
Very Badly Infected Computer


17 replies to this topic

#1 1800

1800

  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:02 PM

Posted 23 May 2008 - 06:07 PM

Here's the report from the scans.

main.txt

Deckard's System Scanner v20071014.68
Run by Wong on 2008-05-24 08:47:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
58: 2008-05-23 22:48:03 UTC - RP304 - Deckard's System Scanner Restore Point
57: 2008-05-23 11:26:32 UTC - RP303 - Installed MapleStory.
56: 2008-05-23 10:56:04 UTC - RP302 - Removed MapleStory.
55: 2008-05-23 07:50:59 UTC - RP301 - System Checkpoint
54: 2008-05-21 11:55:22 UTC - RP300 - System Checkpoint


-- First Restore Point --
1: 2008-02-25 11:41:39 UTC - RP247 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Wong.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:49 AM, on 24/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Wong\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Wong.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.optusnet.com.au/?brand=ODSL&panel=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {95a277cc-df95-43d6-bda0-66f27fc3e4fb} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Csvnro] C:\Program Files\Csvnro\Csvnro.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: expda2 - expda2.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Doctor Service (sdcoreservice) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)

--
End of file - 4213 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>

S2 npkcrypt - c:\program files\nexon\maplestory\npkcrypt.sys (file missing)
S3 cheetah1 - c:\hacks\zenos\cheetah.sys (file missing)
S3 DBKDRVR54 - c:\program files\cheat engine\dbk32.sys (file missing)
S3 ezplay (VSO Software ezplay) - c:\windows\system32\drivers\ezplay.sys <Not Verified; VSO Software; ezplay driver>
S3 geebers12 - c:\hacks\ce\nvid888.sys (file missing)
S3 kaspersky1 - c:\hacks\kaspersky2\kaspersky.sys (file missing)
S3 memxers12 - c:\hacks\icheat\nvid999.sys (file missing)
S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
S3 saruen - c:\hacks\bypass\saruen.sys (file missing)
S3 sejt1 - c:\hacks\akuma\sejt.sys (file missing)
S3 SIS163u (SiS 163 usb Wireless LAN Adapter Driver) - c:\windows\system32\drivers\sis163u.sys <Not Verified; SiS Corporation; NDIS NIC Driver>
S3 XDva042 - c:\windows\system32\xdva042.sys (file missing)
S3 xp1 - c:\hacks\zenos\xp.sys (file missing)
S3 zenos1 - c:\hacks\zenos\zenos.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 sdcoreservice (Spyware Doctor Service) - c:\program files\spyware doctor\swdsvc.exe (file missing)
S3 WLSetupSvc (Windows Live Setup Service) - "c:\program files\windows live\installer\wlsetupsvc.exe" <Not Verified; Microsoft Corporation; Windows Live installer>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_125D&DEV_2838&SUBSYS_2838125D&REV_01\3&61AAA01&0&68
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_125D&DEV_2838&SUBSYS_2838125D&REV_01\3&61AAA01&0&68
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-05-08 21:31:00 268 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2007-10-01 21:31:15 390 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job


-- Files created between 2008-04-24 and 2008-05-24 -----------------------------

2008-05-24 08:49:31 0 d-------- C:\Program Files\Trend Micro
2008-05-24 00:09:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-24 00:09:00 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-24 00:08:56 0 d-------- C:\WINDOWS\LastGood
2008-05-23 23:40:48 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-20 21:10:53 0 d-------- C:\Documents and Settings\Wong\Application Data\Malwarebytes
2008-05-20 21:10:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-20 20:32:04 0 d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-05-19 00:19:30 0 dr-h----- C:\Documents and Settings\Wong\Recent
2008-05-12 13:34:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx


-- Find3M Report ---------------------------------------------------------------

2008-05-23 17:35:24 0 d-------- C:\Program Files\Warcraft III
2008-05-21 21:39:17 0 d-------- C:\Documents and Settings\Wong\Application Data\U3
2008-05-17 15:08:04 0 d-------- C:\Program Files\World of Warcraft
2008-05-12 18:21:33 0 d-------- C:\Documents and Settings\Wong\Application Data\Lavasoft
2008-05-05 14:09:32 83544 --a----c- C:\Documents and Settings\Wong\Application Data\GDIPFONTCACHEV1.DAT
2008-04-17 14:14:09 0 d-------- C:\Program Files\Windows Live
2008-04-17 14:13:43 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-17 14:02:25 0 d-------- C:\Program Files\Common Files
2008-04-13 13:57:09 0 d-------- C:\Documents and Settings\Wong\Application Data\NCH Swift Sound
2008-04-06 15:00:15 0 d-------- C:\Documents and Settings\Wong\Application Data\ViStart
2008-04-02 17:37:55 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-04-02 12:39:13 0 d-------- C:\Program Files\Common Files\Stardock
2008-04-02 12:38:29 12288 --a------ C:\WINDOWS\_MSRSTRT.EXE


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95a277cc-df95-43d6-bda0-66f27fc3e4fb}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22/10/2006 11:22 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/08/2004 11:56 PM]
"Csvnro"="C:\Program Files\Csvnro\Csvnro.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\expda2]
expda2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Wong^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=C:\Documents and Settings\Wong\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=C:\WINDOWS\pss\Stardock ObjectDock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Service Centre]
"C:\Program Files\OptusNet DSL Internet\DSC.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
C:\Program Files\\JavaCore\\JavaCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
C:\WINDOWS\system32\LXSUPMON.EXE RUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
"C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"nwiz.exe" /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
"C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
"C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vcsron]
C:\Program Files\Vcsron\Vcsron.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsService]
"rundll32.exe" "C:\WINDOWS\vtuvvu.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPro.exe]
"C:\Program Files\Bearshare\WebPro.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5ea0e1c-b4cb-11db-827c-0008a13c6261}]
AutoRun\command- E:\LaunchU3.exe -a




-- Hosts -----------------------------------------------------------------------

127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 br.errorsafe.com ## added by CiD
127.0.0.1 br.winantivirus.com ## added by CiD
127.0.0.1 br.winfixer.com ## added by CiD
127.0.0.1 cdn.drivecleaner.com ## added by CiD
127.0.0.1 cdn.errorsafe.com ## added by CiD
127.0.0.1 cdn.winsoftware.com ## added by CiD
127.0.0.1 de.errorsafe.com ## added by CiD
127.0.0.1 de.winantivirus.com ## added by CiD
127.0.0.1 download.cdn.drivecleaner.com ## added by CiD

60 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-24 08:50:41 ------------

extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 1.70GHz
Percentage of Memory in Use: 44%
Physical Memory (total/avail): 511.48 MiB / 285.23 MiB
Pagefile Memory (total/avail): 1250.06 MiB / 917.54 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1917.04 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 41.84 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST380023A - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"="C:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe:*:Enabled:BearShare"
"C:\\Program Files\\NEXON\\MapleStory\\MapleStory.exe"="C:\\Program Files\\NEXON\\MapleStory\\MapleStory.exe:*:Enabled:MapleStory"
"C:\\Program Files\\NEXON\\MapleStory\\Patcher.exe"="C:\\Program Files\\NEXON\\MapleStory\\Patcher.exe:*:Enabled:Patcher"
"C:\\Program Files\\NEXON\\MapleStory\\Setup.exe"="C:\\Program Files\\NEXON\\MapleStory\\Setup.exe:*:Enabled:Setup"
"C:\\Program Files\\NEXON\\MapleStory\\NewPatcher.exe"="C:\\Program Files\\NEXON\\MapleStory\\NewPatcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Disabled:eMule"
"C:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"="C:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe:*:Disabled:TmNationsESWC"
"C:\\Documents and Settings\\Wong\\Desktop\\wowclient-downloader.exe"="C:\\Documents and Settings\\Wong\\Desktop\\wowclient-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Wong\\Desktop\\WoW-BurningCrusade-enUS-Installer-downloader.exe"="C:\\Documents and Settings\\Wong\\Desktop\\WoW-BurningCrusade-enUS-Installer-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Bearshare\\IeEmbed.exe"="C:\\Program Files\\Bearshare\\IeEmbed.exe:*:Enabled:JDesktop Integration Components binary"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Counter-Strike 1.6\\hl.exe"="C:\\Program Files\\Counter-Strike 1.6\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\Softnyx\\WolfTeam\\Wolfteam.bin"="C:\\Program Files\\Softnyx\\WolfTeam\\Wolfteam.bin:*:Enabled:WolfTeam"
"C:\\Program Files\\World of Warcraft\\Repair.exe"="C:\\Program Files\\World of Warcraft\\Repair.exe:*:Enabled:Blizzard Repair Utility"
"C:\\Program Files\\NEXON\\MapleStory\\GGlessV51.exe"="C:\\Program Files\\NEXON\\MapleStory\\GGlessV51.exe:*:Enabled:MapleStory"
"C:\\Valve\\Condition Zero\\czero.exe"="C:\\Valve\\Condition Zero\\czero.exe:*:Enabled:Condition Zero Launcher"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Wong\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DEREK
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Wong
LOGONSERVER=\\DEREK
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0103
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Wong\LOCALS~1\Temp
TMP=C:\DOCUME~1\Wong\LOCALS~1\Temp
USERDOMAIN=DEREK
USERNAME=Wong
USERPROFILE=C:\Documents and Settings\Wong
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Wong (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
CDBurnerXP Pro 3 --> MsiExec.exe /I{896D642C-7125-44F0-AC49-A23ABF82209C}
Counter-Strike 1.6 --> C:\Program Files\Counter-Strike 1.6\Uninstal.exe
Counter-Strike: Condition Zero --> C:\Valve\CONDIT~1\UNWISE.EXE C:\Valve\CONDIT~1\INSTALL.LOG
D-Link DSL-302G USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ACCEC3BD-FFCA-4146-8587-17650B86165B}\Setup.exe"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Enable S3 for USB Device --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Gigabyte\Enable S3 for USB Device\Uninst.isu"
Fraps (remove only) --> "C:\Fraps\uninstall.exe"
getPlus®_ocx --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Lexmark Supplies Monitor --> C:\WINDOWS\system32\LXSMUNIN.EXE
Lexmark Z65 --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXALUN5C.EXE -dLexmark Z65
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office XP Professional --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0050048383C9}
Microsoft Publisher 2002 --> MsiExec.exe /I{90190409-6000-11D3-8CFE-0050048383C9}
NVIDIA Drivers --> C:\WINDOWS\System32\nvudisp.exe UninstallGUI
OptusNet DSL --> C:\Program Files\OptusNet DSL Internet\Uninstall.exe
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
RebirthRO --> "C:\WINDOWS\RebirthRO\uninstall.exe" "/U:C:\Program Files\Gravity\RebirthRO\Uninstall\uninstall.xml"
Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live OneCare safety scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
WoWscape Server Browser --> "C:\WINDOWS\WoWscape Server Browser\uninstall.exe" "/U:C:\Program Files\World of Warcraft\\Uninstall\uninstall.xml"
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type6622 / Success
Event Submitted/Written: 05/24/2008 00:25:49 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type6618 / Error
Event Submitted/Written: 05/23/2008 09:26:31 PM
Event ID/Source: 10005 / MsiInstaller
Event Description:
Product: MapleStory -- Error 2350.FDI server error

Event Record #/Type6617 / Error
Event Submitted/Written: 05/23/2008 09:26:30 PM
Event ID/Source: 10005 / MsiInstaller
Event Description:
Product: MapleStory -- Error 2350.FDI server error

Event Record #/Type6616 / Error
Event Submitted/Written: 05/23/2008 09:26:30 PM
Event ID/Source: 10005 / MsiInstaller
Event Description:
Product: MapleStory -- Error 2350.FDI server error

Event Record #/Type6615 / Error
Event Submitted/Written: 05/23/2008 09:26:30 PM
Event ID/Source: 10005 / MsiInstaller
Event Description:
Product: MapleStory -- Error 2350.FDI server error



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type24225 / Warning
Event Submitted/Written: 05/24/2008 00:00:46 AM
Event ID/Source: 8021 / BROWSER
Event Description:
The browser was unable to retrieve a list of servers from the browser master \\KIRSTY on the network \Device\NetBT_Tcpip_{33EF5273-AA6F-4D98-9345-05EA8BCF67F5}.
The data is the error code.

Event Record #/Type24208 / Error
Event Submitted/Written: 05/23/2008 11:36:19 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The npkcrypt service failed to start due to the following error:
%%3

Event Record #/Type24175 / Error
Event Submitted/Written: 05/23/2008 09:33:15 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The npkcrypt service failed to start due to the following error:
%%2

Event Record #/Type24171 / Error
Event Submitted/Written: 05/23/2008 09:29:36 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Messenger Sharing Folders USN Journal Reader service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type24170 / Error
Event Submitted/Written: 05/23/2008 09:29:16 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The Windows Installer service terminated unexpectedly. It has done this 1 time(s).



-- End of Deckard's System Scanner: finished at 2008-05-24 08:50:41 ------------


#2 1800

1800
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:03:02 PM

Posted 23 May 2008 - 06:23 PM

Here are my Kaspersky scan results.


kaspersky scan results
--------------
Here's my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:49 AM, on 24/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.optusnet.com.au/?brand=ODSL&panel=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {95a277cc-df95-43d6-bda0-66f27fc3e4fb} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Csvnro] C:\Program Files\Csvnro\Csvnro.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: expda2 - expda2.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Doctor Service (sdcoreservice) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)

--
End of file - 4083 bytes
-------------
I have also found out that other computers on the network are also infected.
The symptoms of the virus look the same: programs are not able to run no matter how many times you start them or re-install them.

Is the virus a network virus?

Should I also provide scan results like I have for my computer?

Or will the solution to my computer fix the other computers as well?


Merged posts ~ OB

Edited by Orange Blossom, 23 May 2008 - 10:17 PM.


#3 chryssi2001

chryssi2001

  • Members
  • 1,930 posts

Posted 24 May 2008 - 01:38 AM

Hello 1800,

I will be assisting you with your malware issues.
  • Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any question or you're stuck in there please reply it to me. I will try my best to help you!
  • Please bookmark or favourite this page, in case you need it as a reference.
IMPORTANT NOTE:
If you are using Windows Vista you must right click on the desktop icon of all tools and choose Run as Administrator.
----------------------------------------------
You have too many infections which are disabled using msconfig.
----------------------------------------------
Download HijackThis
Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Close HijackThis, do not run it yet.
----------------------------------------------
Please visit this webpage for instructions for downloading ComboFix at your DESKTOP :
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.

Additional links to download the tool:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt.
----------------------------------------------
Run HijackThis
  • Double click to open HijackThis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.

Edited by chryssi2001, 24 May 2008 - 01:39 AM.

Private Messages for personal support will be ignored. If you need help post in the forum.

#4 1800

1800
  • Topic Starter

  • Members
  • 14 posts

Posted 24 May 2008 - 02:28 AM

Thank you Chryssi2001 for helping with my problem

Here are my reports

Combo fix Report

ComboFix 08-05-21.3 - Wong 2008-05-24 17:12:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.278 [GMT 10:00]
Running from: C:\Documents and Settings\Wong\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wong\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Wong\Application Data\inst.exe
C:\WINDOWS\system32\grouppolicy\machine\scripts\scripts.ini
C:\WINDOWS\system32\info.txt

.
((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-24 16:18 . 2008-05-24 17:14 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-24 08:49 . 2008-05-24 08:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-24 08:47 . 2008-05-24 08:47 <DIR> d-------- C:\Deckard
2008-05-24 00:09 . 2008-05-24 00:09 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-24 00:09 . 2008-05-24 00:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-23 23:40 . 2008-05-23 23:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-23 23:40 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-23 23:40 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-20 21:10 . 2008-05-20 21:10 <DIR> d-------- C:\Documents and Settings\Wong\Application Data\Malwarebytes
2008-05-20 21:10 . 2008-05-20 21:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-20 20:32 . 2008-05-20 20:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-05-12 13:34 . 2008-05-12 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 04:30 --------- d-----w C:\Program Files\Warcraft III
2008-05-21 11:39 --------- d-----w C:\Documents and Settings\Wong\Application Data\U3
2008-05-17 05:08 --------- d-----w C:\Program Files\World of Warcraft
2008-05-12 08:34 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-12 08:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-12 08:21 --------- d-----w C:\Documents and Settings\Wong\Application Data\Lavasoft
2008-05-05 04:09 83,544 -c--a-w C:\Documents and Settings\Wong\Application Data\GDIPFONTCACHEV1.DAT
2008-04-17 04:14 --------- d-----w C:\Program Files\Windows Live
2008-04-17 04:13 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-17 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-13 03:57 --------- d-----w C:\Documents and Settings\Wong\Application Data\NCH Swift Sound
2008-04-12 13:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-04-06 05:00 --------- d-----w C:\Documents and Settings\Wong\Application Data\ViStart
2008-04-02 07:37 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-04-02 02:39 --------- d-----w C:\Program Files\Common Files\Stardock
2008-04-02 02:38 12,288 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2007-09-24 12:58 94,208 -c--a-w C:\Documents and Settings\Wong\Application Data\ezplay.sys
2007-09-24 12:58 47,360 -c--a-w C:\Documents and Settings\Wong\Application Data\pcouffin.sys
.

------- Sigcheck -------

2002-08-29 22:00 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2007-11-02 14:59 359040 28f288e08a098df3c0eb6aa813bb41fd C:\WINDOWS\system32\dllcache\tcpip.sys
2007-11-02 14:59 359040 28f288e08a098df3c0eb6aa813bb41fd C:\WINDOWS\system32\drivers\tcpip.sys

2004-08-03 23:56 1041408 41fd32c566bd44440cc76694110c14bb C:\WINDOWS\explorer.exe
2002-08-29 22:00 1013248 db4c8fa80e2196cf72ad086bdb7f6026 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-03 23:56 1041408 41fd32c566bd44440cc76694110c14bb C:\WINDOWS\LastGood\explorer.exe
2004-08-03 23:56 1041920 7260abbb50eaa37f8852b478e82dad2f C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2002-08-29 22:00 22528 ca2dd875608a26880cdc689e665ed951 C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-03 23:56 25088 8c50149e4b5622f096c8093d60123cb0 C:\WINDOWS\LastGood\system32\ctfmon.exe
2004-08-03 23:56 25088 fd5ebddab3c1b33b6afce61b36111659 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2004-08-03 23:56 25088 8c50149e4b5622f096c8093d60123cb0 C:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95a277cc-df95-43d6-bda0-66f27fc3e4fb}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 25088]
"Csvnro"="C:\Program Files\Csvnro\Csvnro.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56 25088]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-03 23:56 1677312]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\expda2]
expda2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Wong^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=C:\Documents and Settings\Wong\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=C:\WINDOWS\pss\Stardock ObjectDock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
C:\Program Files\BearShare\BearShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 25088 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Service Centre]
-----c--- 2004-09-06 12:50 2125956 C:\Program Files\OptusNet DSL Internet\DSC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a--c--- 2004-08-03 21:32 221240 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
C:\Program Files\\JavaCore\\JavaCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
--a------ 2002-02-22 05:02 896000 C:\WINDOWS\system32\LXSUPMON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a--c--- 2004-08-03 21:31 69120 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 11:22 7700480 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-08-03 23:56 43008 C:\WINDOWS\system32\rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2006-10-22 11:22 1634304 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a--c--- 2004-08-03 21:32 464896 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a--c--- 2004-08-03 21:32 464896 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1001186.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra--c--- 2003-03-27 18:34 62976 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vcsron]
C:\Program Files\Vcsron\Vcsron.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsService]
--a------ 2004-08-03 23:56 43008 C:\WINDOWS\system32\rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPro.exe]
C:\Program Files\Bearshare\WebPro.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\World of Warcraft\\Repair.exe"=
"C:\\Valve\\Condition Zero\\czero.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19552:TCP"= 19552:TCP:BitComet 19552 TCP
"19552:UDP"= 19552:UDP:BitComet 19552 UDP

S3 cheetah1;cheetah1;C:\Hacks\zenos\cheetah.sys []
S3 DBKDRVR54;DBKDRVR54;C:\Program Files\Cheat Engine\dbk32.sys []
S3 geebers12;geebers12;C:\Hacks\CE\nvid888.sys []
S3 kaspersky1;kaspersky1;C:\Hacks\Kaspersky2\kaspersky.sys []
S3 memxers12;memxers12;C:\Hacks\iCheat\nvid999.sys []
S3 saruen;saruen;C:\Hacks\Bypass\saruen.sys []
S3 sejt1;sejt1;C:\Hacks\Akuma\sejt.sys []
S3 SIS163u;SiS 163 usb Wireless LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\sis163u.sys [2004-10-01 09:14]
S3 XDva042;XDva042;C:\WINDOWS\system32\XDva042.sys []
S3 xp1;xp1;C:\Hacks\zenos\xp.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5ea0e1c-b4cb-11db-827c-0008a13c6261}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-08 11:31:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-10-01 11:31:15 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 17:15:21
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-24 17:17:13
ComboFix-quarantined-files.txt 2008-05-24 07:16:57

Pre-Run: 44,756,283,392 bytes free
Post-Run: 45,476,900,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

184

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:23:33 PM, on 24/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {95a277cc-df95-43d6-bda0-66f27fc3e4fb} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Csvnro] C:\Program Files\Csvnro\Csvnro.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: expda2 - expda2.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Doctor Service (sdcoreservice) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)

--
End of file - 3922 bytes

#5 chryssi2001

chryssi2001

  • Members
  • 1,930 posts

Posted 24 May 2008 - 09:41 AM

Hello 1800,

I have also found out that other computers on the network are also infected.
The symptoms of the virus look the same: programs are not able to run no matter how many times you start them or re-install them.

Is the virus a network virus?

Should I also provide scan results like I have for my computer?

Is it a home or an office network? Is this the main computer?
----------------------------------------------
I give a lot of instructions in one post, as your pc is too heavily infected.
Take your time, do them and post back the reports, and answer my questions.
----------------------------------------------
WGA Diagnostic Tool

Please follow this WGA troubleshooting procedure: Please post (reply) with the results.
----------------------------------------------
Can you tell me what this folder is? Do you recognise its contents? The bolded parts?

C:\Hacks

C:\Hacks\zenos
What is zenos?

I have all these, whose files probably do not exist.

C:\Hacks\zenos\cheetah.sys
C:\Hacks\CE\nvid888.sys
C:\Hacks\Kaspersky2\kaspersky.sys
C:\Hacks\iCheat\nvid999.sys
C:\Hacks\Bypass\saruen.sys
C:\Hacks\Akuma\sejt.sys
C:\Hacks\zenos\xp.sys

I believe the C:\Hacks folder should be removed, as I suspect all those are cracks and probably infected.
----------------------------------------------
You aren't running Anti Virus Software

Anti-virus software consists of programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network.
Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software (for personal use) from one of these excellent vendors NOW:

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition
- Free edition of the AVG anti-virus program for Windows.
- Available for single computer use for home and non commercial use.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.
----------------------------------------------
Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 6.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 6 and click on Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u6-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
----------------------------------------------
P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Bearshare

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs here

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

If you choose not to remove them, please do not use them until this computer is clean.
----------------------------------------------
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.

Note: If the URL is not the provider of your computer or your ISP fix this line.
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
----------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://www.bleepingcomputer.com/forums/t/148411/very-badly-infected-computer/?p=833147
    KillAll::
    
    File::
    C:\Program Files\Bearshare\WebPro.exe
    
    Collect::
    C:\WINDOWS\system32\expda2.dll
    
    Folder::
    C:\Program Files\Csvnro
    C:\Program Files\Vcsron
    
    DirLook::
    C:\Hacks
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95a277cc-df95-43d6-bda0-66f27fc3e4fb}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Csvnro"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\expda2]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=""
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vcsron]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsService]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPro.exe]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\Valve\\Condition Zero\\czero.exe"=-
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Post back:
WGA Diagnostic Tool
SDFix report.
Combofix report.
A new HijackThis log.
Answer my 2 questions.

Edited by chryssi2001, 24 May 2008 - 09:50 AM.
CF Script image missing

Private Messages for personal support will be ignored. If you need help post in the forum.
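The entries chryssi2001 singles out above (the orphaned BHO, the missing expda2 Winlogon Notify DLL, the service whose file is gone, the drivers under C:\Hacks with empty timestamps) follow recognisable patterns in the log formats. The following added Python triage helper is not code from this thread or from the HijackThis/ComboFix projects; it parses the O2/O4/O20/O23 HijackThis lines and ComboFix's `S3 name;desc;path [stamp]` driver lines and flags those patterns. The allowlist of default Run entries and the severity labels are this example's own assumptions, and the sample log is constructed from lines posted in this thread.

```python
"""Triage helper for HijackThis / ComboFix log lines (added example, not the thread's code)."""
import re
from dataclasses import dataclass

# Line shapes as they appear in the logs posted in this thread.
O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4 = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23 = re.compile(r"^O23 - Service: (?P<name>.*?) \((?P<short>[^)]*)\) - (?P<owner>.*?) - (?P<path>.*)$")
# ComboFix driver/service line: "S3 name;description;path [timestamp]"; an empty
# timestamp means ComboFix could not find the file on disk.
DRV = re.compile(r"^(?P<start>[SR]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.*?) \[(?P<stamp>[^\]]*)\]$")

# Assumption: Run entries a stock XP install carries; anything else is listed for review.
KNOWN_RUN = {"ctfmon.exe", "nvcpldaemon", "msmsgs"}
DRIVER_DIR = r"c:\windows\system32\drivers"


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str
    severity: str  # "high": stale entry to remove or investigate; "review": confirm by hand


def triage(lines):
    """Return a Finding for every log line that matches a suspicious pattern, in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if m := O2.match(line):
            if m["path"] == "(no file)":
                findings.append(Finding(line, "BHO registered but its DLL is gone: orphan entry", "high"))
            elif m["name"] == "(no name)":
                findings.append(Finding(line, "unnamed BHO with a file on disk: identify the DLL", "review"))
        elif m := O20.match(line):
            if "(file missing)" in m["path"]:
                findings.append(Finding(line, "Winlogon Notify DLL missing: registry leftover", "high"))
            else:
                findings.append(Finding(line, "DLL loaded into winlogon.exe: verify its publisher", "review"))
        elif m := O23.match(line):
            if "(file missing)" in m["path"]:
                findings.append(Finding(line, "service binary missing: orphan service", "high"))
            elif m["owner"] == "Unknown owner":
                findings.append(Finding(line, "service without a publisher: verify", "review"))
        elif m := O4.match(line):
            if m["name"].lower() not in KNOWN_RUN:
                findings.append(Finding(line, "Run entry not in the known-default list", "review"))
        elif m := DRV.match(line):
            if m["stamp"] == "":
                findings.append(Finding(line, "driver whose file is absent (empty timestamp)", "high"))
            elif not m["path"].lower().startswith(DRIVER_DIR):
                findings.append(Finding(line, "driver loaded from outside the Windows driver directory", "review"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 4, 'review': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {95a277cc-df95-43d6-bda0-66f27fc3e4fb} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Csvnro] C:\Program Files\Csvnro\Csvnro.exe
O20 - Winlogon Notify: expda2 - expda2.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spyware Doctor Service (sdcoreservice) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)
S3 cheetah1;cheetah1;C:\Hacks\zenos\cheetah.sys []
S3 SIS163u;SiS 163 usb Wireless LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\sis163u.sys [2004-10-01 09:14]
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(results))  # {'high': 4, 'review': 1}
```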

#6 1800

1800
  • Topic Starter

  • Members
  • 14 posts

Posted 24 May 2008 - 12:16 PM

Yes this computer is the main computer and this computer is on a home network.

Zenos is the name of a game hacking program, all the other bold ones are also game hacking programs.

I used to use these hacking programs. (These programs run scripts that are written in a programming language; those scripts alter the game play. For example, in a game normally you can't fly, but if you use those programs with the scripts you can fly.)

I found those programs by going on the following websites

site 1 - cheatengine

site 2 - gamezplanet <--- scroll down the website till you find the section about "maplestory"; there are 4 different subforums, but the only two I used were the discussion and the download part

Also I cannot find the folders you told me to delete.
Bearshare is not showing up in my Add/Remove Programs window.
Also my computer seems to be slower, and the light on the hard drive which flashes red when the computer is lagging seems to be always flashing, more than before I did the things you told me to.


combofix report
ComboFix 08-05-21.3 - Wong 2008-05-25 2:37:23.2 - NTFSx86
Running from: C:\Documents and Settings\Wong\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wong\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\Bearshare\WebPro.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Wong\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Program Files\Svconr
C:\Program Files\Svconr\Svconr.exe
C:\Program Files\Temporary
C:\WINDOWS\b156.exe
C:\WINDOWS\mrofinu1001186.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-25 01:55 . 2008-05-25 01:55 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-25 01:54 . 2008-05-25 01:54 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-25 01:48 . 2008-05-25 02:27 <DIR> d-------- C:\SDFix
2008-05-25 01:42 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-25 01:41 . 2008-05-25 01:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-25 01:08 . 2008-05-25 01:27 <DIR> d-------- C:\Documents and Settings\Wong\.SunDownloadManager
2008-05-25 01:01 . 2008-05-25 01:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-05-24 08:49 . 2008-05-24 08:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-24 08:47 . 2008-05-24 08:47 <DIR> d-------- C:\Deckard
2008-05-24 00:09 . 2008-05-24 00:09 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-24 00:09 . 2008-05-24 00:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-23 23:40 . 2008-05-23 23:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-23 23:40 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-23 23:40 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-20 21:10 . 2008-05-20 21:10 <DIR> d-------- C:\Documents and Settings\Wong\Application Data\Malwarebytes
2008-05-20 21:10 . 2008-05-20 21:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-20 20:32 . 2008-05-20 20:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2008-05-12 13:34 . 2008-05-12 13:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-24 15:42 --------- d-----w C:\Program Files\Java
2008-05-24 04:30 --------- d-----w C:\Program Files\Warcraft III
2008-05-21 11:39 --------- d-----w C:\Documents and Settings\Wong\Application Data\U3
2008-05-17 05:08 --------- d-----w C:\Program Files\World of Warcraft
2008-05-12 08:34 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-12 08:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-12 08:21 --------- d-----w C:\Documents and Settings\Wong\Application Data\Lavasoft
2008-05-05 04:09 83,544 -c--a-w C:\Documents and Settings\Wong\Application Data\GDIPFONTCACHEV1.DAT
2008-04-17 04:14 --------- d-----w C:\Program Files\Windows Live
2008-04-17 04:13 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-17 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-13 03:57 --------- d-----w C:\Documents and Settings\Wong\Application Data\NCH Swift Sound
2008-04-12 13:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-04-06 05:00 --------- d-----w C:\Documents and Settings\Wong\Application Data\ViStart
2008-04-02 07:37 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-04-02 02:39 --------- d-----w C:\Program Files\Common Files\Stardock
2008-04-02 02:38 12,288 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2007-09-24 12:58 94,208 -c--a-w C:\Documents and Settings\Wong\Application Data\ezplay.sys
2007-09-24 12:58 47,360 -c--a-w C:\Documents and Settings\Wong\Application Data\pcouffin.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Hacks ----

C:\Hacks\


------- Sigcheck -------

2002-08-29 22:00 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 22:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2007-11-02 14:59 359040 28f288e08a098df3c0eb6aa813bb41fd C:\WINDOWS\system32\dllcache\tcpip.sys
2007-11-02 14:59 359040 28f288e08a098df3c0eb6aa813bb41fd C:\WINDOWS\system32\drivers\tcpip.sys

2004-08-03 23:56 1041408 41fd32c566bd44440cc76694110c14bb C:\WINDOWS\explorer.exe
2002-08-29 22:00 1013248 db4c8fa80e2196cf72ad086bdb7f6026 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-03 23:56 1041920 7260abbb50eaa37f8852b478e82dad2f C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2002-08-29 22:00 22528 ca2dd875608a26880cdc689e665ed951 C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2004-08-03 23:56 25088 fd5ebddab3c1b33b6afce61b36111659 C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2004-08-03 23:56 25088 8c50149e4b5622f096c8093d60123cb0 C:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-05-24_17.16.40.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-24 06:17:22 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-24 16:43:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2005-10-20 10:02:28 172,544 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 10:02:28 173,056 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
+ 2008-05-22 17:54:18 173,056 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-05-24 15:56:05 372,736 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-24 15:56:05 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-22 17:54:18 173,056 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-05-24 15:55:54 372,736 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-05-24 15:55:55 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2000-08-30 22:00:00 37,376 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-30 22:00:00 37,888 ----a-w C:\WINDOWS\Nircmd.exe
- 2000-08-30 22:00:00 171,008 ----a-w C:\WINDOWS\swreg.exe
+ 2000-08-30 22:00:00 171,520 ----a-w C:\WINDOWS\swreg.exe
- 2008-05-24 06:17:26 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-24 16:43:14 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-24 06:17:26 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-24 16:43:14 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-24 16:32:05 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008052520080526\index.dat
+ 2008-05-24 16:32:06 78,924 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat
- 2008-05-24 06:17:26 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-24 16:43:14 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-12-14 14:30:58 61,536 -c--a-w C:\WINDOWS\system32\java.exe
+ 2008-03-24 15:28:39 147,456 ----a-w C:\WINDOWS\system32\java.exe
- 2006-12-14 14:31:06 65,634 -c--a-w C:\WINDOWS\system32\javaw.exe
+ 2008-03-24 15:28:43 147,456 ----a-w C:\WINDOWS\system32\javaw.exe
- 2006-12-14 16:09:14 139,366 -c--a-w C:\WINDOWS\system32\javaws.exe
+ 2008-03-24 16:37:01 151,552 ----a-w C:\WINDOWS\system32\javaws.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 25088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-03 23:56 25088]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-03 23:56 1677312]
"Svconr"="C:\Program Files\Svconr\Svconr.exe" [ ]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Wong^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]
path=C:\Documents and Settings\Wong\Start Menu\Programs\Startup\Stardock ObjectDock.lnk
backup=C:\WINDOWS\pss\Stardock ObjectDock.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
C:\Program Files\BearShare\BearShare.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 25088 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Service Centre]
-----c--- 2004-09-06 12:50 2125956 C:\Program Files\OptusNet DSL Internet\DSC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a--c--- 2004-08-03 21:32 221240 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
C:\Program Files\\JavaCore\\JavaCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
--a------ 2002-02-22 05:02 896000 C:\WINDOWS\system32\LXSUPMON.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a--c--- 2004-08-03 21:31 69120 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 11:22 7700480 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-08-03 23:56 43008 C:\WINDOWS\system32\rundll32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a--c--- 2006-10-22 11:22 1634304 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a--c--- 2004-08-03 21:32 464896 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a--c--- 2004-08-03 21:32 464896 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu1001186.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra--c--- 2003-03-27 18:34 62976 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Counter-Strike 1.6\\hl.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\World of Warcraft\\Repair.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19552:TCP"= 19552:TCP:BitComet 19552 TCP
"19552:UDP"= 19552:UDP:BitComet 19552 UDP

S3 cheetah1;cheetah1;C:\Hacks\zenos\cheetah.sys []
S3 DBKDRVR54;DBKDRVR54;C:\Program Files\Cheat Engine\dbk32.sys []
S3 geebers12;geebers12;C:\Hacks\CE\nvid888.sys []
S3 kaspersky1;kaspersky1;C:\Hacks\Kaspersky2\kaspersky.sys []
S3 memxers12;memxers12;C:\Hacks\iCheat\nvid999.sys []
S3 saruen;saruen;C:\Hacks\Bypass\saruen.sys []
S3 sejt1;sejt1;C:\Hacks\Akuma\sejt.sys []
S3 SIS163u;SiS 163 usb Wireless LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\sis163u.sys [2004-10-01 09:14]
S3 XDva042;XDva042;C:\WINDOWS\system32\XDva042.sys []
S3 xp1;xp1;C:\Hacks\zenos\xp.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5ea0e1c-b4cb-11db-827c-0008a13c6261}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-05-08 11:31:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-10-01 11:31:15 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 02:43:51
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-25 2:47:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-24 16:47:25
ComboFix2.txt 2008-05-24 07:17:14

Pre-Run: 45,674,491,904 bytes free
Post-Run: 45,527,416,832 bytes free

221


HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:51:27 AM, on 25/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\TEMP\DIL3.tmp
C:\WINDOWS\TEMP\DIL4.tmp
C:\WINDOWS\17PHolmes1001186.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1001186.exe 61A847B5BBF72813329B39577AFF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Spyware Doctor Service (sdcoreservice) - Unknown owner - C:\Program Files\Spyware Doctor\swdsvc.exe (file missing)

--
End of file - 3940 bytes


SDFix report

SDFix: Version 1.185
Run by Administrator on Sun 25/05/2008 at 02:01 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\my.pfx - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 02:11:16
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Counter-Strike 1.6\\hl.exe"="C:\\Program Files\\Counter-Strike 1.6\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\World of Warcraft\\Repair.exe"="C:\\Program Files\\World of Warcraft\\Repair.exe:*:Enabled:Blizzard Repair Utility"
"C:\\Valve\\Condition Zero\\czero.exe"="C:\\Valve\\Condition Zero\\czero.exe:*:Enabled:Condition Zero Launcher"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :



Files with Hidden Attributes :

Sat 24 May 2008 58,368 A..H. --- "C:\Documents and Settings\Wong\Local Settings\Application Data\CHOICE.exe"
Fri 1 Jun 2007 507 A..H. --- "C:\Documents and Settings\Wong\Local Settings\Application Data\Microsoft\Internet Explorer\brndlog.bak"

Finished!

WGA report
Diagnostic Report (1.7.0095.0):
-----------------------------------------
WGA Data-->
Validation Status: Invalid Product Key
Validation Code: 8
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-X7W2W-7R3XT-DVRPQ
Windows Product Key Hash: FJ394wPNhWbU5cGyY+krGQmGt7E=
Windows Product ID: 55274-640-5150253-23406
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.2.0.pro
CSVLK Server: N/A
CSVLK PID: N/A
ID: {D3416038-7AFC-420E-AB87-AFB2DACBEA38}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: Yes
Version: 1.7.17.0
WgaTray.exe Signed By: N/A, hr = 0x80096010
WgaLogon.dll Signed By: N/A, hr = 0x80096010

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80096010
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Publisher 2002 - 100 Genuine
Microsoft Office XP Professional - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{D3416038-7AFC-420E-AB87-AFB2DACBEA38}</UGUID><Version>1.7.0095.0</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-DVRPQ</PKey><PID>55274-640-5150253-23406</PID><PIDType>1</PIDType><SID>S-1-5-21-854245398-1454471165-725345543</SID><SYSTEM><Manufacturer>GBT___</Manufacturer><Model>AWRDACPI</Model></SYSTEM><BIOS><Manufacturer>Award Software International, Inc.</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="3"/><Date>20021120000000.000000+000</Date></BIOS><HWID>883230FF0184A05F</HWID><UserLCID>0C09</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>AUS Eastern Standard Time(GMT+10:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>100</Result><Products><Product GUID="{90190409-6000-11D3-8CFE-0050048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Publisher 2002</Name><Ver>10</Ver><Val>800C681537E8626</Val><Hash>Z8d17DhzcTKrkycBif78z1a1pvo=</Hash><Pid>54197-700-4004033-16028</Pid><PidType>1</PidType></Product><Product GUID="{91110409-6000-11D3-8CFE-0050048383C9}"><LegitResult>100</LegitResult><Name>Microsoft Office XP Professional</Name><Ver>10</Ver><Val>57FB4A0538B73FA</Val><Hash>/hWWXHKSskv9o48CfFBkbF2OcRc=</Hash><Pid>54186-700-8240617-17542</Pid><PidType>1</PidType></Product></Products><Applications><App Id="15" Version="10" Result="100"/><App Id="16" Version="10" Result="100"/><App Id="18" Version="10" Result="100"/><App Id="19" Version="10" Result="100"/><App Id="1A" Version="10" Result="100"/><App Id="1B" Version="10" Result="100"/></Applications></Office></Software></GenuineResults>

#7 chryssi2001


Posted 24 May 2008 - 01:38 PM

Hello 1800,

Also, my computer seems to be slower, and the hard drive light, which flashes red when the computer is lagging, seems to be always flashing, more than before I did the things you told me to.

You didn't mention you had this problem before.

This might be a hardware problem: wires not plugged in well, or any other reason, like a hard disk problem, fan, etc.
----------------------------------------------
Your Windows validation report shows you do have an illegal copy of Windows.
This results in you not being able to install the latest updates from Microsoft, so you get infected easily.
Have a read here about your Windows key.
http://forums.microsoft.com/Genuine/ShowPo...2&SiteID=25

If you believe you have a legit copy of Windows, I advise you to contact Microsoft.
----------------------------------------------
Is there any reason you didn't install an Anti-Virus?
----------------------------------------------
More infections show on your PC.

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.
This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

Read here about the backdoor.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let me know what you have decided to do in your next post.
Private Messages for personal support will be ignored. If you need help post in the forum.

#8 1800


Posted 24 May 2008 - 08:42 PM

Well, I kind of did have an idea that my OS was illegal, because when a friend helped me to reformat he told me not to enable Windows Update, and the CD he gave me was a burnt CD with a CD key written on it.

When I first got this computer it came with only an installed version of a legal Windows XP, and it didn't come with a copy of that OS on a CD, so when my friend helped me to reformat he gave me a copy of the OS I have now. But not having a copy of the OS on a disk when you first buy the computer is quite common now in Australia; they just say whenever you have a problem, just use System Restore.

I don't have a copy of a legit Windows OS.

I didn't install the anti-virus because I was just waiting for the results of my scans and seeing if it fixed everything. If it did fix everything I would have installed it, because I already have it downloaded. Also, I had the idea of reformatting all the computers in my head already.

So, I will be reformatting my computer.

Can I save everything on my computer, or will all the programs installed on my computer already be infected?

#9 chryssi2001


Posted 25 May 2008 - 01:42 AM

Hello 1800,

Can I save everything on my computer, or will all the programs installed on my computer already be infected?

We can't tell for sure, but it is better to save any important personal documents you have on an external drive or USB stick and scan all the files with an anti-virus before you attempt to put them back on a clean, reformatted, reinstalled system.

You had better install all the programs you need from scratch, as the infections you had/have are really nasty ones, so we can't be sure how and if they affected your programs.
----------------------------------------------
REFORMAT & REINSTALL

Since you decided to do a clean install read some information below.

Please make sure that you know what to do before beginning the operation.

Here are a few links that will probably help.

Reformatting Windows XP by wng_z3r0
When should I re-format? How should I reinstall?
Windows XP Clean install

Then there are a couple of things you should do immediately after installing Windows and before surfing the net...
  • Use Anti-Virus Software - It is very important that your computer has anti-virus software running on your machine.  This alone can save you a lot of trouble with malware in the future.  See this link for a listing of some online and stand-alone anti-virus programs:
    Computer Safety On line - Anti-Virus
    I recommend AVG Anti-Virus (Free Edition)!
  • Update your Anti-Virus Software - It is imperative that you update your anti-virus software at least once a week (even more if you wish).  If you do not update your anti-virus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer.  Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. For an article on firewalls and a listing of some available ones see the link below:
    Computer Safety On line - Software Firewalls
    I recommend ZoneAlarm (Free Edition)!
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.  This will ensure your computer always has the latest security updates installed.  If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Make your Internet Explorer more secure -  This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialise and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to  Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.  You should also scan your computer with the program on a regular basis, just as you would with anti-virus software. A tutorial on installing & using this product can be found
    here. Just choose a mirror and off you go.
    Find the tutorial on how to use Spybot properly here
    Find the changes from the older version 1.4 here
  • Install Ad-Aware 2007 - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with anti-virus software, in conjunction with Spybot. A tutorial on installing & using this product can be found
    here
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line - Anti-Malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly.  Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Private Messages for personal support will be ignored. If you need help post in the forum.
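As an added example (not part of the original post or any tool it names), the Internet Explorer zone settings listed in the steps above can be audited from PowerShell instead of clicking through the dialog. The script reads the current user's "Internet" zone (zone 3) from the registry, compares each action against the recommended Prompt/Disable state, and with -Fix writes the recommended value; the action ids (1001, 1004, 1201, 1800, 1804, 1607) and the 0 = Enable / 1 = Prompt / 3 = Disable encoding are the standard IE URL-action registry values, and $zonePath is the per-user zone key.

```powershell
# Added example, not from the original post: audit the IE "Internet" zone (zone 3)
# against the settings recommended above. Action ids and the 0=Enable/1=Prompt/3=Disable
# encoding are the standard IE URL-action registry values. Run as the affected user.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended state from the post: Prompt = 1, Disable = 3
$recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }
    '1201' = @{ Name = 'Initialise and script ActiveX controls not marked as safe'; Value = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Value = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Value = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Value = 1 }
}
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneSettings {
    param([switch]$Fix)   # with -Fix, write the recommended value instead of only reporting
    $zone = Get-ItemProperty -Path $zonePath -ErrorAction Stop
    foreach ($id in ($recommended.Keys | Sort-Object)) {
        $want = $recommended[$id].Value
        $have = $zone.$id                    # $null when the value is not set per-user
        if ($null -eq $have) { $current = 'not set (machine/template default applies)' }
        elseif ($label.ContainsKey([int]$have)) { $current = $label[[int]$have] }
        else { $current = "unknown ($have)" }
        $ok = ($null -ne $have) -and ([int]$have -eq $want)
        if (-not $ok -and $Fix) {
            # Same DWORD the Custom Level dialog writes when you pick Prompt/Disable
            Set-ItemProperty -Path $zonePath -Name $id -Value $want -Type DWord
        }
        New-Object PSObject -Property @{
            Action      = "$id $($recommended[$id].Name)"
            Current     = $current
            Recommended = $label[$want]
            Compliant   = $ok
            Fixed       = (-not $ok -and [bool]$Fix)
        }
    }
}

# Report only; add -Fix to apply the recommended values to the current user's profile.
Test-InternetZoneSettings | Format-Table Action, Current, Recommended, Compliant, Fixed -AutoSize
```

If the zone is managed by policy (values under HKLM or the Security_HKLM_only setting), the per-user values this script reads and writes are not the ones IE enforces, so a "not set" result there should be checked against the machine key rather than treated as compliant.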

#10 1800

1800
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 25 May 2008 - 06:35 AM

Will I need to download a different firewall because I use a router and there is also Windows Firewall?

When I try to update using the stuff from Microsoft, I get stopped because my OS is not legit.

What about the other computers on the network?

Edited by 1800, 25 May 2008 - 06:41 AM.


#11 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:08:02 AM

Posted 25 May 2008 - 06:52 AM

Will I need to download a different firewall because I use a router and there is also Windows Firewall?

When I try to update using the stuff from Microsoft, I get stopped because my OS is not legit.

What about the other computers on the network?


Having a router and Windows Firewall is fine.
It's your decision if you want to install an independent one and disable Windows Firewall.

About updating, you won't be able to until you make your Windows legit. You can contact Microsoft and buy a CD to install original Windows. I advise you to do it as soon as possible; also avoid using cracks and hacks, as they always infect the PC, and apart from that they are illegal.

Firstly, re-format and re-install Windows on this PC, which is the main one on the network.

After that, you can open a different thread for each PC here, and if they can be cleaned you will not need to re-format and re-install the system on all of them.

#12 1800

1800
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 25 May 2008 - 07:45 AM

If I buy one version of the original Windows, will I be able to use that on all the other PCs?

I have checked out the price of the original Windows and it will cost over $1000 for all 3 computers to have original Windows, and I can't afford that, so I probably won't be getting original Windows for now.

Is there any extra stuff I can do to protect myself from viruses due to not being able to update?

Edited by 1800, 25 May 2008 - 08:03 AM.


#13 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:08:02 AM

Posted 25 May 2008 - 10:42 AM

If I buy one version of the original Windows, will I be able to use that on all the other PCs?

I have checked out the price of the original Windows and it will cost over $1000 for all 3 computers to have original Windows, and I can't afford that, so I probably won't be getting original Windows for now.

Is there any extra stuff I can do to protect myself from viruses due to not being able to update?

Since it's a home network, I believe you can do it.
Just contact Microsoft by email and get all the information you need.

Anti-virus and anti-spyware programs + a firewall, but you will need to get original Windows, as without Microsoft updates your PCs are at big risk.

#14 1800

1800
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 25 May 2008 - 10:57 AM

I also cannot start Windows Explorer. How can I fix this?

When I start it via Task Manager it says unable to find explorer.exe.

All I have on my desktop is the wallpaper.

#15 1800

1800
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:03:02 PM

Posted 25 May 2008 - 10:59 AM

Since it's a home network, I believe you can do it.
Just contact Microsoft by email and get all the information you need.

Anti-virus and anti-spyware programs + a firewall, but you will need to get original Windows, as without Microsoft updates your PCs are at big risk.


By that do you mean I only need 1 copy of the OS, so I could load it on all my computers?
