Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Computer Shutting Down Services.exe


  • This topic is locked This topic is locked
33 replies to this topic

#1 masson

masson

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:06:17 AM

Posted 20 July 2007 - 01:28 AM

Hi this is my first post here at BC so please bear with me. My computer keeps shutting down after 60s, this after a notification that service.exe has encounterd a problem. Im shutting this down by --> Run --> shutdown -a But seems that i cant get rid of the virus/trojan or what it is. Ive tried AVG virus search, AVG root and smithfraud fix. but still have the problem. I post my HJT logg here for any supervirus slayer to find out the problem, thanks alot! One more thing, i just made a AVG 7.5 update before this problems started, may have something to do with this?

Logfile of HijackThis v1.99.1
Scan saved at 08:23:42, on 2007-07-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Grisoft\AVG7\avgamsvr.exe
C:\Program\Grisoft\AVG7\avgupsvc.exe
C:\Program\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\ASUS\ASUS Live Update\ALU.exe
C:\Program\Wireless Console 2\wcourier.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\iid.exe
C:\Program\DAEMON Tools\daemon.exe
C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program\iPod\bin\iPodService.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\wuauclt.exe
D:\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Zshutdown] c:\sysprep\patch\sysprep.cmd
O4 - HKLM\..\Run: [Power_Gear] C:\Program\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DaemonTools_WhenUSaveNow_Installer] C:\Program\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] c:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program\ieSpell\iespell.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5BF56AD2-E297-416E-BC49-00B304040507} - https://cve.trust.telia.com/testa/iidsetup.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.7sultans.com/7sultans/FlashAX.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: syshelps - {47CC9C6D-F334-49DB-8085-25570043A3D9} - syshelps.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0001291 (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

BC AdBot (Login to Remove)

 


#2 masson

masson
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:06:17 AM

Posted 22 July 2007 - 11:30 AM

No one wants to help me? I still have the same problem. the wrong message says "services.exe not service.exe as i wrote above.

I appriciate your help please.

#3 masson

masson
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:06:17 AM

Posted 22 July 2007 - 11:54 AM

Here are some more facts if it my help:

szAppName : services.exe szAppVer : 5.1.2600.2180 szModName : unknown
szModVer : 0.0.0.0 offset : 00a75592

Tech information:
C:\DOCUME~1\THOMAS~1\LOKALA~1\Temp\WERa2b9.dir00\services.exe.mdmp
C:\DOCUME~1\THOMAS~1\LOKALA~1\Temp\WERa2b9.dir00\appcompat.txt

This is what the txt file says:
<?xml version="1.0" encoding="UTF-16"?>
<DATABASE>
<EXE NAME="SYSTEM INFO" FILTER="GRABMI_FILTER_SYSTEM">
<MATCHING_FILE NAME="shell32.dll" SIZE="8461312" CHECKSUM="0x52A30348" BIN_FILE_VERSION="6.0.2900.3051" BIN_PRODUCT_VERSION="6.0.2900.3051" PRODUCT_VERSION="6.00.2900.3051" FILE_DESCRIPTION="DLL-fil för Windows-gränssnittet" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Operativsystemet Microsoft® Windows®" FILE_VERSION="6.00.2900.3051 (xpsp_sp2_gdr.061219-0316)" ORIGINAL_FILENAME="SHELL32.DLL" INTERNAL_NAME="SHELL32" LEGAL_COPYRIGHT="© Microsoft Corporation. Med ensamrätt." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x8164E9" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="6.0.2900.3051" UPTO_BIN_PRODUCT_VERSION="6.0.2900.3051" LINK_DATE="12/19/2006 21:51:09" UPTO_LINK_DATE="12/19/2006 21:51:09" VER_LANGUAGE="Svenska [0x41d]" />
<MATCHING_FILE NAME="winsock.dll" SIZE="2864" CHECKSUM="0x73AE8088" BIN_FILE_VERSION="3.10.0.103" BIN_PRODUCT_VERSION="3.10.0.103" PRODUCT_VERSION="3.10" FILE_DESCRIPTION="Windows Socket 16-Bit DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows™ Operating System" FILE_VERSION="3.10" ORIGINAL_FILENAME="WINSOCK.DLL" INTERNAL_NAME="WINSOCK" LEGAL_COPYRIGHT="Copyright © Microsoft Corp. 1981-1996" VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x10001" VERFILETYPE="0x2" MODULE_TYPE="WIN16" S16BIT_DESCRIPTION="BSD Socket API for Windows" S16BIT_MODULE_NAME="WINSOCK" UPTO_BIN_FILE_VERSION="3.10.0.103" UPTO_BIN_PRODUCT_VERSION="3.10.0.103" VER_LANGUAGE="Engelska (USA) [0x409]" />
<MATCHING_FILE NAME="ntdll.dll" SIZE="712704" CHECKSUM="0x46BAD217" BIN_FILE_VERSION="5.1.2600.2180" BIN_PRODUCT_VERSION="5.1.2600.2180" PRODUCT_VERSION="5.1.2600.2180" FILE_DESCRIPTION="DLL-fil för NT Layer" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Operativsystemet Microsoft® Windows® " FILE_VERSION="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" ORIGINAL_FILENAME="ntdll.dll" INTERNAL_NAME="ntdll.dll" LEGAL_COPYRIGHT="© Microsoft Corporation. Med ensamrätt." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xBB654" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.2180" UPTO_BIN_PRODUCT_VERSION="5.1.2600.2180" LINK_DATE="08/04/2004 08:33:21" UPTO_LINK_DATE="08/04/2004 08:33:21" VER_LANGUAGE="Svenska [0x41d]" />
<MATCHING_FILE NAME="advapi32.dll" SIZE="680960" CHECKSUM="0xD5D4C915" BIN_FILE_VERSION="5.1.2600.2180" BIN_PRODUCT_VERSION="5.1.2600.2180" PRODUCT_VERSION="5.1.2600.2180" FILE_DESCRIPTION="Advanced Windows 32 Base API" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Operativsystemet Microsoft® Windows®" FILE_VERSION="5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" ORIGINAL_FILENAME="advapi32.dll" INTERNAL_NAME="advapi32.dll" LEGAL_COPYRIGHT="© Microsoft Corporation. Med ensamrätt." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xA8190" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.2180" UPTO_BIN_PRODUCT_VERSION="5.1.2600.2180" LINK_DATE="08/04/2004 08:30:32" UPTO_LINK_DATE="08/04/2004 08:30:32" VER_LANGUAGE="Svenska [0x41d]" />
<MATCHING_FILE NAME="oleaut32.dll" SIZE="553472" CHECKSUM="0xA19376D7" BIN_FILE_VERSION="5.1.2600.2180" BIN_PRODUCT_VERSION="5.1.2600.2180" PRODUCT_VERSION="5.1.2600.2180" COMPANY_NAME="Microsoft Corporation" FILE_VERSION="5.1.2600.2180" INTERNAL_NAME="OLEAUT32.DLL" LEGAL_COPYRIGHT="Copyright © Microsoft Corp. 1993-2001." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x8CB3C" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.2180" UPTO_BIN_PRODUCT_VERSION="5.1.2600.2180" LINK_DATE="08/04/2004 08:33:06" UPTO_LINK_DATE="08/04/2004 08:33:06" VER_LANGUAGE="Engelska (USA) [0x409]" />
<MATCHING_FILE NAME="user32.dll" SIZE="577024" CHECKSUM="0x86F51E2D" BIN_FILE_VERSION="5.1.2600.2622" BIN_PRODUCT_VERSION="5.1.2600.2622" PRODUCT_VERSION="5.1.2600.2622" FILE_DESCRIPTION="Klient-DLL-fil för Windows XP" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Operativsystemet Microsoft® Windows®" FILE_VERSION="5.1.2600.2622 (xpsp_sp2_gdr.050301-1519)" ORIGINAL_FILENAME="user32" INTERNAL_NAME="user32" LEGAL_COPYRIGHT="© Microsoft Corporation. Med ensamrätt." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x8D85A" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.2622" UPTO_BIN_PRODUCT_VERSION="5.1.2600.2622" LINK_DATE="03/02/2005 18:19:17" UPTO_LINK_DATE="03/02/2005 18:19:17" VER_LANGUAGE="Svenska [0x41d]" />
<MATCHING_FILE NAME="gdi32.dll" SIZE="280064" CHECKSUM="0xB8240DF1" BIN_FILE_VERSION="5.1.2600.2818" BIN_PRODUCT_VERSION="5.1.2600.2818" PRODUCT_VERSION="5.1.2600.2818" FILE_DESCRIPTION="GDI Client DLL" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Microsoft® Windows® Operating System" FILE_VERSION="5.1.2600.2818 (xpsp_sp2_gdr.051228-1427)" ORIGINAL_FILENAME="gdi32" INTERNAL_NAME="gdi32" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x4D146" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.2818" UPTO_BIN_PRODUCT_VERSION="5.1.2600.2818" LINK_DATE="12/29/2005 02:56:33" UPTO_LINK_DATE="12/29/2005 02:56:33" VER_LANGUAGE="Engelska (USA) [0x409]" />
<MATCHING_FILE NAME="kernel32.dll" SIZE="997888" CHECKSUM="0x182FEB99" BIN_FILE_VERSION="5.1.2600.2945" BIN_PRODUCT_VERSION="5.1.2600.2945" PRODUCT_VERSION="5.1.2600.2945" FILE_DESCRIPTION="Klient-DLL för Windows NT BASE API" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Operativsystemet Microsoft® Windows®" FILE_VERSION="5.1.2600.2945 (xpsp_sp2_gdr.060704-2349)" ORIGINAL_FILENAME="kernel32" INTERNAL_NAME="kernel32" LEGAL_COPYRIGHT="© Microsoft Corporation. Med ensamrätt." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xF97D6" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.2945" UPTO_BIN_PRODUCT_VERSION="5.1.2600.2945" LINK_DATE="07/05/2006 10:57:10" UPTO_LINK_DATE="07/05/2006 10:57:10" VER_LANGUAGE="Svenska [0x41d]" />
<MATCHING_FILE NAME="ole32.dll" SIZE="1284608" CHECKSUM="0xB1929A5E" BIN_FILE_VERSION="5.1.2600.2726" BIN_PRODUCT_VERSION="5.1.2600.2726" PRODUCT_VERSION="5.1.2600.2726" FILE_DESCRIPTION="Microsoft OLE för Windows" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Operativsystemet Microsoft® Windows®" FILE_VERSION="5.1.2600.2726 (xpsp_sp2_gdr.050725-1528)" ORIGINAL_FILENAME="OLE32.DLL" INTERNAL_NAME="OLE32.DLL" LEGAL_COPYRIGHT="© Microsoft Corporation. Med ensamrätt." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0x13B067" LINKER_VERSION="0x50001" UPTO_BIN_FILE_VERSION="5.1.2600.2726" UPTO_BIN_PRODUCT_VERSION="5.1.2600.2726" LINK_DATE="07/26/2005 04:42:49" UPTO_LINK_DATE="07/26/2005 04:42:49" VER_LANGUAGE="Svenska [0x41d]" />
<MATCHING_FILE NAME="wininet.dll" SIZE="822784" CHECKSUM="0x66022A00" BIN_FILE_VERSION="7.0.6000.16414" BIN_PRODUCT_VERSION="7.0.6000.16414" PRODUCT_VERSION="7.00.6000.16414" FILE_DESCRIPTION="Internet Extensions for Win32" COMPANY_NAME="Microsoft Corporation" PRODUCT_NAME="Windows® Internet Explorer" FILE_VERSION="7.00.6000.16414 (vista_gdr.070108-1520)" ORIGINAL_FILENAME="wininet.dll" INTERNAL_NAME="wininet.dll" LEGAL_COPYRIGHT="© Microsoft Corporation. All rights reserved." VERFILEDATEHI="0x0" VERFILEDATELO="0x0" VERFILEOS="0x40004" VERFILETYPE="0x2" MODULE_TYPE="WIN32" PE_CHECKSUM="0xCF778" LINKER_VERSION="0x60000" UPTO_BIN_FILE_VERSION="7.0.6000.16414" UPTO_BIN_PRODUCT_VERSION="7.0.6000.16414" LINK_DATE="01/12/2007 17:27:40" UPTO_LINK_DATE="01/12/2007 17:27:40" VER_LANGUAGE="Engelska (USA) [0x409]" />
</EXE>
</DATABASE>




I'm not sure if its ok just to delete them. Sorry of i spamm, just trying to give much information, i will be better if tehre is a next time.

#4 masson

masson
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:06:17 AM

Posted 27 July 2007 - 04:50 PM

Still having the problem, 1 week later...

#5 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:12:17 AM

Posted 30 July 2007 - 10:44 PM

Hi,

Sorry for dealy. We get swamped here.

If you still need help, please post new Hijackthis log here.
Let me know also what else you tried to fix this.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image

#6 masson

masson
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:06:17 AM

Posted 31 July 2007 - 01:11 AM

Hi Blender

Thank you for your reply. I think i managed to fix the problem, it seems that it isent a virus when the file "services.exe" fails but it simply needs cleaning up (well you can probably explain it better) so i first did a defrag on the primary harddrive and then run the program "CCleaner".

I se that many people has been looking at this thread and hope that theese simple things might help you aswell. Note that its services.exe, not, service.exe that failed for me.

All the best :thumbsup:
/Masson - No more auto shutdowns

Edited by masson, 31 July 2007 - 01:13 AM.


#7 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:12:17 AM

Posted 31 July 2007 - 02:17 AM

Hi,

There are several different infections that "attack" services.exe since that file runs a fair number of services.
Like svchost runs alot of services.
Normally if something sucessfully stops "services.exe" system will reboot with that warning.

The malware file itself may be gone but I would like to d. check there is not remanents hanging around waiting for the opertunity to rear their ugly head.
The few leftovers I do see usually come with a PILE more garbage including backdoor and keylogging trojans.
If you do any sensitive online stuff like banking and such, I highly suggest you use a known clean machine to change your passwords.



If these lines are still present in your Hijackthis please fix them:

O4 - HKLM\..\Run: [DaemonTools_WhenUSaveNow_Installer] C:\Program\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe
O21 - SSODL: syshelps - {47CC9C6D-F334-49DB-8085-25570043A3D9} - syshelps.dll (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0001291 (file missing)


Start Hijackthis
Run system scan and check the above 3 entries (if present)
Reboot if/when told.

Once restarted...If you had to fix the O23 line I pointed out...

Click start> run> type cmd.exe and hit enter.
Type this command exactly as shown and hit enter:

sc delete "COM+ Messeges"

Should get success messege. No need to reboot since file is already missing.

Delete the following folder if present:

C:\Program\DaemonTools_WhenUSaveNow_Installer

Daemon tools will run fine without that WhenU adware nonsense.

Can you post me a startuplist for me please?

open Hijackthis
Click "open misc tools section"
Check both (full) and (complete) options beside "generate startuplist log" and generate the log.

Post results.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image

#8 masson

masson
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:06:17 AM

Posted 31 July 2007 - 10:30 AM

I deleted the following VIA HJT:
O21 - SSODL: syshelps - {47CC9C6D-F334-49DB-8085-25570043A3D9} - syshelps.dll (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0001291 (file missing)

When trying to put this command sc delete "COM+ Messeges" it says not an intern commando so i tryed sc delete "COM+ Messages" and then it says that the service i not installed "Open service FAILED 1060"

I took away this file instantly since i never said yes to install it. It just followed the package. It is not present. C:\Program\DaemonTools_WhenUSaveNow_Installer


This is the startup log:
StartupList report, 2007-07-31, 17:29:16
StartupList version: 1.52.2
Started from : D:\hijack this\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16414)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Grisoft\AVG7\avgamsvr.exe
C:\Program\Grisoft\AVG7\avgupsvc.exe
C:\Program\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\ASUS\ASUS Live Update\ALU.exe
C:\Program\Wireless Console 2\wcourier.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\iid.exe
C:\Program\DAEMON Tools\daemon.exe
C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
D:\hijack this\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Thomas Masson\Start-meny\Program\Autostart]
Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start-meny\Program\Autostart]
Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HControl = C:\WINDOWS\ATK0100\HControl.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
SoundMan = SOUNDMAN.EXE
ASUS Live Update = C:\Program\ASUS\ASUS Live Update\ALU.exe
Wireless Console 2 = C:\Program\Wireless Console 2\wcourier.exe
SynTPEnh = C:\Program\Synaptics\SynTP\SynTPEnh.exe
Power_Gear = C:\Program\ASUS\Power4 Gear\BatteryLife.exe 1
iTunesHelper = "C:\Program\iTunes\iTunesHelper.exe"
{0228e555-4f9c-4e35-a3ec-b109a192b4c2} = C:\Program\Google\Gmail Notifier\gnotify.exe
Net iD = C:\WINDOWS\system32\iid.exe
DAEMON Tools = "C:\Program\DAEMON Tools\daemon.exe" -lang 1033

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

swg = C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MsnMsgr = "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
updateMgr = c:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[>{97BFB627-6E7B-492A-8B95-61754BAAB54D}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\sstext3d.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registereditorn'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - (no file) - {7E853D72-626A-48EC-A868-BA8D5E23E045}
(no name) - c:\program\google\googletoolbar3.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Shockwave 10\Download.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[Checkers Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\msgrchkr.dll
CODEBASE = http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

[{5BF56AD2-E297-416E-BC49-00B304040507}]
CODEBASE = https://cve.trust.telia.com/testa/iidsetup.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://www.update.microsoft.com/windowsupd...b?1185812663125

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MessengerStatsPAClient.dll
CODEBASE = http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.macromedia.com/get/flash...ent/swflash.cab

[FlashXControl Object]
InProcServer32 = C:\WINDOWS\system32\FlashAX\FlashAX.ocx
CODEBASE = https://flash.7sultans.com/7sultans/FlashAX.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\avgfwafu.dll
Protocol #2: C:\WINDOWS\system32\avgfwafu.dll
Protocol #3: C:\WINDOWS\system32\avgfwafu.dll
Protocol #4: C:\WINDOWS\system32\avgfwafu.dll
Protocol #5: C:\WINDOWS\system32\avgfwafu.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\rsvpsp.dll
Protocol #11: C:\WINDOWS\system32\rsvpsp.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll
Protocol #22: C:\WINDOWS\system32\mswsock.dll
Protocol #23: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: system32\DRIVERS\ACPI.sys (system)
Microsoft Embedded Controller Driver: system32\DRIVERS\ACPIEC.sys (system)
Adobe LM Service: "C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe" (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD: \SystemRoot\System32\drivers\afd.sys (system)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD-processordrivrutin: system32\DRIVERS\AmdK8.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP-klientprotokoll: system32\DRIVERS\arp1394.sys (manual start)
ASNDIS5 Protocol Driver: \??\C:\WINDOWS\system32\ASNDIS5.SYS (manual start)
RAS Asynchronous Media Driver: system32\DRIVERS\asyncmac.sys (manual start)
Standard-IDE/ESDI-hårddiskstyrenhet: system32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: system32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Ljud-stub-drivrutin: system32\DRIVERS\audstub.sys (manual start)
AVG7 Alert Manager Server: C:\Program\Grisoft\AVG7\avgamsvr.exe (autostart)
AVG7 Kernel: \SystemRoot\System32\Drivers\avg7core.sys (system)
AVG7 Wrap Driver: \SystemRoot\System32\Drivers\avg7rsw.sys (system)
AVG7 Resident Driver XP: \SystemRoot\System32\Drivers\avg7rsxp.sys (system)
AVG7 Update Service: C:\Program\Grisoft\AVG7\avgupsvc.exe (autostart)
AVG7 Clean Driver: \SystemRoot\System32\Drivers\avgclean.sys (system)
AVG E-mail Scanner: C:\Program\Grisoft\AVG7\avgemc.exe (autostart)
AVG Firewall: C:\Program\Grisoft\AVG7\avgfwsrv.exe /srvfsys (autostart)
AVG Network Redirector: \SystemRoot\System32\Drivers\avgtdi.sys (autostart)
Drivrutin för ASUS 802.11 nätverksadapter: system32\DRIVERS\bcmwl5.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Avkodare för dold textning: system32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM-drivrutin: system32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
Microsoft AC Adapter Driver: system32\DRIVERS\CmBatt.sys (manual start)
COM+ Messages: "C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0001291 (disabled)
Microsoft Composite Battery Driver: system32\DRIVERS\compbatt.sys (system)
COM+ System Application: C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Diskdrivrutin: system32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
dtscsi: \SystemRoot\System32\Drivers\dtscsi.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\system32\svchost.exe -k netsvcs (manual start)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
FltMgr: system32\DRIVERS\fltMgr.sys (system)
Volume Manager Driver: system32\DRIVERS\ftdisk.sys (system)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: system32\DRIVERS\msgpc.sys (manual start)
Google Updater Service: "C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe" (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID-klassdrivrutin: system32\DRIVERS\hidusb.sys (manual start)
HSFHWSIS: system32\DRIVERS\HSFHWSIS.sys (manual start)
HSF_DPV: system32\DRIVERS\HSF_DPV.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: system32\DRIVERS\i8042prt.sys (system)
CD-Burning Filter Driver: system32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\system32\imapi.exe (manual start)
IPv6 Windows Firewall Driver: system32\DRIVERS\Ip6Fw.sys (manual start)
IP Traffic Filter Driver: system32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: system32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: system32\DRIVERS\ipnat.sys (manual start)
iPod Service: "C:\Program\iPod\bin\iPodService.exe" (manual start)
IPSEC driver: system32\DRIVERS\ipsec.sys (system)
IrDA Protocol: system32\DRIVERS\irda.sys (autostart)
Tjänst för IR-uppräkning: system32\DRIVERS\irenum.sys (manual start)
Infrared Monitor: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microsoft Serial Infrared Driver: system32\DRIVERS\irsir.sys (manual start)
PnP ISA/EISA Bus Driver: system32\DRIVERS\isapnp.sys (system)
Tangentbordsklassdrivrutin: system32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel-wave-ljudMixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
AEGIS Protocol (IEEE 802.1x) v2.3.1.9: system32\DRIVERS\mdc8021x.sys (autostart)
mdmxsdk: system32\DRIVERS\mdmxsdk.sys (autostart)
Messenger: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\system32\mnmsrvc.exe (manual start)
Musklassdrivrutin: system32\DRIVERS\mouclass.sys (system)
HID-drivrutin för mus: system32\DRIVERS\mouhid.sys (manual start)
Klientomdirigerare för WebDav: system32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: system32\DRIVERS\mrxsmb.sys (system)
Microsoft authenticate service: C:\WINDOWS\system32\msasvc.exe (autostart)
Distributed Transaction Coordinator: C:\WINDOWS\system32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\system32\msiexec.exe /V (manual start)
Tjänstproxy för Microsoft-direktuppspelning: system32\drivers\MSKSSRV.sys (manual start)
Klockproxy för Microsoft-direktuppspelning: system32\drivers\MSPCLOCK.sys (manual start)
Kvalitetshanteringsproxy för Microsoft-direktuppspelning: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: system32\DRIVERS\mssmbios.sys (manual start)
MSSQLServerADHelper: C:\Program\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (manual start)
Tee/Sink-to-Sink-konverterare för Microsoft-direktuppspelning: system32\drivers\MSTEE.sys (manual start)
ATK0100 ACPI UTILITY: system32\DRIVERS\ATKACPI.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video-anslutning: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: system32\DRIVERS\ndistapi.sys (manual start)
NDIS-protokoll för I/O i användarläge: system32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: system32\DRIVERS\ndiswan.sys (manual start)
NetBIOS-gränssnitt: system32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: system32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\system32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: system32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Network Monitor Driver: system32\DRIVERS\NMnt.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\system32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: system32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: system32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: system32\DRIVERS\nwlnkfwd.sys (manual start)
OHCI-kompatibel IEEE 1394-värdstyrenhet: system32\DRIVERS\ohci1394.sys (system)
Office Source Engine: "C:\Program\Delade filer\Microsoft Shared\Source Engine\OSE.EXE" (manual start)
Drivrutin för parallellport: system32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: system32\DRIVERS\pci.sys (system)
PCIIde: system32\DRIVERS\pciide.sys (system)
Pcmcia: system32\DRIVERS\pcmcia.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\system32\lsass.exe (autostart)
WAN Miniport (PPTP): system32\DRIVERS\raspptp.sys (manual start)
Processordrivrutin: system32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
QoS Packet Scheduler: system32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: system32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: system32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
WAN Miniport (IrDA): system32\DRIVERS\rasirda.sys (manual start)
WAN Miniport (L2TP): system32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: system32\DRIVERS\raspppoe.sys (manual start)
Direkt parallell: system32\DRIVERS\raspti.sys (manual start)
Rdbss: system32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Filterdrivrutin för uppspelning av digitalt CD-ljud: system32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\system32\svchost.exe -k netsvcs (disabled)
rimsptsk: system32\DRIVERS\rimsptsk.sys (system)
risdptsk: system32\DRIVERS\risdptsk.sys (system)
Remote Procedure Call (RPC) Locator: %SystemRoot%\system32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\system32\rsvp.exe (manual start)
Realtek 10/100/1000 NIC Family all in one NDIS XP Driver: system32\DRIVERS\Rtlnicxp.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: system32\DRIVERS\secdrv.sys (manual start)
Secondary Logon Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
sptd: System32\Drivers\sptd.sys (system)
Drivrutin för filter för Systemåterställning: system32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Srv: system32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
WIA (Windows Image Acquisition): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: system32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\system32\dllhost.exe /Processid:{2D8BBEA0-7E17-4A45-AA2B-1DA933C79D68} (manual start)
USB2.0 1.3M Web Cam: System32\Drivers\SynMini.sys (manual start)
USB2.0 1.3M Web Cam Still Image: System32\Drivers\SynScan.sys (manual start)
Synaptics TouchPad Driver: system32\DRIVERS\SynTP.sys (manual start)
Microsoft Kernelsystemljudenhet: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: system32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: system32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Microcode Update Driver: system32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\system32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: system32\DRIVERS\usbehci.sys (manual start)
USB2-aktiverat nav: system32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: system32\DRIVERS\usbohci.sys (manual start)
Drivrutin för USB-masslagringsenheter: system32\DRIVERS\USBSTOR.SYS (manual start)
Läsartjänsten USN Journal för mappdelning i Messenger: "C:\Program\MSN Messenger\usnsvc.exe" (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: system32\DRIVERS\wanarp.sys (manual start)
Drivrutin för Microsoft WINMM WDM-ljudkompatibilitet: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
winachsf: system32\DRIVERS\HSF_CNXT.sys (manual start)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\system32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Teletext-codec för världsstandard: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatiska uppdateringar: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 34 654 bytes
Report generated in 0,110 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


--
Thanx for help :D

#9 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:12:17 AM

Posted 01 August 2007 - 04:52 AM

Hi,

Startuplist looks good except for that one service we are having a little trouble with.

TRy this again please:

Click start> run> type cmd and hit enter.
Type:

sc delete "COM+ Messages" and hit enter.

Be sure to include the quotes. ( " " )

Should get success messege.

If not....

Download Bobbi Flekman's RegSearch from
http://www.xs4all.nl/~fstaal01/downloads/regsearch.zip

Create a folder for RegSearch on the C: drive called C:\RegSearch. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it RegSearch. Extract all the files from the zip archive into that folder.

Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program.
Copy / Paste the following line into the Search Box:

COM+ Messages

then hit Ok

After completion Notepad will be opened with all the found instances of the string. The resulting file is saved in the same location as RegSearch.exe.

Post contents of RegSearch.txt please.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image

#10 masson

masson
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:06:17 AM

Posted 01 August 2007 - 06:36 AM

This time it said DeleteService SUCCESS :D

Great job Blender!

#11 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:12:17 AM

Posted 02 August 2007 - 07:16 AM

Great!

I'd feel better having an online scan done.

Using Internet Explorer please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save report button.
  • Call it Kaspersky.txt
  • Expand the arrow beside "file types" and save as .txt file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

*Note2
If you have Internet Explorer 7 installed:
If you have trouble getting past the initial download you may need to use the "zoom" tool at bottom right of the scanner window and increase it to 125% to see and press the "accept" button.
Page will reload and you should be able to carry on scan.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image

#12 masson

masson
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:06:17 AM

Posted 02 August 2007 - 02:50 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, August 02, 2007 9:46:56 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 2/08/2007
Kaspersky Anti-Virus database records: 371240
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 81125
Number of viruses found: 8
Number of infected objects: 47 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:37:16

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\drivers\sptd3517.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\photos.zip/webcam_photos-2007-06.scr Infected: Backdoor.Win32.IRCBot.aaq skipped
C:\WINDOWS\photos.zip ZIP: infected - 1 skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\AvgFwLog.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\AvgFwLog.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Thomas Masson\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Thomas Masson\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Thomas Masson\Lokala inställningar\Temp\~DF8411.tmp Object is locked skipped
C:\Documents and Settings\Thomas Masson\Lokala inställningar\Temp\~DF8418.tmp Object is locked skipped
C:\Documents and Settings\Thomas Masson\Lokala inställningar\Temp\~DFABA6.tmp Object is locked skipped
C:\Documents and Settings\Thomas Masson\Lokala inställningar\Temp\~DFABAD.tmp Object is locked skipped
C:\Documents and Settings\Thomas Masson\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Thomas Masson\Lokala inställningar\Tidigare\History.IE5\MSHist012007080220070803\index.dat Object is locked skipped
C:\Documents and Settings\Thomas Masson\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Thomas Masson\Lokala inställningar\Temporary Internet Files\Content.IE5\BC823WHK\mail[2] Object is locked skipped
C:\Documents and Settings\Thomas Masson\Lokala inställningar\Temporary Internet Files\Content.IE5\BC823WHK\test[1].htm Object is locked skipped
C:\Documents and Settings\Thomas Masson\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Thomas Masson\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Thomas Masson\Lokala inställningar\Application Data\Microsoft\Windows Live Contacts\masson.thomas@gmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Thomas Masson\Lokala inställningar\Application Data\Microsoft\Windows Live Contacts\masson.thomas@gmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Thomas Masson\Lokala inställningar\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Thomas Masson\Cookies\index.dat Object is locked skipped
C:\Program\WinZix\WinZixManager.dll Infected: not-a-virus:FraudTool.Win32.WinZix.a skipped
C:\Program\DAEMON Tools\SetupDTSB.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP181\A0020522.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ca skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP185\A0031717.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP185\A0031717.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP185\A0031717.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP186\A0036767.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP189\A0050930.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP189\A0050935.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP189\A0050935.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP189\A0050935.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP189\A0051031.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ca skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP189\A0051037.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP190\A0051930.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP190\A0051935.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP190\A0051935.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP190\A0051935.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP190\A0052031.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ca skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP190\A0052037.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP191\A0052198.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP191\A0052203.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP191\A0052203.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP191\A0052203.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP191\A0052299.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ca skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP191\A0052305.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP201\change.log Object is locked skipped
D:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP185\A0033732.exe Object is locked skipped
D:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP185\A0033733.exe Object is locked skipped
D:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP185\A0033734.exe Object is locked skipped
D:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP192\A0054379.exe Object is locked skipped
D:\System Volume Information\_restore{C1A7D5AD-6A0F-49E0-B88B-0F385E2E0B42}\RP201\change.log Object is locked skipped
D:\Starcraft\StarEdit.exe Infected: Email-Worm.Win32.Mixor.a skipped
D:\AOE2WEXP\patch\age2upa.exe Object is locked skipped
D:\AOE2WEXP\patch\Age2XPatch.exe Object is locked skipped
D:\Till Ny dator\WinRAR 3.70 + Crack\WinRAR Patch.exe/data.rar/winrarcrack.exe Infected: Trojan-Downloader.Win32.Adload.jm skipped
D:\Till Ny dator\WinRAR 3.70 + Crack\WinRAR Patch.exe/data.rar Infected: Trojan-Downloader.Win32.Adload.jm skipped
D:\Till Ny dator\WinRAR 3.70 + Crack\WinRAR Patch.exe RarSFX: infected - 2 skipped
D:\Till Ny dator\Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage).zip/SETUP.EXE Infected: Constructor.Win32.MicroJoiner.17 skipped
D:\Till Ny dator\Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage).zip ZIP: infected - 1 skipped
D:\Till Ny dator\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\Till Ny dator\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\Till Ny dator\SmitfraudFix.exe RarSFX: infected - 2 skipped
D:\Till Ny dator\SmitfraudFix.exe PE_Patch.UPX: infected - 2 skipped
D:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\SmitfraudFix.exe RarSFX: infected - 2 skipped
G:\Gamla datorn\WinRAR 3.70 + Crack\WinRAR Patch.exe/data.rar/winrarcrack.exe Infected: Trojan-Downloader.Win32.Adload.jm skipped
G:\Gamla datorn\WinRAR 3.70 + Crack\WinRAR Patch.exe/data.rar Infected: Trojan-Downloader.Win32.Adload.jm skipped
G:\Gamla datorn\WinRAR 3.70 + Crack\WinRAR Patch.exe RarSFX: infected - 2 skipped
G:\Gamla datorn\Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage).zip/SETUP.EXE Infected: Constructor.Win32.MicroJoiner.17 skipped
G:\Gamla datorn\Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage).zip ZIP: infected - 1 skipped
G:\Gamla datorn\Från fettodatorn\Torrent\Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage).zip/SETUP.EXE Infected: Constructor.Win32.MicroJoiner.17 skipped
G:\Gamla datorn\Från fettodatorn\Torrent\Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage).zip ZIP: infected - 1 skipped

Scan process completed.





That was alot of junk! What do you suggest i do?

#13 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:12:17 AM

Posted 03 August 2007 - 07:38 AM

Hi,

Fair bit of junk for sure.
Don't worry about the junk in system restore.
We'll get that stuff last when we are satisfied all is OK.

Just to point out..
I don't know for sure if you fileshare or not.
Some worms create these filenames to make it "look enticing" for the unsuspecting downloader.

It is not recommended to use p2p programs for file sharing.
file sharing is a dangerous practice because you don't know who you are downloading from. Therefore the files are untrusted.
Lots of people think its funny to upload malware infected stuff.
Also alot of people who get infected spread the malware without even realizing it.

--------------------------------------------

Locate and delete"

C:\WINDOWS\photos.zip
C:\Program\DAEMON Tools\SetupDTSB.exe
D:\Starcraft\StarEdit.exe
D:\Till Ny dator\WinRAR 3.70 + Crack\WinRAR Patch.exe
D:\Till Ny dator\Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage).zip
D:\Till Ny dator\SmitfraudFix.exe
D:\SmitfraudFix.exe
G:\Gamla datorn\WinRAR 3.70 + Crack\WinRAR Patch.exe
G:\Gamla datorn\Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage).zip
G:\Gamla datorn\Från fettodatorn\Torrent\Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage).zip

Go to add/Remove Programs and Uninstall CiD Help if listed.

Reboot when done.

D:\AOE2WEXP\patch\age2upa.exe Object is locked skipped
D:\AOE2WEXP\patch\Age2XPatch.exe Object is locked skipped

Those 2 files couldn't be scanned cus they are in use by the system. What exactly are they? You know?
Got them from a reputable site?
They look like a patch for AgeOfEmpires but I dunno if in this case "patch" means hotfix or crack/cheat.

See if you can scan both those files here please:

http://virusscan.jotti.org/

http://www.virustotal.com/

Make sure AOE is not running.

-----------------------------------------

Download SDFix and save it to your Desktop.

In the event you already have SDFix, please delete it as this is a new version I need you to download.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image

#14 masson

masson
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:06:17 AM

Posted 03 August 2007 - 10:41 AM

Hi again.
The folowing files are deleted:

C:\WINDOWS\photos.zip
C:\Program\DAEMON Tools\SetupDTSB.exe
D:\Starcraft\StarEdit.exe
D:\Till Ny dator\WinRAR 3.70 + Crack\WinRAR Patch.exe
D:\Till Ny dator\Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage).zip
D:\Till Ny dator\SmitfraudFix.exe
D:\SmitfraudFix.exe
G:\Gamla datorn\WinRAR 3.70 + Crack\WinRAR Patch.exe
G:\Gamla datorn\Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage).zip
G:\Gamla datorn\Från fettodatorn\Torrent\Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage).zip


I did not find CiD Help in the list.


The 2 following files are Game files to the game Age of empires 2 expansion pack.

D:\AOE2WEXP\patch\age2upa.exe
D:\AOE2WEXP\patch\Age2XPatch.exe

When trying to upload them i get the following messages:
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
0 bytes size received / Se ha recibido un archivo vacio

and similar.... I dont mind deleting them if that works out fine.


Now i will reeboot the comp and install SD Fix.

#15 masson

masson
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:06:17 AM

Posted 03 August 2007 - 11:24 AM

And here is the SD Fix logg:


SDFix: Version 1.95

Run by Thomas Masson on 2007-08-03 at 18:15

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
MsaSvc

ImagePath:
C:\WINDOWS\system32\msasvc.exe

MsaSvc - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\141113~1 - Deleted
C:\Program\Ipwindows\Uninst.exe - Deleted
C:\Program\Ipwindows\pop9.tmp - Deleted
C:\Program\Ipwindows\pop2.tmp - Deleted
C:\WINDOWS\system32\unsvchosts.lzma - Deleted


Folder C:\Program\Ipwindows - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------


Rootkit huy32 Found, Use a Rootkit scanner !

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program\\DC++\\DCPlusPlus.exe"="C:\\Program\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\Program\\uTorrent\\utorrent.exe"="C:\\Program\\uTorrent\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Program\\MSN Messenger\\msncall.exe"="C:\\Program\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program\\iTunes\\iTunes.exe"="C:\\Program\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"="C:\\Program\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD:*:Enabled:Age of Empires II"
"C:\\WINDOWS\\System32\\dplaysvr.exe"="C:\\WINDOWS\\System32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"D:\\SPEL\\Warcraft III\\Warcraft III.exe"="D:\\SPEL\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program\\MSN Messenger\\msnmsgr.exe"="C:\\Program\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program\\MSN Messenger\\livecall.exe"="C:\\Program\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program\\Grisoft\\AVG7\\avginet.exe"="C:\\Program\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program\\MSN Messenger\\msncall.exe"="C:\\Program\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program\\MSN Messenger\\msnmsgr.exe"="C:\\Program\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program\\MSN Messenger\\livecall.exe"="C:\\Program\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\WINDOWS\SoftwareDistribution\Download\93a233c2dff315e0408559775486f5b2\BIT5.tmp

Finished









The HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 18:24:04, on 2007-08-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Grisoft\AVG7\avgamsvr.exe
C:\Program\Grisoft\AVG7\avgupsvc.exe
C:\Program\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\ASUS\ASUS Live Update\ALU.exe
C:\Program\Wireless Console 2\wcourier.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\system32\iid.exe
C:\Program\DAEMON Tools\daemon.exe
C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program\iPod\bin\iPodService.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
D:\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Power_Gear] C:\Program\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] c:\Program\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program\ieSpell\iespell.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5BF56AD2-E297-416E-BC49-00B304040507} - https://cve.trust.telia.com/testa/iidsetup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1185812663125
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.7sultans.com/7sultans/FlashAX.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



Well im havin a hart time reading it but it seems there are some more hazardus files?

Best regards
--
Thomas Masson




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users