
Help Needed (log included)


14 replies to this topic

#1 shadowzz


Posted 03 December 2006 - 08:08 AM

Lately, I have had this pop-up out of nowhere, and suddenly I got the 888 toolbar, which I believe is very difficult to remove.




Logfile of HijackThis v1.99.1
Scan saved at 8:57:14 PM, on 12/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wtn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\{C02B1680-0535-1033-0728-040218040001}\Update.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Shadow\Desktop\My Item\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maplesea.com.sg/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{302B1~1\888Bar.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{302B1~1\888Bar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [wtn] "C:\WINDOWS\system32\wtn.exe"
O4 - Startup: Singnet Broadband dial.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A8A140E-CC45-4AC4-8AB4-67718D928B00}: NameServer = 165.21.100.88 165.21.83.88
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: bidispl.exe - Unknown owner - C:\WINDOWS\system32\bidispl.exe (file missing)
O23 - Service: certcli.exe - Unknown owner - C:\WINDOWS\system32\certcli.exe (file missing)
O23 - Service: icmp.exe - Unknown owner - C:\WINDOWS\system32\icmp.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: mfc40u.exe - Unknown owner - C:\WINDOWS\system32\mfc40u.exe (file missing)
O23 - Service: miglibnt.exe - Unknown owner - C:\WINDOWS\system32\miglibnt.exe (file missing)
O23 - Service: msieftp.exe - Unknown owner - C:\WINDOWS\system32\msieftp.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfproc.exe - Unknown owner - C:\WINDOWS\system32\perfproc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)



#2 jamielaw


Posted 03 December 2006 - 09:04 AM

Hey shadowzz

Firewall:

Please download one of these free firewalls and install it: either ZoneAlarm or OutPost.

Update Java:

Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses, so I strongly recommend you update. Click here to download the latest version of Java (Java Runtime Environment (JRE) 5.0 Update 10). Please install it and then reboot your computer.

Remove the older versions of Java:
  • Click Start, Control Panel, Add/Remove Programs.
  • Delete all Java updates except J2SE Runtime Environment 5.0 Update 10
Remove the Bad Services:

1. Copy/paste the following text into Notepad and save it as (include the quotes): "FixMe.bat"
rem Stop and then unregister each of the unknown-owner services listed in the log
sc stop bidispl.exe
sc delete bidispl.exe
sc stop certcli.exe
sc delete certcli.exe
sc stop icmp.exe
sc delete icmp.exe
sc stop mfc40u.exe
sc delete mfc40u.exe
sc stop miglibnt.exe
sc delete miglibnt.exe
sc stop msieftp.exe
sc delete msieftp.exe
sc stop perfproc.exe
sc delete perfproc.exe
rem Remove this batch file once the services are gone
del FixMe.bat
2. Double-click FixMe.bat.
3. You have now removed the bad service/s.

Fix the HJT entries:
  • Open HijackThis and select the DO A SYSTEM SCAN ONLY option.
  • Place a check next to the following items:

    O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{302B1~1\888Bar.dll
    O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{302B1~1\888Bar.dll
    O23 - Service: bidispl.exe - Unknown owner - C:\WINDOWS\system32\bidispl.exe (file missing)
    O23 - Service: certcli.exe - Unknown owner - C:\WINDOWS\system32\certcli.exe (file missing)
    O23 - Service: icmp.exe - Unknown owner - C:\WINDOWS\system32\icmp.exe
    O23 - Service: mfc40u.exe - Unknown owner - C:\WINDOWS\system32\mfc40u.exe (file missing)
    O23 - Service: miglibnt.exe - Unknown owner - C:\WINDOWS\system32\miglibnt.exe (file missing)
    O23 - Service: msieftp.exe - Unknown owner - C:\WINDOWS\system32\msieftp.exe (file missing)
    O23 - Service: perfproc.exe - Unknown owner - C:\WINDOWS\system32\perfproc.exe
  • Close all open browsers and windows, except HijackThis. Then select Fix checked. Now close HJT.
Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\PROGRA~1\COMMON~1\{302B1~1
    C:\WINDOWS\system32\bidispl.exe
    C:\WINDOWS\system32\certcli.exe
    C:\WINDOWS\system32\icmp.exe
    C:\WINDOWS\system32\mfc40u.exe
    C:\WINDOWS\system32\miglibnt.exe
    C:\WINDOWS\system32\msieftp.exe
    C:\WINDOWS\system32\perfproc.exe


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

VirusTotal:

1. Go to this website: www.virustotal.com
2. Upload this file by copy/pasting it in to the file box: C:\WINDOWS\system32\wtn.exe
3. Submit the file and copy/paste the results back into this thread.

Uninstall List:

1. Open Hijackthis and select: Open the Misc Tools section.
2. Then choose: Open Uninstall Manager and click Save List.
3. Save the list to your computer.
4. Then copy the contents of the list back to this thread in your next reply.

Please can you include the following logs in your next reply - they may need separate posts to stop them getting cut off:

VirusTotal Results
Uninstall List
A new Hijackthis log


"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.

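As an added example (not part of the thread, and not HijackThis's or the helper's own code), here is a small Python triage script for HijackThis v1.99.1 log lines that flags the patterns jamielaw acted on above: O23 services named after a bare .exe with no vendor, service binaries reported missing, orphaned toolbar CLSIDs, per-user Run entries launched from system32, and components sitting under a GUID-named folder. The sample lines are constructed from the log quoted in this thread; the heuristics, the `(file missing)` quoting caveat and the `Finding` type are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines taken from the HijackThis log quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{302B1~1\888Bar.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [wtn] "C:\WINDOWS\system32\wtn.exe"
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: bidispl.exe - Unknown owner - C:\WINDOWS\system32\bidispl.exe (file missing)
O23 - Service: icmp.exe - Unknown owner - C:\WINDOWS\system32\icmp.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# Line shapes of HijackThis v1.99.1 for the sections this script looks at.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O2O3_RE = re.compile(r"^(?P<sec>O2|O3) - (?:BHO|Toolbar): (?P<name>.+?) - "
                     r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
BARE_EXE_RE = re.compile(r"^[A-Za-z0-9_.-]+\.exe$", re.IGNORECASE)
GUID_DIR_RE = re.compile(r"\\\{[0-9A-Fa-f~-]")  # a component such as \{302B1~1 or \{302B1680-...}
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Finding:          # assumed type: one flagged log line plus why it was flagged
    line: str
    reasons: list = field(default_factory=list)


def _first_token(cmd):
    """Executable part of a Run value: the quoted path, or the first whitespace-delimited word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def triage(log_text):
    """Return one Finding per log line that matches at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        if m := O23_RE.match(line):
            name, owner, path = m.group("name", "owner", "path")
            if BARE_EXE_RE.match(name) and owner == "Unknown owner":
                reasons.append("service named after a bare .exe with no vendor")
            # HJT 1.99.1 also prints '(file missing)' for quoted command lines with arguments
            # (the stray '"' in the path gives it away), so only trust the marker on plain paths.
            if path.endswith("(file missing)") and '"' not in path:
                reasons.append("service binary not on disk")
        elif m := O2O3_RE.match(line):
            path = m.group("path")
            if path == "(no file)":
                reasons.append("orphaned BHO/toolbar CLSID with no file behind it")
            elif GUID_DIR_RE.search(path):
                reasons.append("component loaded from a GUID-named folder (review manually)")
        elif m := O4_RE.match(line):
            exe = _first_token(m.group("cmd")).lower()
            # A per-user autorun launching a binary dropped straight into system32 is the
            # wtn.exe pattern from this thread: a candidate for a VirusTotal check.
            if m.group("hive") == "HKCU" and exe.startswith(SYSTEM32):
                reasons.append("per-user Run entry launching a binary from system32")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def flagged_services(log_text):
    """Names of flagged O23 services. Without a '(short name)' suffix HJT shows the
    service name itself, which is the handle 'sc' needs."""
    names = []
    for f in triage(log_text):
        m = O23_RE.match(f.line)
        if m:
            names.append(m.group("name"))
    return names


def service_removal_script(service_names):
    """The sc stop / sc delete pairs the helper's FixMe.bat used, one pair per service."""
    lines = []
    for name in service_names:
        lines.append(f"sc stop {name}")
        lines.append(f"sc delete {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
    print(service_removal_script(flagged_services(SAMPLE_LOG)))
```

Run against the sample, it flags exactly the two bare-.exe services plus the 888Bar BHO, the orphaned toolbar and the wtn Run entry, and leaves the avast!, InCD and WinPcap services alone.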

#3 shadowzz


Posted 03 December 2006 - 09:41 AM

Fix the HJT entries:
  • Open HijackThis and select the DO A SYSTEM SCAN ONLY option.
  • Place a check next to the following items:

    O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{302B1~1\888Bar.dll
    O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{302B1~1\888Bar.dll
    O23 - Service: bidispl.exe - Unknown owner - C:\WINDOWS\system32\bidispl.exe (file missing)
    O23 - Service: certcli.exe - Unknown owner - C:\WINDOWS\system32\certcli.exe (file missing)
    O23 - Service: icmp.exe - Unknown owner - C:\WINDOWS\system32\icmp.exe
    O23 - Service: mfc40u.exe - Unknown owner - C:\WINDOWS\system32\mfc40u.exe (file missing)
    O23 - Service: miglibnt.exe - Unknown owner - C:\WINDOWS\system32\miglibnt.exe (file missing)
    O23 - Service: msieftp.exe - Unknown owner - C:\WINDOWS\system32\msieftp.exe (file missing)
    O23 - Service: perfproc.exe - Unknown owner - C:\WINDOWS\system32\perfproc.exe

  • Close all open browsers and windows, except HijackThis. Then select Fix checked. Now close HJT.




There are some I can't seem to find during my scan with HijackThis.
So do I need to fix only those I can find?

#4 shadowzz


Posted 03 December 2006 - 09:50 AM

This is the result from VirusTotal:



Complete scanning result of "wtn.exe", received in VirusTotal at 12.03.2006, 15:44:41 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.46 12.02.2006 no virus found
Authentium 4.93.8 12.01.2006 no virus found
Avast 4.7.892.0 12.01.2006 no virus found
AVG 386 12.02.2006 no virus found
BitDefender 7.2 12.02.2006 no virus found
CAT-QuickHeal 8.00 12.03.2006 no virus found
ClamAV devel-20060426 12.03.2006 no virus found
DrWeb 4.33 12.03.2006 no virus found
eSafe 7.0.14.0 12.03.2006 no virus found
eTrust-InoculateIT 23.73.74 12.02.2006 no virus found
eTrust-Vet 30.3.3225 12.01.2006 no virus found
Ewido 4.0 12.02.2006 no virus found
Fortinet 2.82.0.0 12.03.2006 suspicious
F-Prot 3.16f 12.01.2006 no virus found
F-Prot4 4.2.1.29 12.01.2006 no virus found
Ikarus 0.2.65.0 12.01.2006 no virus found
Kaspersky 4.0.2.24 12.03.2006 no virus found
McAfee 4909 12.01.2006 no virus found
Microsoft 1.1804 12.03.2006 no virus found
NOD32v2 1897 12.02.2006 a variant of Win32/Agent.UY
Norman 5.80.02 12.01.2006 no virus found
Panda 9.0.0.4 12.02.2006 Suspicious file
Prevx1 V2 12.03.2006 no virus found
Sophos 4.12.0 12.02.2006 Troj/Mondo-Gen
Sunbelt 2.2.907.0 11.30.2006 no virus found
TheHacker 6.0.3.127 12.01.2006 no virus found
UNA 1.83 12.01.2006 no virus found
VBA32 3.11.1 12.03.2006 suspected of Trojan-Downloader.IstBar.15
VirusBuster 4.3.15:9 12.02.2006 no virus found

Aditional Information
File size: 81949 bytes
MD5: 655a1d9e23743715eea23aef7147c9a3
SHA1: d3fc254de07023aa8ff84a0960d71c7b9a7fdf4d

#5 shadowzz


Posted 03 December 2006 - 09:52 AM

Uninstall list:


Adobe Reader 7.0.5
a-squared Free 2.0
avast! Antivirus
BitComet 0.70
CCleaner (remove only)
Dr SpeedTouch
DSS Client 1.12a
Fraps
Hamachi 0.9.9.9
HijackThis 1.99.1
IpWins
J2SE Runtime Environment 5.0 Update 10
MapleStory
Microsoft Office Professional Edition 2003
Mozilla Firefox (1.5)
Nero Suite
NVIDIA Drivers
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Sierra Utilities
SpeedTouch USB
SpeedTouch USB Software
Sqirlz Water Reflections
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
VIA Platform Device Manager
VIA Rhine-Family Fast Ethernet Adapter
VideoLAN VLC media player 0.8.5
Visualboy Advance 1.6a
WC3Banlist
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Safety Scanner
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinPcap 3.1
WinRAR archiver
WinZip
Yahoo! Toolbar
ZoneAlarm

#6 shadowzz


Posted 03 December 2006 - 09:58 AM

Okay, I managed to fix these two; the others I can't seem to find:
O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{302B1~1\888Bar.dll
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{302B1~1\888Bar.dll




Okay, then this is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:53:36 PM, on 12/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Common Files\{C02B1680-0535-1033-0728-040218040001}\Update.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\system32\wtn.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Shadow\Desktop\My Item\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maplesea.com.sg/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [wtn] "C:\WINDOWS\system32\wtn.exe"
O4 - Startup: Singnet Broadband dial.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A8A140E-CC45-4AC4-8AB4-67718D928B00}: NameServer = 165.21.100.88 165.21.83.88
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: tlntsvrp.exe - Unknown owner - C:\WINDOWS\system32\tlntsvrp.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#7 shadowzz


Posted 03 December 2006 - 09:59 AM

Oh, by the way, thanks a lot for helping me.

#8 shadowzz


Posted 03 December 2006 - 10:29 AM

Am I doing all right?

#9 jamielaw


Posted 03 December 2006 - 10:31 AM

Hey shadowzz

Submit Files:

You have a file (or files) of interest to us. It would help the detection rates of the tools we use if we could get hold of samples of these infections.

1. Go to this website: http://www.bleepingcomputer.com/submit-malware.php?channel=15
2. Copy/paste this into the 'Link to Topic' box: http://www.bleepingcomputer.com/forums/t/74139/help-neededlog-inculded/
3. Copy/paste this into the 'Browse for File' box: C:\WINDOWS\system32\wtn.exe
4. Let me know whether it was successful or not.

Uninstall Bad Programs:

1. Click Start >> Control Panel >> Add/Remove Programs
2. Select each of these programs, click Remove and follow the prompts to uninstall them:

BitComet 0.70
IpWins


ComboFix:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running! That may cause it to stall.


Please can you include the following logs in your next reply - they may need separate posts to stop them getting cut off:

ComboFix
A new Hijackthis log


#10 shadowzz


Posted 03 December 2006 - 10:42 AM

The file was sent successfully.


Next is the ComboFix log:

Shadow - 06-12-03 23:34:51.26 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Shadow\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Inetget2
C:\Program Files\Ipwins
C:\Program Files\Common Files\{302B1680-0535-1033-0728-040218040001}
C:\Program Files\Common Files\{C02B1680-0535-1033-0728-040218040001}


((((((((((((((((((((((((((((((( Files Created from 2006-11-03 to 2006-12-03 ))))))))))))))))))))))))))))))))))


2006-12-03 22:39 <DIR> d-------- C:\!KillBox
2006-12-03 22:15 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2006-12-03 22:14 <DIR> d-------- C:\WINDOWS\Internet Logs
2006-12-03 21:49 17,920 --a------ C:\Documents and Settings\Shadow\PACP.exe
2006-12-03 21:12 <DIR> dr-h----- C:\Documents and Settings\Shadow\Recent
2006-12-03 20:03 17,920 --a------ C:\Documents and Settings\Shadow\AMIS.exe
2006-12-03 20:02 17,920 --a------ C:\Documents and Settings\Shadow\FRTS.exe
2006-12-03 19:47 <DIR> d-------- C:\Program Files\Yahoo!
2006-12-03 19:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2006-12-03 15:26 17,920 --a------ C:\Documents and Settings\Shadow\BFOT.exe
2006-12-03 15:25 17,920 --a------ C:\Documents and Settings\Shadow\HIFK.exe
2006-12-03 14:22 17,920 --a------ C:\Documents and Settings\Shadow\PCHL.exe
2006-12-03 14:06 17,920 --a------ C:\Documents and Settings\Shadow\MOFM.exe
2006-12-03 14:00 17,920 --a------ C:\Documents and Settings\Shadow\KNRG.exe
2006-12-03 13:56 17,920 --a------ C:\Documents and Settings\Shadow\QKLD.exe
2006-12-03 13:53 17,920 --a------ C:\Documents and Settings\Shadow\UAGM.exe
2006-12-03 12:31 17,920 --a------ C:\Documents and Settings\Shadow\HNTI.exe
2006-12-03 00:51 17,920 --a------ C:\Documents and Settings\Shadow\QINH.exe
2006-12-03 00:25 17,920 --a------ C:\Documents and Settings\Shadow\OAEQ.exe
2006-12-03 00:24 17,920 --a------ C:\Documents and Settings\Shadow\LTKJ.exe
2006-12-02 10:39 17,920 --a------ C:\Documents and Settings\Shadow\TEHE.exe
2006-12-02 10:39 17,920 --a------ C:\Documents and Settings\Shadow\RBTJ.exe
2006-12-02 10:39 17,920 --a------ C:\Documents and Settings\Shadow\IBTU.exe
2006-12-02 10:32 17,920 --a------ C:\Documents and Settings\Shadow\NLJF.exe
2006-12-02 10:29 17,920 --a------ C:\Documents and Settings\Shadow\FKCH.exe
2006-12-02 10:24 17,920 --a------ C:\Documents and Settings\Shadow\IFOP.exe
2006-12-01 22:18 18,432 --a------ C:\Documents and Settings\Shadow\UPTC.exe
2006-12-01 22:16 6 --a------ C:\WINDOWS\system32\01-12-22.exe
2006-12-01 22:16 18,432 --a------ C:\Documents and Settings\Shadow\GGDQ.exe
2006-12-01 21:46 18,432 --a------ C:\Documents and Settings\Shadow\IIUH.exe
2006-12-01 21:41 6 --a------ C:\WINDOWS\system32\01-12-21.exe
2006-12-01 21:41 18,432 --a------ C:\Documents and Settings\Shadow\EILJ.exe
2006-12-01 11:44 18,432 --a------ C:\Documents and Settings\Shadow\EMDR.exe
2006-12-01 11:41 6 --a------ C:\WINDOWS\system32\01-12-11.exe
2006-12-01 11:41 18,432 --a------ C:\Documents and Settings\Shadow\SJIO.exe
2006-12-01 11:41 18,432 --a------ C:\Documents and Settings\Shadow\FQLJ.exe
2006-11-30 23:35 18,432 --a------ C:\WINDOWS\system32\SKKS.exe
2006-11-30 23:35 18,432 --a------ C:\WINDOWS\system32\OOGO.exe
2006-11-30 23:35 18,432 --a------ C:\WINDOWS\system32\HDFM.exe
2006-11-30 23:19 18,432 --a------ C:\WINDOWS\system32\EKFO.exe
2006-11-30 23:15 18,432 --a------ C:\WINDOWS\system32\OMHU.exe
2006-11-30 23:15 18,432 --a------ C:\WINDOWS\system32\LSBT.exe
2006-11-30 23:08 18,432 --a------ C:\WINDOWS\system32\LABHK.exe
2006-11-30 23:08 138,565 --a------ C:\WINDOWS\system32\install.exe
2006-11-30 23:07 81,949 --a------ C:\WINDOWS\system32\wtn.exe
2006-11-30 23:07 6 --a------ C:\WINDOWS\system32\30-11-23.exe
2006-11-30 23:07 28,672 --a------ C:\WINDOWS\system32\vv815.exe
2006-11-30 23:07 18,432 --a------ C:\WINDOWS\system32\12.exeEILAJ.exe
2006-11-30 23:07 18,432 --a------ C:\WINDOWS\system32\12.exe
2006-11-30 23:07 <DIR> d-------- C:\youtube-download
2006-11-22 17:42 <DIR> d-------- C:\Documents and Settings\Shadow\Application Data\vlc
2006-11-21 21:16 40,960 --a------ C:\WINDOWS\system32\SSubTmr6.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-03 23:36 -------- d-------- C:\Program Files\Common Files
2006-12-03 22:33 -------- d-------- C:\Program Files\Java
2006-10-08 13:46 -------- d-------- C:\Program Files\Common Files\Real
2006-10-08 13:46 -------- d-------- C:\Documents and Settings\Shadow\Application Data\Real
2006-10-05 10:47 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-03 12:40 -------- d-------- C:\Program Files\Google
2006-09-27 09:25 160016 --a------ C:\WINDOWS\Sqirlz Water Reflections Uninstaller.exe
2006-09-25 23:45 666240 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-09-25 23:37 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2006-09-15 15:59 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"STManager"="\"C:\\Program Files\\SpeedTouch\\Dr SpeedTouch\\drst.exe\" -b"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"wtn"="\"C:\\WINDOWS\\system32\\wtn.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"Zone Labs Client"="\"D:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-12-03 23:37:04.95
C:\ComboFix.txt ... 06-12-03 23:37

#11 shadowzz

shadowzz
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:06:39 PM

Posted 03 December 2006 - 10:44 AM

Okay, the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:40:36 PM, on 12/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\system32\wtn.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Shadow\Desktop\My Item\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maplesea.com.sg/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [wtn] "C:\WINDOWS\system32\wtn.exe"
O4 - Startup: Singnet Broadband dial.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A8A140E-CC45-4AC4-8AB4-67718D928B00}: NameServer = 165.21.100.88 165.21.83.88
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: tlntsvrp.exe - Unknown owner - C:\WINDOWS\system32\tlntsvrp.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Is everything fine now?
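The O4 (autostart) and O23 (service) lines in a HijackThis log like the one above are what a helper reads first when deciding which files to ask for. The Python script below is an added example, not code from this thread or from HijackThis: it parses a handful of those lines (copied from the log above as constructed sample input) and applies three defender-side heuristics that are my own, not HijackThis's: a Run entry whose executable has a short or all-digit name sitting directly in system32 (like wtn.exe), a service whose image is reported as "(file missing)" or has an unknown owner, and a Startup shortcut whose target could not be resolved ("= ?"). A flag is a prompt to look closer, not a verdict.

```python
"""Triage of HijackThis O4 (autostart) and O23 (service) lines.

Added example. The sample lines are copied from the log posted above; the
scoring rules are hypothetical heuristics, not anything HijackThis computes.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: six O4/O23 lines taken from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [wtn] "C:\WINDOWS\system32\wtn.exe"
O4 - Startup: Singnet Broadband dial.lnk = ?
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: tlntsvrp.exe - Unknown owner - C:\WINDOWS\system32\tlntsvrp.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
""".strip()

O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?P<rest>.*)$")
O4_REG_RE = re.compile(r"^\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
# First drive-letter path ending in a PE-ish extension, with or without quotes.
IMAGE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|com))', re.IGNORECASE)
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Finding:
    kind: str                      # "O4" or "O23"
    name: str                      # Run value name, shortcut name or service display name
    image: str                     # executable path as written in the log ("" if none)
    flags: list = field(default_factory=list)


def image_path(cmd: str) -> str:
    """Pull the executable path out of a command line or service image string."""
    m = IMAGE_RE.search(cmd)
    return m.group("path") if m else ""


def triage_line(line: str):
    """Parse one HijackThis line; return a Finding, or None for other sections."""
    if m := O4_RE.match(line):
        rest = m.group("rest")
        if reg := O4_REG_RE.match(rest):           # registry Run value: [name] command
            f = Finding("O4", reg.group("name"), image_path(reg.group("cmd")))
        else:                                      # Startup-folder shortcut: name.lnk = target
            name, _, target = rest.partition(" = ")
            f = Finding("O4", name, image_path(target))
            if target.strip() == "?":
                f.flags.append("unresolved_shortcut")
    elif m := O23_RE.match(line):
        f = Finding("O23", m.group("name"), image_path(m.group("cmd")))
        if m.group("owner") == "Unknown owner":
            f.flags.append("unknown_owner")
    else:
        return None
    if "(file missing)" in line:
        f.flags.append("file_missing")
    low = f.image.lower()
    if low.startswith(SYSTEM32):
        stem = low[len(SYSTEM32):].rsplit(".", 1)[0]
        # Heuristic: three-or-fewer-letter or all-digit names directly in system32
        # (wtn.exe, 12.exe) deserve a second look; vendor binaries there rarely look like that.
        if "\\" not in stem and (len(stem) <= 3 or stem.isdigit()):
            f.flags.append("short_name_in_system32")
    return f


def triage(log_text: str):
    """Return only the entries that raised at least one flag, in log order."""
    out = []
    for line in log_text.splitlines():
        f = triage_line(line.strip())
        if f and f.flags:
            out.append(f)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:3} {f.name:30} {f.image:50} {','.join(f.flags)}")
```

Run as a script it prints the four flagged entries with the reason beside each. Note that `unknown_owner` fires on the legitimate avast! service as well, which is exactly why the output lists the reason and leaves the call to the analyst rather than deleting anything.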

#12 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  • Local time:11:39 AM

Posted 03 December 2006 - 11:01 AM

Hey shadowzz

Please go here to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\Documents and Settings\Shadow\PACP.exe
  • Browse for this filename: C:\Documents and Settings\Shadow\UPTC.exe
  • Browse for this filename: C:\WINDOWS\system32\01-12-22.exe
  • Browse for this filename: C:\WINDOWS\system32\wtn.exe
  • Browse for this filename: C:\WINDOWS\system32\install.exe
  • Browse for this filename: C:\WINDOWS\system32\12.exe
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File
Thanks :thumbsup:

Edited by jamielaw, 03 December 2006 - 11:02 AM.

My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.


#13 shadowzz

shadowzz
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:06:39 PM

Posted 03 December 2006 - 11:03 AM

No problem,
I sent the files already.

#14 jamielaw

jamielaw

    Malware Ass-Kicker!


  • Members
  • 878 posts
  • OFFLINE
  • Local time:11:39 AM

Posted 03 December 2006 - 11:06 AM

Hey shadowzz

Dr.Web CureIt

  • Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Reboot your computer in safe mode by pressing F8 continually whilst your computer starts up.
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found: Posted Image
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! Files in use may be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Right-click the Desktop and select New --> Folder --> name it SysClean.
  • Download the Sysclean Package to the folder you made.
  • Next, download the Virus Pattern Files (Official Pattern Release) to your desktop from Here.
  • Right-click and select Extract All to unzip the folder.
  • Now, from the unzipped folder, move the lpt$vpn.XXX file to the SysClean folder.
  • Restart in SAFE MODE (tap F8 when restarting).
  • Open the SysClean folder and double-click sysclean.com.
  • Be sure "Automatically clean or delete detected files" is checked.
  • Click the Scan button to begin; please be patient, it will take a little bit to finish.
  • Once complete, verify the log from the scan (SYSCLEAN.LOG) is in the SysClean folder and restart back to Normal Mode.
  • Copy and paste those results in the next reply.
Tutorial from Trend
http://esupport.trendmicro.com/support/vie...entID=en-125991

BitDefender Online Scan:

Please run BitDefender:
  • Read the EULA and click 'I agree' if you wish to proceed with the scan.
  • When prompted for the install and run, click 'yes'.
  • Choose your country and click 'ok'.
  • Place a 'check' in all boxes under Scan Options.
  • Place a check in 'My Computer' under Target Selection.
  • Click 'start scanning' to begin.
  • Save the log file for posting back here.

This could be a long scan, so do it when you have at least an hour or two free.
***Edit***

I replaced the last scanner with BitDefender; it should get rid of some of the baddies.

Edited by jamielaw, 03 December 2006 - 11:10 AM.

My Website!

"The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy." - Martin Luther King, Jr.


#15 shadowzz

shadowzz
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:06:39 PM

Posted 03 December 2006 - 11:40 AM

Sorry, it's late here, so I shall continue tomorrow.



