
Killmycpu's Hijack This Log. Please Help.


  • This topic is locked
18 replies to this topic

#1 KillmyCPU

Posted 29 January 2008 - 03:27 AM

I'm not too sure what's going on, but my computer has a lot of problems. Your help would be appreciated. Thanks, Tony.

http://qca9.hpwis.com/ < an IE browser pops up taking me to this site, if this helps.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:25:52, on 29/01/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svshost.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\MTS Accelerator\PropelAC.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qca9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qca9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qca9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qca9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qca9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qca9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qca9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\MTSACC~1\PRPL_I~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\MTS Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\MTS Accelerator\pac-addwl.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?01034b8159754189ac16c85a541bfc5b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?01034b8159754189ac16c85a541bfc5b
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\MTS Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\MTS Accelerator\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{79E42031-1403-4EF6-87FD-35C6BE086619}: NameServer = 142.161.2.155 142.161.130.155
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: k9q1t9 - Unknown owner - C:\WINDOWS\system32\svshost.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Windows Network Services (SvcHost32) - Unknown owner - C:\WINDOWS\system\svchost32.exe (file missing)

--
End of file - 8314 bytes


Apologies if I have done this incorrectly. I'm a noob with computers :S

Thanks guys
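The log above is the kind of thing a forum helper reads by eye: a process whose name is one letter off a Windows system binary (svshost.exe next to the genuine svchost.exe), an Internet Explorer proxy pointing at a port on the local machine, a service whose binary is missing, and a BHO with no file behind it. The following script is an added example for this thread, not part of the original post and not HijackThis code; it applies those same checks to HijackThis v2 log lines. The list of system binaries, the two-edit lookalike threshold and the severity labels are this example's own assumptions, and the sample input is excerpted verbatim from the log posted above.

```python
"""Triage a HijackThis v2 log for the loading points a forum helper checks first.

Added example for this thread; not part of the original post and not HijackThis
code. The severity labels, the edit-distance threshold and the list of system
binaries below are this example's own assumptions.
"""
import re

# Windows binaries whose names malware commonly imitates (assumed list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe"}
FILE_MISSING = "(file missing)"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a typo-squat like svshost.exe is 1 edit away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename: str):
    """Return the system binary `filename` imitates, or None when the name is
    genuine (exact match) or not within 2 edits (assumed threshold) of any."""
    name = filename.lower()
    if name in SYSTEM_BINARIES:
        return None
    for real in sorted(SYSTEM_BINARIES):
        if edit_distance(name, real) <= 2:
            return real
    return None


def triage(log_text: str):
    """Return (severity, reason, line) for every entry worth a second look."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and re.match(r"^[A-Za-z]:\\", line):
            real = lookalike_of(line.rsplit("\\", 1)[-1])
            if real:
                findings.append(("HIGH", f"running process imitates {real}", line))
            continue
        in_processes = False  # first non-path line ends the process list
        tag = line.split(" - ", 1)[0]
        if tag in ("R0", "R1") and "ProxyServer" in line:
            value = line.split("=", 1)[1]
            if re.search(r"localhost|127\.0\.0\.1", value):
                findings.append(("HIGH", "IE traffic routed through a local proxy port", line))
        elif tag == "O2" and line.endswith("(no file)"):
            findings.append(("LOW", "BHO registered but its DLL is gone (orphan)", line))
        elif tag == "O23":
            path = line.rsplit(" - ", 1)[-1].replace(FILE_MISSING, "").strip()
            real = lookalike_of(path.rsplit("\\", 1)[-1])
            if real:
                findings.append(("HIGH", f"service binary imitates {real}", line))
            elif line.endswith(FILE_MISSING):
                findings.append(("MEDIUM", "service points at a missing file", line))
            elif "Unknown owner" in line and "\\windows\\" in path.lower():
                findings.append(("MEDIUM", "unknown-owner service under the Windows directory; verify", line))
        elif tag == "O17":
            findings.append(("INFO", "configured DNS servers; confirm they belong to the ISP", line))
    return findings


# Lines excerpted verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svshost.exe
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{79E42031-1403-4EF6-87FD-35C6BE086619}: NameServer = 142.161.2.155 142.161.130.155
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: k9q1t9 - Unknown owner - C:\WINDOWS\system32\svshost.exe
O23 - Service: Windows Network Services (SvcHost32) - Unknown owner - C:\WINDOWS\system\svchost32.exe (file missing)
"""

if __name__ == "__main__":
    for severity, reason, entry in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {entry}")
```

The lookalike check deliberately skips exact matches, so the many legitimate svchost.exe processes produce nothing while svshost.exe and svchost32.exe are both caught; an unknown-owner service under the Windows directory is only marked for review, since legitimate driver helpers (the ATI one above) land there too.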


#2 Buckeye_Sam (Malware Expert)

Posted 30 January 2008 - 10:10 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 KillmyCPU (Topic Starter)

Posted 30 January 2008 - 10:43 AM

Thanks Sam!

ComboFix 08-01-30.6 - Owner 2008-01-30 9:32:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.223 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\nspF.dll
D:\Autorun.inf . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-29 01:43 . 2008-01-29 01:43 33 --a------ C:\28374.html
2008-01-29 01:41 . 2008-01-29 01:42 65,536 --a------ C:\WINDOWS\system\lc.exe
2008-01-29 01:41 . 2008-01-29 01:41 64,512 --a------ C:\WINDOWS\system\zm.exe
2008-01-29 01:41 . 2008-01-30 09:31 9,216 --a------ C:\WINDOWS\system\del.exe
2008-01-29 01:41 . 2008-01-29 02:33 7,580 --a------ C:\WINDOWS\system\delnew.exe
2008-01-29 01:40 . 2008-01-30 09:30 79,872 --a------ C:\WINDOWS\system\nadlocop.exe
2008-01-29 01:40 . 2008-01-30 09:29 6,144 --a------ C:\WINDOWS\system\helper.exe
2008-01-29 00:35 . 2008-01-30 01:51 79,872 --a------ C:\tohel.exe
2008-01-29 00:07 . 2008-01-29 00:07 32 --a------ C:\28915.html
2008-01-28 23:55 . 2008-01-28 23:55 244 --ah----- C:\sqmnoopt02.sqm
2008-01-28 23:55 . 2008-01-28 23:55 232 --ah----- C:\sqmdata02.sqm
2008-01-28 22:52 . 2008-01-28 22:52 33 --a------ C:\18520.html
2008-01-28 10:42 . 2008-01-28 10:42 33 --a------ C:\11178.html
2008-01-28 05:58 . 2008-01-28 05:58 33 --a------ C:\22566.html
2008-01-28 05:53 . 2008-01-28 05:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MTS
2008-01-28 05:51 . 2008-01-28 05:53 <DIR> d-------- C:\Program Files\MTS Accelerator
2008-01-28 00:30 . 2008-01-28 00:30 33 --a------ C:\24208.html
2008-01-27 23:54 . 2008-01-27 23:54 244 --ah----- C:\sqmnoopt01.sqm
2008-01-27 23:54 . 2008-01-27 23:54 232 --ah----- C:\sqmdata01.sqm
2008-01-27 23:41 . 2008-01-27 23:41 33 --a------ C:\27176.html
2008-01-27 09:55 . 2008-01-27 09:55 33 --a------ C:\18807.html
2008-01-27 03:26 . 2008-01-27 03:26 244 --ah----- C:\sqmnoopt00.sqm
2008-01-27 03:26 . 2008-01-27 03:26 232 --ah----- C:\sqmdata00.sqm
2008-01-26 22:42 . 2008-01-28 10:41 5,516 --a------ C:\WINDOWS\system\hen.exe
2008-01-26 22:42 . 2008-01-26 22:42 33 --a------ C:\3228.html
2008-01-26 10:12 . 2008-01-26 10:12 31 --a------ C:\549.html
2008-01-26 05:09 . 2008-01-30 09:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Tibia
2008-01-26 02:57 . 2008-01-26 02:57 33 --a------ C:\17578.html
2008-01-26 02:51 . 2008-01-26 02:51 <DIR> d-------- C:\Program Files\ShackGuys
2008-01-26 00:50 . 2008-01-29 01:42 7,404 --a------ C:\WINDOWS\system\dc4all.exe
2008-01-26 00:50 . 2008-01-29 01:42 5,376 --a------ C:\WINDOWS\system\kol.exe
2008-01-26 00:50 . 2008-01-29 01:42 4,880 --a------ C:\WINDOWS\system\wbrow.exe
2008-01-26 00:50 . 2008-01-29 02:36 4,460 --a------ C:\WINDOWS\system\run.exe
2008-01-26 00:50 . 2008-01-26 00:50 33 --a------ C:\10611.html
2008-01-26 00:49 . 2008-01-26 00:48 30,720 -r-hs---- C:\WINDOWS\system32\svshost.exe
2008-01-26 00:49 . 2008-01-30 09:29 4,624 --a------ C:\msu32.exe
2008-01-26 00:47 . 2008-01-27 16:28 74 --a------ C:\WINDOWS\system32\i
2008-01-12 14:49 . 2008-01-13 20:27 <DIR> d-------- C:\Program Files\Tibia
2008-01-05 02:07 . 2008-01-05 02:07 <DIR> d-------- C:\Program Files\Blackd Tools
2007-12-08 17:23 . 2007-12-08 17:23 <DIR> d-------- C:\Program Files\Ventrilo
2007-12-08 17:22 . 2007-12-08 17:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 15:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-30 04:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-01-29 09:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-01-15 23:36 --------- d-----w C:\Program Files\MSN Messenger
2008-01-14 21:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-14 20:24 --------- d-----w C:\Program Files\Atari
2008-01-14 02:24 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-01-13 01:41 --------- d-----w C:\Program Files\TibiaBot NG
2008-01-02 03:50 --------- d-----w C:\Documents and Settings\Owner\Application Data\mIRC
2008-01-02 03:47 --------- d-----w C:\Program Files\mIRC
2007-12-04 16:29 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-12-03 20:01 --------- d-----w C:\Program Files\Lexmark X1100 Series
2007-07-01 03:01 1,085,984 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-01 03:00 73,248 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 08:07 114688]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 21:02 61440]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 09:01 155648]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 22:42 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-03 00:19 4640768]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 07:15 344064]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-07-31 21:28 81920]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-02-24 19:51 53248]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 04:43 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 12:24 579072]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-07-24 03:36 151597]
"Propel Accelerator"="C:\Program Files\MTS Accelerator\trayctl.exe" [2007-11-15 16:30 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 08:37 219136]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-07-26 02:57:44 552960]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-05-22 03:19:20 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2006-03-02 20:02:42 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 04:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

R3 IntelS51;Intel® 536EP Modem;C:\WINDOWS\System32\DRIVERS\IntelS51.sys [2004-12-23 02:52]
S2 k9q1t9;k9q1t9;"C:\WINDOWS\system32\svshost.exe" [2008-01-26 00:48]
S2 SvcHost32;Windows Network Services;"C:\WINDOWS\system\svchost32.exe" []

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2008-01-30 14:43:05 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 09:36:21
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\MTS Accelerator\PropelAC.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
.
**************************************************************************
.
Completion time: 2008-01-30 9:37:49 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-01-30 15:37:40
.
2007-08-13 20:53:56 --- E O F ---


-------
There ya go,
Tony

#4 Buckeye_Sam (Malware Expert)

Posted 30 January 2008 - 04:42 PM

Your log is showing some unusual files. Do you know anything about the html files that are showing up?

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-29 01:43 . 2008-01-29 01:43 33 --a------ C:\28374.html
2008-01-29 01:41 . 2008-01-29 01:42 65,536 --a------ C:\WINDOWS\system\lc.exe
2008-01-29 01:41 . 2008-01-29 01:41 64,512 --a------ C:\WINDOWS\system\zm.exe
2008-01-29 01:41 . 2008-01-30 09:31 9,216 --a------ C:\WINDOWS\system\del.exe
2008-01-29 01:41 . 2008-01-29 02:33 7,580 --a------ C:\WINDOWS\system\delnew.exe
2008-01-29 01:40 . 2008-01-30 09:30 79,872 --a------ C:\WINDOWS\system\nadlocop.exe
2008-01-29 01:40 . 2008-01-30 09:29 6,144 --a------ C:\WINDOWS\system\helper.exe
2008-01-29 00:35 . 2008-01-30 01:51 79,872 --a------ C:\tohel.exe
2008-01-29 00:07 . 2008-01-29 00:07 32 --a------ C:\28915.html
2008-01-28 23:55 . 2008-01-28 23:55 244 --ah----- C:\sqmnoopt02.sqm
2008-01-28 23:55 . 2008-01-28 23:55 232 --ah----- C:\sqmdata02.sqm
2008-01-28 22:52 . 2008-01-28 22:52 33 --a------ C:\18520.html
2008-01-28 10:42 . 2008-01-28 10:42 33 --a------ C:\11178.html
2008-01-28 05:58 . 2008-01-28 05:58 33 --a------ C:\22566.html

2008-01-28 05:53 . 2008-01-28 05:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MTS
2008-01-28 05:51 . 2008-01-28 05:53 <DIR> d-------- C:\Program Files\MTS Accelerator
2008-01-28 00:30 . 2008-01-28 00:30 33 --a------ C:\24208.html
2008-01-27 23:54 . 2008-01-27 23:54 244 --ah----- C:\sqmnoopt01.sqm
2008-01-27 23:54 . 2008-01-27 23:54 232 --ah----- C:\sqmdata01.sqm
2008-01-27 23:41 . 2008-01-27 23:41 33 --a------ C:\27176.html
2008-01-27 09:55 . 2008-01-27 09:55 33 --a------ C:\18807.html




=================


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log



================



Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
Please post the contents of the log from DrWeb and a new combofix log in your next reply.
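The "unusual files" Sam points at in the ComboFix "Files Created" section have a shape that can be checked mechanically: tiny .html files with purely numeric names dropped in the drive root day after day, fresh executables in C:\WINDOWS\system (the old 16-bit directory, which rarely gains new files) and in the root, an executable carrying hidden+system attributes, and two executables of exactly the same size in different places (nadlocop.exe and tohel.exe, both 79,872 bytes). The script below is an added example for this thread, not part of any post and not ComboFix code; it parses the "Files Created" entry format and applies those checks. The size threshold, the "unusual location" rule and the severity labels are this example's own assumptions, and the sample input is excerpted verbatim from the ComboFix log posted above.

```python
"""Triage the "Files Created" section of a ComboFix log.

Added example for this thread; not part of any post and not ComboFix code. The
thresholds, the "unusual location" rule and the severity labels are this
example's own assumptions.
"""
import re
from collections import defaultdict

# One entry: "<created> . <modified> <size|<DIR>> <9-char attrs> <path>"
ENTRY = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


def parse_entries(text: str):
    """Parse entry lines into dicts; size is None for directories."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = None if e["size"] == "<DIR>" else int(e["size"].replace(",", ""))
        entries.append(e)
    return entries


def triage_created(text: str):
    """Return (severity, reason, path) findings over the parsed entries."""
    findings = []
    by_size = defaultdict(list)  # identical-size executables are often copies
    for e in parse_entries(text):
        if e["size"] is None:
            continue  # directories: nothing to size-check
        path = e["path"]
        parent, _, name = path.rpartition("\\")
        in_root = re.fullmatch(r"[A-Za-z]:", parent) is not None
        in_old_system_dir = parent.lower().endswith("\\windows\\system")
        is_exec = name.lower().endswith(EXEC_EXT)
        # Tiny, purely numeric .html files in the drive root is the pattern
        # the helper asks about; 64 bytes is an assumed cut-off.
        if in_root and re.fullmatch(r"\d+\.html", name.lower()) and e["size"] < 64:
            findings.append(("MEDIUM", "tiny numbered .html dropped in drive root", path))
        if is_exec and "h" in e["attrs"] and "s" in e["attrs"]:
            findings.append(("HIGH", f"hidden+system executable ({e['attrs']})", path))
        elif is_exec and (in_root or in_old_system_dir):
            findings.append(("MEDIUM", "new executable in an unusual location", path))
        if is_exec:
            by_size[e["size"]].append(path)
    for size, paths in by_size.items():
        if len(paths) > 1:
            findings.append(("INFO", f"{len(paths)} executables share size {size:,} bytes (likely copies)",
                             "; ".join(paths)))
    return findings


# Lines excerpted verbatim from the ComboFix log posted above.
SAMPLE = r"""
2008-01-29 01:43 . 2008-01-29 01:43 33 --a------ C:\28374.html
2008-01-29 01:41 . 2008-01-29 01:42 65,536 --a------ C:\WINDOWS\system\lc.exe
2008-01-29 01:40 . 2008-01-30 09:30 79,872 --a------ C:\WINDOWS\system\nadlocop.exe
2008-01-29 00:35 . 2008-01-30 01:51 79,872 --a------ C:\tohel.exe
2008-01-29 00:07 . 2008-01-29 00:07 32 --a------ C:\28915.html
2008-01-28 23:55 . 2008-01-28 23:55 244 --ah----- C:\sqmnoopt02.sqm
2008-01-28 05:51 . 2008-01-28 05:53 <DIR> d-------- C:\Program Files\MTS Accelerator
2008-01-26 00:49 . 2008-01-26 00:48 30,720 -r-hs---- C:\WINDOWS\system32\svshost.exe
2008-01-26 00:49 . 2008-01-30 09:29 4,624 --a------ C:\msu32.exe
2008-01-26 00:47 . 2008-01-27 16:28 74 --a------ C:\WINDOWS\system32\i
"""

if __name__ == "__main__":
    for severity, reason, path in triage_created(SAMPLE):
        print(f"[{severity}] {reason}: {path}")
```

The size grouping is the part worth keeping in your own toolbox: a dropper that copies itself to several places leaves files of identical length with unrelated names, which a listing sorted by path hides and a listing grouped by size exposes.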

#5 KillmyCPU (Topic Starter)

Posted 31 January 2008 - 10:00 AM

After a 3-hour Dr.Web scan of both my hard drives, here's the report:

msu32.exe;C:\;Trojan.DownLoader.origin;Incurable.Moved.;
00083046.FIL;C:\$VAULT$.AVG;Trojan.Proxy.2751;Deleted.;
00109671.FIL;C:\$VAULT$.AVG;Trojan.Proxy.2751;Deleted.;
00290843.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.36226;Deleted.;
00560937.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.36226;Deleted.;
00568031.FIL;C:\$VAULT$.AVG;Trojan.Proxy.2751;Deleted.;
00572171.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.240;Deleted.;
00574375.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.240;Deleted.;
01934218.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.240;Deleted.;
01934343.FIL;C:\$VAULT$.AVG;Trojan.Proxy.2751;Deleted.;
01934421.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.240;Deleted.;
01934500.FIL;C:\$VAULT$.AVG;Trojan.Proxy.2751;Deleted.;
02180218.FIL;C:\$VAULT$.AVG;Trojan.Proxy.2751;Deleted.;
02260296.FIL;C:\$VAULT$.AVG;Trojan.Proxy.2751;Deleted.;
04414375.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.240;Deleted.;
04414437.FIL;C:\$VAULT$.AVG;Trojan.Proxy.2751;Deleted.;
04414593.FIL;C:\$VAULT$.AVG;Trojan.Proxy.2751;Deleted.;
04414671.FIL;C:\$VAULT$.AVG;Trojan.Proxy.2751;Deleted.;
04414765.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.240;Deleted.;
04414984.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.36226;Deleted.;
04415140.FIL;C:\$VAULT$.AVG;Trojan.DownLoader.36226;Deleted.;
04415203.FIL;C:\$VAULT$.AVG;Trojan.Proxy.2751;Deleted.;
04415359.FIL;C:\$VAULT$.AVG;Trojan.Virtumod.240;Deleted.;
48272406.FIL;C:\$VAULT$.AVG;BackDoor.IRC.Sdbot.2010;Deleted.;
48276890.FIL;C:\$VAULT$.AVG;Win32.Sector.28682;Cured.;
48276890.FIL;C:\$VAULT$.AVG;Trojan.MulDrop.3338;Deleted.;
regLocal.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups;Probably SCRIPT.Virus;;
Process.exe;C:\Documents and Settings\Owner\Desktop\SDFix\apps;Tool.Prockill;;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;;
Terminator.exe;C:\hp\bin;Trojan.KillApp.30208;Deleted.;
A0117981.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP194;BackDoor.IRC.Sdbot.2239;Deleted.;
A0137376.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP208;BackDoor.IRC.Sdbot.2239;Deleted.;
A0147392.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP213;BackDoor.IRC.Sdbot.2239;Deleted.;
A0149414.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP215;Trojan.DownLoader.origin;Incurable.Moved.;
A0149418.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP215;Trojan.Proxy.2751;Deleted.;
A0149419.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP215;Trojan.DownLoader.36226;Deleted.;
A0149420.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP215;Trojan.Click.5009;Deleted.;
A0149421.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP215;Trojan.Virtumod.240;Deleted.;
A0149422.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP215;Trojan.Virtumod.240;Deleted.;
A0149423.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP215;Trojan.Click.5009;Deleted.;
A0149426.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP215;Trojan.Starter.339;Deleted.;
A0149428.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP215;Trojan.Proxy.2751;Deleted.;
A0150404.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP215;Trojan.Click.5009;Deleted.;
A0150413.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP215;Trojan.DownLoader.origin;Incurable.Moved.;
A0150417.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP215;Trojan.Virtumod.240;Deleted.;
A0150419.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP215;Trojan.Virtumod.240;Deleted.;
A0150420.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP215;Trojan.Click.5009;Deleted.;
A0150423.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP215;Trojan.Starter.339;Deleted.;
A0150425.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP215;Trojan.Proxy.2751;Deleted.;
A0150441.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.DownLoader.origin;Incurable.Moved.;
A0150443.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Proxy.2751;Deleted.;
A0150444.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.DownLoader.36226;Deleted.;
A0150445.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Click.5009;Deleted.;
A0150446.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Virtumod.240;Deleted.;
A0150447.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Virtumod.240;Deleted.;
A0150448.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Click.5009;Deleted.;
A0150451.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Click.5009;Deleted.;
A0150452.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Starter.339;Deleted.;
A0151404.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Proxy.2751;Deleted.;
A0151405.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Proxy.2751;Deleted.;
A0151406.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Virtumod.240;Deleted.;
A0151407.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Virtumod.240;Deleted.;
A0151409.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Click.5009;Deleted.;
A0151410.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.DownLoader.36226;Deleted.;
A0151420.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.DownLoader.origin;Incurable.Moved.;
A0151421.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Click.5009;Deleted.;
A0151424.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Click.5009;Deleted.;
A0151425.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Starter.339;Deleted.;
A0151436.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.DownLoader.origin;Incurable.Moved.;
A0151438.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Proxy.2751;Deleted.;
A0151439.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.DownLoader.36226;Deleted.;
A0151440.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Click.5009;Deleted.;
A0151441.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Virtumod.240;Deleted.;
A0151442.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Virtumod.240;Deleted.;
A0151443.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Click.5009;Deleted.;
A0151446.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Click.5009;Deleted.;
A0151447.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Starter.339;Deleted.;
A0151448.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Proxy.2751;Deleted.;
A0151464.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Proxy.2751;Deleted.;
A0151465.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.DownLoader.origin;Incurable.Moved.;
A0151468.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Proxy.2751;Deleted.;
A0151469.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.DownLoader.36226;Deleted.;
A0151470.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Click.5009;Deleted.;
A0151471.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Virtumod.240;Deleted.;
A0151472.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Virtumod.240;Deleted.;
A0151473.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Click.5009;Deleted.;
A0151476.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Click.5009;Deleted.;
A0151477.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Starter.339;Deleted.;
A0152456.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.DownLoader.origin;Incurable.Moved.;
A0152465.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.DownLoader.origin;Incurable.Moved.;
A0152467.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Proxy.2751;Deleted.;
A0152468.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.DownLoader.36226;Deleted.;
A0152469.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Click.5009;Deleted.;
A0152470.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Virtumod.240;Deleted.;
A0152471.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Virtumod.240;Deleted.;
A0152472.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Click.5009;Deleted.;
A0152475.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP216;Trojan.Starter.339;Deleted.;
A0152482.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Trojan.DownLoader.origin;Incurable.Moved.;
A0152485.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Trojan.Starter.339;Deleted.;
A0152488.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Trojan.Click.5009;Deleted.;
A0152499.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Trojan.DownLoader.origin;Incurable.Moved.;
A0152501.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Trojan.Proxy.2751;Deleted.;
A0152502.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Trojan.DownLoader.36226;Deleted.;
A0152503.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Trojan.Click.5009;Deleted.;
A0152504.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Trojan.Virtumod.240;Deleted.;
A0152505.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Trojan.Click.5009;Deleted.;
A0152508.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Trojan.Starter.339;Deleted.;
A0152511.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Trojan.Virtumod.240;Deleted.;
A0153489.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Trojan.Click.5009;Deleted.;
A0153490.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Trojan.DownLoader.36226;Deleted.;
A0153498.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Trojan.DownLoader.origin;Incurable.Moved.;
A0153500.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Trojan.Click.5009;Deleted.;
A0153503.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Trojan.Starter.339;Deleted.;
A0153510.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Trojan.DownLoader.origin;Incurable.Moved.;
A0153523.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Trojan.DownLoader.origin;Incurable.Moved.;
A0153525.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Trojan.Proxy.2751;Deleted.;
A0153528.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Trojan.DownLoader.origin;Incurable.Moved.;
A0153539.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Trojan.DownLoader.36226;Deleted.;
A0153542.bat;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP217;Probably BATCH.Virus;;
A0153579.bat;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP218;Probably BATCH.Virus;;
A0153596.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP218;Trojan.Proxy.2751;Deleted.;
A0154630.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP218;BackDoor.IRC.Sdbot.2010;Deleted.;
A0154636.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP218;BackDoor.IRC.Sdbot.2010;Deleted.;
A0154668.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP218;Trojan.DownLoader.origin;Incurable.Moved.;
A0154671.exe;C:\System Volume Information\_restore{10D4B4EE-7C0B-4339-9C74-3091462FA969}\RP218;Trojan.KillApp.30208;Deleted.;
dc4all.exe;C:\WINDOWS\system;Trojan.Click.5009;Deleted.;
del.exe;C:\WINDOWS\system;Trojan.DownLoader.36226;Deleted.;
delnew.exe;C:\WINDOWS\system;Trojan.Click.5009;Deleted.;
hen.exe;C:\WINDOWS\system;Trojan.Click.5009;Deleted.;
lc.exe;C:\WINDOWS\system;Trojan.Virtumod.240;Deleted.;
nadlocop.exe;C:\WINDOWS\system;Trojan.Proxy.2751;Deleted.;
run.exe;C:\WINDOWS\system;Trojan.Starter.339;Deleted.;
zm.exe;C:\WINDOWS\system;Trojan.Virtumod.240;Deleted.;
zi.exe;C:\WINDOWS\system32;BackDoor.IRC.Sdbot.2239;Deleted.;

---------------------------------------------------------------------------
And the ComboFix log here:

ComboFix 08-01-30.6 - Owner 2008-01-31 8:46:28.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.263 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-31 04:51 . 2008-01-31 04:55 <DIR> d-------- C:\Documents and Settings\Owner\DoctorWeb
2008-01-31 04:35 . 2008-01-31 04:35 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-31 04:33 . 2003-07-24 03:56 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-31 04:33 . 2003-07-26 02:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-31 04:33 . 2003-07-24 03:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-01-31 04:33 . 2003-07-24 04:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-01-31 04:33 . 2003-07-26 02:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2008-01-29 01:43 . 2008-01-29 01:43 33 --a------ C:\28374.html
2008-01-29 01:40 . 2008-01-30 09:29 6,144 --a------ C:\WINDOWS\system\helper.exe
2008-01-29 00:07 . 2008-01-29 00:07 32 --a------ C:\28915.html
2008-01-28 23:55 . 2008-01-28 23:55 244 --ah----- C:\sqmnoopt02.sqm
2008-01-28 23:55 . 2008-01-28 23:55 232 --ah----- C:\sqmdata02.sqm
2008-01-28 22:52 . 2008-01-28 22:52 33 --a------ C:\18520.html
2008-01-28 10:42 . 2008-01-28 10:42 33 --a------ C:\11178.html
2008-01-28 05:58 . 2008-01-28 05:58 33 --a------ C:\22566.html
2008-01-28 05:53 . 2008-01-28 05:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MTS
2008-01-28 05:51 . 2008-01-28 05:53 <DIR> d-------- C:\Program Files\MTS Accelerator
2008-01-28 00:30 . 2008-01-28 00:30 33 --a------ C:\24208.html
2008-01-27 23:54 . 2008-01-27 23:54 244 --ah----- C:\sqmnoopt01.sqm
2008-01-27 23:54 . 2008-01-27 23:54 232 --ah----- C:\sqmdata01.sqm
2008-01-27 23:41 . 2008-01-27 23:41 33 --a------ C:\27176.html
2008-01-27 09:55 . 2008-01-27 09:55 33 --a------ C:\18807.html
2008-01-27 03:26 . 2008-01-27 03:26 244 --ah----- C:\sqmnoopt00.sqm
2008-01-27 03:26 . 2008-01-27 03:26 232 --ah----- C:\sqmdata00.sqm
2008-01-26 22:42 . 2008-01-26 22:42 33 --a------ C:\3228.html
2008-01-26 10:12 . 2008-01-26 10:12 31 --a------ C:\549.html
2008-01-26 05:09 . 2008-01-30 09:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Tibia
2008-01-26 02:57 . 2008-01-26 02:57 33 --a------ C:\17578.html
2008-01-26 00:50 . 2008-01-29 01:42 5,376 --a------ C:\WINDOWS\system\kol.exe
2008-01-26 00:50 . 2008-01-29 01:42 4,880 --a------ C:\WINDOWS\system\wbrow.exe
2008-01-26 00:50 . 2008-01-26 00:50 33 --a------ C:\10611.html
2008-01-12 14:49 . 2008-01-13 20:27 <DIR> d-------- C:\Program Files\Tibia
2008-01-05 02:07 . 2008-01-05 02:07 <DIR> d-------- C:\Program Files\Blackd Tools
2007-12-08 17:23 . 2007-12-08 17:23 <DIR> d-------- C:\Program Files\Ventrilo
2007-12-08 17:22 . 2007-12-08 17:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 14:43 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-01-31 10:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-29 09:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-01-15 23:36 --------- d-----w C:\Program Files\MSN Messenger
2008-01-14 21:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-14 20:24 --------- d-----w C:\Program Files\Atari
2008-01-14 02:24 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-01-13 01:41 --------- d-----w C:\Program Files\TibiaBot NG
2008-01-02 03:50 --------- d-----w C:\Documents and Settings\Owner\Application Data\mIRC
2008-01-02 03:47 --------- d-----w C:\Program Files\mIRC
2007-12-04 16:29 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-12-03 20:01 --------- d-----w C:\Program Files\Lexmark X1100 Series
2007-07-01 03:01 1,085,984 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-01 03:00 73,248 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 08:07 114688]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 21:02 61440]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 09:01 155648]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 22:42 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-03 00:19 4640768]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 07:15 344064]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-07-31 21:28 81920]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-02-24 19:51 53248]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 04:43 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 12:24 579072]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-07-24 03:36 151597]
"Propel Accelerator"="C:\Program Files\MTS Accelerator\trayctl.exe" [2007-11-15 16:30 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 08:37 219136]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 08:11:14 27136]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-07-26 02:57:44 552960]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-05-22 03:19:20 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2006-03-02 20:02:42 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 04:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

R3 IntelS51;Intel® 536EP Modem;C:\WINDOWS\System32\DRIVERS\IntelS51.sys [2004-12-23 02:52]
S2 k9q1t9;k9q1t9;"C:\WINDOWS\system32\svshost.exe" []

.
Contents of the 'Scheduled Tasks' folder
"2008-01-31 14:43:16 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 08:49:32
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\MTS Accelerator\PropelAC.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
.
**************************************************************************
.
Completion time: 2008-01-31 8:50:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-31 14:50:47
ComboFix2.txt 2008-01-31 14:44:29
ComboFix3.txt 2008-01-30 15:37:50
.
2007-08-13 20:53:56 --- E O F ---



Thanks.

#6 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 January 2008 - 04:34 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Driver::
k9q1t9

File::
C:\28374.html
C:\WINDOWS\system\helper.exe
C:\28915.html
C:\18520.html
C:\11178.html
C:\22566.html
C:\24208.html
C:\27176.html
C:\18807.html
C:\3228.html
C:\549.html
C:\17578.html
C:\WINDOWS\system\kol.exe
C:\WINDOWS\system\wbrow.exe
C:\10611.html

Prior to running ComboFix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 KillmyCPU
  • Topic Starter

  • Members
  • 10 posts

Posted 31 January 2008 - 05:03 PM

Thanks, Sam.

ComboFix 08-01-30.6 - Owner 2008-01-31 15:54:12.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.202 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\10611.html
C:\11178.html
C:\17578.html
C:\18520.html
C:\18807.html
C:\22566.html
C:\24208.html
C:\27176.html
C:\28374.html
C:\28915.html
C:\3228.html
C:\549.html
C:\WINDOWS\system\helper.exe
C:\WINDOWS\system\kol.exe
C:\WINDOWS\system\wbrow.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\10611.html
C:\11178.html
C:\17578.html
C:\18520.html
C:\18807.html
C:\22566.html
C:\24208.html
C:\27176.html
C:\28374.html
C:\28915.html
C:\3228.html
C:\549.html
C:\WINDOWS\system\helper.exe
C:\WINDOWS\system\kol.exe
C:\WINDOWS\system\wbrow.exe
D:\Autorun.inf . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_K9Q1T9
-------\k9q1t9


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-31 04:51 . 2008-01-31 04:55 <DIR> d-------- C:\Documents and Settings\Owner\DoctorWeb
2008-01-31 04:35 . 2008-01-31 04:35 <DIR> d-------- C:\WINDOWS\ERUNT
2008-01-31 04:33 . 2003-07-24 03:56 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-01-31 04:33 . 2003-07-26 02:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-31 04:33 . 2003-07-24 03:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-01-31 04:33 . 2003-07-24 04:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-01-31 04:33 . 2003-07-26 02:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\interMute
2008-01-28 23:55 . 2008-01-28 23:55 244 --ah----- C:\sqmnoopt02.sqm
2008-01-28 23:55 . 2008-01-28 23:55 232 --ah----- C:\sqmdata02.sqm
2008-01-28 05:53 . 2008-01-28 05:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MTS
2008-01-28 05:51 . 2008-01-28 05:53 <DIR> d-------- C:\Program Files\MTS Accelerator
2008-01-27 23:54 . 2008-01-27 23:54 244 --ah----- C:\sqmnoopt01.sqm
2008-01-27 23:54 . 2008-01-27 23:54 232 --ah----- C:\sqmdata01.sqm
2008-01-27 03:26 . 2008-01-27 03:26 244 --ah----- C:\sqmnoopt00.sqm
2008-01-27 03:26 . 2008-01-27 03:26 232 --ah----- C:\sqmdata00.sqm
2008-01-26 05:09 . 2008-01-31 13:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Tibia
2008-01-12 14:49 . 2008-01-13 20:27 <DIR> d-------- C:\Program Files\Tibia
2008-01-05 02:07 . 2008-01-05 02:07 <DIR> d-------- C:\Program Files\Blackd Tools
2007-12-08 17:23 . 2007-12-08 17:23 <DIR> d-------- C:\Program Files\Ventrilo
2007-12-08 17:22 . 2007-12-08 17:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 19:21 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-31 14:43 --------- d-----w C:\Documents and Settings\Owner\Application Data\AVG7
2008-01-29 09:38 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2008-01-15 23:36 --------- d-----w C:\Program Files\MSN Messenger
2008-01-14 21:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-14 20:24 --------- d-----w C:\Program Files\Atari
2008-01-14 02:24 --------- d-----w C:\Program Files\Teamspeak2_RC2
2008-01-13 01:41 --------- d-----w C:\Program Files\TibiaBot NG
2008-01-02 03:50 --------- d-----w C:\Documents and Settings\Owner\Application Data\mIRC
2008-01-02 03:47 --------- d-----w C:\Program Files\mIRC
2007-12-04 16:29 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-12-03 20:01 --------- d-----w C:\Program Files\Lexmark X1100 Series
2007-07-01 03:01 1,085,984 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-01 03:00 73,248 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04 52736]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 08:07 114688]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 21:02 61440]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 09:01 155648]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 22:42 212992]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-05-03 00:19 4640768]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 07:15 344064]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-07-31 21:28 81920]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-02-24 19:51 53248]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 04:43 57344]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-20 12:24 579072]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-07-24 03:36 151597]
"Propel Accelerator"="C:\Program Files\MTS Accelerator\trayctl.exe" [2007-11-15 16:30 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 08:37 219136]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
mod_sm.lnk - C:\hp\bin\cloaker.exe [1999-11-07 08:11:14 27136]

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-07-26 02:57:44 552960]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-05-22 03:19:20 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2006-03-02 20:02:42 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 2003-02-21 04:50 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

R3 IntelS51;Intel® 536EP Modem;C:\WINDOWS\System32\DRIVERS\IntelS51.sys [2004-12-23 02:52]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-31 21:43:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 15:57:38
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\Softex\OmniPass\opxpgina.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\MTS Accelerator\PropelAC.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
.
**************************************************************************
.
Completion time: 2008-01-31 15:58:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-31 21:58:51
ComboFix2.txt 2008-01-31 14:50:52
ComboFix3.txt 2008-01-31 14:44:29
ComboFix4.txt 2008-01-30 15:37:50
.
2007-08-13 20:53:56 --- E O F ---


HijackThis --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:59:35, on 31/01/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\MTS Accelerator\PropelAC.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qca9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qca9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qca9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qca9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qca9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\MTSACC~1\PRPL_I~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\MTS Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\MTS Accelerator\pac-addwl.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/229?01034b8159754189ac16c85a541bfc5b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ca\msntabres.dll.mui/230?01034b8159754189ac16c85a541bfc5b
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\MTS Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\MTS Accelerator\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

--
End of file - 7694 bytes


:thumbsup:

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:19 PM

Posted 31 January 2008 - 05:12 PM

Your log looks pretty good to me.
How is everything on your end? Any problems or issues?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 KillmyCPU

KillmyCPU
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:19 PM

Posted 31 January 2008 - 05:17 PM

Things are running a lot better. Internet Explorer keeps setting itself as my main browser when all I ever use is Mozilla.
Other than that I'll just have to keep an eye on things.

Although I do have another problem. I'm not sure if you can help me with it, but I'll try to explain what it is:

NTSystem (I think it is) causes a crash sometimes, and gives me 1:00 min to save what I'm doing before it instantly resets.
I know that when this comes up, if I go to Start > Run and type Shutdown -a, the crash will not happen. Any idea what the problem might be?

Thanks Sam, your help was absolutely great! You're a hero!

Thanks,
Tony Deacon
Canada

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:19 PM

Posted 31 January 2008 - 05:22 PM

Let's see what we can figure out.
Click Start -> Run -> eventvwr.msc

Look in SYSTEM and APPLICATIONS for anything in the last day or so.
Double click on anything you see with a red X, press the Copy button, and then paste it here in your next reply.

#11 KillmyCPU

KillmyCPU
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:19 PM

Posted 31 January 2008 - 05:37 PM

Event Type: Error
Event Source: Winlogon
Event Category: None
Event ID: 1015
Date: 31/01/2008
Time: 10:14:14
User: N/A
Computer: TONYS
Description:
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: AVG7
Event Category: Error
Event ID: 100
Date: 31/01/2008
Time: 08:39:40
User: NT AUTHORITY\SYSTEM
Computer: TONYS
Description:
2008-01-31 14:39:40,578 TONYS [001264:001280] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(3808) call failed with WIN32 error 87, returning session id is 0

Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 31/01/2008
Time: 07:35:26
User: N/A
Computer: TONYS
Description:
Hanging application , version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: AVG7
Event Category: Error
Event ID: 100
Date: 31/01/2008
Time: 04:42:04
User: NT AUTHORITY\SYSTEM
Computer: TONYS
Description:
2008-01-31 10:42:04,046 TONYS [001264:001280] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(204) call failed with WIN32 error 87, returning session id is 0

Event Type: Warning
Event Source: Userenv
Event Category: None
Event ID: 1517
Date: 31/01/2008
Time: 04:34:54
User: NT AUTHORITY\SYSTEM
Computer: TONYS
Description:
Windows saved user TONYS\Administrator registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: VSS
Event Category: None
Event ID: 8193
Date: 31/01/2008
Time: 04:33:01
User: N/A
Computer: TONYS
Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80040206.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 57 52 54 57 52 54 49 43 WRTWRTIC
0008: 32 31 31 33 00 00 00 00 2113....
0010: 57 52 54 57 52 54 49 43 WRTWRTIC
0018: 32 30 37 38 00 00 00 00 2078....

Event Type: Error
Event Source: EventSystem
Event Category: (50)
Event ID: 4609
Date: 31/01/2008
Time: 04:33:01
User: N/A
Computer: TONYS
Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043C from line 44 of d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Winlogon
Event Category: None
Event ID: 1015
Date: 31/01/2008
Time: 03:05:38
User: N/A
Computer: TONYS
Description:
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Error
Event Source: AVG7
Event Category: Error
Event ID: 100
Date: 30/01/2008
Time: 13:03:22
User: NT AUTHORITY\SYSTEM
Computer: TONYS
Description:
2008-01-30 19:03:22,140 TONYS [001272:001288] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(488) call failed with WIN32 error 87, returning session id is 0

Event Type: Error
Event Source: AVG7
Event Category: Error
Event ID: 100
Date: 30/01/2008
Time: 13:03:22
User: NT AUTHORITY\SYSTEM
Computer: TONYS
Description:
2008-01-30 19:03:22,062 TONYS [001272:001288] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(488) call failed with WIN32 error 87, returning session id is 0

Event Type: Error
Event Source: AVG7
Event Category: Error
Event ID: 100
Date: 30/01/2008
Time: 12:58:56
User: NT AUTHORITY\SYSTEM
Computer: TONYS
Description:
2008-01-30 18:58:56,703 TONYS [001272:001288] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(2884) call failed with WIN32 error 87, returning session id is 0

Event Type: Error
Event Source: AVG7
Event Category: Error
Event ID: 100
Date: 30/01/2008
Time: 09:33:46
User: NT AUTHORITY\SYSTEM
Computer: TONYS
Description:
2008-01-30 15:33:46,296 TONYS [001264:001272] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(376) call failed with WIN32 error 87, returning session id is 0

Event Type: Error
Event Source: Windows Live Messenger
Event Category: None
Event ID: 1000
Date: 30/01/2008
Time: 09:12:23
User: N/A
Computer: TONYS
Description:
The description for Event ID ( 1000 ) in Source ( Windows Live Messenger ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: msnmsgr.exe, 8.1.178.0, 45b12d6a, mshtml.dll, 6.0.2800.1106, 3d6dfa11, 0, 000f015c.

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 29/01/2008
Time: 01:43:27
User: N/A
Computer: TONYS
Description:
Faulting application wbrow.exe, version 0.0.0.0, faulting module msvcrt.dll, version 7.0.2600.1106, fault address 0x0003381c.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 28/01/2008
Time: 10:43:45
User: N/A
Computer: TONYS
Description:
Faulting application IEXPLORE.EXE, version 6.0.2800.1106, faulting module ntdll.dll, version 5.1.2600.1106, fault address 0x0004e4b4.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 28/01/2008
Time: 10:42:16
User: N/A
Computer: TONYS
Description:
Faulting application wbrow.exe, version 0.0.0.0, faulting module msvcrt.dll, version 7.0.2600.1106, fault address 0x0003381c.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 28/01/2008
Time: 05:59:18
User: N/A
Computer: TONYS
Description:
Faulting application wbrow.exe, version 0.0.0.0, faulting module msvcrt.dll, version 7.0.2600.1106, fault address 0x0003381c.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 28/01/2008
Time: 00:30:47
User: N/A
Computer: TONYS
Description:
Faulting application wbrow.exe, version 0.0.0.0, faulting module wbrow.exe, version 0.0.0.0, fault address 0x00002022.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 27/01/2008
Time: 23:41:23
User: N/A
Computer: TONYS
Description:
Faulting application wbrow.exe, version 0.0.0.0, faulting module wbrow.exe, version 0.0.0.0, fault address 0x00002022.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 26/01/2008
Time: 22:42:31
User: N/A
Computer: TONYS
Description:
Faulting application wbrow.exe, version 0.0.0.0, faulting module wbrow.exe, version 0.0.0.0, fault address 0x00002022.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 26/01/2008
Time: 02:57:33
User: N/A
Computer: TONYS
Description:
Faulting application wbrow.exe, version 0.0.0.0, faulting module wbrow.exe, version 0.0.0.0, fault address 0x00002022.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000
Date: 26/01/2008
Time: 00:50:52
User: N/A
Computer: TONYS
Description:
Faulting application wbrow.exe, version 0.0.0.0, faulting module wbrow.exe, version 0.0.0.0, fault address 0x00002022.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Winlogon
Event Category: None
Event ID: 1015
Date: 26/01/2008
Time: 00:10:36
User: N/A
Computer: TONYS
Description:
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Service --------------------------------

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 31/01/2008
Time: 15:58:41
User: N/A
Computer: TONYS
Description:
The mrtRate service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: LsaSrv
Event Category: Security Package Manager
Event ID: 5000
Date: 31/01/2008
Time: 10:13:59
User: N/A
Computer: TONYS
Description:
The security package LSA generated an exception. The package is now disabled. The exception information is the data.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10005
Date: 31/01/2008
Time: 04:35:21
User: NT AUTHORITY\SYSTEM
Computer: TONYS
Description:
DCOM got error "This service cannot be started in Safe Mode " attempting to start the service EventSystem with arguments "" in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: LsaSrv
Event Category: Security Package Manager
Event ID: 5000
Date: 30/01/2008
Time: 18:27:50
User: N/A
Computer: TONYS
Description:
The security package LSA generated an exception. The package is now disabled. The exception information is the data.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

There were tons upon tons upon tons of errors there; I only copied a few, otherwise I'd be here for a year. Most of them were from the source DCOM, others were LsaSrv and Service Control Manager.

Hope this helps, sorry for the trouble.
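A triage script for event records pasted in the shape above, added here as an example (it is not code from the thread or from BleepingComputer): it parses the "Event Type:" blocks, counts records per source and event ID, and pairs each Winlogon 1015 forced-restart record with the LsaSrv 5000 exception that preceded it, as the two records 15 seconds apart in the log above do. The sample records are constructed from the ones posted; the 5-minute pairing window is an assumption.

```python
"""Triage pasted Event Viewer records of the shape posted above (added example; not
code from the thread or from BleepingComputer)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample modelled on the records in the thread (hex "Data:" dumps left out).
SAMPLE = r"""Event Type: Error
Event Source: LsaSrv
Event ID: 5000
Date: 31/01/2008
Time: 10:13:59
Description:
The security package LSA generated an exception. The package is now disabled.

Event Type: Error
Event Source: Winlogon
Event ID: 1015
Date: 31/01/2008
Time: 10:14:14
Description:
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.

Event Type: Error
Event Source: Winlogon
Event ID: 1015
Date: 26/01/2008
Time: 00:10:36
Description:
A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.
"""

FIELD = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer): ?(.*)$")


def parse_events(text):
    """One dict per 'Event Type:' block; free text after 'Description:' is collected
    until the Microsoft boilerplate line or the 'Data:' hex dump starts."""
    events, cur, in_desc = [], None, False
    for line in text.splitlines():
        if line.startswith("Event Type:"):
            if cur: events.append(cur)
            cur, in_desc = {"Description": ""}, False
        if cur is None:
            continue
        m = FIELD.match(line)
        if m and not in_desc:
            cur[m.group(1)] = m.group(2).strip()
        elif line.startswith("Description:"):
            in_desc = True
        elif line.startswith(("Data:", "For more information")):
            in_desc = False
        elif in_desc and line.strip():
            cur["Description"] += line.strip() + " "
    if cur: events.append(cur)
    for e in events:  # dates in the pasted log are dd/mm/yyyy
        e["when"] = datetime.strptime(e["Date"] + " " + e["Time"], "%d/%m/%Y %H:%M:%S")
        e["Description"] = e["Description"].strip()
    return events


def summarize(events):
    """Counts per (source, id): the quick answer to 'tons upon tons of errors'."""
    return Counter((e["Event Source"], e["Event ID"]) for e in events)


def forced_restarts(events, window=timedelta(minutes=5)):
    """Each Winlogon 1015 record (lsass.exe died with c0000005, STATUS_ACCESS_VIOLATION,
    so Windows starts the restart countdown the poster describes) paired with the latest
    LsaSrv 5000 exception within `window` before it, or None if there was none."""
    lsa = [e for e in events if (e["Event Source"], e["Event ID"]) == ("LsaSrv", "5000")]
    pairs = []
    for e in sorted(events, key=lambda x: x["when"]):
        if (e["Event Source"], e["Event ID"]) != ("Winlogon", "1015"):
            continue
        prior = [l for l in lsa if timedelta(0) <= e["when"] - l["when"] <= window]
        pairs.append((e["when"], max(p["when"] for p in prior) if prior else None))
    return pairs


if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print(summarize(evs).most_common())
    print(forced_restarts(evs))
```

A restart with no paired LSA exception in the output means the cause has to be looked for elsewhere in the System log, which is why both logs were asked for.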

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:19 PM

Posted 31 January 2008 - 05:43 PM

The first thing that you should try is to uninstall AVG, reboot, and then reinstall it. See if that resolves your issue.

Do you have your Windows XP disc?

#13 KillmyCPU

KillmyCPU
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:19 PM

Posted 31 January 2008 - 06:12 PM

I'm not sure where the disk is at the moment; I'll do some rooting around tonight and get back to you in the morning.

I'm off for some sleep now.

Thanks for your help, you've got no idea how much I appreciate it.
Keep up the good work, Sam.

goodnight
Tony

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:19 PM

Posted 02 February 2008 - 08:43 AM

Tony - did you get a chance to try that yet?
Let me know how it works out.

#15 KillmyCPU

KillmyCPU
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:05:19 PM

Posted 03 February 2008 - 01:14 PM

The problem hasn't happened yet, and I uninstalled and reinstalled AVG; maybe that was the problem.

Thanks Sam



