Please Help With Pokapoka76


This topic is locked
25 replies to this topic

#1 HypNoTiQcoL

  • Members
  • 12 posts

Posted 17 October 2005 - 11:43 PM

Hey guys, well it's been a while since I've had to post here and I forgot my old account, so I guess I'll use this one. Okay, well I tried deleting the damn pokapoka76 thing using HJT but it simply doesn't work and it's getting annoying, to the point where I couldn't even save an HJT log because it kept Notepad from opening up. Weird... so I had to upload my HJT log to turboupload. Here's the link, someone please help!! Last time I needed help you guys helped a lot; hopefully this time I can fix my problem also. If there are any other nuisances in there, let me know.
Here's the link:
http://d.turboupload.com/d/107380/hijackthis.log.html

Thank you


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 18 October 2005 - 08:11 AM

Pasted log from link:

Logfile of HijackThis v1.99.1
Scan saved at 12:36:57 AM, on 10/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINDOWS\System32\msconfigx32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\etb\pokapoka76.exe
C:\WINDOWS\iau.exe
C:\WINDOWS\stisvsq.exe
C:\WINDOWS\svshost.exe
C:\WINDOWS\msqdevl.exe
C:\WINDOWS\lssas.exe
C:\WINDOWS\mservice.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://127.0.0.1:80
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKLM\..\Run: [Media Gateway] C:\PROGRA~1\MEDIAG~1\MEDIAG~1.EXE
O4 - HKLM\..\Run: [System service76] C:\WINDOWS\etb\pokapoka76.exe
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32] msconfigx32.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7925777B-276C-40BE-9BB9-ACCC74C00127}: NameServer = 205.152.144.23 205.152.132.23
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Hello,

It's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page won't be available then.
It is also important that you don't miss a step and that you perform everything in the right order!!

* Download and install CCleaner
Do not use it yet.

* Please set your system to show all files; please see here if you're unsure how to do this.

* Download LQfix.zip
Unzip it and save it to your desktop, don't use it yet!!

* Please download ewido:
http://www.ewido.net/en/download/
Let it update, but don't let it scan yet!!

* Reboot into Safe Mode (without networking support!):
°To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\System32\WinNB57.dll
O4 - HKLM\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKLM\..\Run: [Media Gateway] C:\PROGRA~1\MEDIAG~1\MEDIAG~1.EXE
O4 - HKLM\..\Run: [System service76] C:\WINDOWS\etb\pokapoka76.exe
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKLM\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\Run: [Multimedia extensions] mservice.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32] msconfigx32.exe
O4 - HKCU\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] iau.exe
O4 - HKCU\..\Run: [Internet Connection Wizard] stisvsq.exe
O4 - HKCU\..\Run: [Games Acceleration] svshost.exe
O4 - HKCU\..\Run: [Internet Mail and News] msqdevl.exe
O4 - HKCU\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKCU\..\Run: [Multimedia extensions] mservice.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe


* Click on Fix Checked when finished and exit HijackThis.

* Doubleclick LQfix.bat that you saved on your desktop before.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\System32\msconfigx32.exe
C:\WINDOWS\System32\WinNB57.dll
C:\PROGRAM FILES\MEDIAGATEWAY <== folder

Also delete the next files, but be careful here: the bad ones are present in your C:\Windows folder and NOT in your C:\Windows\System32 folder!!
So don't start searching for them in your System32 folder, because those are the legit ones!!

C:\WINDOWS\iau.exe
C:\WINDOWS\stisvsq.exe
C:\WINDOWS\svshost.exe
C:\WINDOWS\msqdevl.exe
C:\WINDOWS\lssas.exe
C:\WINDOWS\mservice.exe

* Still in Safe Mode, start CCleaner
Click "Options", then click the "Advanced" tab
Uncheck "Only delete files older than 48 hrs." and click OK
Click "Cleaner" and then click "Run Cleaner" (bottom right)

* Open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

* Reboot your system back to normal mode.

* Perform an online scan with Kaspersky Online Scanner

Click "Launch Kaspersky Anti-Virus Web Scanner"
You will be prompted if you want to install an ActiveX component from Kaspersky, click yes.
This will start downloading the latest definition files.
Once the files have been downloaded click on "Next"

* Click "Scan Settings"
Select the following in Scan Settings (normally they are already selected by default)

°Scan using the following Anti-Virus database: Standard

°Scan Options: Scan Archives
Scan Mail Bases

* Click OK
* Under select a target to scan, select "My Computer"

* This program will start to scan your system.
The scan will take a while so be patient and let it run.
When the scan is done, it will show a list of infected files found.

* Click on the "Save as Text"- button:
Save the scan log and post it along with a new HijackThis Log and the Ewido Log by using Add Reply.

Edited by miekiemoes, 18 October 2005 - 08:14 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
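The instructions above apply three tells by hand: autorun entries that are bare filenames, names that imitate core Windows processes (svshost.exe for svchost.exe, lssas.exe for lsass.exe), and executables living in C:\Windows itself rather than System32. As an added example (not code from this thread, from HijackThis, or from the helper), the following Python script parses a HijackThis log and applies those same tells automatically. The SYSTEM_BINARIES and WINDOWS_ROOT_OK lists are my own assumptions, and the embedded sample is an excerpt of the first log posted in this thread.

```python
import re
from dataclasses import dataclass

# Core Windows process names that malware imitates with near-miss spellings.
# Assumption: this list and WINDOWS_ROOT_OK are mine, not from the thread.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
# Binaries that legitimately run from the Windows root instead of System32.
WINDOWS_ROOT_OK = {"explorer.exe"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce): \[(.*?)\] (.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "suspect" (strong tell) or "review" (needs a human look)
    name: str      # executable basename, lower-cased
    item: str      # the process path or O4 line it came from
    reason: str


def osa_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance, so that a
    swapped letter pair such as lssas/lsass costs 1, the same as one typo."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_path(path):
    """(directory, basename); directory is '' for a bare filename."""
    return tuple(path.rsplit("\\", 1)) if "\\" in path else ("", path)


def executable_of(command):
    """The executable of an autorun command: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_hjt(text):
    """Return (running processes, O4 entries) from a HijackThis log; each
    entry is a (hive, key, label, command) tuple."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line closes the process block
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
        elif (m := O4_RE.match(line)):
            entries.append(m.groups())
    return processes, entries


def check(directory, name, item, out):
    """Apply the tells to one executable and append Findings to out."""
    d, n = directory.lower(), name.lower()
    for real in sorted(SYSTEM_BINARIES):  # 1. near-miss spelling of a core binary
        if n != real and osa_distance(n, real) == 1:
            out.append(Finding("suspect", n, item, f"name imitates {real}"))
    if n in SYSTEM_BINARIES and n not in WINDOWS_ROOT_OK and d and not d.endswith("\\system32"):
        out.append(Finding("suspect", n, item, f"{n} outside System32"))  # 2. real name, wrong place
    if d.endswith(":\\windows") and n not in WINDOWS_ROOT_OK:  # 3. Windows root, not System32
        out.append(Finding("review", n, item, "runs from the Windows root rather than System32 or Program Files"))
    if not d:  # 4. bare name: resolved through the PATH search, so its location is unknown
        out.append(Finding("review", n, item, "unqualified filename; check where the file actually lives on disk"))


def triage(text):
    processes, entries = parse_hjt(text)
    findings = []
    for proc in processes:
        directory, name = split_path(proc)
        check(directory, name, proc, findings)
    for hive, key, label, command in entries:
        directory, name = split_path(executable_of(command))
        check(directory, name, f"O4 - {hive}\\..\\{key}: [{label}] {command}", findings)
    return findings


def suspects(text):
    """Distinct basenames with at least one 'suspect' finding."""
    return {f.name for f in triage(text) if f.severity == "suspect"}


# Constructed input: an excerpt of the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\etb\pokapoka76.exe
C:\WINDOWS\svshost.exe
C:\WINDOWS\lssas.exe
C:\WINDOWS\mservice.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKLM\..\Run: [System service76] C:\WINDOWS\etb\pokapoka76.exe
O4 - HKLM\..\Run: [Games Acceleration] svshost.exe
O4 - HKLM\..\Run: [Microsoft Management Console] lssas.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32] msconfigx32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.item}\n    {f.reason}")
```

The "review" findings are deliberately noisy: a bare VTTimer.exe or C:\WINDOWS\LTMSG.exe is legitimate on this HP machine, which is why the thread's helper leaves them alone, and the script only asks a human to confirm the file on disk. The "suspect" findings (svshost.exe, lssas.exe) are the ones the naming tell catches on its own; pokapoka76.exe and msconfigx32.exe have no such tell and are found only through the scanner reports later in the thread.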

#3 HypNoTiQcoL

  • Topic Starter
  • Members
  • 12 posts

Posted 18 October 2005 - 03:42 PM

Phew, wow, I didn't expect to find this many infected files. Thanks so far for all your help. Here are the logs as you requested; let me know what further steps to take to rid my computer. Thx.

First and foremost, my new HJT log: (on a side note, when I performed a system scan with HJT, all but 4 of the objects that had previously appeared didn't appear; I waited some time and scanned again and then most came up, but not all. I checked the ones you mentioned and deleted them.)

Logfile of HijackThis v1.99.1
Scan saved at 4:34:29 PM, on 10/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Now my Ewido report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:04:30 PM, 10/18/2005
+ Report-Checksum: E74F09B5

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{145E6FB1-1256-44ed-A336-8BBA43373BE6} -> Spyware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{A78860C8-EE1A-46DF-A97F-E3E6D433E80B} -> Spyware.AdTomi : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{B599C57E-113A-4488-A5E9-BC552C4F1152} -> Spyware.CoolWebSearch : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned without backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}\ProxyStubClsid32\\ -> Spyware.AproposMedia : Cleaned without backup
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl -> Spyware.MediaMotor : Cleaned without backup
HKLM\SOFTWARE\Classes\IObjSafety.DemoCtl\Clsid -> Spyware.MediaMotor : Cleaned without backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned without backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned without backup
HKLM\SOFTWARE\Classes\NN_Bar_Dummy.NN_BarDummy\CLSID\\ -> Spyware.NetNucleus : Cleaned without backup
HKLM\SOFTWARE\Classes\NN_Bar_Dummy.NN_BarDummy.1\CLSID\\ -> Spyware.NetNucleus : Cleaned without backup
HKLM\SOFTWARE\Classes\PLOT.PlotCtrl.1 -> Spyware.EliteBar : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Spyware.InternetOptimizer : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\media-motor -> Spyware.MediaMotor : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\whSurvey -> Spyware.WebHancer : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned without backup
HKLM\SOFTWARE\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned without backup
HKLM\SOFTWARE\SurfSideKick2 -> Spyware.SurfSide : Cleaned without backup
HKLM\SOFTWARE\SurfSideKick2\Internet Explorer -> Spyware.SurfSide : Cleaned without backup
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned without backup
HKU\S-1-5-21-3799842130-1382095834-981018723-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned without backup
HKU\S-1-5-21-3799842130-1382095834-981018723-1003\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned without backup
HKU\S-1-5-21-3799842130-1382095834-981018723-1003\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned without backup


And finally my Kaspersky report (which found a lot):

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, October 18, 2005 16:30:35
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 18/10/2005
Kaspersky Anti-Virus database records: 145536
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 79236
Number of viruses found: 22
Number of infected objects: 53
Number of suspicious objects: 0
Duration of the scan process: 3838 sec

Infected Object Name - Virus Name
C:\!Submit\wininet.dll Infected: Virus.Win32.Nsag.a
C:\Program Files\Windows Media Player\wmplayer.exe.tmp Infected: Trojan-Downloader.Win32.Small.bem
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP32\A0007971.exe Infected: Trojan-Downloader.Win32.Small.bem
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP43\A0015963.exe Infected: Trojan.Win32.Kolweb.e
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP48\A0016335.exe/data0002 Infected: Trojan.Win32.Registrator.b
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP48\A0016335.exe/data0003 Infected: Trojan-Downloader.Win32.Small.aly
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP48\A0016335.exe Infected: Trojan-Downloader.Win32.Small.aly
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP51\A0017613.exe Infected: Backdoor.Win32.Ruledor.j
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP59\A0020031.exe Infected: Trojan.Win32.LowZones.cf
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP59\A0020032.exe Infected: Trojan.Win32.LowZones.ct
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP59\A0020033.exe Infected: Trojan-Downloader.Win32.VB.jl
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP59\A0020035.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP59\A0020046.exe Infected: Trojan.Win32.LowZones.cf
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP59\A0020047.exe Infected: Trojan-Downloader.Win32.VB.jl
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP59\A0020048.exe Infected: Trojan.Win32.LowZones.ct
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP59\A0020052.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP59\A0020066.exe Infected: Trojan.Win32.LowZones.cf
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP59\A0020067.exe Infected: Trojan.Win32.LowZones.ct
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP59\A0020068.exe Infected: Trojan-Downloader.Win32.VB.jl
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP59\A0020071.exe Infected: Trojan.Win32.EliteBar.d
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP60\A0021062.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0021086.exe Infected: Trojan.Win32.LowZones.ct
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0021087.exe Infected: Trojan.Win32.LowZones.cf
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0021088.exe Infected: Trojan-Downloader.Win32.VB.jl
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022082.exe Infected: Trojan.Win32.LowZones.ct
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022083.exe Infected: Trojan.Win32.LowZones.cf
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022084.exe Infected: Trojan-Downloader.Win32.VB.jl
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022086.exe Infected: Trojan.Win32.EliteBar.d
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022087.exe Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022117.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022132.exe Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022314.exe Infected: Trojan-Proxy.Win32.Symbab.be
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022388.exe Infected: Trojan.Win32.LowZones.cf
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022390.exe Infected: Trojan.Win32.LowZones.ct
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022393.dll Infected: Trojan.Win32.Kolweb.d
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022395.dll Infected: Trojan-Downloader.Win32.Dyfuca.gen
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022397.exe Infected: Trojan-Downloader.Win32.VB.jl
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022404.exe Infected: Trojan-Dropper.Win32.Small.yn
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022407.exe Infected: Trojan-Downloader.Win32.VB.if
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022411.dll Infected: Trojan-Downloader.Win32.Dyfuca.gen
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022412.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022413.dll Infected: Trojan.Win32.Kolweb.d
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022414.exe Infected: Trojan.Win32.Kolweb.e
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022415.sys Infected: Trojan.Win32.StartPage.xq
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022417.exe Infected: Trojan-Downloader.Win32.Delf.go
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022418.exe Infected: Trojan-Downloader.Win32.Small.bmm
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022421.sys Infected: Trojan.Win32.Kolweb.e
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022423.exe Infected: Trojan.Win32.Kolweb.d
C:\System Volume Information\_restore{CD53596A-5812-49DB-AF84-A72B9BECDE4F}\RP62\A0022424.sys Infected: Trojan.Win32.Kolweb.e
C:\WINDOWS\msiau.dll Infected: Trojan-Proxy.Win32.Symbab.be
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab
C:\WINDOWS\system32\msconfigx32.exe Infected: Backdoor.Win32.Rbot.gen
C:\WINDOWS\system32\wininet.dll Infected: Virus.Win32.Nsag.a

Scan process completed.


There it is, thx again for your time and patience.

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 18 October 2005 - 03:58 PM

Hi,

We really made an improvement!! :thumbsup:

But it seems like there are still some files present which are infected..

I already asked you before to delete this file: C:\WINDOWS\system32\msconfigx32.exe
Couldn't you find it?

Anyway, I see you already have Killbox installed...
Click killbox.exe.
Select the option "Delete on reboot".

Now copy the next bold:

C:\WINDOWS\system32\msconfigx32.exe
C:\WINDOWS\system32\i
C:\WINDOWS\msiau.dll
C:\Program Files\Windows Media Player\wmplayer.exe.tmp


Open 'file' in the killboxmenu on top and choose Paste from clipboard

Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines must be there together if the files are present!

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot.. Click YES
When it asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.
Click No at the Pending Operations prompt.

Your computer must reboot now.

Your wininet.dll is infected as well. This file is needed though, so we can't delete it; we have to replace it. There is a tool that can restore it, so let's use that one..

Download smitRem and save the file to your desktop.
Doubleclick it and choose install. This will create a new folder on your desktop with the name smitrem.
(If you already installed this before, please delete the old version and install this version)

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

REBOOT afterwards Really important!!

Post the log smitfiles.txt (which you will find on your C:\) in your next reply.

It could be possible that, after the reboot, your system is using the Windows Classic theme again.
To restore this and set it back to the XP theme, right-click on your desktop > Properties > Appearance tab and choose Windows XP style again under Windows and buttons.
Click Apply and OK.


#5 HypNoTiQcoL

  • Topic Starter
  • Members
  • 12 posts

Posted 18 October 2005 - 09:34 PM

Here's the log, looking good so far? :thumbsup:


smitRem log file
version 2.7

by noahdfear

The current date is: Tue 10/18/2005
The current time is: 22:16:54.07

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

adult
cars
sexual life
shopping
job search.url
poker.url
Online Gambling.url
online dating.url
Black Jack Online.url
Online Pharmacy\Adipex.url
Black Jack Online.url
Home Loan.url
Network Security.url
Online Dating.url
Online Pharmacy.url
Remove Spyware.url
Spam Filters.url
Take It Here - Free * TGP.url
Web Detective.url
Online Gambling folder
Online Pharmacy folder


~~~ system32 folder ~~~

perfcii.ini
wp.bmp


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

desktop.html
screen.html


~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

wininet.dll INFECTED!! :flowers: Starting replacement procedure.


~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~


~~~~ C:\WINDOWS\system32\dllcache\wininet.dll Present! ~~~~


~~~~ Checking dllcache\wininet.dll for infection ~~~~


~~~~ dllcache\wininet.dll Clean! ~~~~

~~~ Replaced wininet.dll from dllcache ~~~



~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :trumpet: ~~~~

#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 October 2005 - 02:55 AM

Hi,

It seems like we fixed it. :thumbsup:
You were also dealing with a desktop hijacker before, but smitRem deleted the related leftovers here.
Can you tell me if your desktop looks good now?
Also, how are things running now?

#7 HypNoTiQcoL (Topic Starter)

Posted 19 October 2005 - 03:03 PM

Hey there, well my computer is running smoother than ever (thanks to you) and I think all my problems might be gone. However, today I ran HJT again to see if anything came up, and that msconfigx32 came up again; not sure if that's normal. Here, have a look for yourself:

Logfile of HijackThis v1.99.1
Scan saved at 4:01:11 PM, on 10/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
O4 - HKLM\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] winsvc32.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32] msconfigx32.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] winsvc32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Is it looking OK?

#8 miekiemoes

Posted 19 October 2005 - 03:12 PM

Hi,

I think they are leftovers, because normally when they are present, they must be in your running processes as well... but they are not.

Check and fix the following entries in HijackThis again:

O4 - HKLM\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] winsvc32.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32] msconfigx32.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] winsvc32.exe


Just to be sure, check whether the following files are present and delete them:

C:\Windows\System32\msconfigx32.exe
C:\Windows\System32\winsvc32.exe

Make sure you don't delete any other files that look similar... make sure it's the right one!
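The check miekiemoes applies in the reply above (an autorun entry whose executable is not among the running processes is probably a leftover) can be automated over a HijackThis log. The script below is an added example, not part of this thread or of HijackThis itself; it parses an excerpt of the log posted above (plus one constructed, clean entry added for contrast) and lists the O4 entries that point at executables not seen running.

```python
"""Cross-check HijackThis O4 autorun entries against the Running processes list."""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed excerpt of the HijackThis log posted in this thread. The final O4
# line (ewidoguard) is NOT from the posted log; it is added so one entry matches
# a running process and is therefore not flagged.
HJT_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:01:11 PM, on 10/19/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] winsvc32.exe
O4 - HKLM\..\RunServices: [Microsoft Config 32] msconfigx32.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] winsvc32.exe
O4 - HKLM\..\Run: [ewido guard (constructed)] C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

# O4 registry-autorun lines look like: O4 - HKLM\..\Run: [Name] command
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^\\]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# First executable-looking token of a command line (quoted or not).
EXE_RE = re.compile(r"(.*?\.(?:exe|com|scr|pif|bat|cmd|dll))\b", re.IGNORECASE)


class AutorunEntry(NamedTuple):
    hive: str
    key: str
    name: str
    command: str
    image: str  # lowercase file name of the program the command launches


def basename(path: str) -> str:
    """Lowercase file name after the last backslash or slash."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def executable_basename(command: str) -> str:
    """Extract the program name from a Run-key command line.

    Handles quoted paths, unquoted paths containing spaces (by cutting after the
    first .exe-like token) and bare file names such as 'msconfigx32.exe'.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return basename(command[1:end] if end > 0 else command[1:])
    m = EXE_RE.match(command)
    return basename(m.group(1) if m else command.split(" ")[0])


def parse_hjt_log(text: str) -> Tuple[Set[str], List[AutorunEntry]]:
    """Return (running process basenames, O4 registry autorun entries)."""
    running: Set[str] = set()
    entries: List[AutorunEntry] = []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:  # blank line ends the process list
                in_procs = False
                continue
            running.add(basename(line))
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(AutorunEntry(m["hive"], m["key"], m["name"],
                                        m["cmd"], executable_basename(m["cmd"])))
    return running, entries


def find_orphaned_autoruns(text: str) -> List[AutorunEntry]:
    """O4 entries whose executable does not appear in the running-process list."""
    running, entries = parse_hjt_log(text)
    return [e for e in entries if e.image not in running]


def summarize_orphans(text: str) -> Dict[str, List[str]]:
    """Map each non-running image to the registry locations that launch it."""
    summary: Dict[str, List[str]] = {}
    for e in find_orphaned_autoruns(text):
        summary.setdefault(e.image, []).append(f"{e.hive}\\..\\{e.key}")
    return summary


if __name__ == "__main__":
    for image, locations in summarize_orphans(HJT_LOG).items():
        print(f"{image}: started from {', '.join(locations)} but not running")
```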

#9 HypNoTiQcoL (Topic Starter)

Posted 19 October 2005 - 04:05 PM

OK, I deleted the 4 entries using HJT and looked for the other two in my System32 and found them. Proceeded to delete them. So now I guess my system should be OK :thumbsup: Thanks for all your help and patience. Glad a site like this one exists to help people. Thanks again.

#10 miekiemoes

Posted 19 October 2005 - 04:11 PM

Glad I could help :thumbsup:

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Avoid illegal sites, because that's where most malware is present.

Let your antispyware scanner(s) scan frequently, and don't forget to update them beforehand.

And I do suggest you perform an online virus scan once in a while (Housecall and/or Bitdefender), because what one virus scanner can't find, another one maybe can.
Also make sure that the virus scanner installed on your system is always up to date!

Make sure your Windows has the latest updates, so visit asap: http://windowsupdate.microsoft.com/ to update to SP2

If you have XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

You can also find more info on how to prevent malware here (by Tony Klein)

Happy surfing again! :flowers:

#11 HypNoTiQcoL (Topic Starter)

Posted 19 October 2005 - 05:27 PM

Umm, I'm getting a problem I've never gotten before. When I open up IE it doesn't let me go to any websites. It's like it doesn't work. Not only that, but when I use Mozilla (which I'm on right now) my computer sort of blocks up. It hasn't happened this time, but earlier on, when I was trying to use HJT to get you a log, HJT froze, along with the ability to open the Task Manager (Ctrl + Alt + Delete), and I wasn't even able to shut down my computer (I had to unplug it). This happened 3 times. Also, when I tried to download something using Mozilla and the little box with the option to "run file..." or "save as" popped up and I clicked "OK"... it froze... I have no idea what's going on with my computer. Maybe I need to uninstall/reinstall Mozilla? IE? What do you think?

#12 miekiemoes

Posted 19 October 2005 - 05:37 PM

That's odd... and I think there must be still something present there.

First of all..

* Download: Hoster
Unzip Hoster to its own folder, e.g. C:\Hoster
Start Hoster.exe, click 'Restore Original Hosts' and click OK.

Can you post a startuplist from hijackthis and a silentrunners-log..

Open Hijackthis.
Click 'config' (bottom right) > Misc Tools > Generate StartUpListlog
Check the two boxes next to it:
List also minor sections (full)
List empty sections (complete)
Click Generate StartupListlog

Download Silent Runners
Unzip it to a permanent folder.
Start SilentRunners.vbs
If your antivirus gives an alert, do not block this. Allow the script.
Please wait until it tells you the scan is finished!
Copy and paste the content of the text file you get afterwards in your next reply, together with the StartupList from HijackThis.

Edited by miekiemoes, 19 October 2005 - 05:38 PM.


#13 miekiemoes

Posted 19 October 2005 - 05:50 PM

Extra addition: before performing the above steps, use this removal tool first:

http://www.f-secure.com/tools/f-bot.exe

Also perform this:

*Create a folder on your desktop called Sysclean.
Go to http://www.trendmicro.com/download/dcs.asp and download sysclean package to the folder you made.
Go to http://www.trendmicro.com/download/pattern.asp and download the Virus Pattern File (Official Pattern Release) to your desktop.
This file will be called lptXXX.zip (XXX represents the version number)
Unzip lptXXX.zip and you'll get the file lpt$vpn.XXX.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Move the lpt$vpn.XXX to that Sysclean-folder you created on your desktop.


* Reboot into Safe Mode (without networking support!)
To get into Safe Mode, press and hold your "F8 key" as the computer is booting. Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start Ccleaner
click "Options", click the "Advanced" tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Click "Cleaner" and click Run Cleaner (bottom right)

*Open the sysclean folder and double-click sysclean.com.
Check: Automatically clean or delete detected files.
Click scan.
When the scan is finished reboot back to normal mode.

Open your sysclean-folder and copy and paste the contents of sysclean.log in your next reply.

So I need the log from sysclean first. Afterwards I'm going to ask you for the Silent Runners log and the StartupList log.

Edited by miekiemoes, 19 October 2005 - 05:51 PM.


#14 HypNoTiQcoL (Topic Starter)

Posted 20 October 2005 - 08:53 PM

OK, I'll give you the Silent Runners log in a sec; for now here's the sysclean log (which took 5 hours lol). You might see the Windows folder first because I first scanned only that, then all of my hard drive.

Sysclean :



/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2005-10-19, 21:29:28, Auto-clean mode specified.
2005-10-19, 21:29:28, Running scanner "C:\Documents and Settings\Owner\Desktop\sysclean\TSC.BIN"...
2005-10-19, 21:30:33, Scanner "C:\Documents and Settings\Owner\Desktop\sysclean\TSC.BIN" has finished running.
2005-10-19, 21:30:33, TSC Log:

2005-10-19, 21:32:17, An error occurred while scanning file "C:\Documents and Settings\Owner\NTUSER.DAT": Access is denied.
2005-10-19, 21:32:17, An error occurred while scanning file "C:\Documents and Settings\Owner\ntuser.dat.LOG": Access is denied.
2005-10-19, 21:44:41, An error occurred while scanning file "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-10-19, 21:44:41, An error occurred while scanning file "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-10-19, 22:15:21, The user stopped the operation.


/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2005-10-19, 22:21:16, Auto-clean mode specified.
2005-10-19, 22:21:16, Running scanner "C:\Documents and Settings\Owner\Desktop\sysclean\TSC.BIN"...
2005-10-19, 22:22:21, Scanner "C:\Documents and Settings\Owner\Desktop\sysclean\TSC.BIN" has finished running.
2005-10-19, 22:22:21, TSC Log:

2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\ASHSERV.EXE-19B96E52.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\ASWUPDSV.EXE-0FBFBF2D.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\CCLEANER.EXE-09CFC2BC.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\DEFRAG.EXE-2858C7E2.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\DFRGNTFS.EXE-38C3807C.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\DRWTSN32.EXE-01DDCF15.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\DUMPREP.EXE-0AF2BF67.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\DWWIN.EXE-2C373FB7.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\EWIDOCTRL.EXE-26F6347E.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\EWIDOGUARD.EXE-073C0136.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\F-BOT.EXE-05AB2EF3.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\FIREFOX SETUP 1.0.7.EXE-13FB5829.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\FIREFOX.EXE-06188867.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\GUNITW~1.SCR-3864FF1B.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\HIJACKTHIS.EXE-0D77750D.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\IEXPLORE.EXE-2D97EBE6.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\IMAPI.EXE-201490BB.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\Layout.ini": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\LIMEWIRE.EXE-2057B409.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\MPLAYERC.EXE-3635234F.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\MSCONFIGX32.EXE-23E9CF38.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\MSHTA.EXE-07121ECA.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\NOTEPAD.EXE-2DAE2DE6.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\NVSVC32.EXE-0756FC6B.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-50481032.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-51BAEA16.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\SETUP.EXE-0F47095C.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\SNDVOL32.EXE-0EC6FD20.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\STARCRAFT.EXE-35A03551.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\SVCHOST.EXE-2D5FBD18.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\TFTP.EXE-2FDCAE53.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\WINAMP.EXE-22223556.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\WINRAR.EXE-0AA31BB9.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\WINSVC32.EXE-2C1EB6EC.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\WMPLAYER.EXE-1ACCF804.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\WMPLAYER.EXE-1ACCF805.pf": Access is denied.
2005-10-19, 22:29:21, Could not set file for reading on "C:\WINDOWS\Prefetch\WUAUCLT.EXE-1360D60A.pf": Access is denied.
2005-10-19, 22:33:38, An error occurred while scanning file "C:\WINDOWS\system32\config\default": Access is denied.
2005-10-19, 22:33:38, An error occurred while scanning file "C:\WINDOWS\system32\config\default.LOG": Access is denied.
2005-10-19, 22:33:38, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM": Access is denied.
2005-10-19, 22:33:38, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM.LOG": Access is denied.
2005-10-19, 22:33:39, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY": Access is denied.
2005-10-19, 22:33:39, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY.LOG": Access is denied.
2005-10-19, 22:33:39, An error occurred while scanning file "C:\WINDOWS\system32\config\software": Access is denied.
2005-10-19, 22:33:39, An error occurred while scanning file "C:\WINDOWS\system32\config\software.LOG": Access is denied.
2005-10-19, 22:33:39, An error occurred while scanning file "C:\WINDOWS\system32\config\system": Access is denied.
2005-10-19, 22:33:39, An error occurred while scanning file "C:\WINDOWS\system32\config\system.LOG": Access is denied.
2005-10-19, 22:38:22, Running scanner "C:\Documents and Settings\Owner\Desktop\sysclean\VSCANTM.BIN"...
2005-10-19, 22:55:15, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 10/19/2005 22:38:23
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 901 (110857 Patterns) (2005/10/19) (290100)
Command Line: C:\Documents and Settings\Owner\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\WINDOWS\*.* /P=C:\Documents and Settings\Owner\Desktop\sysclean

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IIF13938\avatarz[1].exe [TROJ_LOWZONES.DS]
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IIF13938\goaway[1].exe [TROJ_LOWZONES.DW]
18583 files have been read.
18583 files have been checked.
16942 files have been scanned.
23666 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/19/2005 22:55:15
---------*---------*---------*---------*---------*---------*---------*---------*
2005-10-19, 22:55:15, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 10/19/2005 22:38:23
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 901 (110857 Patterns) (2005/10/19) (290100)
Command Line: C:\Documents and Settings\Owner\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\WINDOWS\*.* /P=C:\Documents and Settings\Owner\Desktop\sysclean

Success Clean [TROJ_LOWZONES.DS]( 1) from C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IIF13938\avatarz[1].exe
Success Clean [TROJ_LOWZONES.DW]( 1) from C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IIF13938\goaway[1].exe
18583 files have been read.
18583 files have been checked.
16942 files have been scanned.
23666 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/19/2005 22:55:15 16 minutes 46 seconds (1005.77 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-10-19, 22:55:15, Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 10/19/2005 22:38:23
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 901 (110857 Patterns) (2005/10/19) (290100)
Command Line: C:\Documents and Settings\Owner\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\WINDOWS\*.* /P=C:\Documents and Settings\Owner\Desktop\sysclean

18583 files have been read.
18583 files have been checked.
16942 files have been scanned.
23666 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/19/2005 22:55:15 16 minutes 46 seconds (1005.77 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-10-19, 22:55:15, Scanner "C:\Documents and Settings\Owner\Desktop\sysclean\VSCANTM.BIN" has finished running.


/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2005-10-20, 10:09:27, Auto-clean mode specified.
2005-10-20, 10:09:27, Running scanner "C:\Documents and Settings\Owner\Desktop\sysclean\TSC.BIN"...
2005-10-20, 10:10:38, Scanner "C:\Documents and Settings\Owner\Desktop\sysclean\TSC.BIN" has finished running.
2005-10-20, 10:10:38, TSC Log:

Damage Cleanup Engine (DCE) 3.9(Build 1020)
Windows XP(Build 2600: Service Pack 1)

Start time : Thu Oct 20 2005 10:09:28

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Owner\Desktop\sysclean\tsc.ptn" (version 668) [success]

Complete time : Thu Oct 20 2005 10:10:38
Execute pattern count(4464), Virus found count(0), Virus clean count(0), Clean failed count(0)

2005-10-20, 10:12:49, An error occurred while scanning file "C:\Documents and Settings\Owner\NTUSER.DAT": Access is denied.
2005-10-20, 10:12:49, An error occurred while scanning file "C:\Documents and Settings\Owner\ntuser.dat.LOG": Access is denied.
2005-10-20, 10:26:32, An error occurred while scanning file "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-10-20, 10:26:32, An error occurred while scanning file "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-10-20, 12:54:37, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\ASHSERV.EXE-19B96E52.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\ASWUPDSV.EXE-0FBFBF2D.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\CCLEANER.EXE-09CFC2BC.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\DEFRAG.EXE-2858C7E2.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\DFRGNTFS.EXE-38C3807C.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\DRWTSN32.EXE-01DDCF15.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\DUMPREP.EXE-0AF2BF67.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\DWWIN.EXE-2C373FB7.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\EWIDOCTRL.EXE-26F6347E.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\EWIDOGUARD.EXE-073C0136.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\F-BOT.EXE-05AB2EF3.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\FIREFOX SETUP 1.0.7.EXE-13FB5829.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\FIREFOX.EXE-06188867.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\GUNITW~1.SCR-3864FF1B.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\HIJACKTHIS.EXE-0D77750D.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\IEXPLORE.EXE-2D97EBE6.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\IMAPI.EXE-201490BB.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\Layout.ini": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\LIMEWIRE.EXE-2057B409.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\MPLAYERC.EXE-3635234F.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\MSCONFIGX32.EXE-23E9CF38.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\MSHTA.EXE-07121ECA.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\NOTEPAD.EXE-2DAE2DE6.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\NVSVC32.EXE-0756FC6B.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-50481032.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-51BAEA16.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\SETUP.EXE-0F47095C.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\SNDVOL32.EXE-0EC6FD20.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\STARCRAFT.EXE-35A03551.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\SVCHOST.EXE-2D5FBD18.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\TFTP.EXE-2FDCAE53.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\WINAMP.EXE-22223556.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\WINRAR.EXE-0AA31BB9.pf": Access is denied.
2005-10-20, 13:02:08, Could not set file for reading on "C:\WINDOWS\Prefetch\WINSVC32.EXE-2C1EB6EC.pf": Access is denied.
2005-10-20, 13:02:09, Could not set file for reading on "C:\WINDOWS\Prefetch\WMPLAYER.EXE-1ACCF804.pf": Access is denied.
2005-10-20, 13:02:09, Could not set file for reading on "C:\WINDOWS\Prefetch\WMPLAYER.EXE-1ACCF805.pf": Access is denied.
2005-10-20, 13:02:09, Could not set file for reading on "C:\WINDOWS\Prefetch\WUAUCLT.EXE-1360D60A.pf": Access is denied.
2005-10-20, 13:06:17, An error occurred while scanning file "C:\WINDOWS\system32\config\default": Access is denied.
2005-10-20, 13:06:17, An error occurred while scanning file "C:\WINDOWS\system32\config\default.LOG": Access is denied.
2005-10-20, 13:06:17, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM": Access is denied.
2005-10-20, 13:06:17, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM.LOG": Access is denied.
2005-10-20, 13:06:17, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY": Access is denied.
2005-10-20, 13:06:17, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY.LOG": Access is denied.
2005-10-20, 13:06:17, An error occurred while scanning file "C:\WINDOWS\system32\config\software": Access is denied.
2005-10-20, 13:06:17, An error occurred while scanning file "C:\WINDOWS\system32\config\software.LOG": Access is denied.
2005-10-20, 13:06:17, An error occurred while scanning file "C:\WINDOWS\system32\config\system": Access is denied.
2005-10-20, 13:06:17, An error occurred while scanning file "C:\WINDOWS\system32\config\system.LOG": Access is denied.
2005-10-20, 13:10:59, Running scanner "C:\Documents and Settings\Owner\Desktop\sysclean\VSCANTM.BIN"...
2005-10-20, 14:02:58, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 10/20/2005 13:11:00
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 901 (110857 Patterns) (2005/10/19) (290100)
Command Line: C:\Documents and Settings\Owner\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Owner\Desktop\sysclean

C:\!Submit\wininet.dll [TSPY_ALEMOD.A]
63199 files have been read.
63199 files have been checked.
47051 files have been scanned.
93903 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/20/2005 14:02:57
---------*---------*---------*---------*---------*---------*---------*---------*
2005-10-20, 14:02:58, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 10/20/2005 13:11:00
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 901 (110857 Patterns) (2005/10/19) (290100)
Command Line: C:\Documents and Settings\Owner\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Owner\Desktop\sysclean

Success Clean [ TSPY_ALEMOD.A]( 1) from C:\!Submit\wininet.dll
63199 files have been read.
63199 files have been checked.
47051 files have been scanned.
93903 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/20/2005 14:02:57 51 minutes 51 seconds (3110.89 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-10-20, 14:02:58, Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 10/20/2005 13:11:00
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 901 (110857 Patterns) (2005/10/19) (290100)
Command Line: C:\Documents and Settings\Owner\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Owner\Desktop\sysclean

63199 files have been read.
63199 files have been checked.
47051 files have been scanned.
93903 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/20/2005 14:02:57 51 minutes 51 seconds (3110.89 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-10-20, 14:02:58, Scanner "C:\Documents and Settings\Owner\Desktop\sysclean\VSCANTM.BIN" has finished running.
2005-10-20, 14:05:14, Running scanner "C:\Documents and Settings\Owner\Desktop\sysclean\VSCANTM.BIN"...
2005-10-20, 14:12:00, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 10/20/2005 14:05:14
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 901 (110857 Patterns) (2005/10/19) (290100)
Command Line: C:\Documents and Settings\Owner\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Owner\Desktop\sysclean

9682 files have been read.
9682 files have been checked.
8591 files have been scanned.
15115 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/20/2005 14:12:00
---------*---------*---------*---------*---------*---------*---------*---------*
2005-10-20, 14:12:00, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 10/20/2005 14:05:14
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 901 (110857 Patterns) (2005/10/19) (290100)
Command Line: C:\Documents and Settings\Owner\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Owner\Desktop\sysclean

9682 files have been read.
9682 files have been checked.
8591 files have been scanned.
15115 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/20/2005 14:12:00 6 minutes 39 seconds (399.95 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-10-20, 14:12:00, Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 10/20/2005 14:05:14
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 901 (110857 Patterns) (2005/10/19) (290100)
Command Line: C:\Documents and Settings\Owner\Desktop\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 D:\*.* /P=C:\Documents and Settings\Owner\Desktop\sysclean

9682 files have been read.
9682 files have been checked.
8591 files have been scanned.
15115 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At : 10/20/2005 14:12:00 6 minutes 39 seconds (399.95 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-10-20, 14:12:00, Scanner "C:\Documents and Settings\Owner\Desktop\sysclean\VSCANTM.BIN" has finished running.


And my HJT startup list:

StartupList report, 10/20/2005, 9:45:06 PM
StartupList version: 1.52.2
Started from : C:\HJT\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\GUNITW~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is NOT normal! ()
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check failed!

--------------------------------------------------

Enumerating Browser Helper Objects:

*No BHO's found*

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\System32\Kaspersky Lab\Kaspersky On-line Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

[Java Plug-in 1.4.2]
InProcServer32 = C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
CODEBASE = http://java.sun.com/products/plugin/autodl...indows-i586.cab

[Java Plug-in 1.4.2]
InProcServer32 = C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
CODEBASE = http://java.sun.com/products/plugin/autodl...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: SpSubLSP.dll (file MISSING)
Protocol #2: SpSubLSP.dll (file MISSING)
Protocol #3: SpSubLSP.dll (file MISSING)
Protocol #4: SpSubLSP.dll (file MISSING)
Protocol #5: SpSubLSP.dll (file MISSING)
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\rsvpsp.dll
Protocol #10: C:\WINDOWS\system32\rsvpsp.dll
Protocol #11: SpSubLSP.dll (file MISSING)
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll
Protocol #22: C:\WINDOWS\system32\mswsock.dll
Protocol #23: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
AMD K7 Processor Driver: System32\DRIVERS\amdk7.sys (system)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
aswRdr: \??\C:\WINDOWS\System32\drivers\aswRdr.sys (manual start)
avast! iAVS4 Control Service: "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" (autostart)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
avast! Antivirus: "C:\Program Files\Alwil Software\Avast4\ashServ.exe" (autostart)
avast! Mail Scanner: "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (manual start)
avast! Web Scanner: "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
ewido security suite driver: \??\C:\Program Files\ewido\security suite\guard.sys (system)
ewido security suite guard: C:\Program Files\ewido\security suite\ewidoguard.exe (autostart)
ExtraSystemService3: \??\C:\WINDOWS\System32\drivers\systemsvr.sys (autostart)
fasttx2k: System32\DRIVERS\fasttx2k.sys (system)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Agere Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
nVidia WDM Video Capture (universal): System32\DRIVERS\nvcap.sys (autostart)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
nVidia WDM A/V Crossbar: System32\DRIVERS\NVxbar.sys (autostart)
NVIDIA nForce AGP Bus Filter: System32\DRIVERS\nv_agp.sys (system)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: \SystemRoot\System32\DRIVERS\pciide.sys (disabled)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
PS2: System32\DRIVERS\PS2.sys (manual start)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver: System32\DRIVERS\R8139n51.SYS (manual start)
S3Psddr: System32\DRIVERS\s3gnbm.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS315: System32\DRIVERS\sisgrp.sys (manual start)
SiS AGP Filter: System32\DRIVERS\SISAGPX.sys (system)
SiSkp: System32\DRIVERS\srvkp.sys (system)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Alcor Micro Corp - 9360: \??\C:\WINDOWS\System32\Drivers\sunkfilt.sys (manual start)
HP && Alcor Micro Corp for Phison: \??\C:\WINDOWS\System32\Drivers\sunkfiltp.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{07E67AF9-F29E-4C46-A99E-83F064F16F92} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoo

#15 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 October 2005 - 03:59 AM

Hi,

It seems like you managed to get infected with another piece of malware now, called Martfinder. That explains why your O4 items are not all present in your HijackThis log. We have to restore some, for example avast, because that one must be run from there too.

I also see that your LSP chain got corrupted... maybe because of a bad uninstall of Spamextract from Intermute.
A corrupted LSP chain can cause the internet connection problems.
So let's fix that first.

Please download LSPfix, save it to the Desktop and unzip it.
* Run LSPfix and place a check against the "I know what I am doing" checkbox.

Highlight every instance of SpSubLSP.dll and move it from the Keep to the Remove panel. Be sure to move nothing other than SpSubLSP.dll, or you will lose your internet connection!!

When done, click on Finish to exit the program; do not use the X in the top right-hand corner as nothing will happen!

Reboot and post a new HijackThis log.
Can you also tell me if you have Spybot S&D installed?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
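The advice above rests on reading the "Enumerating Winsock LSP files" section of the StartupList report and spotting providers whose DLL no longer exists on disk (the `SpSubLSP.dll (file MISSING)` lines). The following is an added example, not code from the thread or from HijackThis/LSPfix: a small Python parser that walks that section of a report, flags every dangling provider, and lists the distinct DLL names a helper would tell the user to move to the Remove panel. The sample report text is a constructed excerpt shaped like the one in the post; the assumption that `(file MISSING)` is the only marker StartupList uses for an unresolvable provider is mine.

```python
import re
from typing import Dict, List, NamedTuple


class LspEntry(NamedTuple):
    kind: str      # "NameSpace" or "Protocol" (the two Winsock catalog types StartupList lists)
    index: int     # catalog position as printed after the '#'
    path: str      # DLL path or bare file name as printed
    missing: bool  # True when StartupList could not find the file on disk


# Constructed excerpt mirroring the "Winsock LSP" section of the StartupList report above.
# (Sample input, not the user's actual full report.)
SAMPLE_REPORT = r"""
--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
Protocol #1: SpSubLSP.dll (file MISSING)
Protocol #2: SpSubLSP.dll (file MISSING)
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: SpSubLSP.dll (file MISSING)

--------------------------------------------------

Enumerating Windows NT/2000/XP services
"""

# One catalog line: "<kind> #<n>: <path>" with an optional " (file MISSING)" suffix.
# Assumption: that suffix is the only way StartupList marks an unresolvable provider.
LSP_LINE = re.compile(r"^(NameSpace|Protocol) #(\d+): (.+?)( \(file MISSING\))?$")


def parse_lsp_section(report: str) -> List[LspEntry]:
    """Return the Winsock catalog entries from a StartupList report, in report order."""
    entries: List[LspEntry] = []
    in_section = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Enumerating Winsock LSP files"):
            in_section = True
            continue
        if in_section and line.startswith("Enumerating"):
            break  # next section of the report reached
        if not in_section:
            continue
        m = LSP_LINE.match(line)
        if m:
            kind, idx, path, missing = m.groups()
            entries.append(LspEntry(kind, int(idx), path, missing is not None))
    return entries


def dangling_providers(entries: List[LspEntry]) -> List[str]:
    """Distinct DLL names whose file is missing: the candidates to move to LSPfix's Remove panel."""
    return sorted({e.path for e in entries if e.missing})


def chain_health(entries: List[LspEntry]) -> Dict[str, object]:
    """Summarise the chain; a single dangling provider is enough to break Winsock for every app."""
    missing = [e for e in entries if e.missing]
    return {
        "namespace": sum(1 for e in entries if e.kind == "NameSpace"),
        "protocol": sum(1 for e in entries if e.kind == "Protocol"),
        "missing": len(missing),
        "missing_indexes": [e.index for e in missing],
        "healthy": not missing,
    }


if __name__ == "__main__":
    found = parse_lsp_section(SAMPLE_REPORT)
    print(chain_health(found))
    for dll in dangling_providers(found):
        print("dangling provider, remove with LSPfix:", dll)
```

Note that only entries carrying the `(file MISSING)` marker are reported; the `mswsock.dll`, `winrnr.dll` and `rsvpsp.dll` lines are Microsoft's own providers and must stay in the Keep panel, which is exactly the "move nothing other than SpSubLSP.dll" caution in the post.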



