

computer slows down! need help..


8 replies to this topic

#1 dandiz

dandiz

  • Members
  • 19 posts
  • OFFLINE

Posted 10 July 2005 - 10:08 AM

Logfile of HijackThis v1.99.1
Scan saved at 11:03:37 PM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\iexplore.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\microsoft shared\ink\TPA.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\HPQ\Q Menu\CpqMcSrV.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
C:\Program Files\Mightyfax\MFNTCTL.EXE
C:\Program Files\Nokia\PC Suite for Nokia 3650\connmngmntbox.exe
C:\Program Files\Nokia\PC Suite for Nokia 3650\ectaskscheduler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Nokia\PCSUIT~1\Elogerr.exe
C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\Nokia\PCSUIT~1\BROADC~1.EXE
C:\PROGRA~1\Nokia\PCSUIT~1\SCRFS.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Documents and Settings\dane\Desktop\essential fixes\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.dlsu.edu.ph:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] rundll32 nview.dll,nViewLoadHook
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [hpqMcSrv] "C:\Program Files\HPQ\Q Menu\CpqMcSrV.exe" /Start
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Lebeca PC Camera(Microphone)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [HP Mobile Printing] C:\Program Files\Hewlett-Packard\HP Mobile Printing\HPBMOBIL.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\RunServices: [p2pnetwork] p2pnetwork.exe
O4 - Startup: Sticky Notes.lnk = C:\WINDOWS\system32\stikynot.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MightyFAX Controller.lnk = C:\Program Files\Mightyfax\MFNTCTL.EXE
O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = ?
O4 - Global Startup: PCSuiteForNokia3650 TS.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: Dialpad Webphone - https://www.dialpad.com/md/update/cham.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - Winlogon Notify: loginkey - C:\WINDOWS\System32\loginkey.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: QoS Provider (qosprv) - Unknown owner - C:\WINDOWS\System32\iexplore.exe" -netsvcs (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 11 July 2005 - 01:38 PM

Hi dandiz and Welcome to the Bleeping Computer!

Let's take this one Infection at a time.

Download the l2mfix from here
http://www.atribune.org/downloads/l2mfix.exe
or
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe.

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log.

Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to.


If you receive any error messages for CMD or Autoexec.bat >> select Option 5 from the l2mfix menu and, once at the site, click on the link that applies to your Operating System!

Double Click the file it downloads and Extract the files to its predetermined System32 folder!

#3 dandiz

dandiz
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE

Posted 11 July 2005 - 08:38 PM

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
**********************************************************************************
useragent:
**********************************************************************************
Shell Extension key:
**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
apfaxcnv.dll Fri May 13 2005 10:21:52a A.... 120,832 118.00 K
s32evnt1.dll Fri May 13 2005 7:50:10p A.... 91,856 89.70 K

2 items found: 2 files, 0 directories.
Total of file sizes: 212,688 bytes 207.70 K
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 15AA-0776

Directory of C:\WINDOWS\System32

07/12/2005 09:34 AM <DIR> ..
07/12/2005 09:34 AM <DIR> .
06/25/2005 10:50 PM <DIR> dllcache
06/09/2005 09:23 PM 12,208 KGyGaAvL.sys
05/15/2005 01:17 AM 2 cmd.com
05/15/2005 01:17 AM 2 taskkill.com
05/15/2005 01:17 AM 2 regedit.com
05/15/2005 01:17 AM 2 tracert.com
05/15/2005 01:17 AM 2 tasklist.com
05/15/2005 01:17 AM 2 ping.com
05/15/2005 01:17 AM 2 netstat.com
09/26/2004 12:22 AM <DIR> Microsoft
8 File(s) 12,222 bytes
4 Dir(s) 14,899,126,272 bytes free


thanks!

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 12 July 2005 - 04:40 AM

Well, that doesn't look right. Did you receive some Error Messages while trying to run it?

#5 dandiz

dandiz
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE

Posted 12 July 2005 - 06:04 AM

Ok.. I'll try the option 5.

#6 dandiz

dandiz
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE

Posted 12 July 2005 - 10:23 AM

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
**********************************************************************************
useragent:
**********************************************************************************
Shell Extension key:
**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
apfaxcnv.dll Fri May 13 2005 10:21:52a A.... 120,832 118.00 K
s32evnt1.dll Fri May 13 2005 7:50:10p A.... 91,856 89.70 K

2 items found: 2 files, 0 directories.
Total of file sizes: 212,688 bytes 207.70 K
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 15AA-0776

Directory of C:\WINDOWS\System32

07/12/2005 09:34 AM <DIR> ..
07/12/2005 09:34 AM <DIR> .
06/25/2005 10:50 PM <DIR> dllcache
06/09/2005 09:23 PM 12,208 KGyGaAvL.sys
05/15/2005 01:17 AM 2 cmd.com
05/15/2005 01:17 AM 2 taskkill.com
05/15/2005 01:17 AM 2 regedit.com
05/15/2005 01:17 AM 2 tracert.com
05/15/2005 01:17 AM 2 tasklist.com
05/15/2005 01:17 AM 2 ping.com
05/15/2005 01:17 AM 2 netstat.com
09/26/2004 12:22 AM <DIR> Microsoft
8 File(s) 12,222 bytes
4 Dir(s) 14,873,735,168 bytes free

#7 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 12 July 2005 - 11:27 AM

OK, we will go at this another way!

Please Upload these 2 files

C:\WINDOWS\System32\iexplore.exe << That exact name, in that exact location please!

C:\WINDOWS\System32\loginkey.dll

Upload here
http://www.bleepingcomputer.com/submit-malware.php

Leave a Link to this Post and a Message to Alert me (Attn: Crete)

Once Uploaded, Have them both Scanned at these 2 sites

http://www.virustotal.com/flash/index_en.html

http://virusscan.jotti.org/


Can you try to explain to me why these are running on this PC?

O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe

O23 - Service: QoS Provider (qosprv) - Unknown owner - C:\WINDOWS\System32\iexplore.exe" -netsvcs (file missing)


Is this PC accessed remotely in any way?


For the time being, if it's possible, we need to Disable the PC and any remote connections!

Along with that I want to Shut down 2 Services: 1 I am almost 100% sure is nasty, the other may be legit but is only adding assistance to the problem.


Click Start-> Run-> Type in Services.msc and Click OK!

Locate these 2 entries please

MySql

QoS Provider


Right Click on each and select Properties-> Click Stop-> Change the Startup Type to Disabled!

Exit the Services Page!


Update Ewido!!


Download Pocket KillBox from here:
http://www.bleepingcomputer.com/files/killbox.php
There is a Direct Download and a description of what the Program does inside this link.

Use the list below and enter each into Pocket KillBox and use the Instructions that Follow!

C:\Program Files\MsConfigs\MsConfigs.exe
C:\WINDOWS\system32\p2pnetwork.exe
C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com



As you paste each into Killbox, place a tick by "Delete on Reboot"

Click "Yes" to Confirm

Click "No" to Reboot

Once at the last file

Click "Yes" to Confirm

Click "Yes" to Reboot


If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.


Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

After restarting in Safe Mode, Configure Windows to Show All Hidden Files and Folders. Here is a link to help with that:
http://www.bleepingcomputer.com/forums/ind...showtutorial=62


Run the Files through Killbox again to ensure all are gone; this time place a tick by any of these available:

"Standard File Kill"
"End Explorer Shell while Killing File"



Open HijackThis and place a Check next to these

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O4 - HKCU\..\RunServices: [p2pnetwork] p2pnetwork.exe

Make Sure All Windows and Browsers are Closed and Click "Fix Checked"

Scan the System with Ewido and Save that Report!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates


Post back with a fresh HijackThis log and the reports from Ewido and Panda!


Let's see how things look after that!
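As an added example (not code from this thread, nor from HijackThis, l2mfix or any other tool named in it), the checker below applies the reasoning used in the post above to lines in the HijackThis and "dir" listing formats: a service binary named iexplore.exe sitting in System32 rather than the Internet Explorer folder, an autorun entry with a bare filename, a service with an unknown owner whose file is missing, and tiny .com files named after built-in tools (cmd.com, regedit.com, ...), which are run in place of the real .exe because .COM precedes .EXE in the default PATHEXT. The sample lines, the EXPECTED_DIR allowlist and the SHADOWED_TOOLS set are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the HijackThis entries and the
# "dir" listing posted in this thread; not a real log capture.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\RunServices: [p2pnetwork] p2pnetwork.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: QoS Provider (qosprv) - Unknown owner - C:\WINDOWS\System32\iexplore.exe" -netsvcs (file missing)
""".strip()

DIR_SAMPLE = r"""
06/09/2005 09:23 PM 12,208 KGyGaAvL.sys
05/15/2005 01:17 AM 2 cmd.com
05/15/2005 01:17 AM 2 regedit.com
05/15/2005 01:17 AM 2 ping.com
09/26/2004 12:22 AM <DIR> Microsoft
""".strip()

# Windows programs that live in one fixed directory; a same-named file in
# System32 is the masquerade spotted in this thread. (Assumed allowlist for
# the example; extend it for real use.)
EXPECTED_DIR = {"iexplore.exe": r"c:\program files\internet explorer"}

# Built-in .exe tools. A tiny .com file with the same base name in System32
# runs instead of the real tool, because .COM precedes .EXE in the default
# PATHEXT, so "cmd" typed at Start -> Run launches cmd.com. (Assumed set.)
SHADOWED_TOOLS = {"cmd", "regedit", "taskmgr", "tasklist", "taskkill",
                  "netstat", "ping", "tracert"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.*)$")
DIR_RE = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d [AP]M\s+(?P<size>[\d,]+)\s+(?P<name>\S+)$")
EXE_RE = re.compile(r'"?(?P<p>[A-Za-z]:\\.*?\.(?:exe|com|dll|bat|cmd))', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def exe_path(cmd: str) -> str:
    """Pull the program path out of a command line; bare names stay bare."""
    m = EXE_RE.search(cmd)
    if m:
        return m["p"]
    cmd = cmd.strip().strip('"')
    return cmd.split()[0] if cmd else ""


def check_hjt_line(line: str) -> list:
    """Flag autorun (O4) and service (O23) entries that need a second look."""
    findings = []
    m = O4_RE.match(line)
    if m:
        exe = exe_path(m["cmd"])
        if "\\" not in exe:
            findings.append(Finding(line, f"autorun [{m['name']}] names a bare file ({exe}); "
                                          "it is resolved through PATH, not a fixed location"))
        if m["hive"] == "HKCU" and m["key"] == "RunServices":
            findings.append(Finding(line, "HKCU RunServices is a Windows 9x-era key that current software rarely uses"))
        return findings
    m = O23_RE.match(line)
    if m:
        path = exe_path(m["path"]).lower()
        parent, _, name = path.rpartition("\\")
        expected = EXPECTED_DIR.get(name)
        if expected and parent != expected:
            findings.append(Finding(line, f"service binary {name} is expected in {expected}, found in {parent}"))
        if "(file missing)" in m["path"] and m["owner"] == "Unknown owner":
            findings.append(Finding(line, "service with unknown owner whose binary is gone: a leftover registration worth removing"))
    return findings


def check_dir_line(line: str) -> list:
    """Flag tiny .com files that shadow built-in command-line tools."""
    m = DIR_RE.match(line)
    if not m:
        return []
    size = int(m["size"].replace(",", ""))
    base, _, ext = m["name"].lower().rpartition(".")
    if ext == "com" and base in SHADOWED_TOOLS and size < 1024:
        return [Finding(line, f"{size}-byte {m['name']} shadows the built-in {base}.exe (.COM precedes .EXE in PATHEXT)")]
    return []


def scan(hjt_text: str, dir_text: str) -> list:
    """Run both checks over the two listings and return every finding in input order."""
    findings = []
    for line in hjt_text.splitlines():
        findings.extend(check_hjt_line(line))
    for line in dir_text.splitlines():
        findings.extend(check_dir_line(line))
    return findings


if __name__ == "__main__":
    for f in scan(HJT_SAMPLE, DIR_SAMPLE):
        print(f"{f.reason}\n    {f.line}")
```

Run against the constructed sample it reports seven findings: two for the p2pnetwork entry, two for the QoS Provider service and one for each of the three 2-byte .com files, while the legitimate ccApp, NVSvc and MySql lines pass. The checks are heuristics for triage, not a verdict; the thread itself shows the decisive step is still submitting the suspect binary to multi-engine scanning.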

#8 dandiz

dandiz
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE

Posted 14 July 2005 - 01:11 AM

This is a report processed by VirusTotal on 07/14/2005 at 07:59:14 (CET) after scanning the file "loginkey.dll" file.

Antivirus Version Update Result

AntiVir 6.31.0.9 07.14.2005 no virus found
AVG 718 07.13.2005 no virus found
Avira 6.31.0.9 07.13.2005 no virus found
BitDefender 7.0 07.14.2005 no virus found
CATQuickHeal 7.03 07.13.2005 no virus found
ClamAV devel-20050501 07.13.2005 no virus found
DrWeb 4.32b 07.13.2005 no virus found
eTrust-Iris 7.1.194.0 07.13.2005 no virus found
eTrust-Vet 11.9.1.0 07.13.2005 no virus found
Fortinet 2.36.0.0 07.14.2005 no virus found
F-Prot 3.16c 07.14.2005 no virus found
Ikarus 2.32 07.13.2005 no virus found
Kaspersky 4.0.2.24 07.14.2005 no virus found
McAfee 4534 07.13.2005 no virus found
NOD32v2 1.1167 07.13.2005 no virus found
Norman 5.70.10 07.12.2005 no virus found
Panda 8.02.00 07.13.2005 no virus found
Sybari 7.5.1314 07.14.2005 no virus found
Symantec 8.0 07.13.2005 no virus found
TheHacker 5.8.2.070 07.13.2005 no virus found
VBA32 3.10.4 07.13.2005 no virus found


This is a report processed by VirusTotal on 07/14/2005 at 08:05:20 (CET) after scanning the file "iexplore.exe" file.
Antivirus Version Update Result
AntiVir 6.31.0.9 07.14.2005 Worm/Wootbot.290515
AVG 718 07.13.2005 BackDoor.Wootbot.R
Avira 6.31.0.9 07.14.2005 Worm/Wootbot.290515
BitDefender 7.0 07.14.2005 Backdoor.Wootbot.DP
CATQuickHeal 7.03 07.13.2005 (Suspicious) - DNAScan
ClamAV devel-20050501 07.13.2005 Worm.Mytob.GH
DrWeb 4.32b 07.13.2005 Win32.HLLW.ForBot
eTrust-Iris 7.1.194.0 07.13.2005 no virus found
eTrust-Vet 11.9.1.0 07.13.2005 no virus found
Fortinet 2.36.0.0 07.14.2005 W32/WootBot.6ACB-bdr
F-Prot 3.16c 07.14.2005 no virus found
Ikarus 2.32 07.13.2005 Backdoor.Win32.Rbot.Gen
Kaspersky 4.0.2.24 07.14.2005 Backdoor.Win32.Wootbot.gen
McAfee 4534 07.13.2005 W32/Sdbot.worm.gen.y
NOD32v2 1.1167 07.13.2005 probably unknown NewHeur_PE virus
Norman 5.70.10 07.12.2005 W32/SDBot.KQU
Panda 8.02.00 07.13.2005 W32/Sdbot.EAY.worm
Sybari 7.5.1314 07.14.2005 W32/Forbot-Fam
Symantec 8.0 07.13.2005 W32.Spybot.Worm
TheHacker 5.8.2.070 07.13.2005 Backdoor/Wootbot.gen
VBA32 3.10.4 07.13.2005 Backdoor.Win32.Wootbot.gen

#9 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 14 July 2005 - 08:17 AM

Ack!!!! :thumbsup:

Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Make sure that the Services I asked you to Stop are still Disabled and the Startup Types still are Disabled!


Go to Safe Mode and Delete

C:\WINDOWS\System32\iexplore.exe << That exact name, in that exact location please!


Still in Safe Mode-> From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

Once the Scan is Complete-> Click "Copy to Clipboard" and Copy&Paste those Results to Notepad and place them in the next post!


Restart Normal and post a fresh HijackThis log along with the results of WinPFind!



