
Hijackthis Log, Please Help


  • This topic is locked
16 replies to this topic

#1 mawk (Members, 9 posts)

Posted 29 August 2006 - 06:52 PM

Logfile of HijackThis v1.99.1
Scan saved at 6:09:54 PM, on 8/29/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINNT\Explorer.exe
C:\PROGRA~1\NEXSEN~1\Eagleserver.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\win3207743-728999.exe
C:\WINNT\System32\locator.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Faamati Winey\Desktop\Downloads\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
F2 - REG:system.ini: Shell=Explorer.exe asus.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,asus.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [defender] C:\\dfndrff_13.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_13.exe
O4 - HKLM\..\Run: [win3207743-728999] C:\WINNT\win3207743-728999.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\Duce6.exe
O4 - HKLM\..\RunServices: [Windows firewall manager] msguard.exe
O4 - HKLM\..\RunServices: [Asus MotherBoard Utility] asus.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [Windows firewall manager] msguard.exe
O4 - HKCU\..\RunServices: [Asus MotherBoard Utility] asus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\Downloaded Program Files\SbCIe02a.dll
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02a.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124304577546
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E724400-D544-4B9D-913B-6ED311EB5F94}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: NexMgrService - NexWatch - C:\PROGRA~1\NEXSEN~1\Eagleserver.exe
O23 - Service: Windows Network Security Management Service (nsms) - Unknown owner - C:\WINNT\system32\62E.tmp (file missing)
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:\WINNT\system32\wgareg.exe (file missing)
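
An added example for the log above (and for the fresh log later in the thread), not HijackThis's code and not something from the original post: a small Python triage that encodes the checks a helper does by eye on a HijackThis v1.99 log. It flags the F2 Shell and UserInit values that carry an extra program (here asus.exe), O4 RunServices entries, O4 commands that run a bare filename or a file sitting in a drive root, services with no vendor whose binary is missing, orphaned "(file missing)" / "(no file)" registrations, and the O17 name servers that need verifying against the ISP. SAMPLE_LOG is a constructed excerpt modelled on the posted entries; the severity rules and the "clean default" values for Shell and UserInit are this example's own assumptions.

```python
# Triage a HijackThis v1.99 log for the persistence points a responder reads first.
# Added example for this thread: not HijackThis's code and not from the original post.
# SAMPLE_LOG is a constructed excerpt modelled on the posted logs; the severity rules
# and the "clean default" values are this example's assumptions.
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity code reason line")  # severity: "high" or "review"

SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe asus.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,asus.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_13.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [Windows firewall manager] msguard.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O2 - BHO: (no name) - {794946BD-E082-4397-8C26-B16769AC67F6} - C:\WINNT\system32\jkkjk.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E724400-D544-4B9D-913B-6ED311EB5F94}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

CLEAN = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}  # assumed clean Windows 2000 values
F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|com|scr|bat|cmd|pif))\b', re.IGNORECASE)
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\+[^\\]+$")  # C:\msguard.exe, C:\\dfndrff_13.exe


def _exe_of(command):
    """Executable part of an O4 command; HijackThis prints paths unquoted, so cut at the extension."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else command.strip().split(" ", 1)[0]


def classify(line):
    """Return a Finding for one log line, or None when the line looks benign."""
    line = line.rstrip()
    code = line.split(" ", 1)[0]

    m = F2_RE.match(line)
    if m:
        key, value = m.groups()
        # Shell is space-separated, UserInit comma-separated; Windows starts every entry at logon.
        parts = value.split() if key == "Shell" else [p.strip() for p in value.split(",") if p.strip()]
        if not parts or parts[0].split("\\")[-1].lower() != CLEAN[key] or len(parts) > 1:
            return Finding("high", code, f"{key} hijacked: logon launches {parts}", line)
        return None

    m = O4_RE.match(line)
    if m:
        hive, key, name, command = m.groups()
        exe = _exe_of(command)
        if key.lower().startswith("runservices"):
            # RunServices is honoured only by Windows 9x; on Windows 2000 nothing legitimate
            # installs there, but 9x-era droppers still write it as a fallback.
            return Finding("high", code, f"[{name}] in {hive} RunServices runs {exe}", line)
        if "\\" not in exe:
            return Finding("review", code, f"[{name}] runs {exe} by bare name via the search path", line)
        if DRIVE_ROOT_RE.match(exe):
            return Finding("review", code, f"[{name}] runs {exe} straight from a drive root", line)
        return None

    m = O23_RE.match(line)
    if m:
        name, owner, path = m.groups()
        unknown, missing = owner == "Unknown owner", path.endswith("(file missing)")
        if unknown and missing:
            return Finding("high", code, f"service '{name}' has no vendor and its binary is gone", line)
        if unknown or missing:
            return Finding("review", code, f"service '{name}': owner={owner!r}, missing={missing}", line)
        return None

    if line.endswith("(file missing)") or line.endswith("(no file)"):
        return Finding("review", code, "registration points at a file that is no longer on disk", line)
    m = O17_RE.match(line)
    if m:
        return Finding("review", code, f"DNS servers {m.group(1)}: confirm they belong to the ISP", line)
    return None


def triage_log(log_text):
    """Findings for every line of a log, in log order (at most one per line)."""
    return [f for f in (classify(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.severity:6} {f.code:4} {f.reason}")
```

"high" is reserved for patterns that are a hijack on their own (a second program in Shell or UserInit, a RunServices entry, a vendorless service with no binary); "review" marks entries a helper still has to judge, which is why the legitimate `mobsync.exe /logon` is listed alongside the dropper in `C:\`: both run by bare name or from a drive root, and only the reader knows which one belongs to Windows.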


#2 Buckeye_Sam (Malware Expert; Members, 17,382 posts; Pickerington, Ohio)

Posted 31 August 2006 - 01:05 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 mawk (Topic Starter)

Posted 01 September 2006 - 05:54 PM

Hi Sam, Nice to meet you. Thanks a lot for the help. Here's the log from combofix:

Faamati Winey - Fri 09/01/2006 17:31:30.34
ComboFix 06.08.30BT - Running from: C:\Documents and Settings\Faamati Winey\Desktop

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Faamati Winey\Local Settings\Temporary Internet Files\Content.IE5\OJJ9E58Y\kybrdff_14[1].exe
C:\deskbar.exe
C:\Program Files\Deskbar


((((((((((((((((((((((((((((((( Files Created from 2006-08-01 to 2006-09-01 ))))))))))))))))))))))))))))))))))


2006-08-29 13:07 183,296 --a-s---- C:\WINNT\NDNuninstall7_22.exe
2006-08-29 13:03 8,464 --a------ C:\WINNT\system32\sporder.dll
2006-08-26 11:42 1,645,320 --a------ C:\WINNT\system32\gdiplus.dll
2006-08-25 05:38 968,085 ---hs---- C:\WINNT\system32\kjkkj.bak1
2006-08-25 05:38 13,844 --a------ C:\WINNT\system32\dmlnktuc.exe
2006-08-24 17:37 13,844 --a------ C:\WINNT\system32\xrqgbrbk.exe
2006-08-24 17:37 1,083,999 ---hs---- C:\WINNT\system32\kjkkj.bak2
2006-08-23 22:21 0 --a------ C:\WINNT\system32\17348_netapi.exe
2006-08-23 21:50 188,416 --a------ C:\WINNT\system32\58503_netapi.exe
2006-08-23 20:59 188,416 --a------ C:\WINNT\system32\88654_netapi.exe
2006-08-23 19:21 188,416 --a------ C:\WINNT\system32\30404_netapi.exe
2006-08-23 19:21 188,416 --a------ C:\WINNT\system32\01334_netapi.exe
2006-08-23 18:34 573,492 ---hs---- C:\WINNT\system32\jkkjk.dll
2006-08-23 18:20 40,973 ---hs---- C:\WINNT\system32\ssqnonm.dll
2006-08-23 17:22 188,416 --a------ C:\WINNT\system32\87037_netapi.exe
2006-08-23 17:22 188,416 --a------ C:\WINNT\system32\38448_netapi.exe
2006-08-23 17:22 188,416 --a------ C:\WINNT\system32\03755_netapi.exe
2006-08-23 17:18 188,416 --a------ C:\WINNT\system32\17166_netapi.exe
2006-08-23 16:57 188,416 --a------ C:\WINNT\system32\63474_netapi.exe
2006-08-23 16:54 188,416 --a------ C:\WINNT\system32\12258_netapi.exe
2006-08-23 16:54 188,416 --a------ C:\msguard.exe
2006-08-23 16:45 214,752 --a------ C:\Setup100.exe
2006-08-23 16:43 214,749 --a------ C:\WINNT\srvgbfqucs.exe
2006-08-23 16:42 507,904 --a------ C:\814.exe
2006-08-23 16:42 0 --a------ C:\WINNT\system32\60423_netapi.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-01 09:41 -------- d-------- C:\Program Files\PCCW
2006-09-01 00:00 -------- d-a------ C:\Program Files\LogMeIn
2006-08-26 15:40 -------- d-------- C:\Program Files\Lavasoft
2006-08-26 15:40 -------- d-------- C:\Documents and Settings\Faamati Winey\Application Data\Lavasoft
2006-08-07 08:23 777472 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-08-07 08:23 27904 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2006-08-07 08:23 26912 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2006-07-26 14:53 8040 --a------ C:\WINNT\system32\drivers\LMImirr.sys
2006-07-25 00:08 840976 --a------ C:\WINNT\system32\mmcndmgr.dll
2006-07-24 19:51 -------- d-------- C:\Program Files\NexSentry Manager
2006-07-21 13:15 9576 --a------ C:\WINNT\system32\LMImirr2.dll
2006-07-21 13:15 23016 --a------ C:\WINNT\system32\LMImirr.dll
2006-07-21 10:08 72704 --a------ C:\WINNT\system32\hlink.dll
2006-07-06 11:52 613648 --a------ C:\WINNT\system32\mmc.exe
2006-07-06 06:45 96528 --a------ C:\WINNT\system32\dnsrslvr.dll
2006-06-21 01:52 54544 --a------ C:\WINNT\system32\mpr.dll
2006-06-16 02:05 1713536 --a------ C:\WINNT\system32\NTKRNLPA.EXE
2006-06-16 02:04 1690880 --a------ C:\WINNT\system32\NTOSKRNL.EXE


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Windows firewall manager"="msguard.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Windows firewall manager"="msguard.exe"
"Asus MotherBoard Utility"="asus.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00002002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Windows firewall manager"="msguard.exe"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjk


Completion time: Fri 2006-09-01 17:35:09.71
ComboFix.txt

#4 Buckeye_Sam (Malware Expert)

Posted 02 September 2006 - 07:13 PM

I see a few issues, so I'm going to post two steps for you in this post.


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


============



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#5 mawk (Topic Starter)

Posted 05 September 2006 - 11:50 AM

Ok, here we go; my hat goes off to you if you can make sense of all this. First the Vundo file:


VundoFix V6.1.2

Checking Java version...

Java version is 1.4.2.3

Scan started at 10:23:50 AM 9/5/2006

Listing files found while scanning....

C:\WINNT\system32\jkkjk.dll
C:\WINNT\system32\kjkkj.ini
C:\WINNT\system32\kjkkj.bak1
C:\WINNT\system32\kjkkj.bak2
C:\WINNT\system32\ssqnonm.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\jkkjk.dll
C:\WINNT\system32\jkkjk.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\kjkkj.ini
C:\WINNT\system32\kjkkj.ini Has been deleted!

Attempting to delete C:\WINNT\system32\kjkkj.bak1
C:\WINNT\system32\kjkkj.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\kjkkj.bak2
C:\WINNT\system32\kjkkj.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\ssqnonm.dll
C:\WINNT\system32\ssqnonm.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.2

Checking Java version...

Java version is 1.4.2.3

Scan started at 10:39:09 AM 9/5/2006

Listing files found while scanning....

C:\WINNT\system32\jkkjk.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\jkkjk.dll
C:\WINNT\system32\jkkjk.dll Has been deleted!

Performing Repairs to the registry.
Done!


Now the Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, September 05, 2006 11:34:05 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 5/09/2006
Kaspersky Anti-Virus database records: 221005
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 39210
Number of viruses found: 13
Number of infected objects: 37 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:31:45

Infected Object Name / Virus Name / Last Action
C:\814.exe Infected: Trojan-Downloader.Win32.Dyfuca.fb skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users.WINNT\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Default User.WINNT\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\12O2OVO8\gc[1].exe/data.rar/kans.reg Infected: Trojan.WinREG.LowZones.f skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\12O2OVO8\gc[1].exe/data.rar/kansup.reg Infected: Trojan.WinREG.LowZones.f skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\12O2OVO8\gc[1].exe/data.rar Infected: Trojan.WinREG.LowZones.f skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\12O2OVO8\gc[1].exe RarSFX: infected - 3 skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\3DG9GRU0\0006_159900[1].cab/ISTactivex.dll Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\3DG9GRU0\0006_159900[1].cab CAB: infected - 1 skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\3DG9GRU0\deskbar[1].exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\3DG9GRU0\deskbar[1].exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\3DG9GRU0\deskbar[1].exe NSIS: infected - 2 skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\3DG9GRU0\Setup100[1].exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\3DG9GRU0\Setup100[1].exe/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\3DG9GRU0\Setup100[1].exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\3DG9GRU0\Setup100[1].exe NSIS: infected - 3 skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\FLTG4CYR\814[1].exe Infected: Trojan-Downloader.Win32.Dyfuca.fb skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\VOF6NTYL\AppWrap[1].exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\VOF6NTYL\prompt[1].htm Infected: Trojan-Downloader.JS.IstBar.j skipped
C:\Documents and Settings\Faamati Winey\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Faamati Winey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Faamati Winey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Faamati Winey\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Faamati Winey\Local Settings\History\History.IE5\MSHist012006090520060906\index.dat Object is locked skipped
C:\Documents and Settings\Faamati Winey\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Faamati Winey\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Faamati Winey\ntuser.dat.LOG Object is locked skipped
C:\Program Files\LogMeIn\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\update\2-30-537.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\NexSentry Manager\Database\nexmgr.dbc Object is locked skipped
C:\Program Files\NexSentry Manager\Database\NexMgr.DCT Object is locked skipped
C:\Program Files\NexSentry Manager\Database\NexMgr.DCX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblabareader.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblabareader.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblaccesscodes.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblAccessCodes.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblactiongroups.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblactiongroups.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblactions.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblActions.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblactionschip.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblActionsCHIP.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblacumodemdata.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblACUModemData.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblacusitecodes.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblACUSiteCodes.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblacuusers.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblacuusers.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblalarms.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblalarms.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblaudit.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblaudit.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblcredentials.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblCredentials.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tbldevicechip.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblDeviceCHIP.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tbldialupinfo.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblDialupInfo.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tbldigitalreader.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblDigitalReader.DBF Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tbldoorchip.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblDoorCHIP.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblfacilitycodes.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblfacilitycodes.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblfloorgroup.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblfloorgroup.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblfloorgroupcabs.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblfloorgroupcabs.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblfloorgroupfloors.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblFloorGroupFloors.DBF Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblholidays.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblholidays.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblhosts.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblHosts.DBF Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblinputs.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblinputs.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblkeypad.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblkeypad.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblManageActions.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblmanageactions.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tbloperatorsecurity.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tbloperatorsecurity.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tbloutputs.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tbloutputs.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblpeople.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblPeople.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblpeopleaccesscodes.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblPeopleAccessCodes.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblpoints.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblPoints.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblpollers.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblPollers.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblsitecodes.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblsitecodes.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblsystem.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblsystem.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblsystem.FPT Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tbltimecodes.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tbltimecodes.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tbltimegroups.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tbltimegroups.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tbltimezones.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tbltimezones.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tbltransactionlog.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tbltransactionlog.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tbltransactionlog.FPT Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tbltransactiontype.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tbltransactiontype.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblweigandreader.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblweigandreader.dbf Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblzones.CDX Object is locked skipped
C:\Program Files\NexSentry Manager\Database\tblZones.dbf Object is locked skipped
C:\Setup100.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\Setup100.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\Setup100.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\Setup100.exe NSIS: infected - 3 skipped
C:\u487sdjkt.exe/data.rar/kans.reg Infected: Trojan.WinREG.LowZones.f skipped
C:\u487sdjkt.exe/data.rar/kansup.reg Infected: Trojan.WinREG.LowZones.f skipped
C:\u487sdjkt.exe/data.rar Infected: Trojan.WinREG.LowZones.f skipped
C:\u487sdjkt.exe RarSFX: infected - 3 skipped
C:\VundoFix Backups\jkkjk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.da skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Downloaded Program Files\SbCIe02a.dll Infected: not-a-virus:AdWare.Win32.SideStep.g skipped
C:\WINNT\NDNuninstall7_22.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\srvgbfqucs.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\WINNT\srvgbfqucs.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\WINNT\srvgbfqucs.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\WINNT\srvgbfqucs.exe NSIS: infected - 3 skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\dmlnktuc.exe Infected: not-a-virus:Downloader.Win32.WinFixer.r skipped
C:\WINNT\system32\xrqgbrbk.exe Infected: not-a-virus:Downloader.Win32.WinFixer.r skipped
C:\WINNT\Temp\H7SC0000.TMP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.

Finally, a fresh HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:36:00 AM, on 9/5/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\PROGRA~1\NEXSEN~1\Eagleserver.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\locator.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Faamati Winey\Desktop\Downloads\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe asus.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,asus.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {794946BD-E082-4397-8C26-B16769AC67F6} - C:\WINNT\system32\jkkjk.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [Windows firewall manager] msguard.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [Windows firewall manager] msguard.exe
O4 - HKCU\..\RunServices: [Asus MotherBoard Utility] asus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\Downloaded Program Files\SbCIe02a.dll
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02a.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124304577546
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E724400-D544-4B9D-913B-6ED311EB5F94}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: NexMgrService - NexWatch - C:\PROGRA~1\NEXSEN~1\Eagleserver.exe
O23 - Service: Windows Network Security Management Service (nsms) - Unknown owner - C:\WINNT\system32\62E.tmp (file missing)
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:\WINNT\system32\wgareg.exe (file missing)

#6 Buckeye_Sam (Malware Expert)

Posted 05 September 2006 - 03:49 PM

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe asus.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,asus.exe
O2 - BHO: (no name) - {794946BD-E082-4397-8C26-B16769AC67F6} - C:\WINNT\system32\jkkjk.dll (file missing)
O4 - HKLM\..\RunServices: [Windows firewall manager] msguard.exe
O4 - HKCU\..\RunServices: [Windows firewall manager] msguard.exe
O4 - HKCU\..\RunServices: [Asus MotherBoard Utility] asus.exe
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINNT\Downloaded Program Files\SbCIe02a.dll
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k00719/sb02a.cab
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: Windows Network Security Management Service (nsms) - Unknown owner - C:\WINNT\system32\62E.tmp (file missing)
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:\WINNT\system32\wgareg.exe (file missing)



==========



Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Delete Temp Files
    • Click Tools -> Delete Temp Files
    • Place a check mark in all locations that aren't greyed out. By default they should already be checked.
    • Click Delete Selected Temp Files
  • Once that completes, select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\814.exe
    C:\Setup100.exe
    C:\u487sdjkt.exe
    C:\WINNT\Downloaded Program Files\SbCIe02a.dll
    C:\WINNT\NDNuninstall7_22.exe
    C:\WINNT\srvgbfqucs.exe
    C:\WINNT\system32\dmlnktuc.exe
    C:\WINNT\system32\xrqgbrbk.exe
    C:\msguard.exe



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
=========



Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close Ewido anti-spyware. Do Not run a scan just yet; we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
  • Clean out your Temporary Internet files
    • Quit Internet Explorer and quit any instances of Windows Explorer.
    • Click Start -> Control Panel and then double-click Internet Options.
    • On the General tab, click Delete Files under Temporary Internet Files.
    • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
    • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
    • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
    • Click OK.
    IMPORTANT: Close all windows and do not open any other windows or programs while Ewido is scanning; it may interfere with the scanning process.

  • Launch Ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  • Ewido will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido and reboot your system back into Normal Mode and post the results of the Ewido scan report along with a new Hijackthis log.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 mawk (Topic Starter)

Posted 07 September 2006 - 01:35 PM

Before I post the logs, I have a couple of observations to make. What am I supposed to do about Spybot? After Killbox rebooted, I got several messages from Spybot. I didn't know what to do, so I just closed the message box (btw, there's a button in the Spybot message box which I can't read; I mean there's nothing there. It's the one farthest to the right, so I just close the box by clicking the X in the upper right corner.)

After rebooting the last time I got a message box from asus.exe saying "Cannot find the file asus.exe..."

Ok so here are the logs:

Pocket Killbox version 2.0.0.881
Running on Windows 2000 as Faamati Winey(Administrator)
was started @ Thursday, September 07, 2006, 11:48 AM

# 1 [Delete on Reboot]
Path = C:\814.exe


# 2 [Delete on Reboot]
Path = C:\Setup100.exe


# 3 [Delete on Reboot]
Path = C:\u487sdjkt.exe


# 4 [Delete on Reboot]
Path = C:\WINNT\Downloaded Program Files\SbCIe02a.dll


# 5 [Delete on Reboot]
Path = C:\WINNT\NDNuninstall7_22.exe


# 6 [Delete on Reboot]
Path = C:\WINNT\srvgbfqucs.exe


# 7 [Delete on Reboot]
Path = C:\WINNT\system32\dmlnktuc.exe


# 8 [Delete on Reboot]
Path = C:\WINNT\system32\xrqgbrbk.exe


# 9 [Delete on Reboot]
Path = C:\msguard.exe


I Rebooted @ 11:51:45 AM
Pocket Killbox version 2.0.0.881
Running on Windows 2000 as Faamati Winey(Administrator)
was started @ Thursday, September 07, 2006, 11:55 AM

Killbox Closed(Exit) @ 11:55:44 AM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows 2000 as Faamati Winey(Administrator)
was started @ Thursday, September 07, 2006, 1:22 PM



---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:04:35 PM 9/7/2006

+ Scan result:



C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\VOF6NTYL\AppWrap[1].exe -> Adware.AdURL : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Effective-i -> Adware.EffectiveBrandToolbar : Error during cleaning.
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Error during cleaning.
HKLM\SOFTWARE\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Error during cleaning.
C:\!KillBox\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\!KillBox\SbCIe02a.dll -> Adware.SideStep : Cleaned with backup (quarantined).
C:\!KillBox\814.exe -> Downloader.Dyfuca.fb : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\FLTG4CYR\814[1].exe -> Downloader.Dyfuca.fb : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\3DG9GRU0\0006_159900[1].cab/ISTactivex.dll -> Downloader.IstBar : Error during cleaning.
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\VOF6NTYL\prompt[1].htm -> Downloader.IstBar.j : Cleaned with backup (quarantined).
C:\!KillBox\dmlnktuc.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\!KillBox\xrqgbrbk.exe -> Not-A-Virus.Downloader.Win32.WinFixer.r : Cleaned with backup (quarantined).
C:\!KillBox\u487sdjkt.exe/kans.reg -> Trojan.LowZones.f : Error during cleaning.
C:\!KillBox\u487sdjkt.exe/kansup.reg -> Trojan.LowZones.f : Error during cleaning.
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\12O2OVO8\gc[1].exe/kans.reg -> Trojan.LowZones.f : Error during cleaning.
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\12O2OVO8\gc[1].exe/kansup.reg -> Trojan.LowZones.f : Error during cleaning.
C:\!KillBox\msguard.exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\12O2OVO8\27054_netapi[1].exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\12O2OVO8\40862_netapi[1].exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\12O2OVO8\63116_netapi[1].exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\12O2OVO8\70375_netapi[1].exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\3DG9GRU0\06243_netapi[1].exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\3DG9GRU0\51681_netapi[1].exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\3DG9GRU0\55062_netapi[1].exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\3DG9GRU0\63016_netapi[1].exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\3DG9GRU0\66377_netapi[1].exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\FLTG4CYR\10602_netapi[1].exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\FLTG4CYR\13614_netapi[1].exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\FLTG4CYR\17312_netapi[1].exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\FLTG4CYR\32508_netapi[1].exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\FLTG4CYR\40753_netapi[1].exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\FLTG4CYR\42187_netapi[1].exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\FLTG4CYR\76173_netapi[1].exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\VOF6NTYL\10201_netapi[1].exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\VOF6NTYL\56785_netapi[1].exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\VOF6NTYL\68133_netapi[1].exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\VOF6NTYL\81288_netapi[1].exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\WINNT\system32\01334_netapi.exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\WINNT\system32\03755_netapi.exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\WINNT\system32\12258_netapi.exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\WINNT\system32\17166_netapi.exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\WINNT\system32\30404_netapi.exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\WINNT\system32\38448_netapi.exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\WINNT\system32\58503_netapi.exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\WINNT\system32\63474_netapi.exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\WINNT\system32\87037_netapi.exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\WINNT\system32\88654_netapi.exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).
C:\WINNT\system32\msguard.exe -> Worm.SpyBot.74 : Cleaned with backup (quarantined).


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 1:13:19 PM, on 9/7/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\NEXSEN~1\Eagleserver.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\locator.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Faamati Winey\Desktop\Downloads\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe asus.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,asus.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {794946BD-E082-4397-8C26-B16769AC67F6} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [Windows firewall manager] msguard.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [Asus MotherBoard Utility] asus.exe
O4 - HKCU\..\RunServices: [Windows firewall manager] msguard.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124304577546
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E724400-D544-4B9D-913B-6ED311EB5F94}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: NexMgrService - NexWatch - C:\PROGRA~1\NEXSEN~1\Eagleserver.exe
O23 - Service: Windows Network Security Management Service (nsms) - Unknown owner - C:\WINNT\system32\62E.tmp (file missing)
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:\WINNT\system32\wgareg.exe (file missing)

#8 Buckeye_Sam (Malware Expert)

Posted 07 September 2006 - 04:52 PM

That's my fault. I forgot to tell you to disable Spybot's TeaTimer.

You must disable Spybot's TeaTimer function before proceeding with this fix. Otherwise it will interfere with HijackThis.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
===========


Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe asus.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,asus.exe
O2 - BHO: (no name) - {794946BD-E082-4397-8C26-B16769AC67F6} - (no file)
O4 - HKLM\..\RunServices: [Windows firewall manager] msguard.exe
O4 - HKCU\..\RunServices: [Asus MotherBoard Utility] asus.exe
O4 - HKCU\..\RunServices: [Windows firewall manager] msguard.exe
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} -
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: Windows Network Security Management Service (nsms) - Unknown owner - C:\WINNT\system32\62E.tmp (file missing)
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:\WINNT\system32\wgareg.exe (file missing)



Reboot and post a new hijackthis log.


========================================================

#9 mawk (Topic Starter)

Posted 11 September 2006 - 10:02 AM

Hi Sam, I had no problems with your last instructions. Thanks. I think I should mention that ewido is now launching on start-up; should I leave that alone or change it also?

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 9:46:56 AM, on 9/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\NEXSEN~1\Eagleserver.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\System32\locator.exe
C:\Documents and Settings\Faamati Winey\Desktop\Downloads\hijack this\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124304577546
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E724400-D544-4B9D-913B-6ED311EB5F94}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: NexMgrService - NexWatch - C:\PROGRA~1\NEXSEN~1\Eagleserver.exe
O23 - Service: Windows Network Security Management Service (nsms) - Unknown owner - C:\WINNT\system32\62E.tmp (file missing)
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:\WINNT\system32\wgareg.exe (file missing)

#10 Buckeye_Sam (Malware Expert)

Posted 11 September 2006 - 08:45 PM

It's not necessary to have Ewido starting on boot up. However, you should have AVG starting automatically and I don't see it there.

Click Start > Run and type these commands, hitting Enter after each one:

sc stop mousebm

sc delete mousebm

sc stop nsms

sc delete nsms

sc stop ssl

sc delete ssl

sc stop wgareg

sc delete wgareg




Reboot and post a new hijackthis log.


========================================================

#11 mawk (Topic Starter)

Posted 12 September 2006 - 12:21 PM

Having a little trouble with this recent step. I get one of those message boxes with a red circle containing a white X saying: "Cannot find the file 'sc'..."

#12 Buckeye_Sam (Malware Expert)

Posted 12 September 2006 - 06:25 PM

My fault; Windows 2000 doesn't have that tool.
Let's do it this way.
  • Click Start -> Run -> (type) services.msc
  • Scroll down and find the service called Mouse Button Monitor
    • When you find it, double-click on it to open up Properties.
    • Click the Stop button (if available).
    • Change the Startup Type to Disabled.
    • Now hit Apply and then Ok.
    • Take the same steps with these other services:
      • Windows Network Security Management Service
      • Microsoft SSL
      • Windows Genuine Advantage Registration Service
    • Close that window.
  • Run Hijackthis and click on Open the Misc Tools section -> Delete an NT Service
  • Copy and paste this into the text box and click OK.

    mousebm
  • Do the same with these:
    • nsms
    • ssl
    • wgareg
  • Close Hijackthis and any other open windows
  • Reboot and post a new hijackthis log.



========================================================
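As an added triage example (my own code, not a tool from this thread or from HijackThis), the script below parses HijackThis v1.99.1 log lines of the kinds fixed in the posts above: it flags F2 Shell/UserInit values that launch an extra executable, O4 RunServices autostarts, and O23 services with an unknown owner or a missing binary, and it returns the short service names that the services.msc and "Delete an NT Service" steps refer to. The sample lines are constructed from entries in this thread; the regexes and the RunServices heuristic are my assumptions about the log format, not part of HijackThis.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis log format, modelled on lines from this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: Shell=Explorer.exe asus.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,asus.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [Windows firewall manager] msguard.exe
O4 - HKCU\..\RunServices: [Asus MotherBoard Utility] asus.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: Mouse Button Monitor (mousebm) - Unknown owner - C:\WINNT\system32\mousebm.exe (file missing)
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
"""


@dataclass
class Finding:
    section: str                   # HijackThis section tag: F2, O4 or O23
    reason: str                    # why the entry was flagged
    line: str                      # the original log line
    service: Optional[str] = None  # short service name, O23 hits only


# Line patterns are my reading of the v1.99.1 output format (assumption).
F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def check_f2(line: str) -> Optional[Finding]:
    """Shell should be explorer.exe alone and UserInit only system32\\userinit.exe;
    every extra entry is started at each logon."""
    m = F2_RE.match(line)
    if not m:
        return None
    key, value = m.group("key"), m.group("value")
    if key == "Shell":
        extra = [t for t in value.split() if t.lower() != "explorer.exe"]
    else:
        entries = [e.strip() for e in value.split(",") if e.strip()]
        extra = [e for e in entries if not e.lower().endswith(r"\system32\userinit.exe")]
    return Finding("F2", f"{key} also launches {', '.join(extra)}", line) if extra else None


def check_o4(line: str) -> Optional[Finding]:
    """RunServices is a Windows 9x-era autostart key; a Windows 2000 install has
    no normal reason to populate it, so any entry there deserves a look."""
    m = O4_RE.match(line)
    if not m or m.group("key").lower() != "runservices":
        return None
    return Finding("O4", f"RunServices autostart [{m.group('name')}] -> {m.group('cmd')}", line)


def check_o23(line: str) -> Optional[Finding]:
    """A service with no identifiable owner, or whose binary is gone from disk
    (left behind after the dropper was removed), is an orphan to stop and delete."""
    m = O23_RE.match(line)
    if not m:
        return None
    reasons = []
    if m.group("owner") == "Unknown owner":
        reasons.append("unknown owner")
    if m.group("missing"):
        reasons.append("binary missing on disk")
    if not reasons:
        return None
    return Finding("O23", "service with " + " and ".join(reasons), line, m.group("short"))


def triage(log_text: str) -> List[Finding]:
    """Run every check over each line; a line yields at most one finding."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in (check_f2, check_o4, check_o23):
            hit = check(line)
            if hit:
                findings.append(hit)
                break
    return findings


def orphaned_service_names(findings: List[Finding]) -> List[str]:
    """Short names of O23 hits whose binary is missing: the names to disable in
    services.msc and remove with HijackThis's 'Delete an NT Service'."""
    return [f.service for f in findings
            if f.section == "O23" and f.service and "missing" in f.reason]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
    print("orphaned services:", orphaned_service_names(found))
```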

#13 mawk

mawk
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:22 AM

Posted 14 September 2006 - 10:12 AM

OK, got that done. All the services on your list were already stopped but the start-up was set to auto; of course I changed those to 'disabled' as you instructed.

Also, I can't figure out how to get AVG to start up automatically (it wasn't running when I ran HijackThis even though I see references to it in the following log). Should I just re-install it?

Here's the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:55:46 AM, on 9/14/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\NEXSEN~1\Eagleserver.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\locator.exe
C:\Documents and Settings\Faamati Winey\Desktop\Downloads\hijack this\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1124304577546
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E724400-D544-4B9D-913B-6ED311EB5F94}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: NexMgrService - NexWatch - C:\PROGRA~1\NEXSEN~1\Eagleserver.exe

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:22 AM

Posted 14 September 2006 - 10:26 AM

It looks like AVG is running OK. I see it in your running processes and the autostart entry (O4 line) is now present, as well as the services. You should be OK here.

In fact, your log looks good now.
Are you having any more problems or issues?


========================================================

#15 mawk

mawk
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:22 AM

Posted 17 September 2006 - 02:37 PM

Thank you very much for all the help; it is greatly appreciated.

If you happen to live in Minnesota (St. Paul area) my wife and I would love to treat you to lunch or dinner.

Mark



