Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Trojan Vundo (and Others?)


  • Please log in to reply
15 replies to this topic

#1 madjay

madjay

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:12:44 PM

Posted 25 December 2007 - 12:48 PM

Recently I have been experiencing a very slow start up. Also I am unable to update from microsoft website. (I have original software that has been validated) .

When I try to update windows defender I get an error message: error code 0x80240022.
When I try to update windows I get a message Unable to update!!!
But I am able to update Defender manually!!!

When I switch on the system it does not show the desktop initially so every time I have to open process manager,stop process explorer and start it again.Also some processes may not start fullyl.ie my firewall and antivirus wont be shown in system tray though I have enabled it.
Another interesting thing I noticed was that if I have scheduled some process for startup ,Start up will be ok though slow!!!


My hosts file also was infected .When I found about it I disabled loading Hosts File at startup and using a tool HostsXpert I restored the hosts file. On the next start up Windows Defender showed that the hosts file was being modified to the earlier condition .So I denied access.This happened one more time but now it is not showing any warning!!!
Any help will be deeply appreciated.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:51 PM, on 12/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\WLTRYSVC.EXE
D:\WINDOWS\System32\bcmwltry.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
e:\XP Program Files\Alwil Software\Avast4\aswUpdSv.exe
e:\XP Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\explorer.exe
e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
D:\WINDOWS\system32\nvsvc32.exe
I:\oracle\ora92\bin\omtsreco.exe
I:\oracle\ora92\bin\agntsrvc.exe
I:\oracle\ora92\Apache\Apache\apache.exe
D:\WINDOWS\system32\cmd.exe
i:\oracle\ora92\bin\ORACLE.EXE
I:\oracle\ora92\bin\dbsnmp.exe
D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
D:\Program Files\Dell Support Center\bin\sprtsvc.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
I:\oracle\ora92\Apache\Apache\apache.exe
I:\oracle\ora92\jdk\bin\java.exe
I:\oracle\ora92\jdk\bin\java.exe
i:\oracle\ora92\bin\isqlplus
e:\XP Program Files\Alwil Software\Avast4\ashMaiSv.exe
e:\XP Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\msiexec.exe
E:\Program Files\Trend Micro\HijackThis\Crusty.exe
e:\XP Program Files\Alwil Software\Avast4\setup\avast.setup

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {92efbd12-119c-4971-a03c-9ed22344d6f9} - D:\WINDOWS\system32\xqlkyatp.dll (file missing)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] D:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] D:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [avast!] e:\XPPROG~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "e:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SynTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SpybotSnD] "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] e:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &Clean Traces - e:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - E:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://e:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192896177203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192896320296
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{74C1BAD0-0581-49DA-86DC-AE418D9CFB4A}: NameServer = 218.248.240.23 218.248.240.135
O17 - HKLM\System\CS1\Services\Tcpip\..\{74C1BAD0-0581-49DA-86DC-AE418D9CFB4A}: NameServer = 218.248.240.23 218.248.240.135
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - e:\XP Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - e:\XP Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - e:\XP Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - e:\XP Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - E:\XP Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - I:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - I:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - I:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - I:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHome92PagingServer - Unknown owner - I:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - I:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - I:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleServiceGEORGY - Oracle Corporation - i:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - D:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - D:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - D:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9961 bytes




As The problem may be related to start up I am also posting the startuplog also




StartupList report, 12/25/2007, 11:16:50 PM
StartupList version: 1.52.2
Started from : E:\Program Files\Trend Micro\HijackThis\Crusty.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16544)
* Using default options
==================================================

Running processes:

D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\WLTRYSVC.EXE
D:\WINDOWS\System32\bcmwltry.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
e:\XP Program Files\Alwil Software\Avast4\aswUpdSv.exe
e:\XP Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\explorer.exe
e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
D:\WINDOWS\system32\nvsvc32.exe
I:\oracle\ora92\bin\omtsreco.exe
I:\oracle\ora92\bin\agntsrvc.exe
I:\oracle\ora92\Apache\Apache\apache.exe
D:\WINDOWS\system32\cmd.exe
i:\oracle\ora92\bin\ORACLE.EXE
I:\oracle\ora92\bin\dbsnmp.exe
D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
D:\Program Files\Dell Support Center\bin\sprtsvc.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
I:\oracle\ora92\Apache\Apache\apache.exe
I:\oracle\ora92\jdk\bin\java.exe
I:\oracle\ora92\jdk\bin\java.exe
i:\oracle\ora92\bin\isqlplus
e:\XP Program Files\Alwil Software\Avast4\ashMaiSv.exe
e:\XP Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Windows Live\installer\WLSetupSvc.exe
E:\Program Files\DAP\DAP.exe
D:\Documents and Settings\Georgy Sebastian\Desktop\stinger.exe
E:\Program Files\Trend Micro\HijackThis\Crusty.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = D:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Broadcom Wireless Manager UI = D:\WINDOWS\system32\WLTRAY.exe
OEM02Mon.exe = D:\WINDOWS\OEM02Mon.exe
IntelZeroConfig = "D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
IntelWireless = "D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
avast! = e:\XPPROG~1\ALWILS~1\Avast4\ashDisp.exe
SunJavaUpdateSched = "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
Windows Defender = "D:\Program Files\Windows Defender\MSASCui.exe" -hide
ZoneAlarm Client = "e:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
SynTPEnh = D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
SpybotSnD = "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
NvCplDaemon = RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = D:\WINDOWS\system32\ctfmon.exe
SpybotSD TeaTimer = e:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
DWQueuedReporting = "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=

--------------------------------------------------

Shell & screensaver key from D:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll - {02478D38-C3F9-4EFB-9B51-7695ECA05670}
(no name) - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - E:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - D:\WINDOWS\system32\xqlkyatp.dll (file missing) - {92efbd12-119c-4971-a03c-9ed22344d6f9}
ZoneAlarm Spy Blocker BHO - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}

--------------------------------------------------

Enumerating Task Scheduler jobs:

MP Scheduled Scan.job

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = D:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[YInstStarter Class]
InProcServer32 = D:\PROGRA~1\Yahoo!\Common\yinsthelper.dll
CODEBASE = D:\Program Files\Yahoo!\Common\yinsthelper.dll

[BDSCANONLINE Control]
InProcServer32 = D:\WINDOWS\BDOSCAN8\oscan82.ocx
CODEBASE = http://download.bitdefender.com/resources/scan8/oscan8.cab

[WUWebControl Class]
InProcServer32 = D:\WINDOWS\system32\wuweb.dll
CODEBASE = http://www.update.microsoft.com/windowsupd...b?1192896177203

[MUWebControl Class]
InProcServer32 = D:\WINDOWS\system32\muweb.dll
CODEBASE = http://www.update.microsoft.com/microsoftu...b?1192896320296

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab

[Dell PC Checkup Installer Control]
InProcServer32 = D:\WINDOWS\system32\gtdownde_110.ocx
CODEBASE = http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: D:\DOCUME~1\GEORGY~1\LOCALS~1\TEMPOR~1\Content.IE5\index.dat||D:\DOCUME~1\GEORGY~1\Cookies\index.dat||D:\DOCUME~1\GEORGY~1\LOCALS~1\History\History.IE5\index.dat|||~

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: D:\WINDOWS\system32\SHELL32.dll
CDBurn: D:\WINDOWS\system32\SHELL32.dll
WebCheck: D:\WINDOWS\system32\webcheck.dll
SysTray: D:\WINDOWS\system32\stobject.dll
WPDShServiceObj: D:\WINDOWS\system32\WPDShServiceObj.dll
UPnPMonitor: D:\WINDOWS\system32\upnpui.dll

--------------------------------------------------
End of report, 7,763 bytes
Report generated in 0.328 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:14 AM

Posted 26 December 2007 - 06:01 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum madjay
My name is Richie and i'll be helping you to fix your problems.

If you have previously downloaded ComboFix,please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert,not for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.
Posted Image
Posted Image

#3 madjay

madjay
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:12:44 PM

Posted 26 December 2007 - 11:14 AM

Thanks for replying Richie

I did as you instructed and the combofix log is posted below.
But I still had trouble booting up

ComboFix 07-12-26.4 - Georgy Sebastian 2007-12-26 21:25:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1300 [GMT 5.5:30]
Running from: D:\Documents and Settings\Georgy Sebastian\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
.

2007-12-25 22:25 . 2007-12-25 22:25 81,920 --a------ D:\swxcacls.exe
2007-12-25 21:07 . 2007-12-25 22:32 <DIR> d-------- D:\WINDOWS\BDOSCAN8
2007-12-21 14:26 . 2007-12-25 21:07 <DIR> d-------- D:\WINDOWS\LastGood
2007-12-20 13:46 . 2007-12-20 13:46 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-20 13:45 . 2007-12-20 13:45 <DIR> d-------- D:\Program Files\Common Files\Wise Installation Wizard
2007-12-17 00:19 . 2007-12-17 00:19 <DIR> d-------- D:\Program Files\ZoneAlarmSB
2007-12-17 00:16 . 2007-11-14 16:05 1,086,952 --a------ D:\WINDOWS\system32\zpeng24.dll
2007-12-17 00:16 . 2007-11-14 16:04 99,816 --a------ D:\WINDOWS\system32\~GLH0022.TMP
2007-12-16 23:47 . 2007-12-16 23:47 <DIR> d-------- D:\Documents and Settings\Georgy Sebastian\Application Data\iolo
2007-12-16 23:47 . 2007-12-16 23:47 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\iolo
2007-12-16 23:47 . 2007-12-16 23:47 406 --a------ D:\WINDOWS\system32\ioloBootDefrag.cfg
2007-12-16 23:40 . 2007-12-16 23:48 <DIR> d--hsc--- D:\Program Files\Common Files\WindowsLiveInstaller
2007-12-16 23:39 . 2007-12-16 23:39 <DIR> d-------- D:\Program Files\Windows Live
2007-12-16 23:39 . 2007-12-25 22:47 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-16 23:35 . 2007-12-16 23:36 <DIR> d-------- D:\Documents and Settings\Georgy Sebastian\Application Data\MSNInstaller
2007-12-16 23:11 . 2007-12-16 23:33 <DIR> d-------- D:\WINDOWS\LastGood.Tmp
2007-12-14 22:31 . 2007-12-14 22:31 <DIR> d-------- D:\Program Files\SigmaTel
2007-12-14 22:26 . 2007-12-14 22:27 <DIR> d-------- D:\Program Files\Digital Line Detect
2007-12-01 17:08 . 2007-12-01 17:08 <DIR> d-------- D:\VundoFix Backups
2007-12-01 13:13 . 2007-12-01 13:13 <DIR> d-------- D:\Documents and Settings\Georgy Sebastian\SecurityScans
2007-12-01 12:08 . 2006-11-29 13:06 3,426,072 --a------ D:\WINDOWS\system32\d3dx9_32.dll
2007-12-01 11:44 . 2007-12-01 11:44 <DIR> d-------- D:\Program Files\Windows Defender
2007-12-01 11:38 . 2007-12-01 11:38 <DIR> d-------- D:\Program Files\Microsoft Silverlight
2007-11-30 21:43 . 2007-11-30 21:43 <DIR> d-------- D:\Program Files\ACW

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 15:58 8,151,072 --sha-w D:\WINDOWS\system32\drivers\fidbox.dat
2007-12-26 15:57 101,744 --sha-w D:\WINDOWS\system32\drivers\fidbox.idx
2007-12-26 15:51 --------- d---a-w D:\Documents and Settings\All Users\Application Data\TEMP
2007-12-26 04:36 --------- d-----w D:\Documents and Settings\Georgy Sebastian\Application Data\Azureus
2007-12-19 18:15 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-15 07:41 --------- d--h--w D:\Program Files\InstallShield Installation Information
2007-12-15 06:34 21,393 ----a-w D:\WINDOWS\system32\drivers\AegisP.sys
2007-12-15 06:34 21,393 ----a-w D:\WINDOWS\AegisP.sys
2007-12-14 17:11 356,352 ----a-w D:\WINDOWS\system32\AegisI5Installer.exe
2007-12-11 18:46 163,644 -c--a-w D:\WINDOWS\system32\drivers\secdrv.sys
2007-12-05 02:07 --------- d-----w D:\Program Files\Google
2007-12-04 14:56 93,264 ----a-w D:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w D:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w D:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w D:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w D:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w D:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w D:\WINDOWS\system32\AvastSS.scr
2007-11-17 18:14 --------- d-----w D:\Documents and Settings\Georgy Sebastian\Application Data\Grisoft
2007-11-17 18:14 --------- d-----w D:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-17 18:12 --------- d-----w D:\Program Files\Yahoo!
2007-11-17 17:15 --------- d-----w D:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-17 17:09 --------- d-----w D:\Documents and Settings\All Users\Application Data\Dell
2007-11-17 17:05 --------- d-----w D:\Documents and Settings\All Users\Application Data\SupportSoft
2007-11-17 17:04 --------- d-----w D:\Program Files\Dell Support Center
2007-11-17 17:04 --------- d-----w D:\Program Files\Common Files\supportsoft
2007-11-14 10:35 75,248 ----a-w D:\WINDOWS\zllsputility.exe
2007-11-11 03:34 --------- d-----w D:\Program Files\Common Files\InstallShield
2007-11-08 07:10 --------- d-----w D:\Documents and Settings\Georgy Sebastian\Application Data\Creative
2007-11-07 17:39 --------- d-----w D:\Program Files\MSBuild
2007-11-07 17:36 --------- d-----w D:\Program Files\Reference Assemblies
2007-11-06 17:20 --------- d-----w D:\Program Files\Oracle
2007-10-27 16:25 --------- d-----w D:\Documents and Settings\All Users\Application Data\Trymedia
2007-10-27 16:24 --------- d-----w D:\Program Files\BFG
2007-10-27 15:55 --------- d-----w D:\Program Files\ReflexiveArcade
2007-10-26 07:57 --------- d-----w D:\Documents and Settings\Georgy Sebastian\Application Data\tmp
2007-10-26 07:57 --------- d-----w D:\Documents and Settings\Georgy Sebastian\Application Data\Reallusion
2007-10-25 04:56 53,248 ----a-w D:\WINDOWS\bdoscandel.exe
2007-10-21 22:09 267,272 ----a-w D:\WINDOWS\system32\xactengine2_10.dll
2007-10-21 22:07 17,928 ----a-w D:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-12 09:44 3,734,536 ----a-w D:\WINDOWS\system32\d3dx9_36.dll
2007-10-12 09:44 1,374,232 ----a-w D:\WINDOWS\system32\D3DCompiler_36.dll
2007-10-10 11:34 393,216 ----a-w D:\WINDOWS\system32\OEM02Cvw.dll
2007-10-10 11:32 28,672 ----a-w D:\WINDOWS\OEM02Cfg.exe
2007-10-03 18:06 25,600 ----a-w D:\WINDOWS\system32\WS2Fix.exe
2007-10-02 04:26 444,776 ----a-w D:\WINDOWS\system32\d3dx10_36.dll
2007-09-28 12:37 3,596,288 ----a-w D:\WINDOWS\system32\qt-dx331.dll
2007-09-28 12:35 81,920 -c--a-w D:\WINDOWS\system32\dpl100.dll
2007-09-28 12:35 739,840 -c--a-w D:\WINDOWS\system32\divx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92efbd12-119c-4971-a03c-9ed22344d6f9}]
D:\WINDOWS\system32\xqlkyatp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2007-12-17 00:19 262144 --a------ D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-12 18:48]
"SpybotSD TeaTimer"="e:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="D:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 18:10]
"OEM02Mon.exe"="D:\WINDOWS\OEM02Mon.exe" [2007-05-10 01:01]
"IntelZeroConfig"="D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 16:32]
"IntelWireless"="D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 16:30]
"avast!"="e:\XPPROG~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 18:30]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"Windows Defender"="D:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"ZoneAlarm Client"="e:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05]
"SynTPEnh"="D:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 16:10]
"SpybotSnD"="E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2007-08-31 16:46]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-12 18:57 D:\WINDOWS\system32\rundll32.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 19:29]


*Newly Created Service* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder
"2007-12-26 15:02:59 D:\WINDOWS\Tasks\MP Scheduled Scan.job"
- D:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 21:28:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-26 21:28:57 - machine was rebooted
.
2007-11-05 18:10:02 --- E O F ---


---------------------------------------------------------------------------------------------------------------
The HijackThis log you instructed me to post is posted below


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:40 PM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\WLTRYSVC.EXE
D:\WINDOWS\System32\bcmwltry.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
e:\XP Program Files\Alwil Software\Avast4\aswUpdSv.exe
e:\XP Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
D:\WINDOWS\system32\nvsvc32.exe
I:\oracle\ora92\bin\omtsreco.exe
D:\WINDOWS\explorer.exe
I:\oracle\ora92\bin\agntsrvc.exe
I:\oracle\ora92\Apache\Apache\apache.exe
D:\WINDOWS\system32\cmd.exe
I:\oracle\ora92\bin\dbsnmp.exe
i:\oracle\ora92\bin\ORACLE.EXE
D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
D:\Program Files\Dell Support Center\bin\sprtsvc.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
I:\oracle\ora92\Apache\Apache\apache.exe
I:\oracle\ora92\jdk\bin\java.exe
I:\oracle\ora92\jdk\bin\java.exe
i:\oracle\ora92\bin\isqlplus
e:\XP Program Files\Alwil Software\Avast4\ashMaiSv.exe
e:\XP Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\system32\msiexec.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\NOTEPAD.EXE
E:\Program Files\Trend Micro\HijackThis\Crusty.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {92efbd12-119c-4971-a03c-9ed22344d6f9} - D:\WINDOWS\system32\xqlkyatp.dll (file missing)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] D:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] D:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [avast!] e:\XPPROG~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "e:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SynTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SpybotSnD] "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] e:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &Clean Traces - e:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - E:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://e:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192896177203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192896320296
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{74C1BAD0-0581-49DA-86DC-AE418D9CFB4A}: NameServer = 218.248.240.23 218.248.240.135
O17 - HKLM\System\CS1\Services\Tcpip\..\{74C1BAD0-0581-49DA-86DC-AE418D9CFB4A}: NameServer = 218.248.240.23 218.248.240.135
O17 - HKLM\System\CS2\Services\Tcpip\..\{74C1BAD0-0581-49DA-86DC-AE418D9CFB4A}: NameServer = 218.248.240.23 218.248.240.135
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - e:\XP Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - e:\XP Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - e:\XP Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - e:\XP Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - E:\XP Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - I:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - I:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - I:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - I:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHome92PagingServer - Unknown owner - I:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - I:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - I:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleServiceGEORGY - Oracle Corporation - i:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - D:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - D:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - D:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10121 bytes

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:14 AM

Posted 26 December 2007 - 01:53 PM

Disable Windows Defender's real-time protection,as it may interfere.
* Open Microsoft Windows Defender. Click Start>All Programs>Windows Defender.
* Click on 'Tools'>'Options'.
* Under 'Real-time protection options', unselect the 'Turn on real-time protection' check box
* Click 'Save'.

Please disable Spybot S&D’s protection,or it will interfere.
You can enable it after you're clean.

Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Restart the computer.
If you find you're experiencing problems disabling Spybot's Tea-Timer,follow the info in the link below:
http://www.russelltexas.com/malware/teatimer.htm


Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.
Do not run it just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {92efbd12-119c-4971-a03c-9ed22344d6f9} - D:\WINDOWS\system32\xqlkyatp.dll (file missing)

Exit Hijackthis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.


Please run F-Secure Online Virus Scanner using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
In the opening page read:
1.General
2.System requirements
3.Start your scan,then click on 'Start scanning'.
The 'Internet Explorer-Security Warning' box will pop up,click on 'Install'
Read the Licence Agreement,then click on 'Accept'.
In the next window that opens click on 'Custom Scan'.
Under 'Virus Scan Options',make sure 'Scan whole system' is selected.
Under 'Other Scan Options',make sure the following are selected:
'Scan programs and documents'
'Scan all files'
'Scan whole system for rootkits'
'Scan whole system for spyware'
'Scan inside archives'
'Use advanced heuristics'
Then click on 'Start'.
The 'scanner components and databases' will then be downloaded,this will take some time.
The virus scan will then start automatically.
The scan will take some time to finish,so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found,Select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button,then copy and paste the entire report into your next reply.

Also post a new Hijackthis log,let me know how your pc is running now.
Posted Image
Posted Image

#5 madjay

madjay
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:12:44 PM

Posted 27 December 2007 - 10:33 AM

Sorry for not replying faster.Exams are going on thats why.....

I deleted the hijackthis entry as you instructed.

The SUPERAntispyware Log you instructed me to post is posted below.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/27/2007 at 09:55 AM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 01:01:11

Memory items scanned : 511
Memory threats detected : 0
Registry items scanned : 5252
Registry threats detected : 0
File items scanned : 99502
File threats detected : 0

--------------------------------------------------------------------------------------------------------------------


Please run F-Secure Online Virus Scanner using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
In the opening page read:
1.General
2.System requirements
3.Start your scan,then click on 'Start scanning'.
The 'Internet Explorer-Security Warning' box will pop up,click on 'Install'
Read the Licence Agreement,then click on 'Accept'.
In the next window that opens click on 'Custom Scan'.
Under 'Virus Scan Options',make sure 'Scan whole system' is selected.
Under 'Other Scan Options',make sure the following are selected:
'Scan programs and documents'
'Scan all files'
'Scan whole system for rootkits'
'Scan whole system for spyware'
'Scan inside archives'
'Use advanced heuristics'
Then click on 'Start'.
The 'scanner components and databases' will then be downloaded,this will take some time.
The virus scan will then start automatically.
The scan will take some time to finish,so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found,Select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button,then copy and paste the entire report into your next reply

.

But I found that "scan programs and documents " and "scan all files" were having radio buttons so I scanned using "Scan all files"
The Fsecure Log is posted below

Scanning Report
Thursday, December 27, 2007 10:30:25 - 13:58:06

Computer name: GEORGY
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ E:\ F:\ I:\
Result: 0 malware found
Statistics
Scanned:

* Files: 576092
* System: 3813
* Not scanned: 307

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 0
* Submitted: 0

Files not scanned:

xtH

Options
Scanning engines:

* F-Secure Libra: 2.4.2, 2007-12-26
* F-Secure AVP: 7.0.171, 2007-12-27
* F-Secure Orion: 1.2.37, 2007-12-27
* F-Secure Blacklight: 1.0.64
* F-Secure Draco: 1.0.35, 0597-150-72
* F-Secure Pegasus: 1.19.0, 2007-11-19

Scanning options:

* Scan all files
* Scan inside archives
* Use Advanced heuristics

Copyright © 1998-2006 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.


------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The hijack this log is posted below

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:01 PM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\WLTRYSVC.EXE
D:\WINDOWS\System32\bcmwltry.exe
E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
e:\XP Program Files\Alwil Software\Avast4\aswUpdSv.exe
e:\XP Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
D:\WINDOWS\system32\nvsvc32.exe
I:\oracle\ora92\bin\omtsreco.exe
I:\oracle\ora92\bin\agntsrvc.exe
I:\oracle\ora92\Apache\Apache\apache.exe
D:\WINDOWS\system32\cmd.exe
I:\oracle\ora92\bin\dbsnmp.exe
i:\oracle\ora92\bin\ORACLE.EXE
D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
D:\Program Files\Dell Support Center\bin\sprtsvc.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
I:\oracle\ora92\Apache\Apache\apache.exe
I:\oracle\ora92\jdk\bin\java.exe
I:\oracle\ora92\jdk\bin\java.exe
i:\oracle\ora92\bin\isqlplus
e:\XP Program Files\Alwil Software\Avast4\ashMaiSv.exe
e:\XP Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\system32\WLTRAY.exe
D:\WINDOWS\OEM02Mon.exe
D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
E:\XPPROG~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\WINDOWS\system32\ctfmon.exe
E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\XP Program Files\Creative Live! Cam\VideoFX\StartFX.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\Crusty.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] D:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] D:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [avast!] e:\XPPROG~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "e:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SynTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpybotSnD] "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] E:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &Clean Traces - e:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - E:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://e:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192896177203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192896320296
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{74C1BAD0-0581-49DA-86DC-AE418D9CFB4A}: NameServer = 218.248.240.23 218.248.240.135
O17 - HKLM\System\CS1\Services\Tcpip\..\{74C1BAD0-0581-49DA-86DC-AE418D9CFB4A}: NameServer = 218.248.240.23 218.248.240.135
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - e:\XP Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - e:\XP Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - e:\XP Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - e:\XP Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - E:\XP Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - I:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - I:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - I:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - I:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHome92PagingServer - Unknown owner - I:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - I:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - I:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleServiceGEORGY - Oracle Corporation - i:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - D:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - D:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - D:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10200 bytes

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


I am still unable to update windows and windows defender. Also Though I am able to access the disk defragmenter screen when I click analyze or defragment I get the warning that disk defragmenter cannot be started.
I am not sure now if this is a malware infection or not!! No malware were detected after the combo fix cleaning!!!

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:14 AM

Posted 27 December 2007 - 11:04 AM

Do you recognise the following as your ISP,or the domain:
218.248.240.23 / 218.248.240.135

Internet Cell
Bharat Sanchar Nigam Limited
8th Floor,148-B Statesman House
Barakhamba Road, New Delhi - 110 001
CTS Compound
Netaji Nagar
New Delhi- 110 023

I am still unable to update windows and windows defender.
Try temporarily disabling ZoneAlarm firewall,see if that makes any difference.
Posted Image
Posted Image

#7 madjay

madjay
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:12:44 PM

Posted 27 December 2007 - 10:22 PM

Bharat Sanchar Nigam Limited is my ISP. It is operated by our state telecom service


I tried updating windows defender with the zonealarm firewall disabled but I am still getting the error 0x80240022.Once I got another error message 0x80072ee2 but that was with the firewall on.
When I tried updating windows, the updates failed and I got an error message 0x80246008.This I found when I checked the update Logs

Could it be due to some software incompatibility????Should I reinstall Windows???

Edited by madjay, 27 December 2007 - 10:28 PM.


#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:14 AM

Posted 28 December 2007 - 07:48 AM

Try uninstalling/reinstalling Windows Defender:
http://www.microsoft.com/athome/security/s...re/default.mspx

Download/unzip/install Dial-a-Fix from here:
http://djlizard.net/software/Dial-a-fix-v0.60.0.24.zip
Launch the program,place a check in the 'WU/WUAU' box 'Fix Windows Update'.
Make sure you press 'Flush SoftwareDistribution'.
Then click on 'GO' at the bottom.
Restart your pc when Dial-a-Fix has done.

Download/unzip and double click on WUFix.bat Posted Image
You'll see a black screen flash,thats normal.
Restart your pc.
Note:
The file is attached below.

Useful links:
Windows Update Troubleshooter:
http://v4.windowsupdate.microsoft.com/troubleshoot/
Live Links To The Windows Update Troubleshooter:
http://aumha.net/viewtopic.php?t=27635&...41ae1e2b34f712f
How to troubleshoot common Windows Update, Microsoft Update, and Windows Server Update Services installation issues:
http://support.microsoft.com/kb/906602
Posted Image
Posted Image

#9 madjay

madjay
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:12:44 PM

Posted 28 December 2007 - 01:18 PM

Thanks for your valuable help!!!
I am now ableto update windows...
But the start up is still slow!!! It must be due to some cluttering problem.
Though I am still unable to use disk defragmenter, I have downloaded system mechanic and hope to defragment with it!!!!

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:14 AM

Posted 28 December 2007 - 03:38 PM

But the start up is still slow!!!

Try the following.
Disconnect from the internet.
Click on Start>Run,type msconfig then press Enter.
Under the 'Startup' tab uncheck EVERYTHING,then reboot.
If everything seems to be back up to speed,start adding items/entries back by rechecking the boxes one at a time.
Reboot in between each one.
Using trial and error,keep doing that until you find the problem program/process.
*Note*
Don't forget to make sure your antivirus and firewall are running before you reconnect to the internet.

Let me know how you get on.
Post a new Hijackthis log when you've finished.
Posted Image
Posted Image

#11 madjay

madjay
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:12:44 PM

Posted 29 December 2007 - 10:38 AM

I unchecked every item in startup(in msconfig). Even then there was no notable improvement!!!
So now I am uninstalling my dell drivers as I may have run the setup more than once and might have saved it in different places
Also I am performing a deep defragmentation using system mechanic which is currently running!!!!

I dual boot with Vista. But the Vista installation runs just fine and fast!!!

The Hijackthis post you instructed me to post is posted below

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:23 PM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
e:\XP Program Files\Alwil Software\Avast4\aswUpdSv.exe
e:\XP Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
E:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
D:\WINDOWS\OEM02Mon.exe
D:\Program Files\Windows Live\Family Safety\fssui.exe
E:\XPPROG~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\ctfmon.exe
E:\Program Files\iolo\System Mechanic 7\SysMech7.exe
e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\iolo\common\lib\ioloServiceManager.exe
D:\WINDOWS\system32\nvsvc32.exe
I:\oracle\ora92\bin\omtsreco.exe
I:\oracle\ora92\bin\agntsrvc.exe
I:\oracle\ora92\Apache\Apache\apache.exe
D:\WINDOWS\system32\cmd.exe
i:\oracle\ora92\bin\ORACLE.EXE
I:\oracle\ora92\bin\dbsnmp.exe
D:\WINDOWS\system32\svchost.exe
I:\oracle\ora92\Apache\Apache\apache.exe
I:\oracle\ora92\jdk\bin\java.exe
I:\oracle\ora92\jdk\bin\java.exe
i:\oracle\ora92\bin\isqlplus
e:\XP Program Files\Alwil Software\Avast4\ashMaiSv.exe
e:\XP Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\Program Files\DAP\DAP.exe
D:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\WINDOWS\system32\WISPTIS.EXE
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\Crusty.exe

R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - D:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SynTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SpybotSnD] "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKLM\..\Run: [SMSystemAnalyzer] "e:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [OEM02Mon.exe] D:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [fssui] "D:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
O4 - HKLM\..\Run: [avast!] e:\XPPROG~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "e:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &Clean Traces - e:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - E:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://e:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.download.microsoft.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192896177203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192896320296
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{74C1BAD0-0581-49DA-86DC-AE418D9CFB4A}: NameServer = 218.248.240.23 218.248.240.135
O17 - HKLM\System\CS1\Services\Tcpip\..\{74C1BAD0-0581-49DA-86DC-AE418D9CFB4A}: NameServer = 218.248.240.23 218.248.240.135
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - e:\XP Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - e:\XP Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - e:\XP Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - e:\XP Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - D:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - D:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - I:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - I:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - I:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - I:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHome92PagingServer - Unknown owner - I:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - I:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - I:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleServiceGEORGY - Oracle Corporation - i:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8987 bytes

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:14 AM

Posted 29 December 2007 - 11:40 AM

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.
Do not run it just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this,restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Exit Hijackthis.

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log,let me know how your pc is running now.

Posted Image
Posted Image

#13 madjay

madjay
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:12:44 PM

Posted 30 December 2007 - 09:13 AM

The system is still starting slow.
Also I found that the problem of loading the explorer occurs if I pass through the start up page fast(I mean the welcome screen)
In that case to load explorer I have to end the process from the task manager and start the new process "explorer"

In either case it takes a long time to load all programs such that I can start any work!!!Many programs are loaded only after the network loads!!!


The Super antispyware log you instructed me topost is posted below

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/30/2007 at 01:21 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 02:26:00

Memory items scanned : 190
Memory threats detected : 0
Registry items scanned : 5354
Registry threats detected : 0
File items scanned : 83324
File threats detected : 0




The hijackthis log you instructed me to post is posted below

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:33:42 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\WLTRYSVC.EXE
D:\WINDOWS\System32\bcmwltry.exe
e:\XP Program Files\Alwil Software\Avast4\aswUpdSv.exe
e:\XP Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
E:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe
D:\WINDOWS\OEM02Mon.exe
D:\Program Files\Windows Live\Family Safety\fssui.exe
E:\XPPROG~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\system32\WLTRAY.exe
D:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
D:\WINDOWS\system32\KADxMain.exe
D:\Program Files\Dell\Dell Mobile Broadband\systray.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Dell Support Center\bin\sprtcmd.exe
E:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
E:\Program Files\DellSupport\DSAgnt.exe
D:\Program Files\Digital Line Detect\DLG.exe
e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
D:\Program Files\iolo\common\lib\ioloServiceManager.exe
D:\WINDOWS\system32\nvsvc32.exe
I:\oracle\ora92\bin\omtsreco.exe
I:\oracle\ora92\bin\agntsrvc.exe
I:\oracle\ora92\Apache\Apache\apache.exe
D:\WINDOWS\system32\cmd.exe
I:\oracle\ora92\bin\dbsnmp.exe
I:\oracle\ora92\Apache\Apache\apache.exe
I:\oracle\ora92\jdk\bin\java.exe
I:\oracle\ora92\jdk\bin\java.exe
i:\oracle\ora92\bin\isqlplus
i:\oracle\ora92\bin\ORACLE.EXE
D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
D:\Program Files\Dell Support Center\bin\sprtsvc.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
e:\XP Program Files\Alwil Software\Avast4\ashMaiSv.exe
e:\XP Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
D:\WINDOWS\explorer.exe
E:\Program Files\DAP\DAP.exe
E:\XP Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
E:\XP Program Files\WIDCOMM\Bluetooth Software\BtTray.exe
E:\XPPROG~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Trend Micro\HijackThis\Crusty.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live OneCare Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - D:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - D:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SynTPEnh] D:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSystemAnalyzer] "e:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [OEM02Mon.exe] D:\WINDOWS\OEM02Mon.exe
O4 - HKLM\..\Run: [fssui] "D:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
O4 - HKLM\..\Run: [avast!] e:\XPPROG~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "e:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [dscactivate] "D:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "D:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "D:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] D:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [KADxMain] D:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [systray] D:\Program Files\Dell\Dell Mobile Broadband\systray.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "D:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [DellAutomatedPCTuneUp] "E:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupport] "E:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "D:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = D:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: &Clean Traces - e:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - E:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - E:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://e:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - E:\XP Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - D:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\XP Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\XP Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.download.microsoft.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1192896177203
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192896320296
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.dellfix.com/rel/41/install/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{74C1BAD0-0581-49DA-86DC-AE418D9CFB4A}: NameServer = 218.248.240.23 218.248.240.135
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - e:\XP Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - e:\XP Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - e:\XP Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - e:\XP Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - E:\XP Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DellAMBrokerService - Unknown owner - E:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
O23 - Service: DSBrokerService - Unknown owner - E:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - D:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - D:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - I:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - I:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - I:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - I:\oracle\ora92\Apache\Apache\apache.exe
O23 - Service: OracleOraHome92PagingServer - Unknown owner - I:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - I:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - I:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleServiceGEORGY - Oracle Corporation - i:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - D:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - D:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - D:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 12346 bytes

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:08:14 AM

Posted 30 December 2007 - 09:32 AM

The system is still starting slow.

I suggest you start a new topic in the forum below regarding this issue.

Windows XP Home and Professional:
http://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/
Posted Image
Posted Image

#15 madjay

madjay
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:12:44 PM

Posted 30 December 2007 - 10:47 AM

I will do as you said!!! A great many thanks for your help!!!

I have posted it as a new topic at
[post="http://www.bleepingcomputer.com/forums/t/123359/slow-startup-and-defragmenter-wont-work/"]http://www.bleepingcomputer.com/forums/t/123359/slow-startup-and-defragmenter-wont-work/[/post]

Edited by madjay, 30 December 2007 - 11:40 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users