
System Shutdown, Smitfraud Infection Help.


This topic is locked
14 replies to this topic

#1 Spazmunt


Posted 08 February 2007 - 09:25 PM

So every time I start up the computer and log in it has the System Shutdown in 60 seconds thingy. I learnt how to stop that while I'm on, but next time I start up it happens again. I tried to use Spybot and it says it can't get rid of C:\WINDOWS\system32\rpcc.dll.
If someone could please help me that would be great.
Cheers.

Logfile of HijackThis v1.99.1
Scan saved at 3:16:56 p.m., on 9/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\v6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ZyDAS\ZD1211 802.11g Utility\ZDWlan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mozilla.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: ZDWlan.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: StXfflAdpvDOithoV - {2469EDB8-8EC3-4712-7490-70F05BCAF9AE} - C:\WINDOWS\system32\gc.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
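The HijackThis log above mixes a running-process list with one line per autostart entry, and a reviewer's first question is usually which Run entries point at something that is actually alive and which do not (for instance the `cmd32.exe` Run value, whose target is absent from the process list). The script below is an added example, not a tool from the thread or from HijackThis itself: it parses the O4 Run entries, resolves each to its executable, cross-checks them against the "Running processes" block, and lists entries HijackThis annotates "(file missing)". The embedded sample log is a constructed subset in the same format as the posted log.

```python
"""Added example: structured triage of a HijackThis log.

Assumptions: the log uses HijackThis v1.99-style lines ("Running processes:"
followed by one path per line, then "O4 - HKLM\..\Run: [name] command").
SAMPLE_LOG is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\v6.exe
C:\WINDOWS\system32\ctfmon.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mozilla.com/
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O21 - SSODL: StXfflAdpvDOithoV - {2469EDB8-8EC3-4712-7490-70F05BCAF9AE} - C:\WINDOWS\system32\gc.dll (file missing)
"""

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
# Command line forms: "quoted path" args   |   unquoted path args
QUOTED_RE = re.compile(r'^"([^"]+)"\s*(.*)$')
UNQUOTED_RE = re.compile(r"^(.+?\.(?:exe|dll|com|bat|scr))(?:\s+(.*))?$", re.IGNORECASE)


@dataclass(frozen=True)
class Autorun:
    hive: str
    name: str
    exe: str
    args: str
    running: bool  # executable path seen in the "Running processes" block


def split_command(cmd: str):
    """Return (executable path, arguments) for a Run value's command line."""
    m = QUOTED_RE.match(cmd) or UNQUOTED_RE.match(cmd)
    if not m:
        return cmd.strip(), ""
    return m.group(1).strip(), (m.group(2) or "").strip()


def parse_hijackthis(text: str) -> Dict[str, object]:
    """Collect running processes (lower-cased), O4 Run entries and '(file missing)' lines."""
    processes = set()
    autoruns: List[Autorun] = []
    missing: List[str] = []
    in_proc = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_proc = True
            continue
        if in_proc:
            if not line:          # blank line ends the process block
                in_proc = False
            else:
                processes.add(line.lower())
            continue
        if "(file missing)" in line:
            missing.append(line)
        m = O4_RE.match(line)
        if m:
            exe, args = split_command(m.group(3))
            autoruns.append(Autorun(m.group(1), m.group(2), exe, args, exe.lower() in processes))
    return {"processes": processes, "autoruns": autoruns, "missing": missing}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(text: str) -> Dict[str, List[str]]:
    """Which Run targets were alive at scan time, which were not, and what is missing."""
    parsed = parse_hijackthis(text)
    autoruns: List[Autorun] = parsed["autoruns"]  # type: ignore[assignment]
    return {
        "running": sorted(basename(a.exe) for a in autoruns if a.running),
        "not_running": sorted(basename(a.exe) for a in autoruns if not a.running),
        "file_missing": list(parsed["missing"]),  # type: ignore[arg-type]
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A Run target that is registered but not running is not proof of anything by itself (qttask.exe is a legitimate example in the sample), but it separates the entries worth a second look from those already accounted for, and the "(file missing)" list surfaces orphaned loaders such as the O21 SSODL entry in the posted log.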


#2 RichieUK


Posted 09 February 2007 - 03:46 AM

Welcome to Bleeping Computer Spazmunt :thumbsup:

Warning:
If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

OK, now you know the score, let's make a start :flowers:

Download Killbox by Option^Explicit:
http://www.killbox.net/downloads/KillBox.exe
Save it to your desktop.
Please double-click Killbox.exe to run it.
Select: 'Delete on Reboot'.
Then Click on the 'All Files' button.
Please copy ALL the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\v6.exe
C:\WINDOWS\system32\rpcc.dll


Return to Killbox, go to the File menu, and choose 'Paste from Clipboard'.
Click the red-and-white Delete File button.
Click 'Yes' at the 'Delete on Reboot' prompt.
Click OK at any 'PendingFileRenameOperations' prompt.
If your computer does not restart automatically, please restart it manually.

=====================

Download NGenFix:
http://download.norman.no/public/NGenFix.exe
Disconnect from the internet, close any running programs.
Disable your current antivirus program (don't forget to re-enable it once this scan has finished).
Double click on the NGenFix icon on your desktop.
There's no need to change any of the preconfigured scan selections in the top window [Scan areas].
Click on the 'Start scan' button.
Allow the scan to run until it's finished; don't cancel it, your pc will reboot if you do.
Restart your pc when it's finished.

=====================

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

====================

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a log.
Post the C:\ComboFix.txt in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Reboot, post the DrWeb.csv report, the C:\ComboFix.txt, and a new HijackThis log into your next reply.
Let me know what's happening now please.

Edited by RichieUK, 09 February 2007 - 04:17 AM.


#3 Spazmunt


Posted 09 February 2007 - 05:49 PM

Hey there man, thanks so much for the help but..
When trying to open KillBox it gives me the following error:

Component 'MSCOMCTL.OCX' or one of its dependencies not correctly registered: a file is missing or invalid

#4 RichieUK


Posted 09 February 2007 - 05:57 PM

Download mscomctl.ocx to your 'System32' folder, then reboot your pc, then try Killbox again: http://www.boletrice.com/downloads/mscomctl.ocx

#5 Spazmunt


Posted 09 February 2007 - 08:11 PM

drweb report:

cmd32.exe;c:\windows\system32;Trojan.DownLoader.15527;Deleted.;
svchost.exe;C:\;Trojan.DownLoader.18125;Deleted.;
v6.exe;C:\!KillBox;Trojan.DownLoader.18357;Incurable.Moved.;
20.tmp;C:\Documents and Settings\Administrator\Local Settings\Temp;Trojan.Spambot;Deleted.;
x1001.exe;C:\Documents and Settings\Administrator\Local Settings\Temp;Trojan.DownLoader.18357;Incurable.Moved.;
A0002886.exe;C:\System Volume Information\_restore{5D7AE2AB-9598-45B6-97D7-5F5502DFFC9C}\RP24;Trojan.DownLoader.18477;Deleted.;
A0002942.exe;C:\System Volume Information\_restore{5D7AE2AB-9598-45B6-97D7-5F5502DFFC9C}\RP24;Trojan.DownLoader.18357;Incurable.Moved.;
A0002943.dll;C:\System Volume Information\_restore{5D7AE2AB-9598-45B6-97D7-5F5502DFFC9C}\RP24;Trojan.Spambot;Deleted.;
A0003993.exe;C:\System Volume Information\_restore{5D7AE2AB-9598-45B6-97D7-5F5502DFFC9C}\RP25;Trojan.DownLoader.15527;Deleted.;
A0003994.exe;C:\System Volume Information\_restore{5D7AE2AB-9598-45B6-97D7-5F5502DFFC9C}\RP25;Trojan.DownLoader.18125;Deleted.;
A0003995.exe;C:\System Volume Information\_restore{5D7AE2AB-9598-45B6-97D7-5F5502DFFC9C}\RP25;Trojan.DownLoader.18357;Incurable.Moved.;
10127862ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
10453292ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
12559932ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
1432352ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
14474062ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
15404992ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
16246832ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
16451092ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
17247312ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
17437342ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
17478812ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
1757172ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
2153652ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
2186472ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
2216812ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
2361632ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
24597702ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
2548592ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
2551192ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
27493972ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
2888222ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
30355672ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
31314622ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
32135882ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
3386672ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
3444832ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
3458872ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
35472982ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
36133952ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
36304572ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
3648862ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
37129532ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
373402ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
37538752ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
3817152ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
3938512ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
42111502ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
4219332ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
43157122ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
4511732ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
45248022ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
47555622ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
48161182ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
4901302ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
5059012ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
55238192ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
55347632ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
56365612ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
5637172ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
56586112ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
57188472ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
57415462ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
5874292ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
815362ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
9298582ld.exe;C:\WINDOWS\system32;Trojan.Spambot;Deleted.;
v170n[1].exe;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\HIYWUSTI;Trojan.Spambot;Deleted.;
nldr[1].exe;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RHAVPJFF;Trojan.DownLoader.18478;Deleted.;
msits[1].exe;C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Z8B21GRY;Trojan.DownLoader.15527;Deleted.;
B.tmp;C:\WINDOWS\Temp;Trojan.DownLoader.15527;Deleted.;
E.tmp;C:\WINDOWS\Temp;Trojan.Spambot;Deleted.;


combofix report:

"Administrator" - 07-02-10 14:13:24 Service Pack 2
ComboFix 07-02-08.2 - Running from: "C:\Documents and Settings\Administrator\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\ws386.ini


((((((((((((((((((((((((((((((( Files Created from 2007-01-10 to 2007-02-10 ))))))))))))))))))))))))))))))))))


2007-02-10 13:08 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-02-10 12:57 90,112 --a------ C:\WINDOWS\system32\CNMCP47.exe
2007-02-10 12:57 8,704 --a------ C:\WINDOWS\system32\CNMVS47.DLL
2007-02-10 12:57 140,288 --a------ C:\WINDOWS\system32\CNMLM47.DLL
2007-02-10 12:57 <DIR> d--h----- C:\DOCUME~1\ALLUSE~1\Application Data\CanonBJ
2007-02-10 12:52 <DIR> d-------- C:\Temp
2007-02-10 12:47 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-02-10 12:13 30,720 --a------ C:\WINDOWS\system32\13227422ld.exe
2007-02-10 12:13 <DIR> d-------- C:\!KillBox
2007-02-10 11:43 0 --a------ C:\WINDOWS\system32\z16.exe
2007-02-10 11:43 0 --a------ C:\WINDOWS\system32\z15.exe
2007-02-10 11:43 0 --a------ C:\WINDOWS\system32\z14.exe
2007-02-10 11:43 0 --a------ C:\WINDOWS\system32\z13.exe
2007-02-10 11:43 0 --a------ C:\WINDOWS\system32\z12.exe
2007-02-10 11:43 0 --a------ C:\WINDOWS\system32\z11.exe
2007-02-10 11:37 30,720 --a------ C:\WINDOWS\system32\37124072ld.exe
2007-02-09 18:55 30,720 --a------ C:\WINDOWS\system32\5539232ld.exe
2007-02-09 18:34 30,720 --a------ C:\WINDOWS\system32\34527612ld.exe
2007-02-09 18:14 30,720 --a------ C:\WINDOWS\system32\14353512ld.exe
2007-02-09 17:54 30,720 --a------ C:\WINDOWS\system32\54288462ld.exe
2007-02-09 17:34 30,720 --a------ C:\WINDOWS\system32\34209392ld.exe
2007-02-09 17:14 30,720 --a------ C:\WINDOWS\system32\14121112ld.exe
2007-02-09 16:54 30,720 --a------ C:\WINDOWS\system32\5417512ld.exe
2007-02-09 16:33 30,720 --a------ C:\WINDOWS\system32\33486162ld.exe
2007-02-09 16:13 30,720 --a------ C:\WINDOWS\system32\13414502ld.exe
2007-02-09 15:53 30,720 --a------ C:\WINDOWS\system32\53336642ld.exe
2007-02-09 15:33 30,720 --a------ C:\WINDOWS\system32\33243052ld.exe
2007-02-09 15:14 <DIR> d-------- C:\Program Files\HijackThis
2007-02-09 15:13 30,720 --a------ C:\WINDOWS\system32\13156672ld.exe
2007-02-09 14:53 30,720 --a------ C:\WINDOWS\system32\5398932ld.exe
2007-02-09 14:32 30,720 --a------ C:\WINDOWS\system32\32591922ld.exe
2007-02-09 14:12 30,720 --a------ C:\WINDOWS\system32\12465782ld.exe
2007-02-09 12:35 30,720 --a------ C:\WINDOWS\system32\3586412ld.exe
2007-02-09 11:47 30,720 --a------ C:\WINDOWS\system32\47527092ld.exe
2007-02-09 10:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-02-09 10:38 30,720 --a------ C:\WINDOWS\system32\38298932ld.exe
2007-02-08 18:24 <DIR> d--h----- C:\WINDOWS\PIF
2007-02-08 03:18 30,720 --a------ C:\WINDOWS\system32\18215782ld.exe
2007-02-08 02:58 30,720 --a------ C:\WINDOWS\system32\5889142ld.exe
2007-02-08 02:37 30,720 --a------ C:\WINDOWS\system32\37582632ld.exe
2007-02-08 02:17 30,720 --a------ C:\WINDOWS\system32\17413842ld.exe
2007-02-08 01:57 30,720 --a------ C:\WINDOWS\system32\5725852ld.exe
2007-02-08 01:37 30,720 --a------ C:\WINDOWS\system32\37152752ld.exe
2007-02-08 01:16 30,720 --a------ C:\WINDOWS\system32\16527972ld.exe
2007-02-08 00:56 30,720 --a------ C:\WINDOWS\system32\56461022ld.exe
2007-02-08 00:36 30,720 --a------ C:\WINDOWS\system32\36366032ld.exe
2007-02-08 00:16 30,720 --a------ C:\WINDOWS\system32\16204842ld.exe
2007-02-07 23:56 30,720 --a------ C:\WINDOWS\system32\5693032ld.exe
2007-02-07 23:36 30,720 --a------ C:\WINDOWS\system32\361452ld.exe
2007-02-07 23:15 30,720 --a------ C:\WINDOWS\system32\15449372ld.exe
2007-02-07 23:11 30,720 --a------ C:\WINDOWS\system32\11424342ld.exe
2007-02-07 22:51 30,720 --a------ C:\WINDOWS\system32\51218092ld.exe
2007-02-07 22:15 30,720 --a------ C:\WINDOWS\system32\1558542ld.exe
2007-02-07 21:55 30,720 --a------ C:\WINDOWS\system32\55504172ld.exe
2007-02-07 21:35 30,720 --a------ C:\WINDOWS\system32\35298822ld.exe
2007-02-07 21:15 30,720 --a------ C:\WINDOWS\system32\15171592ld.exe
2007-02-07 20:55 30,720 --a------ C:\WINDOWS\system32\5579902ld.exe
2007-02-07 20:34 30,720 --a------ C:\WINDOWS\system32\34557872ld.exe
2007-02-07 20:14 30,720 --a------ C:\WINDOWS\system32\14454762ld.exe
2007-02-07 19:48 30,720 --a------ C:\WINDOWS\system32\48197612ld.exe
2007-02-07 19:28 30,720 --a------ C:\WINDOWS\system32\2811232ld.exe
2007-02-07 19:08 30,720 --a------ C:\WINDOWS\system32\808032ld.exe
2007-02-07 19:07 <DIR> d-------- C:\Program Files\mIRC
2007-02-07 18:54 <DIR> d-------- C:\Program Files\Java
2007-02-07 18:47 30,720 --a------ C:\WINDOWS\system32\47473482ld.exe
2007-02-07 18:47 <DIR> d-------- C:\Program Files\Common Files\Java
2007-02-07 18:27 30,720 --a------ C:\WINDOWS\system32\27403932ld.exe
2007-02-07 18:07 30,720 --a------ C:\WINDOWS\system32\7286102ld.exe
2007-02-07 17:47 30,720 --a------ C:\WINDOWS\system32\47165572ld.exe
2007-02-07 17:27 30,720 --a------ C:\WINDOWS\system32\2659772ld.exe
2007-02-07 17:06 30,720 --a------ C:\WINDOWS\system32\6339452ld.exe
2007-02-07 15:59 30,720 --a------ C:\WINDOWS\system32\590892ld.exe
2007-02-07 15:38 30,720 --a------ C:\WINDOWS\system32\38489482ld.exe
2007-02-07 15:18 30,720 --a------ C:\WINDOWS\system32\18371452ld.exe
2007-02-07 15:03 30,720 --a------ C:\WINDOWS\system32\2599142ld.exe
2007-02-07 14:42 30,720 --a------ C:\WINDOWS\system32\42543702ld.exe
2007-02-07 14:18 30,720 --a------ C:\WINDOWS\system32\18419922ld.exe
2007-02-07 13:35 30,720 --a------ C:\WINDOWS\system32\3515662ld.exe
2007-02-07 13:09 30,720 --a------ C:\WINDOWS\system32\9284922ld.exe
2007-02-07 12:49 30,720 --a------ C:\WINDOWS\system32\49115332ld.exe
2007-02-07 11:36 30,720 --a------ C:\WINDOWS\system32\36266182ld.exe
2007-02-07 11:16 30,720 --a------ C:\WINDOWS\system32\16162182ld.exe
2007-02-06 23:30 30,208 --a------ C:\WINDOWS\system32\29564512ld.exe
2007-02-06 23:09 30,208 --a------ C:\WINDOWS\system32\9495962ld.exe
2007-02-06 22:49 30,208 --a------ C:\WINDOWS\system32\49357612ld.exe
2007-02-06 15:56 27,208 --a------ C:\WINDOWS\system32\56483412ld.exe
2007-02-06 15:15 30,208 --a------ C:\WINDOWS\system32\15512282ld.exe
2007-02-06 12:05 30,208 --a------ C:\WINDOWS\system32\5289112ld.exe
2007-02-05 23:16 <DIR> d-------- C:\Program Files\FLVPlayer
2007-02-05 22:41 30,208 --a------ C:\WINDOWS\system32\41217082ld.exe
2007-02-05 21:18 30,208 --a------ C:\WINDOWS\system32\18128122ld.exe
2007-02-05 20:30 <DIR> d-------- C:\Program Files\Baldur's Gate
2007-02-05 19:57 30,208 --a------ C:\WINDOWS\system32\57369092ld.exe
2007-02-05 19:37 30,208 --a------ C:\WINDOWS\system32\37263582ld.exe
2007-02-05 17:35 0 --a------ C:\WINDOWS\PowerReg.dat
2007-02-05 17:18 <DIR> d-------- C:\NeverwinterNights
2007-02-05 17:13 30,208 --a------ C:\WINDOWS\system32\13196832ld.exe
2007-02-05 16:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\AdobeUM
2007-02-05 00:51 15,752 --a------ C:\WINDOWS\system32\5145432ld.exe
2007-02-04 22:47 <DIR> d-------- C:\Program Files\Total War
2007-02-04 18:25 1,432 --a------ C:\WINDOWS\system32\25473532ld.exe
2007-02-04 18:05 30,208 --a------ C:\WINDOWS\system32\4597092ld.exe
2007-02-04 10:24 30,208 --a------ C:\WINDOWS\system32\24448692ld.exe
2007-02-03 20:05 30,208 --a------ C:\WINDOWS\system32\551222ld.exe
2007-02-03 19:45 30,208 --a------ C:\WINDOWS\system32\45425642ld.exe
2007-02-03 19:25 30,208 --a------ C:\WINDOWS\system32\25363992ld.exe
2007-02-03 19:05 30,208 --a------ C:\WINDOWS\system32\5306662ld.exe
2007-02-03 18:04 30,208 --a------ C:\WINDOWS\system32\4494302ld.exe
2007-02-03 17:44 30,208 --a------ C:\WINDOWS\system32\44396602ld.exe
2007-02-03 17:24 30,208 --a------ C:\WINDOWS\system32\24341572ld.exe
2007-01-31 12:45 30,208 --a------ C:\WINDOWS\system32\45444482ld.exe
2007-01-31 00:22 30,208 --a------ C:\WINDOWS\system32\22394722ld.exe
2007-01-30 23:01 30,208 --a------ C:\WINDOWS\system32\1465842ld.exe
2007-01-30 22:41 30,208 --a------ C:\WINDOWS\system32\41378262ld.exe
2007-01-30 22:18 30,208 --a------ C:\WINDOWS\system32\18358972ld.exe
2007-01-30 20:23 30,208 --a------ C:\WINDOWS\system32\23406592ld.exe
2007-01-30 20:03 30,208 --a------ C:\WINDOWS\system32\3224272ld.exe
2007-01-30 15:37 30,208 --a------ C:\WINDOWS\system32\3717922ld.exe
2007-01-30 14:44 4,296 --a------ C:\WINDOWS\system32\44184142ld.exe
2007-01-22 20:59 <DIR> d-------- C:\Program Files\Google
2007-01-17 14:49 1,432 --a------ C:\WINDOWS\system32\48262342ld.exe
2007-01-15 19:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Macrovision
2007-01-15 16:45 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2007-01-14 23:13 <DIR> d-------- C:\Program Files\QuickTime
2007-01-14 23:13 <DIR> d-------- C:\Program Files\Apple Software Update
2007-01-14 15:11 <DIR> d---s---- C:\DOCUME~1\ADMINI~1\UserData
2007-01-14 15:02 786,432 --ah----- C:\DOCUME~1\internet\NTUSER.DAT
2007-01-14 14:50 <DIR> d-------- C:\Oscar
2007-01-14 14:41 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-01-14 14:41 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-01-14 14:41 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-01-14 13:46 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-01-14 13:46 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2007-01-14 13:46 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-01-14 13:46 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-01-14 13:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Cakewalk
2007-01-14 13:46 <DIR> d-------- C:\Cakewalk Projects
2007-01-14 13:26 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Cakewalk
2007-01-14 13:16 180,224 --a------ C:\WINDOWS\system32\ReWire.dll
2007-01-14 13:16 118,784 --a------ C:\WINDOWS\dsdxirmv.exe
2007-01-14 13:15 <DIR> d-------- C:\Program Files\Cakewalk
2007-01-14 13:04 5,248 --a------ C:\WINDOWS\system32\drivers\d346prt.sys
2007-01-14 13:04 156,800 --a------ C:\WINDOWS\system32\drivers\d346bus.sys
2007-01-14 13:04 <DIR> d-------- C:\Program Files\D-Tools
2007-01-14 12:40 <DIR> d-------- C:\Program Files\Fruity Loops
2007-01-14 12:33 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Adobe
2007-01-14 12:30 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-01-14 12:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe Systems
2007-01-14 12:28 <DIR> d-------- C:\Program Files\Common Files\Adobe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-10 14:08 -------- d-------- C:\Program Files\mozilla firefox
2007-02-07 19:01 1289 --a------ C:\WINDOWS\mozver.dat
2007-02-05 17:19 -------- d--h----- C:\Program Files\installshield installation information
2007-02-05 16:54 -------- d-------- C:\Program Files\black isle
2007-01-30 14:44 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-01-15 19:27 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\macromedia
2007-01-15 16:44 -------- d-------- C:\Program Files\Common Files\macromedia
2007-01-15 16:43 -------- d-------- C:\Program Files\macromedia
2007-01-14 13:42 -------- d---s---- C:\DOCUME~1\ADMINI~1\Application Data\microsoft
2007-01-09 23:21 -------- d-------- C:\Program Files\warcraft 3
2007-01-09 18:09 54291 --a------ C:\WINDOWS\war3unin.dat
2007-01-09 18:08 2829 --a------ C:\WINDOWS\war3unin.pif
2007-01-09 18:08 139264 --a------ C:\WINDOWS\war3unin.exe
2007-01-09 15:29 -------- d-------- C:\Program Files\warcraft iii
2007-01-09 12:28 34624 --a------ C:\WINDOWS\system32\gdipfontcachev1.dat
2007-01-08 17:33 615 --a------ C:\WINDOWS\ereg.dat
2007-01-08 17:13 -------- d-------- C:\Program Files\ea games
2007-01-08 16:10 645904 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-01-08 16:10 115088 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2007-01-08 16:10 1021504 --a------ C:\WINDOWS\system32\vete.dll
2007-01-08 15:49 -------- d-------- C:\Program Files\analog devices
2007-01-08 13:57 -------- d-------- C:\Program Files\audacity
2007-01-08 13:54 0 --a------ C:\WINDOWS\nsreg.dat
2007-01-08 13:54 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\mozilla
2007-01-08 11:31 -------- d-------- C:\Program Files\zydas
2007-01-08 11:31 -------- d-------- C:\Program Files\Common Files\installshield
2007-01-08 00:49 -------- d-------- C:\Program Files\Common Files\speechengines
2007-01-08 00:49 -------- d-------- C:\Program Files\Common Files\odbc
2007-01-08 00:46 62 --ahs---- C:\DOCUME~1\ADMINI~1\Application Data\desktop.ini
2007-01-07 21:38 -------- d-------- C:\Program Files\directx
2007-01-07 21:37 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-01-07 21:37 12464 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-01-07 18:13 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\identities
2007-01-07 18:04 0 -rahs---- C:\MSDOS.SYS
2007-01-07 18:04 0 -rahs---- C:\IO.SYS
2007-01-07 18:04 0 --a------ C:\CONFIG.SYS
2007-01-07 18:04 0 --a------ C:\AUTOEXEC.BAT
2007-01-07 18:04 -------- d-------- C:\Program Files\microsoft frontpage
2007-01-07 18:01 -------- d--h----- C:\Program Files\windowsupdate
2007-01-07 18:01 -------- d-------- C:\Program Files\online services
2007-01-07 18:00 -------- d-------- C:\Program Files\movie maker
2007-01-07 18:00 -------- d-------- C:\Program Files\Common Files\mssoap
2007-01-07 17:58 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-01-07 17:57 -------- d-------- C:\Program Files\windows nt
2007-01-07 17:57 -------- d-------- C:\Program Files\msn gaming zone
2007-01-07 17:57 -------- d-------- C:\Program Files\messenger


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"CoolSwitch"="C:\\WINDOWS\\system32\\taskswitch.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"PmProxy"="C:\\Program Files\\Analog Devices\\SoundMAX\\PmProxy.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"googletalk"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe /autostart"
"syswin"="C:\\WINDOWS\\system32\\v6.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"StXfflAdpvDOithoV"="{2469EDB8-8EC3-4712-7490-70F05BCAF9AE}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-10 14:17:39


There you are. I'm still getting the "Shutdown in 60 seconds" notice every time I reboot, though. Is there a way to stop this forever? I'm just using the Start > Run > shutdown -a command.
Thanks again.

Edited by Spazmunt, 09 February 2007 - 08:19 PM.


#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:02:20 AM

Posted 09 February 2007 - 08:50 PM

Copy and paste the following bold blue text below into Notepad.
Click on File (in the menu at the top) > Save as. Save as Type: 'All Files', File name: fix.reg, and save it to your desktop.
Then double-click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.
==============================================
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"syswin"=-

==============================================


Please double-click Killbox.exe to run it.
Select: 'Delete on Reboot'.
Then Click on the 'All Files' button.
Please copy ALL the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\z16.exe
C:\WINDOWS\system32\z15.exe
C:\WINDOWS\system32\z14.exe
C:\WINDOWS\system32\z13.exe
C:\WINDOWS\system32\z12.exe
C:\WINDOWS\system32\z11.exe
C:\WINDOWS\system32\13227422ld.exe
C:\WINDOWS\system32\37124072ld.exe
C:\WINDOWS\system32\5539232ld.exe
C:\WINDOWS\system32\34527612ld.exe
C:\WINDOWS\system32\14353512ld.exe
C:\WINDOWS\system32\54288462ld.exe
C:\WINDOWS\system32\34209392ld.exe
C:\WINDOWS\system32\14121112ld.exe
C:\WINDOWS\system32\5417512ld.exe
C:\WINDOWS\system32\33486162ld.exe
C:\WINDOWS\system32\13414502ld.exe
C:\WINDOWS\system32\53336642ld.exe
C:\WINDOWS\system32\33243052ld.exe
C:\WINDOWS\system32\13156672ld.exe
C:\WINDOWS\system32\5398932ld.exe
C:\WINDOWS\system32\32591922ld.exe
C:\WINDOWS\system32\12465782ld.exe
C:\WINDOWS\system32\3586412ld.exe
C:\WINDOWS\system32\47527092ld.exe
C:\WINDOWS\system32\38298932ld.exe
C:\WINDOWS\system32\18215782ld.exe
C:\WINDOWS\system32\5889142ld.exe
C:\WINDOWS\system32\37582632ld.exe
C:\WINDOWS\system32\17413842ld.exe
C:\WINDOWS\system32\5725852ld.exe
C:\WINDOWS\system32\37152752ld.exe
C:\WINDOWS\system32\16527972ld.exe
C:\WINDOWS\system32\56461022ld.exe
C:\WINDOWS\system32\36366032ld.exe
C:\WINDOWS\system32\16204842ld.exe
C:\WINDOWS\system32\5693032ld.exe
C:\WINDOWS\system32\361452ld.exe
C:\WINDOWS\system32\15449372ld.exe
C:\WINDOWS\system32\11424342ld.exe
C:\WINDOWS\system32\51218092ld.exe
C:\WINDOWS\system32\1558542ld.exe
C:\WINDOWS\system32\55504172ld.exe
C:\WINDOWS\system32\35298822ld.exe
C:\WINDOWS\system32\15171592ld.exe
C:\WINDOWS\system32\5579902ld.exe
C:\WINDOWS\system32\34557872ld.exe
C:\WINDOWS\system32\14454762ld.exe
C:\WINDOWS\system32\48197612ld.exe
C:\WINDOWS\system32\2811232ld.exe
C:\WINDOWS\system32\808032ld.exe
C:\WINDOWS\system32\47473482ld.exe
C:\WINDOWS\system32\27403932ld.exe
C:\WINDOWS\system32\7286102ld.exe
C:\WINDOWS\system32\47165572ld.exe
C:\WINDOWS\system32\2659772ld.exe
C:\WINDOWS\system32\6339452ld.exe
C:\WINDOWS\system32\590892ld.exe
C:\WINDOWS\system32\38489482ld.exe
C:\WINDOWS\system32\18371452ld.exe
C:\WINDOWS\system32\2599142ld.exe
C:\WINDOWS\system32\42543702ld.exe
C:\WINDOWS\system32\18419922ld.exe
C:\WINDOWS\system32\3515662ld.exe
C:\WINDOWS\system32\9284922ld.exe
C:\WINDOWS\system32\49115332ld.exe
C:\WINDOWS\system32\36266182ld.exe
C:\WINDOWS\system32\16162182ld.exe
C:\WINDOWS\system32\29564512ld.exe
C:\WINDOWS\system32\9495962ld.exe
C:\WINDOWS\system32\49357612ld.exe
C:\WINDOWS\system32\56483412ld.exe
C:\WINDOWS\system32\15512282ld.exe
C:\WINDOWS\system32\5289112ld.exe
C:\WINDOWS\system32\41217082ld.exe
C:\WINDOWS\system32\18128122ld.exe
C:\WINDOWS\system32\57369092ld.exe
C:\WINDOWS\system32\37263582ld.exe
C:\WINDOWS\system32\13196832ld.exe
C:\WINDOWS\system32\5145432ld.exe
C:\WINDOWS\system32\25473532ld.exe
C:\WINDOWS\system32\4597092ld.exe
C:\WINDOWS\system32\24448692ld.exe
C:\WINDOWS\system32\551222ld.exe
C:\WINDOWS\system32\45425642ld.exe
C:\WINDOWS\system32\25363992ld.exe
C:\WINDOWS\system32\5306662ld.exe
C:\WINDOWS\system32\4494302ld.exe
C:\WINDOWS\system32\44396602ld.exe
C:\WINDOWS\system32\24341572ld.exe
C:\WINDOWS\system32\45444482ld.exe
C:\WINDOWS\system32\22394722ld.exe
C:\WINDOWS\system32\1465842ld.exe
C:\WINDOWS\system32\41378262ld.exe
C:\WINDOWS\system32\18358972ld.exe
C:\WINDOWS\system32\23406592ld.exe
C:\WINDOWS\system32\3224272ld.exe
C:\WINDOWS\system32\3717922ld.exe
C:\WINDOWS\system32\44184142ld.exe
C:\WINDOWS\system32\48262342ld.exe


Return to Killbox, go to the File menu, and choose 'Paste from Clipboard'.
Click the red-and-white Delete File button.
Click 'Yes' at the 'Delete on Reboot' prompt.
Click OK at any 'PendingFileRenameOperations' prompt.
If your computer does not restart automatically, please restart it manually.

========================

Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols3.shtml
Follow the directions in the F-Secure page for proper Installation.
Accept the License Agreement.
Once the ActiveX installs, click 'Custom Scan' and be sure the following are checked:
1.Scan whole System
2.Scan all files
3.Scan whole system for rootkits
4.Scan whole system for spyware
5.Scan inside archives
6.Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the 'I want to decide item by item' button.
For each item found, select 'Disinfect' and click 'Next'.
Click the 'Show Report' button, then copy and paste the entire report into your next reply.

=========================

You've no virus protection installed.
Download/install AVG Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_441a944.exe
Once installed, update AVG's virus definitions and run a full system virus scan.

Reboot when you've done, then post the F-Secure report and a new HijackThis log into your next reply.

Edited by RichieUK, 09 February 2007 - 09:12 PM.

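As an added example (not code from this thread or from any tool mentioned in it), here is a Python preview of what a Regedit 5.00 file such as the fix.reg above would change if merged, so a "name"=- deletion can be checked before double-clicking the file. FIX_REG reproduces the posted fix; ADD_REG is a constructed contrast file that would add a Run entry instead of removing one.

```python
import re
from dataclasses import dataclass

# Constructed input: the fix.reg posted above. In Regedit syntax "name"=- deletes
# that value and a key written as [-HKEY_...] deletes the whole key.
FIX_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"syswin"=-
"""
# Constructed contrast: a .reg that would ADD a Run entry (a persistence change, not a fix).
ADD_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Example"="C:\\WINDOWS\\system32\\example.exe"
[-HKEY_CURRENT_USER\Software\Example]
"""

@dataclass
class RegChange:
    key: str
    action: str       # "delete_key", "delete_value" or "set_value"
    name: str = ""    # value name; "@" is the key's default value
    data: str = ""    # decoded string data, or raw dword:/hex: text

def _unescape(s: str) -> str:
    # .reg string syntax escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def preview_reg(text: str) -> list:
    """Parse a Regedit 5.00 file and list what merging it would do, touching no registry.
    Multi-line hex(...) continuations are not joined; this preview targets small fix files."""
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() != "Windows Registry Editor Version 5.00":
        raise ValueError("not a Regedit 5.00 file")
    changes, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):
                changes.append(RegChange(key[1:], "delete_key"))
                current = None
            else:
                current = key
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not m:
            raise ValueError(f"bad value line: {line}")
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data == "-":
            changes.append(RegChange(current, "delete_value", name))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            changes.append(RegChange(current, "set_value", name, _unescape(data[1:-1])))
        else:
            changes.append(RegChange(current, "set_value", name, data))
    return changes

def adds_autostart(changes) -> bool:
    """True if any change writes a value under a CurrentVersion\\Run key (new persistence)."""
    return any(c.action == "set_value" and re.search(r"\\currentversion\\run", c.key, re.I)
               for c in changes)
```

For the posted fix the preview reports a single delete_value of "syswin" under the HKLM Run key and no added autostart; a file that reports set_value under a Run key deserves a second look before merging.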

#7 Spazmunt

Spazmunt
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:20 PM

Posted 10 February 2007 - 12:34 AM

Logfile of HijackThis v1.99.1
Scan saved at 6:32:18 p.m., on 10/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ZyDAS\ZD1211 802.11g Utility\ZDWlan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mozilla.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: ZDWlan.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O21 - SSODL: StXfflAdpvDOithoV - {2469EDB8-8EC3-4712-7490-70F05BCAF9AE} - C:\WINDOWS\system32\gc.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


F-Secure Report:

Scanning Report
Saturday, February 10, 2007 16:47:47 - 18:23:06

Computer name: MICROSOF-3BAEE6
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
Result: 24 malware found
Tracking Cookie (spyware)

* System (Disinfected)
* System
* System

Trojan-Downloader.Win32.Tiny.fk (virus)

* C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0002942.exe (Renamed & Submitted)
* C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0003995.exe (Renamed & Submitted)
* C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\v6.exe (Renamed & Submitted)
* C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\x1001.exe (Renamed & Submitted)

Trojan-Proxy.Win32.Dlena.bb (virus)

* C:\!KillBox\12465782ld.exe (Renamed & Submitted)
* C:\!KillBox\13227422ld.exe (Renamed & Submitted)
* C:\!KillBox\13414502ld.exe (Renamed & Submitted)
* C:\!KillBox\14353512ld.exe (Renamed & Submitted)
* C:\!KillBox\16527972ld.exe (Renamed & Submitted)
* C:\!KillBox\33486162ld.exe (Renamed & Submitted)
* C:\!KillBox\34527612ld.exe (Renamed & Submitted)
* C:\!KillBox\361452ld.exe (Renamed & Submitted)
* C:\!KillBox\37124072ld.exe (Renamed & Submitted)
* C:\!KillBox\37152752ld.exe (Renamed & Submitted)
* C:\!KillBox\37582632ld.exe (Renamed & Submitted)
* C:\!KillBox\53336642ld.exe (Renamed & Submitted)
* C:\!KillBox\54288462ld.exe (Renamed & Submitted)
* C:\!KillBox\56461022ld.exe (Renamed & Submitted)
* C:\!KillBox\5693032ld.exe (Renamed & Submitted)
* C:\!KillBox\5889142ld.exe (Renamed & Submitted)

Trojan-Proxy.Win32.Dlena.bk (virus)

* C:\!KillBox\48262342ld.exe (Renamed & Submitted)

Statistics
Scanned:

* Files: 68816
* System: 3378
* Not scanned: 56

Actions:

* Disinfected: 1
* Renamed: 21
* Deleted: 0
* None: 2
* Submitted: 21

Files not scanned:

xîH

Options
Scanning engines:

* F-Secure Libra: 2.4.2, 2007-02-01
* F-Secure AVP: 7.0.171, 2007-02-10
* F-Secure Orion: 1.2.37, 2007-02-09
* F-Secure Blacklight: 1.0.53, 0000-00-00
* F-Secure Draco: 1.0.35, 0260-02-44
* F-Secure Pegasus: 1.19.0, 2007-01-07

Scanning options:

* Scan all files
* Scan inside archives
* Use Advanced heuristics

I am using Zonealarm Antivirus and Firewall.
Cheers.

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:02:20 AM

Posted 10 February 2007 - 02:37 AM

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - Startup: PowerReg Scheduler V3.exe
O21 - SSODL: StXfflAdpvDOithoV - {2469EDB8-8EC3-4712-7490-70F05BCAF9AE} - C:\WINDOWS\system32\gc.dll (file missing)

Exit HijackThis.

Other than the above, your log looks clean.
How's your PC running now, please?

Edited by RichieUK, 10 February 2007 - 05:15 AM.


#9 Spazmunt

Spazmunt
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:20 PM

Posted 10 February 2007 - 07:07 PM

I fixed those items in HijackThis but it is still doing the System Shutdown on restart. Any other ideas?

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:02:20 AM

Posted 10 February 2007 - 07:22 PM

You've probably already tried this; if not, it may help.
Go here, read the tutorial and run McAfee AVERT Stinger:
http://vil.nai.com/vil/stinger/

#11 Spazmunt

Spazmunt
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:20 PM

Posted 11 February 2007 - 06:40 PM

Stinger didn't find anything. Except for the System Shutdown, everything seems to be running fine.
Any more ideas?

#12 Spazmunt

Spazmunt
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:20 PM

Posted 12 February 2007 - 10:44 PM

And now I can't install anything. I've downloaded a few programs I want to install and it says they are either corrupt or the Windows Installer isn't working.

Here's my HijackThis log again; see if you can see anything playing up.

Logfile of HijackThis v1.99.1
Scan saved at 4:43:17 p.m., on 13/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ZyDAS\ZD1211 802.11g Utility\ZDWlan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mozilla.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ZDWlan.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:02:20 AM

Posted 13 February 2007 - 05:32 AM

And now I can't install anything. I've downloaded a few programs I want to install and it says they are either corrupt or the Windows Installer isn't working.


See if this helps at all:
If you have the MS Windows XP install disk.
Click Start > Run, type sfc /scannow then press OK.
Leave a space in between sfc and /scannow.
Reboot when you've done.

If still no joy try a Repair Install:
http://www.michaelstevenstech.com/XPrepairinstall.htm

#14 Spazmunt

Spazmunt
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:08:20 PM

Posted 13 February 2007 - 07:07 PM

I think I may just save all my files onto an external hard drive and reformat.

Thanks so much for all the help and support Richie.

Cheers

-Spaz

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:02:20 AM

Posted 14 February 2007 - 07:56 AM

You're welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.