion : 5.00.2134.1

ProductName : Microsoft® Windows ® 2000 Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : Copyright © Microsoft Corp. 1981-1999

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : C:\WINNT\system32\

ProcessID : 468

ThreadCreationTime : 1-17-2007 6:54:38 PM

BasePriority : Normal

FileVersion : 5.00.2134.1

ProductVersion : 5.00.2134.1

ProductName : Microsoft® Windows ® 2000 Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : Copyright © Microsoft Corp. 1981-1999

OriginalFilename : svchost.exe

 

#:8 [spoolsv.exe]

FilePath : C:\WINNT\system32\

ProcessID : 476

ThreadCreationTime : 1-17-2007 6:54:38 PM

BasePriority : Normal

FileVersion : 5.00.2195.7059

ProductVersion : 5.00.2195.7059

ProductName : Microsoft® Windows ® 2000 Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolss.exe

LegalCopyright : Copyright © Microsoft Corp. 1981-1999

OriginalFilename : spoolss.exe

 

#:9 [aswupdsv.exe]

FilePath : C:\Program Files\Alwil Software\Avast4\

ProcessID : 592

ThreadCreationTime : 1-17-2007 6:54:46 PM

BasePriority : Normal

 

 

#:10 [ashserv.exe]

FilePath : C:\Program Files\Alwil Software\Avast4\

ProcessID : 608

ThreadCreationTime : 1-17-2007 6:54:46 PM

BasePriority : High

FileVersion : 4, 7, 936, 0

ProductVersion : 4, 7, 0, 0

ProductName : avast! Antivirus

FileDescription : avast! antivirus service

InternalName : aswServ

LegalCopyright : Copyright © 2007 ALWIL Software

OriginalFilename : aswServ.exe

 

#:11 [cvpnd.exe]

FilePath : C:\Program Files\Cisco Systems\VPN Client\

ProcessID : 628

ThreadCreationTime : 1-17-2007 6:54:48 PM

BasePriority : Normal

FileVersion : 3.6.1 (Rel)

ProductVersion : 3.6.1 (Rel)

ProductName : Cisco Systems VPN Client

CompanyName : Cisco Systems, Inc.

FileDescription : Cisco Systems VPN Client

InternalName : cvpnd

LegalCopyright : Copyright © 1998-2002 Cisco Systems, Inc.

OriginalFilename : CVPND.EXE

 

#:12 [svchost.exe]

FilePath : C:\WINNT\System32\

ProcessID : 652

ThreadCreationTime : 1-17-2007 6:54:57 PM

BasePriority : Normal

FileVersion : 5.00.2134.1

ProductVersion : 5.00.2134.1

ProductName : Microsoft® Windows ® 2000 Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : Copyright © Microsoft Corp. 1981-1999

OriginalFilename : svchost.exe

 

#:13 [ntrtscan.exe]

FilePath : C:\Program Files\Trend Micro\OfficeScan Client\

ProcessID : 692

ThreadCreationTime : 1-17-2007 6:54:58 PM

BasePriority : Normal

FileVersion : 5.58.0.1063

ProductVersion : 5.58

ProductName : Trend Micro OfficeScan

CompanyName : Trend Micro Inc.

LegalCopyright : Copyright © 1999-2004 Trend Micro Incorporated. All rights reserved.

LegalTrademarks : Copyright © Trend Micro, Inc.

 

#:14 [regsvc.exe]

FilePath : C:\WINNT\system32\

ProcessID : 748

ThreadCreationTime : 1-17-2007 6:54:59 PM

BasePriority : Normal

FileVersion : 5.00.2195.6701

ProductVersion : 5.00.2195.6701

ProductName : Microsoft® Windows ® 2000 Operating System

CompanyName : Microsoft Corporation

FileDescription : Remote Registry Service

InternalName : regsvc

LegalCopyright : Copyright © Microsoft Corp. 1981-1999

OriginalFilename : REGSVC.EXE

 

#:15 [mstask.exe]

FilePath : C:\WINNT\system32\

ProcessID : 808

ThreadCreationTime : 1-17-2007 6:54:59 PM

BasePriority : Normal

FileVersion : 4.71.2195.6972

ProductVersion : 4.71.2195.6972

ProductName : Microsoft® Windows® Task Scheduler

CompanyName : Microsoft Corporation

FileDescription : Task Scheduler Engine

InternalName : TaskScheduler

LegalCopyright : Copyright © Microsoft Corp. 1997

OriginalFilename : mstask.exe

 

#:16 [tmlisten.exe]

FilePath : C:\Program Files\Trend Micro\OfficeScan Client\

ProcessID : 856

ThreadCreationTime : 1-17-2007 6:55:00 PM

BasePriority : Normal

 

 

#:17 [winmgmt.exe]

FilePath : C:\WINNT\System32\WBEM\

ProcessID : 940

ThreadCreationTime : 1-17-2007 6:55:02 PM

BasePriority : Normal

FileVersion : 1.50.1085.0100

ProductVersion : 1.50.1085.0100

ProductName : Windows Management Instrumentation

CompanyName : Microsoft Corporation

FileDescription : Windows Management Instrumentation

InternalName : WINMGMT

LegalCopyright : Copyright © Microsoft Corp. 1995-1999

 

#:18 [winvnc4.exe]

FilePath : C:\Program Files\RealVNC\VNC4\

ProcessID : 948

ThreadCreationTime : 1-17-2007 6:55:09 PM

BasePriority : Normal

FileVersion : 4.0

ProductVersion : 4.0

ProductName : VNC Server 4.0

CompanyName : RealVNC Ltd.

FileDescription : VNC Server for Win32

InternalName : WinVNC 4.0

LegalCopyright : Copyright © RealVNC Ltd. 2002-2004

LegalTrademarks : RealVNC

OriginalFilename : winvnc4.exe

 

#:19 [svchost.exe]

FilePath : C:\WINNT\system32\

ProcessID : 1064

ThreadCreationTime : 1-17-2007 6:55:12 PM

BasePriority : Normal

FileVersion : 5.00.2134.1

ProductVersion : 5.00.2134.1

ProductName : Microsoft® Windows ® 2000 Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : Copyright © Microsoft Corp. 1981-1999

OriginalFilename : svchost.exe

 

#:20 [ofcdog.exe]

FilePath : C:\Program Files\Trend Micro\OfficeScan Client\

ProcessID : 1228

ThreadCreationTime : 1-17-2007 6:55:36 PM

BasePriority : Normal

 

 

#:21 [ashmaisv.exe]

FilePath : C:\Program Files\Alwil Software\Avast4\

ProcessID : 1232

ThreadCreationTime : 1-17-2007 6:55:36 PM

BasePriority : Normal

 

 

#:22 [ashwebsv.exe]

FilePath : C:\Program Files\Alwil Software\Avast4\

ProcessID : 1252

ThreadCreationTime : 1-17-2007 6:55:43 PM

BasePriority : Normal

 

 

#:23 [explorer.exe]

FilePath : C:\WINNT\

ProcessID : 1260

ThreadCreationTime : 1-17-2007 6:55:43 PM

BasePriority : Normal

FileVersion : 5.00.3700.6690

ProductVersion : 5.00.3700.6690

ProductName : Microsoft® Windows ® 2000 Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : Copyright © Microsoft Corp. 1981-1999

OriginalFilename : EXPLORER.EXE

 

#:24 [igfxtray.exe]

FilePath : C:\WINNT\System32\

ProcessID : 1152

ThreadCreationTime : 1-17-2007 6:55:59 PM

BasePriority : Normal

FileVersion : 3,0,0,1918

ProductVersion : 7,0,0,1918

ProductName : Intel® Common User Interface

CompanyName : Intel Corporation

FileDescription : igfxTray Module

InternalName : IGFXTRAY

LegalCopyright : Copyright 1999-2002, Intel Corporation

OriginalFilename : IGFXTRAY.EXE

 

#:25 [hkcmd.exe]

FilePath : C:\WINNT\System32\

ProcessID : 1136

ThreadCreationTime : 1-17-2007 6:55:59 PM

BasePriority : Normal

FileVersion : 3,0,0,1918

ProductVersion : 7,0,0,1918

ProductName : Intel® Common User Interface

CompanyName : Intel Corporation

FileDescription : hkcmd Module

InternalName : HKCMD

LegalCopyright : Copyright 1999-2002, Intel Corporation

OriginalFilename : HKCMD.EXE

 

#:26 [pccntmon.exe]

FilePath : C:\Program Files\Trend Micro\OfficeScan Client\

ProcessID : 1516

ThreadCreationTime : 1-17-2007 6:55:59 PM

BasePriority : Normal

FileVersion : 5.58.0.1063

ProductVersion : 5.58

ProductName : Trend Micro OfficeScan

CompanyName : Trend Micro Inc.

FileDescription : I/O Monitor

InternalName : PCCNTMON

LegalCopyright : Copyright © 1999-2004 Trend Micro Incorporated. All rights reserved.

LegalTrademarks : Copyright © Trend Micro, Inc.

OriginalFilename : PCCNTMON.EXE

 

#:27 [qttask.exe]

FilePath : C:\Program Files\QuickTime\

ProcessID : 1524

ThreadCreationTime : 1-17-2007 6:55:59 PM

BasePriority : Normal

FileVersion : 7.1.3

ProductVersion : QuickTime 7.1.3

ProductName : QuickTime

CompanyName : Apple Computer, Inc.

FileDescription : QuickTime Task

InternalName : QuickTime Task

LegalCopyright : Copyright Apple Computer, Inc. 1989-2006

OriginalFilename : QTTask.exe

 

#:28 [ituneshelper.exe]

FilePath : C:\Program Files\iTunes\

ProcessID : 1556

ThreadCreationTime : 1-17-2007 6:56:01 PM

BasePriority : Normal

FileVersion : 7.0.2.16

ProductVersion : 7.0.2.16

ProductName : iTunes

CompanyName : Apple Computer, Inc.

FileDescription : iTunesHelper Module

InternalName : iTunesHelper

LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.

OriginalFilename : iTunesHelper.exe

 

#:29 [ashdisp.exe]

FilePath : C:\PROGRA~1\ALWILS~1\Avast4\

ProcessID : 1564

ThreadCreationTime : 1-17-2007 6:56:01 PM

BasePriority : Normal

FileVersion : 4, 7, 936, 0

ProductVersion : 4, 7, 0, 0

ProductName : avast! Antivirus

FileDescription : avast! service GUI component

InternalName : aswDisp

LegalCopyright : Copyright © 2007 ALWIL Software

OriginalFilename : aswDisp.exe

 

#:30 [upnp.exe]

FilePath : C:\winnt\system32\

ProcessID : 1572

ThreadCreationTime : 1-17-2007 6:56:01 PM

BasePriority : Normal

FileVersion : 5.1.2600.2180

ProductVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductName : upnp manager Microcoft® Windows®

CompanyName : Microcoft Corporation

FileDescription : upnp manager

InternalName : unker

LegalCopyright : © Microcoft Corporation. All rights reserved

LegalTrademarks : Microsoft ®

OriginalFilename : unker.EXE

 

#:31 [ipodservice.exe]

FilePath : C:\Program Files\iPod\bin\

ProcessID : 1648

ThreadCreationTime : 1-17-2007 6:56:08 PM

BasePriority : Normal

FileVersion : 7.0.2.16

ProductVersion : 7.0.2.16

ProductName : iTunes

CompanyName : Apple Computer, Inc.

FileDescription : iPodService Module

InternalName : iPodService

LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.

OriginalFilename : iPodService.exe

 

#:32 [wf_scheduler.exe]

FilePath : C:\Program Files\AceBIT\WISE-FTP\

ProcessID : 1692

ThreadCreationTime : 1-17-2007 6:56:09 PM

BasePriority : Normal

FileVersion : 3.0.0.7

ProductVersion : 3.0.0.7

CompanyName : AceBIT GmbH

LegalCopyright : © 1998-2003 by AceBIT GmbH

 

#:33 [superantispyware.exe]

FilePath : C:\Program Files\SUPERAntiSpyware\

ProcessID : 1668

ThreadCreationTime : 1-17-2007 6:56:13 PM

BasePriority : Normal

FileVersion : 3, 5, 0, 1016

ProductVersion : 3, 5, 0, 1016

ProductName : SUPERAntiSpyware

CompanyName : SUPERAntiSpyware.com

FileDescription : SUPERAntiSpyware

InternalName : SUPERAntiSpyware

LegalCopyright : Copyright © 2005-2007 by SUPERAntiSpyware.com and SUPERAdBlocker.com

OriginalFilename : SUPERAntiSpyware.exe

 

#:34 [wzqkpick.exe]

FilePath : C:\Program Files\WinZip\

ProcessID : 1272

ThreadCreationTime : 1-17-2007 6:56:30 PM

BasePriority : Normal

FileVersion : 1.0 (32-bit)

ProductVersion : 8.1 (4319)

ProductName : WinZip

CompanyName : WinZip Computing, Inc.

FileDescription : WinZip Executable

InternalName : WZQKPICK.EXE

LegalCopyright : Copyright © WinZip Computing, Inc. 1991-2001 - All Rights Reserved

LegalTrademarks : WinZip is a registered trademark of WinZip Computing, Inc

OriginalFilename : WZQKPICK.EXE

Comments : StringFileInfo: U.S. English

 

#:35 [googletoolbarnotifier.exe]

FilePath : C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\

ProcessID : 1144

ThreadCreationTime : 1-17-2007 7:09:00 PM

BasePriority : Normal

FileVersion : 1, 2, 908, 5008

ProductVersion : 1, 2, 908, 5008

ProductName : GoogleToolbarNotifier

CompanyName : Google Inc.

FileDescription : GoogleToolbarNotifier

LegalCopyright : Copyright © 2005-2006

OriginalFilename : GoogleToolbarNotifier.exe

 

#:36 [iexplore.exe]

FilePath : C:\Program Files\Internet Explorer\

ProcessID : 992

ThreadCreationTime : 1-17-2007 7:30:15 PM

BasePriority : Normal

FileVersion : 6.00.2800.1106

ProductVersion : 6.00.2800.1106

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Internet Explorer

InternalName : iexplore

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : IEXPLORE.EXE

 

#:37 [ad-aware.exe]

FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\

ProcessID : 2688

ThreadCreationTime : 1-17-2007 7:50:00 PM

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 0

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 0

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 0

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:[email protected]/

Expires : 1-12-2027 11:31:10 AM

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1

Objects found so far: 1

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 1

 

 

Scanning Hosts file......

Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 1

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 1

 

11:55:58 AM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:05:04.547

Objects scanned:88376

Objects identified:1

Objects ignored:0

New critical objects:1

 

 

 

*** Next ***

 

SUPERAntiSpyware Scan Log

Generated 01/17/2007 at 10:50 AM

 

Application Version : 3.5.1016

 

Core Rules Database Version : 3165

Trace Rules Database Version: 1176

 

Scan type : Complete Scan

Total Scan Time : 00:44:17

 

Memory items scanned : 347

Memory threats detected : 4

Registry items scanned : 3749

Registry threats detected : 24

File items scanned : 36213

File threats detected : 181

 

Trojan.Downloader-Gen/Win

C:\WINNT\SYSTEM32\KERNELS88.EXE

C:\WINNT\SYSTEM32\KERNELS88.EXE

[system] C:\WINNT\SYSTEM32\KERNELS88.EXE

 

Trojan.VXGame-Gen

C:\WINNT\SYSTEM32\DLH9JKD1Q2.EXE

C:\WINNT\SYSTEM32\DLH9JKD1Q2.EXE

C:\WINNT\SYSTEM32\DLH9JKD1Q6.EXE

C:\WINNT\SYSTEM32\DLH9JKD1Q6.EXE

C:\WINNT\SYSTEM32\DLH9JKD1Q7.EXE

C:\WINNT\SYSTEM32\DLH9JKD1Q7.EXE

C:\DOCUMENTS AND SETTINGS\TFRENCH\LOCAL SETTINGS\TEMP\2.DLLB

C:\DOCUMENTS AND SETTINGS\TFRENCH\LOCAL SETTINGS\TEMP\6.DLLB

C:\WINNT\SYSTEM32\VXG6AME4.EXE

C:\WINNT\SYSTEM32\VXGA1ME4T1.EXE

C:\WINNT\SYSTEM32\VXGA4ME1.EXE

 

Trojan.Downloader-Gen/MultiBot

[WinUpgrade] C:\DOCUME~1\TFRENCH\LOCALS~1\TEMP\130406.EXE

C:\DOCUME~1\TFRENCH\LOCALS~1\TEMP\130406.EXE

[WinUpdate] C:\DOCUME~1\TFRENCH\LOCALS~1\TEMP\131546.EXE

C:\DOCUME~1\TFRENCH\LOCALS~1\TEMP\131546.EXE

C:\DOCUMENTS AND SETTINGS\TFRENCH\LOCAL SETTINGS\TEMP\12038593.EXE

C:\DOCUMENTS AND SETTINGS\TFRENCH\LOCAL SETTINGS\TEMP\12038734.EXE

C:\DOCUMENTS AND SETTINGS\TFRENCH\LOCAL SETTINGS\TEMP\129296.EXE

C:\DOCUMENTS AND SETTINGS\TFRENCH\LOCAL SETTINGS\TEMP\130406.EXE

C:\DOCUMENTS AND SETTINGS\TFRENCH\LOCAL SETTINGS\TEMP\131546.EXE

C:\DOCUMENTS AND SETTINGS\TFRENCH\LOCAL SETTINGS\TEMP\152125.EXE

C:\DOCUMENTS AND SETTINGS\TFRENCH\LOCAL SETTINGS\TEMP\152343.EXE

C:\DOCUMENTS AND SETTINGS\TFRENCH\LOCAL SETTINGS\TEMP\152531.EXE

 

Trojan.Downloader-WS2F

Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg

C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\SETTINGS\WINSYS2F.DLL

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg#DllName

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg#Startup

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg#Impersonate

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg#Asynchronous

 

Adware.Tracking Cookie


 

Adware.SideStep Toolbar

HKCR\CLSID\{D714A94F-123A-45CC-8F03-040BCAF82AD6}

HKCR\CLSID\{D714A94F-123A-45CC-8F03-040BCAF82AD6}\InprocServer32

HKCR\CLSID\{D714A94F-123A-45CC-8F03-040BCAF82AD6}\InprocServer32#ThreadingModel

HKCR\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}

HKCR\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}\Implemented Categories

HKCR\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}\Implemented Categories\{00021493-0000-0000-C000-000000000046}

HKCR\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}\InprocServer32

HKCR\CLSID\{83B28A74-640D-48F4-9F51-E80EED7CC7E0}\InprocServer32#ThreadingModel

 

Trojan.BraveSentry

C:\Program Files\BraveSentry\BraveSentry.exe

C:\Program Files\BraveSentry\BraveSentry.lic

C:\Program Files\BraveSentry\Uninstall.exe

C:\Program Files\BraveSentry

 

Trojan.Haxdoor-P79

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pasksa

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pasksa#DllName

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pasksa#Startup

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pasksa#Impersonate

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pasksa#Asynchronous

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pasksa#MaxWait

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\pasksa#2sksid

 

Trojan.Downloader/SmitF

C:\WINNT\DESKTOP.HTML

 

Trojan.Unknown Origin

C:\WINNT\SYSTEM32\VX.TLL


Hello, Hawkfan & Welcome

 

Nice work

 

 

Please download HijackThis v1.99.1 from the following link:

http://www.merijn.org/files/hijackthis.zip

 

Then, create a folder like: C:\Program Files\HijackThis, or, if you want to keep it on the Desktop, right click an empty area, select New>Folder, name the folder HijackThis, and place the program in it.

 

Run the program, and click on the Scan button

 

When the Scan finishes click: Save Log

The log opens in Notepad

Click on: Edit>Select All

Click on: Edit>Copy, and then Paste the log in your reply

 

Please do not fix anything showing up on the log. Just have the program create it, and copy/paste it to this thread.

 

 

Gogo ;)


Hi

 

Ok here it is.

 

Logfile of HijackThis v1.99.1

Scan saved at 08:51, on 07-01-18

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\igfxtray.exe

C:\WINNT\System32\hkcmd.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\winnt\system32\upnp.exe

C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINNT\system32\services.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE

C:\Program Files\Microsoft Office\Office\WINWORD.EXE

C:\Documents and Settings\Tfrench\Desktop\hijackthis\HijackThis.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot

O4 - HKLM\..\Run: [] -HideWindow

O4 - HKLM\..\Run: [iCQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [upp] c:\winnt\system32\upnp.exe

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

O4 - HKCU\..\Run: [Wise-FTP Scheduler] C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Tfrench\LOCALS~1\Temp\12038156.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\system32\shdocvw.dll

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: ADVFN 4v4 - http://www.advfn.com/p.php?pid=loadercab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab

O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{BABBEB24-52A8-4782-A0E2-DCC7864D85B2}: NameServer = 66.45.212.21,64.146.171.130

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


Hi, Hawkfan

 

Please print out or copy these instructions to Notepad as the internet will not be available to you at certain points of the removal process (whilst in Safe Mode). If there's anything that you don't understand, ask your question(s) before moving on with the fix.

 

============

 

View hidden files and folders:

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

 

============

 

Restart your computer in Safe Mode.

  1. If the computer is running, shut down Windows, and then turn off the power.
  2. Wait 30 seconds, and then turn the computer on.
  3. Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  4. Ensure that the Safe Mode option is selected.
  5. Press Enter. The computer then begins to start in Safe Mode.
  6. Login on your usual account.

If you need further assistance with Safe Mode, see Symantec

 

============

 

Run HijackThis

Scan and when it finishes, put a check mark only next to the following items (if present):

 

O4 - HKLM\..\Run: [upp] c:\winnt\system32\upnp.exe

O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Tfrench\LOCALS~1\Temp\12038156.exe

O4 - HKLM\..\Run: [] -HideWindow

 

Close all browsers and any open Windows, making sure that only HijackThis is open

Click Fix Checked

Close HijackThis

 

============

 

Next, please find and delete the following files/folders (if present):

c:\winnt\system32\upnp.exe<---This file

C:\DOCUME~1\Tfrench\LOCALS~1\Temp\<---Clean out this folder; don't delete the folder itself

 

============

 

Clean out your Temporary Internet files.

Internet Explorer

Close Internet Explorer and close any instances of Windows Explorer.

Click Start -> Control Panel and then double-click Internet Options.

On the General tab, click Delete Files under Temporary Internet Files.

In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.

On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.

Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.

Click OK.

 

Firefox (In case you also have Firefox installed)

Open Firefox and go to Tools -> Options.

Click Privacy in the menu on the left side of the Options window.

Click the Clear button located to the right of each option (History, Cookies, Cache).

Click OK to close the Options window.

Alternatively, you can clear all information stored while browsing by clicking Clear All.

A confirmation dialog box will be shown before clearing the information.

 

 

Make your Internet Explorer more secure - This can be done by following these simple instructions:

1. From within Internet Explorer click on the Tools menu and then click on Options.

2. Click once on the Security tab

3. Click once on the Internet icon so it becomes highlighted.

4. Click once on the Custom Level button.

a. Change the Download signed ActiveX controls to Prompt

b. Change the Download unsigned ActiveX controls to Disable

c. Change the Initialize and script ActiveX controls not marked as safe to Disable

d. Change the Installation of desktop items to Prompt

e. Change the Launching programs and files in an IFRAME to Prompt

f. Change the Navigate sub-frames across different domains to Prompt

g. When all these settings have been made, click on the OK button.

h. If it prompts you as to whether or not you want to save the settings, press the Yes button.

5. Next press the Apply button and then the OK to exit the Internet Properties page.

 

 

===========

 

Then do a reboot and do this for me and show me a new HijackThis logfile.

 

Please download Rootkit Revealer

http://www.sysinternals.com/utilities/rootkitrevealer.html

 

(link is at the very bottom of the page)

Unzip it to your desktop.

Open the rootkitrevealer folder and double-click rootkitrevealer.exe

Click the Scan button (bottom right)

It may take a while to scan (don't do anything else while it's running - leave the PC idle during the scan)

When it's done, go up to File > Save. Choose to save it to your desktop.

Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

 

 

Gogo :P


Hi,

 

OK, I followed your instructions to a T.

 

I rebooted and ran HijackThis and RootkitRevealer.

 

Here are the logs.

 

***RootkitRevealer***

 

HKU\.DEFAULT\Control Panel\International 1/17/2007 2:33 PM 0 bytes Security mismatch.

HKLM\SECURITY\Policy\Secrets\SAC* 4/1/2004 9:30 PM 0 bytes Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI* 4/1/2004 9:30 PM 0 bytes Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\XATM:da7bd468-d998-4c51-a7e0-f6d21b3c7898* 4/1/2004 9:13 PM 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Microsoft\Command Processor 1/17/2007 2:33 PM 0 bytes Security mismatch.

 

***HIJACKTHIS***

Logfile of HijackThis v1.99.1

Scan saved at 13:49, on 07-01-18

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINNT\System32\igfxtray.exe

C:\WINNT\System32\hkcmd.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

C:\Documents and Settings\Tfrench\Desktop\hijackthis\HijackThis.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot

O4 - HKLM\..\Run: [] -HideWindow

O4 - HKLM\..\Run: [iCQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [upp] c:\winnt\system32\upnp.exe

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

O4 - HKCU\..\Run: [Wise-FTP Scheduler] C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Tfrench\LOCALS~1\Temp\12038156.exe

O4 - HKCU\..\RunOnce: [iCQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\system32\shdocvw.dll

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: ADVFN 4v4 - http://www.advfn.com/p.php?pid=loadercab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab

O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{BABBEB24-52A8-4782-A0E2-DCC7864D85B2}: NameServer = 66.45.212.21,64.146.171.130

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


Hi, Hawkfan

 

 

Download The Avenger Copyright © Swandog46

You must extract avenger.exe to your desktop, before you run it.

 

CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!

 

 

Copy all the text contained in the code box below to your Clipboard.

NOTE: don't copy the word quote

 

Files to delete:

c:\winnt\system32\upnp.exe

C:\DOCUME~1\Tfrench\LOCALS~1\Temp\12038156.exe

 

The above script is for this user only, if you need help please start your own thread.

 

Start the Avenger.

Under "Script file to execute" choose "Input Script Manually".

Click on the Magnifying Glass icon which will open a new window titled "View/edit script".

Paste the entire text into this window.

Click done, now click on the Green Light

Answer "Yes" twice when prompted.

Your computer should reboot and briefly open a black command window on your desktop; this is normal.

 

After the restart, it will create a log file that should open.

This log file will be located at C:\avenger.txt

 

Paste the contents of C:\avenger.txt into your reply along with a fresh HijackThis! log.

 

Also: Avenger has made backups of all the files, etc., that you asked it to delete, located at C:\avenger\backup.zip.

 

=============

 

Please download ComboFix and save it to your desktop.

 

Double click combofix.exe and follow the prompts.

 

When it's done running it will produce a log for you. Please post that log in your next reply.

 

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

 

 

Gogo :P
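As an added illustration of the triage being done by hand in this thread (which O4 entries Gogo singles out for "Fix Checked", and why the Avenger script further down reports both files as not found), here is a small Python script that is not part of the forum post, of HijackThis, or of The Avenger. It parses the registry O4 lines copied from the HijackThis log above together with the "not found" lines from the Avenger log the poster provides in the next reply, and flags entries by rules I have chosen for this example: an empty value name, an image under a Temp folder, a numeric-only file name, and an image Avenger could not find on disk. The sample log strings are constructed from the thread's own logs; the heuristics are mine and are not HijackThis logic.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: the registry O4 lines copied from the HijackThis
# log in this thread, plus the "not found" lines from the Avenger log that the
# poster reports further down. Everything else in this block is added here and
# is not part of HijackThis, Avenger or the forum post.
HJT_LOG = r"""
O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [] -HideWindow
O4 - HKLM\..\Run: [upp] c:\winnt\system32\upnp.exe
O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Tfrench\LOCALS~1\Temp\12038156.exe
"""

AVENGER_LOG = r"""
File c:\winnt\system32\upnp.exe not found!
Deletion of file c:\winnt\system32\upnp.exe failed!
File C:\DOCUME~1\Tfrench\LOCALS~1\Temp\12038156.exe not found!
Deletion of file C:\DOCUME~1\Tfrench\LOCALS~1\Temp\12038156.exe failed!
"""

# "O4 - HKLM\..\Run: [value name] command line" (registry Run/RunOnce entries only;
# the "Global Startup" O4 variant is a shortcut, not a registry value, and is skipped)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$"
)
NOT_FOUND_RE = re.compile(r"^File (?P<path>.+?) not found!$")


def image_path(cmd: str) -> str:
    """Pull the executable out of a Run value's command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                        # "C:\Program Files\x.exe" -args
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(\S+?\.exe)(?=\s|$)", cmd)  # bare path ending in .exe
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def missing_files(avenger_log: str) -> set:
    """Paths Avenger reported as not found on disk (status 0xc0000034 in its log)."""
    found = set()
    for line in avenger_log.splitlines():
        m = NOT_FOUND_RE.match(line.strip())
        if m:
            found.add(m.group("path").lower())
    return found


def assess(name: str, image: str, missing: set) -> list:
    """Heuristic reasons an autorun value deserves a second look (my own rules)."""
    reasons = []
    path = image.lower()
    if not name:
        reasons.append("empty value name")
    if not re.match(r"^[a-z]:\\", path):
        reasons.append("no absolute image path (switch or bare command only)")
    if "\\temp\\" in path:
        reasons.append("image lives under a Temp directory")
    if PureWindowsPath(path).stem.isdigit():
        reasons.append("numeric-only file name")
    if path in missing:
        reasons.append("image missing on disk: orphaned autorun value, remove the registry value")
    return reasons


def triage(hjt_log: str, avenger_log: str = "") -> dict:
    """Map each suspicious O4 line to the list of reasons it was flagged."""
    missing = missing_files(avenger_log)
    findings = {}
    for raw in hjt_log.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if not m:
            continue
        reasons = assess(m.group("name"), image_path(m.group("cmd")), missing)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(HJT_LOG, AVENGER_LOG).items():
        print(line)
        for r in reasons:
            print("   -", r)
```

Run on the HijackThis log alone, the rules flag only the empty-name entry and the Temp executable; `[upp] c:\winnt\system32\upnp.exe` looks unremarkable by path alone and is caught here only once the Avenger log shows the file is gone. That is the practical lesson of the two logs together: when the file has already been removed but the Run value still points at it, the remaining cleanup is the registry value, not another file deletion.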


Hi,

 

OK, I have the logs from Avenger, HijackThis, and ComboFix below.

 

 

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\cvcktvos

 

*******************

 

Script file located at: \??\C:\WINNT\hlmutjux.txt

Script file opened successfully.

 

Script file read successfully

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

 

 

File c:\winnt\system32\upnp.exe not found!

Deletion of file c:\winnt\system32\upnp.exe failed!

 

Could not process line:

c:\winnt\system32\upnp.exe

Status: 0xc0000034

 

 

 

File C:\DOCUME~1\Tfrench\LOCALS~1\Temp\12038156.exe not found!

Deletion of file C:\DOCUME~1\Tfrench\LOCALS~1\Temp\12038156.exe failed!

 

Could not process line:

C:\DOCUME~1\Tfrench\LOCALS~1\Temp\12038156.exe

Status: 0xc0000034

 

 

Completed script processing.

 

*******************

 

Finished! Terminate.

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 16:01, on 07-01-18

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\igfxtray.exe

C:\WINNT\System32\hkcmd.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\ICQLite\ICQLite.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

C:\Documents and Settings\Tfrench\Desktop\hijackthis\HijackThis.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot

O4 - HKLM\..\Run: [] -HideWindow

O4 - HKLM\..\Run: [iCQ Lite] "C:\Program Files\ICQLite\ICQLite.exe" -minimize

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [upp] c:\winnt\system32\upnp.exe

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

O4 - HKCU\..\Run: [Wise-FTP Scheduler] C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Tfrench\LOCALS~1\Temp\12038156.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\system32\shdocvw.dll

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: ADVFN 4v4 - http://www.advfn.com/p.php?pid=loadercab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab

O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{BABBEB24-52A8-4782-A0E2-DCC7864D85B2}: NameServer = 66.45.212.21,64.146.171.130

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

 

 

 

 

"kylem" - Thu 2007-01-18 16:04:43 Service Pack 4

ComboFix 07-01-16.2 - Running from: "C:\Documents and Settings\Tfrench\Desktop"

 

((((((((((((((((((((((((((((((( Files Created from 2006-12-18 to 2007-01-18 ))))))))))))))))))))))))))))))))))

 

 

2007-01-18 15:58 0 --a------ C:\backup.reg

2007-01-18 15:58 <DIR> d-------- C:\avenger

2007-01-18 15:54 126,976 --a------ C:\zip.exe

2007-01-17 14:11 <DIR> d-------- C:\Program Files\Enigma Software Group

2007-01-17 13:35 <DIR> d-------- C:\Program Files\SpywareBot

2007-01-17 11:49 <DIR> d-------- C:\Program Files\Lavasoft

2007-01-17 11:26 0 --a------ C:\WINNT\STANDARD_MONITOR_DRIVER_UNSIGNED.EXE

2007-01-17 11:26 0 --a------ C:\WINNT\STANDARD_MONITOR_DRIVER_SIGNED_W2K.EXE

2007-01-17 10:01 <DIR> d-------- C:\Program Files\SUPERAntiSpyware

2007-01-17 10:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-01-17 10:01 <DIR> d-------- C:\DOCUME~1\Tfrench\Application Data\SUPERAntiSpyware.com

2007-01-17 10:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SUPERAntiSpyware.com

2007-01-16 19:50 <DIR> d--h----- C:\WINNT\PIF

2007-01-16 18:51 91,110 --a------ C:\WINNT\u2.exe

2007-01-16 18:51 3,072 --a------ C:\WINNT\system32\p81eskse.sys

2007-01-16 18:51 10,789 --a------ C:\WINNT\system32\pasksa.dll

2007-01-16 18:51 10,137 --a------ C:\WINNT\i2.exe

2007-01-16 18:22 94,424 --a------ C:\WINNT\system32\drivers\aswmon2.sys

2007-01-16 18:22 85,952 --a------ C:\WINNT\system32\drivers\aswmon.sys

2007-01-16 18:22 43,176 --a------ C:\WINNT\system32\drivers\aswTdi.sys

2007-01-16 18:22 31,560 --a------ C:\WINNT\system32\drivers\aavmker4.sys

2007-01-16 18:22 23,352 --a------ C:\WINNT\system32\drivers\aswRdr.sys

2007-01-16 18:21 90,112 --a------ C:\WINNT\system32\AVASTSS.scr

2007-01-16 18:21 689,280 --a------ C:\WINNT\system32\aswBoot.exe

2007-01-16 18:21 1,060,864 --a------ C:\WINNT\system32\MFC71.dll

2007-01-16 18:21 <DIR> d-------- C:\Program Files\Alwil Software

2007-01-16 17:41 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Application Data\Help

2007-01-16 13:51 425,984 --a------ C:\WINNT\system32\wodKeys.dll

2007-01-16 13:51 385,024 --a------ C:\WINNT\system32\wodSFTP.dll

2007-01-16 13:51 1,079,808 --a------ C:\WINNT\system32\we.dll

2007-01-16 13:51 <DIR> d-------- C:\Program Files\AceBIT

2007-01-15 13:24 <DIR> d-------- C:\DOCUME~1\Kallie\Application Data\U3

2007-01-10 10:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\AOL OCP

2007-01-10 09:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\AOL

2007-01-10 09:57 <DIR> d-------- C:\Program Files\Common Files\AOL

2007-01-10 09:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\AOL Downloads

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2007-01-18 15:58 -------- d-------- C:\Program Files\steam

2007-01-18 13:14 -------- d-------- C:\DOCUME~1\Tfrench\Application Data\event

2007-01-17 11:50 -------- d-------- C:\DOCUME~1\Tfrench\Application Data\lavasoft

2007-01-17 11:36 -------- d-------- C:\Program Files\aim

2007-01-17 11:36 -------- d-------- C:\DOCUME~1\Tfrench\Application Data\aim

2007-01-17 10:57 -------- d-------- C:\DOCUME~1\Tfrench\Application Data\skype

2007-01-16 17:41 7952 --a------ C:\WINNT\system32\svchost.exe

2007-01-16 13:51 -------- d--h----- C:\Program Files\installshield installation information

2007-01-10 13:31 -------- d-------- C:\DOCUME~1\Tfrench\Application Data\apple computer

2007-01-02 15:31 -------- d-------- C:\DOCUME~1\Tfrench\Application Data\adobeum

2006-12-07 17:02 2174976 --a------ C:\WINNT\system32\wmvcore.dll

2006-11-06 12:47 596480 --a------ C:\WINNT\system32\inetcomm.dll

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"

"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

"Steam"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"

"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"

"Wise-FTP Scheduler"="C:\\Program Files\\AceBIT\\WISE-FTP\\WF_Scheduler.exe"

"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"Synchronization Manager"="mobsync.exe /logon"

"IgfxTray"="C:\\WINNT\\System32\\igfxtray.exe"

"HotKeysCmds"="C:\\WINNT\\System32\\hkcmd.exe"

"OfficeScanNT Monitor"="\"C:\\Program Files\\Trend Micro\\OfficeScan Client\\pccntmon.exe\" -HideWindow"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"TkBellExe"="\"realsched.exe\" -osboot"

@=" -HideWindow"

"ICQ Lite"="\"C:\\Program Files\\ICQLite\\ICQLite.exe\" -minimize"

"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

"Wise-FTP Scheduler"=""

"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

"upp"="c:\\winnt\\system32\\upnp.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"NoChange"="1"

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"WinMedia"="C:\\WINNT\\TEMP\\9571812.exe"

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

rpcss REG_MULTI_SZ RpcSs\0\0

wugroup REG_MULTI_SZ wuauserv\0\0

BITSgroup REG_MULTI_SZ BITS\0\0

 

HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*

WmdmPmSN

 

 

Contents of the 'Scheduled Tasks' folder

C:\WINNT\tasks\AppleSoftwareUpdate.job

 

Completion time: Thu 2007-01-18 16:06:47

C:\ComboFix2.txt ... 07-01-17 14:33


Hey, Hawkfan

 

 

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous, so we will make a backup of the registry first.

 

Backup the Registry:

 

Navigate to Start | Run and paste the following:

 

regedit /e c:\registrybackup.reg

 

Now click OK.

It won't appear to be doing anything; that's normal.

Your mouse pointer may turn to an hourglass for a minute.

Please continue when it no longer shows the hourglass.

 

============

 

 

Open Notepad and copy and paste the following quote box into a new text document. (Don't forget to copy and paste REGEDIT4!) Don't copy the word "Quote".

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"upp"=-

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"WinMedia"=-

 

Save this as fix.reg, choosing to save as "All Files", and place it on your Desktop.

It should look like this: reg.gif

Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

 

 

============

 

Download SDFix and save it to your Desktop.

 

Double-click SDFix.exe and it will extract the files to %systemdrive%

(the drive that contains the Windows directory, typically C:\SDFix).

 

Please then reboot your computer in Safe Mode by doing the following:

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, the Advanced Options Menu should appear;

Select the first option, to run Windows in Safe Mode, then press Enter.

Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.

Press any Key and it will restart the PC.

When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished. Press any key to end the script and load your desktop icons.

Once the desktop icons load, the SDFix report will open on screen and will also be saved into the SDFix folder as Report.txt.

(Report.txt will also be copied to the Clipboard, ready for posting back on the forum.)

Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

 

 

Gogo :)

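The fix above works by merging a REGEDIT4 file in which "name"=- deletes a value from the Run key it sits under. As an added example (not part of the thread, and not code from ComboFix or from the helper), here is a Python script that reads Run-key entries in the REGEDIT4-style form ComboFix printed under "Reg Loading Points", flags programs that run from a temporary directory or have a digit-only name (heuristics chosen for this example), and renders the same kind of removal file. The sample dump is constructed from the thread's log; the upp entry is passed in explicitly as the analyst's pick, since no heuristic here would catch a file sitting in system32.

```python
"""Audit Run-key entries from a REGEDIT4-style dump and build a removal .reg file.

Added example for this thread, not code from ComboFix or from the helper.
The input format is the one ComboFix printed under "Reg Loading Points"; the
sample below is constructed from the thread's log, and the flagging rules are
heuristics chosen for this example (the helper's own picks are passed in by name).
"""
import re

# Constructed sample: a subset of the Run keys shown in the thread's ComboFix log.
SAMPLE_DUMP = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"realsched.exe\" -osboot"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"upp"="c:\\winnt\\system32\\upnp.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WinMedia"="C:\\WINNT\\TEMP\\9571812.exe"
'''

# "name"="value" with REGEDIT4 escaping (\\ for a backslash, \" for a quote).
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def reg_unescape(s):
    """Undo REGEDIT4 string escaping."""
    return re.sub(r'\\(.)', r'\1', s)


def reg_escape(s):
    """Apply REGEDIT4 string escaping."""
    return s.replace('\\', '\\\\').replace('"', '\\"')


def parse_dump(text):
    """Return a list of (key, value_name, command) from the dump."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            entries.append((key, reg_unescape(m.group(1)), reg_unescape(m.group(2))))
    return entries


def executable_of(command):
    """Pull the program path out of a Run command line (quoted or bare)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.*?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ''


def suspicion_reasons(command):
    """Heuristic flags for one entry; an empty list means nothing stood out."""
    exe = executable_of(command).lower()
    reasons = []
    if '\\temp\\' in exe or '\\tmp\\' in exe:
        reasons.append('program runs from a temporary directory')
    stem = exe.rsplit('\\', 1)[-1]
    stem = stem[:-4] if stem.endswith('.exe') else stem
    if stem.isdigit():
        reasons.append('program name is only digits')
    return reasons


def plan_removals(entries, analyst_picks=()):
    """Map key -> value names to delete: heuristic hits plus names the analyst chose."""
    picks = {n.lower() for n in analyst_picks}
    plan = {}
    for key, name, command in entries:
        if name.lower() in picks or suspicion_reasons(command):
            plan.setdefault(key, []).append(name)
    return plan


def build_fix_reg(plan):
    """Render a REGEDIT4 file; "name"=- deletes that value when merged."""
    lines = ['REGEDIT4', '']
    for key, names in plan.items():
        lines.append('[' + key + ']')
        lines.extend('"%s"=-' % reg_escape(n) for n in names)
        lines.append('')
    return '\r\n'.join(lines)  # regedit expects CRLF line endings


if __name__ == '__main__':
    entries = parse_dump(SAMPLE_DUMP)
    for key, name, command in entries:
        for why in suspicion_reasons(command):
            print('%s: %s (%s)' % (name, why, command))
    # Export a backup first, as the helper does: regedit /e c:\registrybackup.reg
    print(build_fix_reg(plan_removals(entries, analyst_picks=['upp'])))
```

The heuristics only surface candidates; the decision to remove an entry stays with the person reading the log, which is why the script takes explicit names as well. Keep the exported backup from the step above so a removed value can be restored by merging it back.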

Hi,

 

OK, here is the SDFix report and the new HijackThis log.

 

Rebooting

 

Normal Mode:

 

Checking Files:

 

 

No Files Found..

 

 

 

 

Alternate Stream Check:

 

 

Final Check:

 

Remaining Services:

------------------

 

Rootkit PE386 Found!

Rootkit lzx32 Found!

Rootkit msguard Found!

 

Remaining Files:

---------------

 

Backups Folder: - i:\\backups\backups.zip

 

Checking For Files with Hidden Attributes :

 

C:\NTDETECT.COM

C:\Documents and Settings\Tfrench\Favorites\Business\The Quicken.com Channel\desktop.ini

C:\arcldr.exe

C:\arcsetup.exe

C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe

C:\CONFIG.SYS

C:\IO.SYS

C:\MSDOS.SYS

C:\pagefile.sys

C:\Documents and Settings\Tfrench\Application Data\Microsoft\Office\Shortcut Bar\Off182.tmp

C:\Documents and Settings\Tfrench\Application Data\Microsoft\Office\Shortcut Bar\Off182h.tmp

C:\Documents and Settings\Tfrench\Application Data\Microsoft\Office\Shortcut Bar\Off182s.tmp

C:\Documents and Settings\Tfrench\Application Data\Microsoft\Word\~WRL2118.tmp

C:\Documents and Settings\Tfrench\My Documents\~WRL3174.tmp

 

Finished

 

Logfile of HijackThis v1.99.1

Scan saved at 18:28, on 07-01-18

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINNT\system32\notepad.exe

C:\WINNT\System32\igfxtray.exe

C:\WINNT\System32\hkcmd.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

C:\Documents and Settings\Tfrench\Desktop\hijackthis\HijackThis.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "realsched.exe" -osboot

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [steam] "C:\Program Files\Steam\Steam.exe" -silent

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

O4 - HKCU\..\Run: [Wise-FTP Scheduler] C:\Program Files\AceBIT\WISE-FTP\WF_Scheduler.exe

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\system32\shdocvw.dll

O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: ADVFN 4v4 - http://www.advfn.com/p.php?pid=loadercab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb028.cab

O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{BABBEB24-52A8-4782-A0E2-DCC7864D85B2}: NameServer = 66.45.212.21,64.146.171.130

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)


Hi, Hawkfan

 

Please run this tool for me.

 

 

Download - rustbfix.exe ...and save it to your desktop.

Double click on rustbfix.exe to run the tool.

If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically.

After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). If needed (still infected), post the content of these logfiles along with a new HijackThis log.

 

 

Gogo :)


Hi,

 

I ran the rustbfix.exe and here is the log.

 

************************* Rustock.b-fix -- By ejvindh *************************

Thu 2007-01-18 8:06:57.59

 

No Rustock.b-rootkits found

 

******************************* End of Logfile ********************************

 

 

 

Looks like most everything is running correctly. Thank You Very Much!!!

 

Only having problems with my Date & Time stuck on military time, and it won't change to standard time, which started when I received the viruses.


Hey, Hawkfan



Yes, I don't see those files anymore. If all is good, I will now have you do my last steps here, but first see if this helps with the time.

 

 

Have you gone into the Control Panel, clicked on Regional Options and then the Time tab, and changed the time format to h:mm:ss tt, or hh:mm:ss if you don't want AM or PM to be displayed?

 

 

=============

 

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

 

 

Next, let's clean your restore points and set a new one.

 

 

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

 

1. Turn off System Restore.

* On the Desktop, right-click My Computer.

* Click Properties.

* Click the System Restore tab.

* CHECK Turn off System Restore.

* Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

* On the Desktop, right-click My Computer.

* Click Properties.

* Click the System Restore tab.

* UN-Check Turn off System Restore.

* Click Apply, and then click OK.

 

System Restore will now be active again.

 

 

Then create a new restore point once you have System Restore back on.

To create a new System Restore Point, click Start -> All Programs -> Accessories -> System Tools -> System Restore.

When the System Restore Utility opens, click "Create a Restore Point" then click Next.

Enter a name for this Restore Point, and click Create.

 

 

 

Clean out your Temporary Internet files.

Internet Explorer

Close Internet Explorer and close any instances of Windows Explorer.

Click Start -> Control Panel and then double-click Internet Options.

On the General tab, click Delete Files under Temporary Internet Files.

In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.

On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.

Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.

Click OK.

 

Firefox (In case you also have Firefox installed)

Open Firefox and go to Tools -> Options.

Click Privacy in the menu on the left side of the Options window.

Click the Clear button located to the right of each option (History, Cookies, Cache).

Click OK to close the Options window.

Alternatively, you can clear all information stored while browsing by clicking Clear All.

A confirmation dialog box will be shown before clearing the information.

 

 

Make your Internet Explorer more secure - This can be done by following these simple instructions:

1. From within Internet Explorer click on the Tools menu and then click on Options.

2. Click once on the Security tab

3. Click once on the Internet icon so it becomes highlighted.

4. Click once on the Custom Level button.

a. Change the Download signed ActiveX controls to Prompt

b. Change the Download unsigned ActiveX controls to Disable

c. Change the Initialize and script ActiveX controls not marked as safe to Disable

d. Change the Installation of desktop items to Prompt

e. Change the Launching programs and files in an IFRAME to Prompt

f. Change the Navigate sub-frames across different domains to Prompt

g. When all these settings have been made, click on the OK button.

h. If it prompts you as to whether or not you want to save the settings, press the Yes button.

5. Next press the Apply button and then the OK to exit the Internet Properties page.

 

And please have a look at the great info by Mr,TK

So how did I get infected in the first place

 

 

Gogo ;)

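The six Custom Level settings in the hardening steps above are stored as DWORD values under the Internet zone's registry key, which makes them auditable without clicking through the dialog. As an added example (not from the thread), this Python script reads a regedit export of that key, reports each setting that is more permissive than the helper recommends, and renders a REGEDIT4 file applying the recommended values. The export it checks is constructed; the action IDs (1001, 1004, 1201, 1607, 1800, 1804) and the values 0 = Enable, 1 = Prompt, 3 = Disable are the documented Internet Explorer security-zone settings.

```python
"""Audit an Internet Explorer "Internet" zone export against the hardening
steps in this thread and render a REGEDIT4 file that applies them.

Added example, not the thread's own content. The action IDs (1001, 1004, 1201,
1607, 1800, 1804) and the values 0 = Enable, 1 = Prompt, 3 = Disable are the
documented IE security-zone registry settings; the export below is constructed.
"""
import re

ZONE_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
ENABLE, PROMPT, DISABLE = 0, 1, 3
ACTION_NAME = {ENABLE: 'Enable', PROMPT: 'Prompt', DISABLE: 'Disable'}

# The six Custom Level settings the helper changes, keyed by their action ID.
RECOMMENDED = {
    '1001': ('Download signed ActiveX controls', PROMPT),
    '1004': ('Download unsigned ActiveX controls', DISABLE),
    '1201': ('Initialize and script ActiveX controls not marked as safe', DISABLE),
    '1800': ('Installation of desktop items', PROMPT),
    '1804': ('Launching programs and files in an IFRAME', PROMPT),
    '1607': ('Navigate sub-frames across different domains', PROMPT),
}

# Constructed export of a permissive Internet zone (as regedit /e would write it).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000001
"1607"=dword:00000000
"1800"=dword:00000001
"1804"=dword:00000000
'''

DWORD_RE = re.compile(r'^"(\d+)"=dword:([0-9a-fA-F]{8})$')


def parse_zone_export(text):
    """Return {action_id: int} for the dword values under the Internet zone key."""
    values, in_zone = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            in_zone = line[1:-1].lower() == ZONE_KEY.lower()
            continue
        m = DWORD_RE.match(line)
        if in_zone and m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def audit_zone(values):
    """List (id, label, current, recommended) for settings weaker than recommended.

    Enable (0) < Prompt (1) < Disable (3), so a numerically lower current value
    is the more permissive one. A missing value is reported as 'not set'.
    """
    findings = []
    for action_id, (label, want) in RECOMMENDED.items():
        have = values.get(action_id)
        if have is None:
            findings.append((action_id, label, 'not set', ACTION_NAME[want]))
        elif have < want:
            findings.append((action_id, label, ACTION_NAME.get(have, str(have)), ACTION_NAME[want]))
    return findings


def build_hardening_reg():
    """Render a REGEDIT4 file that sets all six values to the recommended action."""
    lines = ['REGEDIT4', '', '[' + ZONE_KEY + ']']
    for action_id, (_label, want) in sorted(RECOMMENDED.items()):
        lines.append('"%s"=dword:%08x' % (action_id, want))
    return '\r\n'.join(lines) + '\r\n'  # regedit expects CRLF line endings


if __name__ == '__main__':
    for action_id, label, have, want in audit_zone(parse_zone_export(SAMPLE_EXPORT)):
        print('%s %s: %s -> should be %s' % (action_id, label, have, want))
    print(build_hardening_reg())
```

Running the audit again on the file the script itself produces returns no findings, which is a cheap way to confirm the rendered .reg matches the checks. Values are per user (HKEY_CURRENT_USER), so each account on the machine needs the same treatment.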

Hi Gogo,

 

OK, I am trying to get an administrator account on my Windows 2000 Pro OS.

 

The Regional Date and Time adjustment did work... Thanks again for all your time, assistance and knowledge. I will follow your instructions as soon as I get an admin account on my workstation.

 

KC


Hi Gogo,

 

OK, I have administrator access, but I do not think Windows 2000 has any kind of System Restore built into it.



Let me know if you have any info on that.

 

Other than that everything is working great... Thanks for your help and time... Very Much Appreciated!!!
