Trojan..can't Install Anti-virus Programs


2 replies to this topic

#1 czebuth

Posted 08 September 2007 - 10:41 AM

On Friday I somehow managed to get infected by a trojan/worm. Since I always have McAfee running I'm not sure how it got in. After doing a scan with McAfee it said I had the Win32Bagle.JM worm. It removed the infected files and then McAfee shut down and is gone. I tried reinstalling it but the exe files would always disappear. I have tried numerous free online scanners; all say that there is no virus, trojans or spybots on the PC. But I know something has to be there somewhere, since I am still unable to install the anti-virus programs. Attached are the HijackThis log and a log from one of the online scanners (can't recall which one as I have tried too many in the past day). I really don't want to have to reformat and start over as I just did that recently. System Restore is turned off. When I was trying to reinstall McAfee I kept getting a Just-in-time debugging window pop up that I would have to click several times before it would go away. Also I was getting a Windows File Protection window pop up a few times saying that I needed to put in the XP disc to fix the missing files.


PC specs:
XP Pro SP2
CPU: Celeron 3.20 GHz
1.93 GB RAM


HIJACK THIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:27 AM, on 9/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\a-squared Anti-Dialer\a2adguard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ITE\ITE IT8212 ATA RAID Controller\RaidMgr.exe
C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\CZ\Desktop\hijack this\killer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf 2007 Platinum\SCActiveBlock.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GhostSurf Reminder] "C:\Program Files\GhostSurf 2007 Platinum\Privacy Control Center.exe" reminder
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [a-squared Anti-Dialer] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe" /d=60
O4 - HKCU\..\Run: [EPSON Stylus Photo R260 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE /FU "C:\WINDOWS\TEMP\E_S2C7.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe
O4 - Global Startup: RAID Manager.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: SnipeIt! eSnipe - http://www.esnipe.com/SnipeIt/SnipeItOpen3.asp
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScannerV2.ocx
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...indows-i586.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6498 bytes



AVAST FREE SCANNER LOG:

9/8/2007, 12:39:22 AM
Memory scanning started...
No virus body found in memory.
Memory scanning finished (4.4s).
----------
Files scanning started...
C:\WINDOWS\SoftwareDistribution\EventCache\{DDDB7B14-9E94-4043-B383-57BBEAABE56A}.bin... file could not be scanned!
C:\WINDOWS\system32\chkdsk.exe... file could not be scanned!
C:\WINDOWS\system32\ntoskrnl.exe... file could not be scanned!
C:\WINDOWS\system32\CatRoot2\edb.log... file could not be scanned!
C:\WINDOWS\system32\CatRoot2\tmp.edb... file could not be scanned!
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb... file could not be scanned!
C:\WINDOWS\system32\dllcache\chkdsk.exe... file could not be scanned!
C:\WINDOWS\system32\dllcache\ntoskrnl.exe... file could not be scanned!
No virus body found.
Files scanning finished (67516 files, 0 infected, 728.8s).
Drives scanned: C: D: G: I: J:
----------


ROOT CHECK LOG:

********************************* ROOTCHK-(22-08-07)-LOG, by ejvindh
Sat 09/08/2007 1:22:55.06

Driver srosa (visible) is present. A rootkit scan is recommended.

********************************* ROOTCHK-LOG-end


catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-08 01:22:55
Windows 5.1.2600 Service Pack 2
detected NTDLL code modification:
ZwQuerySystemInformation
scanning hidden processes ...

detected NTDLL code modification:
ZwQuerySystemInformation
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\WINDOWS\system32\drivers\srosa.sys"
"DisplayName"="Megadrv3"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SROSA]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\srosa]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"=str(2):"\??\C:\WINDOWS\system32\drivers\srosa.sys"
"DisplayName"="Megadrv3"

detected NTDLL code modification:
ZwQuerySystemInformation
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\TempPackages]
"C:\WINDOWS\Installer\{F8BB72FB-615E-4CF6-963D-B37550D4639E}\NewShortcut4_F8BB72FB615E4CF6963DB37550D4639E.exe"=dword:00000001
"C:\WINDOWS\Installer\fe8aefa.msi"=dword:00000000
"C:\WINDOWS\Installer\{8D4942F1-D5EB-40A7-9D7B-07F8ED1B71E9}\_AD2B46E4_15C3_419F_A9BE_43745C271471"=dword:00000001
"C:\WINDOWS\Installer\{8D4942F1-D5EB-40A7-9D7B-07F8ED1B71E9}\NewShortcut1_02EC20FD1D074CA3AB9B9EEED76503F0.exe"=dword:00000001
"C:\WINDOWS\Installer\{8D4942F1-D5EB-40A7-9D7B-07F8ED1B71E9}\NewShortcut5_02EC20FD1D074CA3AB9B9EEED76503F0.exe"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\UserChosenExecuteHandlers]
"H:\\?\IDE#CdRomHL-DT-ST_DVDRAM_GSA-H10L________________LL11____#314b453238353031353120392020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+PlayVideoFilesOnArrival"="IviVideoCDHandler"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\UserDefaults]
"H:\\?\IDE#CdRomHL-DT-ST_DVDRAM_GSA-H10L________________LL11____#314b453238353031353120392020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+PlayDVDMovieOnArrival"="MSPromptEachTime"
"H:\\?\IDE#CdRomLITE-ON_DVD_SOHD-16P9S__________________FS0J____#5&32ce90b9&0&0.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+PlayVideoFilesOnArrival"="MSPromptEachTime"
"H:\\?\IDE#CdRomHL-DT-ST_DVDRAM_GSA-H10L________________LL11____#314b453238353031353120392020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+PlayVideoFilesOnArrival"="MSPromptEachTime"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"drvsyskit"="C:\WINDOWS\system32\drivers\hidr.exe"
"mule_st_key"="C:\Documents and Settings\CZ\Application Data\m\flec006.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\DOCUME~1\CZ\LOCALS~1\Temp\is-BPBVO.tmp\is-ML0RO.tmp"="Setup/Uninstall"
"C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe"="MailWasher Pro"
"@explorer.exe,-7024"="Internet"
"@explorer.exe,-7025"="E-mail"
"@C:\WINDOWS\system32\SHELL32.dll,-9319"="Printers and Faxes"
"@C:\WINDOWS\system32\SHELL32.dll,-9217"="My Network Places"
"@C:\WINDOWS\system32\SHELL32.dll,-8964"="Recycle Bin"
"@xpsp1res.dll,-11004"="Outlook Express"
"@C:\WINDOWS\system32\rcbdyctl.dll,-152"="Remote Assistance"
"@shell32.dll,-22017"="Address Book"
"@shell32.dll,-22022"="Command Prompt"
"@shell32.dll,-22051"="Notepad"
"@C:\WINDOWS\system32\tourstart.exe,-1"="Tour Windows XP"
"@shell32.dll,-22041"="Magnifier"
"@shell32.dll,-22048"="Narrator"
"@shell32.dll,-22052"="On-Screen Keyboard"
"@shell32.dll,-22065"="Utility Manager"
"@C:\WINDOWS\system32\xpsp1res.dll,-10077"="Set Program Access and Defaults"
"@C:\PROGRA~1\MOVIEM~1\wmm2res.dll,-61446"="Windows Movie Maker"
"@shell32.dll,-22019"="Calculator"
"@shell32.dll,-22054"="Paint"
"@C:\WINDOWS\system32\sti_ci.dll,-11"="Scanner and Camera Wizard"
"@shell32.dll,-22069"="WordPad"
"@shell32.dll,-22016"="Accessibility Wizard"
"@shell32.dll,-22031"="HyperTerminal"
"@C:\WINDOWS\system32\mstsc.exe,-4000"="Remote Desktop Connection"
"@shell32.dll,-22061"="Sound Recorder"
"@shell32.dll,-22018"="Backup"
"@shell32.dll,-22021"="Character Map"
"@shell32.dll,-22026"="Disk Cleanup"
"@shell32.dll,-22027"="Disk Defragmenter"
"@C:\WINDOWS\system32\usmt\migwiz.exe,-202"="Files and Settings Transfer Wizard"
"@shell32.dll,-22063"="System Information"
"@C:\WINDOWS\system32\restore\rstrui.exe,-2048"="System Restore"
"@C:\WINDOWS\system32\comres.dll,-661"="Component Services"
"@shell32.dll,-22023"="Computer Management"
"@shell32.dll,-22025"="Data Sources (ODBC)"
"@shell32.dll,-22029"="Event Viewer"
"@shell32.dll,-22040"="Local Security Policy"
"@shell32.dll,-22055"="Performance"
"@shell32.dll,-22059"="Services"
"@shell32.dll,-21762"="Administrative Tools"
"@shell32.dll,-21761"="Accessories"
"@shell32.dll,-21787"="Startup"
"@C:\WINDOWS\system32\SHELL32.dll,-9227"="My Documents"
"@shell32.dll,-21779"="My Pictures"
"@shell32.dll,-21790"="My Music"
"@shell32.dll,-21772"="Entertainment"
"@shell32.dll,-21760"="Accessibility"
"@shell32.dll,-22062"="Synchronize"
"@C:\WINDOWS\system32\compatUI.dll,-115"="Program Compatibility Wizard"
"@shell32.dll,-22067"="Windows Explorer"
"@xpsp1res.dll,-10077"="Set Program Access and Defaults"
"@C:\WINDOWS\system32\SHELL32.dll,-22982"="Administrative Tools"
"@explorer.exe,-7021"="&Help and Support"
"@explorer.exe,-7020"="&Search"
"@explorer.exe,-7023"="&Run..."
"@shell32.dll,-22075"="Windows Catalog"
"@shell32.dll,-21773"="Games"
"@shell32.dll,-21768"="Communications"
"@shell32.dll,-21788"="System Tools"
"@C:\WINDOWS\system32\hnetwiz.dll,-3085"="Network Setup Wizard"
"@C:\WINDOWS\System32\xpsp2res.dll,-16201"="Wireless Network Setup Wizard"
"@C:\WINDOWS\system32\netshell.dll,-1010"="New Connection Wizard"
"@shell32.dll,-22066"="Volume Control"
"@shell32.dll,-22058"="Scheduled Tasks"
"@C:\WINDOWS\System32\xpsp2res.dll,-6103"="Security Center"
"@C:\WINDOWS\system32\mshearts.exe,-413"="Hearts"
"@shell32.dll,-22030"="FreeCell"
"@C:\PROGRA~1\MSNGAM~1\Windows\hrtzres.dll,-1212"="Internet Hearts"
"@C:\PROGRA~1\MSNGAM~1\Windows\chkrres.dll,-1212"="Internet Checkers"
"@C:\PROGRA~1\MSNGAM~1\Windows\bckgres.dll,-1212"="Internet Backgammon"
"@shell32.dll,-22045"="Minesweeper"
"@C:\PROGRA~1\MSNGAM~1\Windows\shvlres.dll,-1212"="Internet Spades"
"@C:\PROGRA~1\MSNGAM~1\Windows\rvseres.dll,-1212"="Internet Reversi"
"@C:\WINDOWS\system32\spider.exe,-56"="Spider Solitaire"
"@shell32.dll,-22060"="Solitaire"
"@shell32.dll,-22057"="Pinball"
"@C:\WINDOWS\system32\SHELL32.dll,-8503"="S&earch..."
"@C:\WINDOWS\system32\mycomput.dll,-400"="Mana&ge"
"@shell32.dll,-31232"="System Tasks"
"@shell32.dll,-31294"="View system information"
"@shell32.dll,-31327"="Add or remove programs"
"@shell32.dll,-31312"="Change a setting"
"@shell32.dll,-31272"="Other Places"
"@shell32.dll,-21785"="Shared Documents"
"@shell32.dll,-31274"="Details"
"C:\WINDOWS\Explorer.EXE"="Windows Explorer"
"@C:\WINDOWS\system32\SHELL32.dll,-22913"="Shows the disk drives and hardware connected to this computer."
"@C:\Program Files\Common Files\Ahead\lib\MediaLibraryNSE.dll,-11111"="Nero Scout"
"@shell32.dll,-31291"="These tasks apply to your computer or the selected hardware device."
"@shell32.dll,-31295"="Shows information about your computer, such as the processor speed and the amount of installed memory."
"@shell32.dll,-31328"="Provides the steps necessary to add a new program, or to change or remove an existing program."
"@shell32.dll,-31273"="These links open other folders and take you quickly to useful places."
"@C:\WINDOWS\system32\notepad.exe,-469"="Text Document"
"@shell32.dll,-31317"="System Tasks"
"@shell32.dll,-31321"="Hide the contents of this drive"
"@shell32.dll,-31292"="Search for files or folders"
"@shell32.dll,-31233"="File and Folder Tasks"
"@shell32.dll,-31236"="Make a new folder"
"@shell32.dll,-31260"="Publish this folder to the Web"
"@shell32.dll,-31374"="Share this folder"
"@shell32.dll,-31256"="Move this folder"
"@shell32.dll,-31258"="Copy this folder"
"@shell32.dll,-31380"="E-mail this folder's files"
"@shell32.dll,-31262"="Delete this folder"
"@shell32.dll,-31325"="Hide the contents of this folder"
"@shell32.dll,-31254"="Rename this folder"
"@shell32.dll,-31242"="Rename this file"
"@shell32.dll,-31244"="Move this file"
"@shell32.dll,-31246"="Copy this file"
"@shell32.dll,-31248"="Publish this file to the Web"
"@shell32.dll,-31370"="E-mail this file"
"@shell32.dll,-31252"="Delete this file"
"C:\Program Files\Spybot - Search & Destroy\SDMain.exe"="Spybot-S&D Security Center launcher"
"C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe"="Spybot-S&D Security Center integration"
"@C:\WINDOWS\ime\sptip.dll,-600"="Speech Recognition"
"c:\program files\internet explorer\iexplore.exe"="Internet Explorer"
"C:\DOCUME~1\CZ\LOCALS~1\Temp\ICD1.tmp\jinstall.exe"="Java™ 2 Platform Standard Edition binary"
"C:\WINDOWS\system32\msiexec.exe"="Windows\xae installer"
"C:\Documents and Settings\CZ\Local Settings\Temporary Internet Files\Content.IE5\RVQXI3CI\spyaudit1_9731311[1].exe"="spyaudit1_9731311[1]"
"C:\WINDOWS\Downloaded Program Files\xclean_micro.exe"="X-Cleaner"
"C:\Documents and Settings\CZ\Local Settings\Temporary Internet Files\Content.IE5\YPJ61S22\xclean_micro[1].exe"="X-Cleaner"
"@shell32.dll,-31253"="Moves the selected items to the Recycle Bin. If you want to recover them later, go to the Recycle Bin."
"@shell32.dll,-31318"="These tasks apply to your computer and to this protected folder."
"@shell32.dll,-31322"="Hides the files and folders stored on this drive to protect them from being changed or deleted."
"@C:\Program Files\NetMeeting\conf.exe,-12345"="H.323 Internet Telephony"
"@C:\WINDOWS\system32\accwiz.exe,-16"="Accessibility Wizard settings"
"@C:\WINDOWS\inf\unregmp2.exe,-9903"="AIFF Format Sound"
"@C:\WINDOWS\inf\unregmp2.exe,-9909"="Windows Media Audio/Video file"
"@C:\WINDOWS\inf\unregmp2.exe,-9910"="Windows Media Audio/Video playlist"
"@C:\WINDOWS\inf\unregmp2.exe,-9904"="AU Format Sound"
"@C:\WINDOWS\inf\unregmp2.exe,-9905"="Video Clip"
"@C:\WINDOWS\system32\SHELL32.dll,-22978"="Briefcase"
"@C:\WINDOWS\System32\ntbackup.exe,-40"="Windows Backup File"
"@C:\WINDOWS\System32\pdh.dll,-10023"="Performance Monitor File"
"@C:\WINDOWS\System32\cryptext.dll,-6145"="Security Catalog"
"@C:\WINDOWS\inf\unregmp2.exe,-9918"="CD Audio Track"
"@C:\WINDOWS\System32\cryptext.dll,-6108"="Security Certificate"
"@C:\Program Files\NetMeeting\conf.exe,-12346"="SpeedDial"
"@C:\WINDOWS\System32\cryptext.dll,-6110"="Certificate Revocation List"
"@C:\WINDOWS\system32\netshell.dll,-1300"="Dialup Networking File"
"@C:\WINDOWS\inf\unregmp2.exe,-9927"="Microsoft Recorded TV Show"
"@C:\WINDOWS\system32\shimgvw.dll,-301"="EMF Image"
"@C:\Program Files\NetMeeting\conf.exe,-12347"="Intel IPhone Compatible"
"@C:\WINDOWS\System32\setupapi.dll,-2000"="Setup Information"
"@C:\Program Files\Internet Explorer\Connection Wizard\icwres.dll,-20003"="Internet Communication Settings"
"@C:\WINDOWS\System32\wshext.dll,-4804"="JScript Script File"
"@C:\WINDOWS\System32\wshext.dll,-4805"="JScript Encoded Script File"
"@C:\WINDOWS\inf\unregmp2.exe,-9902"="Movie Clip"
"@C:\WINDOWS\inf\unregmp2.exe,-9926"="M3U file"
"@C:\WINDOWS\inf\unregmp2.exe,-9907"="MIDI Sequence"
"@C:\WINDOWS\inf\unregmp2.exe,-9925"="MP3 Format Sound"
"@C:\WINDOWS\system32\mmcbase.dll,-130"="Microsoft Common Console Document"
"@C:\WINDOWS\System32\msi.dll,-34"="Windows Installer Package"
"@C:\WINDOWS\System32\msi.dll,-35"="Windows Installer Patch"
"@C:\WINDOWS\System32\RCBdyctl.dll,-150"="Microsoft Remote Assistance Incident"
"@C:\Program Files\Movie Maker\wmm2res.dll,-63097"="Windows Movie Maker Project"
"@C:\WINDOWS\PCHealth\HelpCtr\Binaries\msinfo.dll,-391"="MSInfo Document"
"@C:\Program Files\NetMeeting\nmwb.dll,-1234"="Microsoft NetMeeting T126 Compatible Whiteboard Document"
"@C:\WINDOWS\System32\cryptext.dll,-6111"="PKCS #7 Certificates"
"@C:\WINDOWS\System32\cryptext.dll,-6113"="PKCS #7 Signature"
"@C:\WINDOWS\System32\scrobj.dll,-8192"="Windows Script Component"
"@C:\WINDOWS\system32\shscrap.dll,-258"="Scrap object"
"@C:\WINDOWS\System32\cryptext.dll,-6112"="Microsoft Serialized Certificate Store"
"@C:\WINDOWS\System32\cryptext.dll,-6109"="Certificate Trust List"
"@C:\WINDOWS\System32\wshext.dll,-4803"="VBScript Encoded Script File"
"@C:\WINDOWS\System32\wshext.dll,-4802"="VBScript Script File"
"@C:\WINDOWS\inf\unregmp2.exe,-9908"="Wave Sound"
"@C:\WINDOWS\inf\unregmp2.exe,-9911"="Windows Media Audio shortcut"
"@C:\WINDOWS\inf\unregmp2.exe,-9912"="Windows Media Audio file"
"@C:\WINDOWS\inf\unregmp2.exe,-9920"="Windows Media Player Download Package"
"@C:\WINDOWS\system32\shimgvw.dll,-307"="WMF Image"
"@C:\WINDOWS\inf\unregmp2.exe,-9915"="Windows Media Player Skin File"
"@C:\WINDOWS\inf\unregmp2.exe,-9914"="Windows Media Audio/Video file"
"@C:\WINDOWS\inf\unregmp2.exe,-9916"="Windows Media Player Skin Package"
"@C:\WINDOWS\inf\unregmp2.exe,-9923"="Windows Media playlist"
"@"C:\Program Files\Windows NT\Accessories\WORDPAD.EXE",-208"="Write Document"
"@C:\WINDOWS\System32\wshext.dll,-4801"="Windows Script File"
"@C:\WINDOWS\System32\wshext.dll,-4800"="Windows Script Host Settings File"
"@C:\WINDOWS\inf\unregmp2.exe,-9913"="Windows Media Audio/Video playlist"
"@C:\WINDOWS\system32\msxml3r.dll,-1"="XML Document"
"@C:\WINDOWS\system32\msxml3r.dll,-2"="XSL Stylesheet"
"@shell32.dll,-12693"="Favorites"
"@shell32.dll,-21786"="Start Menu"
"@shell32.dll,-31235"="Folder Tasks"
"@shell32.dll,-31375"="Makes the selected folder available to computers on a network so that other people can view it."
"@shell32.dll,-31389"="These tasks apply to the items and folders you select."
"@C:\WINDOWS\system32\SHELL32.dll,-22914"="Contains letters, reports, and other documents and files."
"@shell32.dll,-31266"="Copy the selected items"
"@shell32.dll,-31270"="Delete the selected items"
"@shell32.dll,-31247"="Copies the selected items to a place you choose."
"@shell32.dll,-12710"="&Run"
"C:\WINDOWS\regedit.exe"="Registry Editor"
"C:\Documents and Settings\CZ\Local Settings\Temporary Internet Files\Content.IE5\YPJ61S22\a2AntiDialerSetup[1].exe"="a-squared Anti-Dialer Setup "
"C:\DOCUME~1\CZ\LOCALS~1\Temp\is-AOBAE.tmp\is-8GS1M.tmp"="Setup/Uninstall"
"C:\Program Files\a-squared Anti-Dialer\a2adwizard.exe"="a-squared Anti-Dialer Security Wizard"
"C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE"="Microsoft Office Outlook"
"C:\Program Files\a-squared Anti-Dialer\a2adguard.exe"="a-squared Anti-Dialer Guard"
"C:\Documents and Settings\CZ\Local Settings\Temporary Internet Files\Content.IE5\M2SJX31V\a2AntiMalwareSetup[1].exe"="a-squared Anti-Malware Setup "
"C:\DOCUME~1\CZ\LOCALS~1\Temp\is-TRRBB.tmp\is-ME0PU.tmp"="Setup/Uninstall"
"C:\Documents and Settings\CZ\Local Settings\Temporary Internet Files\Content.IE5\M2SJX31V\ANTIbagle[1].exe"="ANTIbagle[1]"
"C:\Documents and Settings\CZ\Local Settings\Temporary Internet Files\Content.IE5\EMH2GXPR\antiblast[1].exe"="antiblast[1]"
"C:\Documents and Settings\CZ\Local Settings\Temporary Internet Files\Content.IE5\YPJ61S22\antibadtrans[1].exe"="antibadtrans[1]"
"C:\Documents and Settings\CZ\Local Settings\Temporary Internet Files\Content.IE5\M2SJX31V\ANTINIMDA[1].exe"="Nimda virus remover"
"C:\Documents and Settings\CZ\Local Settings\Temporary Internet Files\Content.IE5\RVQXI3CI\antiscam[1].com"="antiscam[1]"
"C:\Documents and Settings\CZ\Local Settings\Temporary Internet Files\Content.IE5\M2SJX31V\avgas-setup-7.5.1.43[1].exe"="avgas-setup-7.5.1.43[1]"
"C:\WINDOWS\system32\taskmgr.exe"="Windows TaskManager"
"@C:\WINDOWS\system32\SHELL32.dll,-22912"="Shows shortcuts to Web sites, network computers, and FTP sites."
"C:\Documents and Settings\CZ\Desktop\hijack this\HijackThis.exe"="HijackThis"
"@C:\WINDOWS\system32\SHELL32.dll,-32517"="Taskbar and Start Menu"
"@C:\WINDOWS\system32\Audiodev.dll,-510"="Portable Media Devices"
"@C:\WINDOWS\system32\SHELL32.dll,-22985"="Folder Options"
"@C:\WINDOWS\system32\SHELL32.dll,-22981"="Fonts"
"@C:\WINDOWS\system32\mstask.dll,-3408"="Scheduled Tasks"
"@C:\WINDOWS\system32\wiashext.dll,-331"="Scanners and Cameras"
"C:\WINDOWS\system32\rundll32.exe"="Run a DLL as an App"
"@xpob2res.dll,-41519"="Windows Messenger"
"C:\Program Files\a-squared Anti-Malware\unins000.exe"="Setup/Uninstall"
"C:\DOCUME~1\CZ\LOCALS~1\Temp\_iu14D2N.tmp"="Setup/Uninstall"
"C:\WINDOWS\system32\OnlineScannerUninstaller.exe"="OnlineScannerUninstaller"
"C:\Program Files\eVoice Player 1.0\Uninstall.exe"="Uninstall"
"C:\Program Files\Spybot - Search & Destroy\unins000.exe"="Setup/Uninstall"
"C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe"="te"
"@shell32.dll,-31234"="These tasks apply to the files and folders you select."
"@shell32.dll,-31249"="Transfers copies of the selected items to a public Web page so that you can share them with other people."
"@shell32.dll,-31371"="Sends an e-mail message with copies of the selected files, or the files within a selected folder."
"@shell32.dll,-31250"="Print this file"
"@shell32.dll,-21765"="Application Data"
"@shell32.dll,-31326"="Hides the items stored in this folder to protect them from being changed or deleted."
"@C:\WINDOWS\system32\SHELL32.dll,-12695"="Contains files and folders shared between users of this computer."
"@shell32.dll,-31337"="Briefcase Tasks"
"@shell32.dll,-31339"="Update all items"
"@shell32.dll,-31340"="Update this item"
"C:\WINDOWS\system32\VTTimer.exe"="VTTimer"
"C:\WINDOWS\system32\VTtrayp.exe"="s3contrl (32-bit)"
"C:\Program Files\VIA\RAID\raid_tool.exe"="VIA RAID Tool"
"C:\WINDOWS\SOUNDMAN.EXE"="Realtek Sound Manager"
"C:\Program Files\Google\Gmail Notifier\gnotify.exe"="Gmail Notifier"
"C:\WINDOWS\system32\NeroCheck.exe"="NeroCheck"
"C:\Program Files\Logitech\iTouch\iTouch.exe"="iTouch Application"
"C:\WINDOWS\Logi_MwX.Exe"="Logitech Launcher Application"
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"="Adobe Acrobat SpeedLauncher"
"C:\Program Files\GhostSurf 2007 Platinum\Privacy Control Center.exe"="Privacy Control Center"
"C:\Program Files\Logitech\MouseWare\system\em_exec.exe"="Logitech Events Handler Application"
"C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe"="Acronis True Image Monitor"
"C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe"="Monitor for Acronis True Image Backup Archive Explorer"
"C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"="Acronis Scheduler Helper"
"C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"="Java™ 2 Platform Standard Edition binary"
"C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBNA.EXE"="EPSON Status Monitor 3"
"C:\WINDOWS\system32\ctfmon.exe"="CTF Loader"
"C:\Program Files\ITE\ITE IT8212 ATA RAID Controller\RaidMgr.exe"="RaidMgr"
"C:\Program Files\Common Files\Logitech\CdlsHand\CdlsHand.exe"="Handler for Logitech Cordless Devices"
"@shell32.dll,-31237"="Creates a new, empty folder in the folder you have open."
"C:\Program Files\TuneUp Utilities 2007\Integrator.exe"="TuneUp Utilities Start Center"
"C:\Program Files\TuneUp Utilities 2007\RegistryCleaner.exe"="TuneUp RegistryCleaner"
"@shell32.dll,-21782"="Programs"
"C:\Program Files\TuneUp Utilities 2007\DiskCleaner.exe"="TuneUp DiskCleaner"
"C:\Documents and Settings\CZ\Desktop\aswclnr.exe"="Virus/Worm Cleaner Application"
"C:\Documents and Settings\CZ\Desktop\aswclnr.tmp"="Virus/Worm Cleaner Application"
"C:\Documents and Settings\CZ\Desktop\ATF-Cleaner.exe"="ATF Cleaner.exe"
"C:\Documents and Settings\CZ\Desktop\rootchk.exe"="rootchk"
"C:\WINDOWS\system32\cmd.exe"="Windows Command Processor"

detected NTDLL code modification:
ZwQuerySystemInformation
scanning hidden files ...

hidden processes: 0
hidden files: 0



#2 lusitano


Posted 11 September 2007 - 06:45 AM

Hi czebuth

Please take note of the following:
  • I will be handling your log and helping you; please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 lusitano

Posted 14 September 2007 - 05:28 AM

Hi,

You might want to save this page on your favorites, so you can find it again when you return.

1. Please download this tool: EliBagle
  • Doubleclick to launch the application, and wait for the scan to finish.
  • Make sure you have the like this: Posted Image
  • When completed, please post the contents of C:\infoSat.txt, in a reply to this thread, along with a new HijackThis log.
2. Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.
  • Open a command window by going to Start > Run and typing: cmd
  • Copy/paste or type the following in the command window: C:\fsbl.exe /expert
  • Hit "Enter" to start the program and then close the cmd box.
  • Accept the user agreement and click "Next".
  • Click "Scan".
  • After the scan is complete, click "Next", then "Exit".
  • BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
  • The log will have a list of all items found. Do not choose to rename any yet!
    I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe".
  • Exit Blacklight and post the contents of the log in your next reply.
Thanks
