
Broadband Keeps Disconnecting Due To Malware


16 replies to this topic

#1 Anish_kol


Posted 09 February 2007 - 10:20 PM

Hi, please help...I have been facing this problem for a long time...My broadband keeps disconnecting every time my internet shows any activity. I am posting the HijackThis log. Hope it helps.



Logfile of HijackThis v1.99.1
Scan saved at 8:38:32 AM, on 2/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
K:\WINDOWS\System32\smss.exe
K:\WINDOWS\system32\winlogon.exe
K:\WINDOWS\system32\services.exe
K:\WINDOWS\system32\lsass.exe
K:\WINDOWS\system32\svchost.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\system32\spoolsv.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\Explorer.EXE
K:\WINDOWS\System32\hkcmd.exe
K:\Program Files\Logitech\MouseWare\system\em_exec.exe
K:\WINDOWS\system32\ctfmon.exe
K:\WINDOWS\system32\wscntfy.exe
K:\Program Files\Eset\nod32krn.exe
K:\Program Files\Internet Explorer\iexplore.exe
K:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
K:\Documents and Settings\little\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://in.rediff.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.rediff.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.rediff.com/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.rediff.com/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - K:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - K:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - K:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - K:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - K:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - K:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IgfxTray] K:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] K:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [DAEMON Tools] "F:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [nod32kui] "K:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SMSystemAnalyzer] "K:\Program Files\iolo\System Mechanic 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] K:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "K:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] K:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0 -reboot 1
O4 - HKCU\..\Run: [msnmsgr] "K:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Download with &DAP - K:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://K:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - K:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - K:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - K:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - K:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - K:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - K:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - K:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://sifyimg.speedera.net/sify.com/eot/tdserver.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - K:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {4FA3D392-9349-4D85-8FB9-18733534CFE3} - http://www.spybouncer.com/downloader/gdownloader.ocx
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BADA82CB-BF48-4D76-9611-78E2C6F49F03} (BolDownloader Control) - http://messenger.rediff.com/newbol/Bol.CAB
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by21fd.bay21.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{C16365D2-67C8-4C29-A6FF-DFECCA1EF80E}: NameServer = 218.248.240.208 218.248.240.135
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "K:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - K:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - K:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - K:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - K:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - K:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - K:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - K:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - K:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - K:\Program Files\Eset\nod32krn.exe
O23 - Service: NT Online Protection - Unknown owner - F:\PROGRA~1\ONLNSVC.EXE
O23 - Service: Office Source Engine (ose) - Unknown owner - K:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - K:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Tally License Server (NT) (Tally License Server) - Unknown owner - H:\tally7.2\tallylicserver.exe


#2 RichieUK


    Malware Assassin


  • Malware Response Team

Posted 10 February 2007 - 04:14 AM

Welcome to Bleeping Computer Anish_kol :thumbsup:

Download/install CleanUp.
Launch CleanUp, then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok', now run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.

=========================

Please download/install AVG Anti-Spyware 7.5.

Please follow these instructions carefully.
Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into "Safe Mode" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://sifyimg.speedera.net/sify.com/eot/tdserver.cab
O16 - DPF: {4FA3D392-9349-4D85-8FB9-18733534CFE3} - http://www.spybouncer.com/downloader/gdownloader.ocx

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.
Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.


Post the AVG Anti-Spyware report and a new HijackThis log in your next reply please.
Let me know what's happening now please.
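The entries picked out above (orphaned O3 toolbars, a bare-name O4 Run entry, and O16 ActiveX controls downloaded from unfamiliar hosts) follow a few repeatable rules. As an added example, not code from this thread or from HijackThis, here is a small Python triage script that applies those rules, plus the O17 NameServer and O23 "(file missing)" checks, to HijackThis v1.99 log lines. The allowlist of ActiveX hosts and the expected DNS prefix are constructed for the example, and the sample log reuses lines from the posted log plus one made-up O17 entry to exercise the DNS check.

```python
"""Triage helper for HijackThis v1.99 log lines.

Added example, not part of the original thread and not HijackThis code. It
applies the checks a malware-response helper applies when picking entries to
fix: O3 toolbars whose file is gone, O4 Run entries without a full path, O16
ActiveX controls fetched from hosts outside an allowlist, O17 DNS servers
outside the ISP's expected range, and O23 services whose binary is missing.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed allowlist: vendors whose ActiveX download hosts are expected on
# this machine. Every other O16 download host is surfaced for review.
TRUSTED_DPF_HOSTS = {
    "go.microsoft.com", "spaces.msn.com", "messenger.msn.com", "zone.msn.com",
    "fdl.msn.com", "www.symantec.com", "security.symantec.com",
    "housecall60.trendmicro.com", "housecall65.trendmicro.com",
    "acs.pandasoftware.com", "simcity.ea.com",
}
# Constructed: address prefix of the ISP resolvers seen in the posted log.
# An O17 NameServer outside it is the classic DNS-hijack indicator.
EXPECTED_DNS_PREFIXES = ("218.248.",)

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def dpf_host(body: str) -> Optional[str]:
    """Return the download host of an O16 entry, or None for a local file."""
    target = body.rsplit(" - ", 1)[-1].strip()
    if "://" not in target:
        return None
    return urlparse(target).hostname


def run_command(body: str) -> str:
    """Return the command part of an O4 entry ('HKLM\\..\\Run: [Name] cmd')."""
    return body.split("] ", 1)[-1].strip().strip('"')


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, running-process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        if sec == "O3" and "(no file)" in body:
            findings.append(Finding(sec, "toolbar registered but file gone", line))
        elif sec == "O4":
            cmd = run_command(body)
            # No drive/path and no %var%: the loader finds it via PATH search.
            if "\\" not in cmd and not cmd.startswith("%"):
                findings.append(Finding(sec, f"Run entry resolved via PATH search: {cmd}", line))
        elif sec == "O16":
            host = dpf_host(body)
            if host and host not in TRUSTED_DPF_HOSTS:
                findings.append(Finding(sec, f"ActiveX control from unlisted host {host}", line))
        elif sec == "O17" and "NameServer" in body:
            servers = body.split("=", 1)[-1].replace(",", " ").split()
            odd = [ip for ip in servers if not ip.startswith(EXPECTED_DNS_PREFIXES)]
            if odd:
                findings.append(Finding(sec, "unexpected DNS server(s): " + " ".join(odd), line))
        elif sec == "O23" and "(file missing)" in body:
            findings.append(Finding(sec, "service points at a missing binary", line))
    return findings


def count_by_section(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Constructed sample: lines copied from the posted log plus one made-up O17
# entry (203.0.113.5 is a documentation address) to exercise the DNS check.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - K:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IgfxTray] K:\WINDOWS\System32\igfxtray.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://sifyimg.speedera.net/sify.com/eot/tdserver.cab
O16 - DPF: {4FA3D392-9349-4D85-8FB9-18733534CFE3} - http://www.spybouncer.com/downloader/gdownloader.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - K:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C16365D2-67C8-4C29-A6FF-DFECCA1EF80E}: NameServer = 218.248.240.208 218.248.240.135
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.5
O23 - Service: NT Online Protection - Unknown owner - F:\PROGRA~1\ONLNSVC.EXE (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - K:\Program Files\Eset\nod32krn.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

A hit here means "review this entry", not "malware": legitimate bare-name Run entries and vendor patchers will show up too, which is why the helper still reads each flagged line before asking for it to be fixed.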

#3 Anish_kol


Posted 11 February 2007 - 05:48 AM

Hey Richie...Thanks so much for replying...I really need help...
Here is the report of the AVG spyware scanner and the new HijackThis report...Hope you can figure out something..

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:04:26 PM 2/11/2007

+ Scan result:



E:\Softwares\Adobe Photoshop CS2 Crack.zip/apcs2ge/Adobe Photoshop CS2 Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
E:\Softwares\apcs2ge\Adobe Photoshop CS2 Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
K:\Program Files\Adobe\Adobe Photoshop CS2\Adobe Photoshop CS2 Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).


::Report end






Logfile of HijackThis v1.99.1
Scan saved at 4:10:30 PM, on 2/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
K:\WINDOWS\System32\smss.exe
K:\WINDOWS\system32\winlogon.exe
K:\WINDOWS\system32\services.exe
K:\WINDOWS\system32\lsass.exe
K:\WINDOWS\system32\svchost.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\system32\spoolsv.exe
K:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
K:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
K:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
K:\Program Files\Eset\nod32krn.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\Explorer.EXE
K:\WINDOWS\system32\wscntfy.exe
K:\WINDOWS\system32\WgaTray.exe
K:\Program Files\Logitech\MouseWare\system\em_exec.exe
K:\WINDOWS\System32\hkcmd.exe
K:\WINDOWS\system32\wuauclt.exe
K:\Program Files\Eset\nod32kui.exe
K:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
K:\WINDOWS\system32\ctfmon.exe
K:\Program Files\MSN Messenger\msnmsgr.exe
K:\Documents and Settings\little\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://in.rediff.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.rediff.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.rediff.com/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.rediff.com/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - K:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - K:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - K:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - K:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - K:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - K:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IgfxTray] K:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] K:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [nod32kui] "K:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "K:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] K:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "K:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] K:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0 -reboot 1
O4 - HKCU\..\Run: [msnmsgr] "K:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Download with &DAP - K:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://K:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - K:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - K:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - K:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - K:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - K:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - K:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - K:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - K:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BADA82CB-BF48-4D76-9611-78E2C6F49F03} (BolDownloader Control) - http://messenger.rediff.com/newbol/Bol.CAB
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by21fd.bay21.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "K:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - K:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - K:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - K:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - K:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - K:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - K:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - K:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - K:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - K:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - K:\Program Files\Eset\nod32krn.exe
O23 - Service: NT Online Protection - Unknown owner - F:\PROGRA~1\ONLNSVC.EXE (file missing)
O23 - Service: Office Source Engine (ose) - Unknown owner - K:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - K:\WINDOWS\System32\HPZipm12.exe

#4 RichieUK


    Malware Assassin


  • Malware Response Team

Posted 11 February 2007 - 07:24 AM

Download NGenFix:
http://download.norman.no/public/NGenFix.exe
Disconnect from the internet, close any running programs.
Disable your current antivirus program (don't forget to re-enable it once this scan has finished).
Double click on the NGenFix icon on your desktop.
There's no need to change any of the preconfigured scan selections in the top window [Scan areas].
Click on the 'Start scan' button.
Allow the scan to run until it's finished, don't cancel it, your pc will reboot if you do.
Restart your pc when it's finished.

===============

Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Please then reboot your computer into Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, right click the SDFix.zip folder and choose Extract All,
* Open the extracted folder and double click RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

===============

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a log.
Post the C:\ComboFix.txt in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply. Also post the C:\ComboFix.txt, and a new HijackThis log.
Let me know how your pc is running now.

#5 Anish_kol


Posted 14 February 2007 - 09:18 AM

Hi Richie,
Thank you so much for trying to help me...I did all of the above that you asked me to...And I am posting the reports below. My broadband continues to disconnect as usual...And when I use dial-up...Then things just don't move...It gives me a hell lot of errors....Hope you can understand the source of the problem...

Here are the reports:


Norman Generic Fix
Copyright © 1990 - 2007, Norman ASA. Built 2007/02/06 20:01:36

Norman Scanner Engine Version: 5.90.30
Nvcbin.def Version: 5.90.00, Date: 2007/02/06 20:01:36, Variants: 202204
Nvcmacro.def Version: 5.90.00, Date: 2007/02/06 20:01:36, Variants: 12
Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600 Service Pack 2
Logged on user: MAIN\little

Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS = "" -> ""
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000




Scanning running processes and process memory...

Number of processes/threads found: 1474
Number of processes/threads scanned: 1471
Number of processes/threads not scanned: 3
Number of infected processes/threads terminated: 0
Total scanning time: 23s


Scanning file system...

Scanning: C:\*.*

Scanning: D:\*.*

Scanning: E:\*.*

Scanning: F:\*.*

Scanning: G:\*.*

Scanning: H:\*.*

Scanning: I:\*.*

Scanning: J:\*.*

Scanning: K:\*.*

Scanning: N:\*.*


Running post-scan cleanup routine:


Number of files found: 96879
Number of archives unpacked: 0
Number of files scanned: 96811
Number of files not scanned: 68
Number of files skipped due to exclude list: 0
Number of infected files found: 0
Number of infected files repaired/deleted: 0
Number of infections removed: 0
Total scanning time: 39m 18s




SDFix: Version 1.64

Run by: little - Wed 02/14/2007 @ 17:35:30.89

Microsoft Windows XP [Version 5.1.2600]

Running From: K:\SDFix

Safe Mode:
Checking Services:

Name:

Path:


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

K:\WINDOWS\system32\TFTP2956 - Deleted
K:\WINDOWS\system32\TFTP6844 - Deleted



ADS Check:

K:\WINDOWS\system32
No streams found.

Final Check:


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"K:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="K:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"K:\\Program Files\\Google\\Google Talk\\googletalk.exe"="K:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"E:\\program files\\Microsoft Games\\Rise of Nations\\rise.exe"="E:\\program files\\Microsoft Games\\Rise of Nations\\rise.exe:*:Disabled:Rise of Nations"
"K:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="K:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"H:\\Main computer\\LimeWire\\LimeWire.exe"="H:\\Main computer\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"F:\\Program Files\\LimeWire\\LimeWire.exe"="F:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"f:\\Program Files\\BitTorrent\\bittorrent.exe"="f:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"J:\\Program Files\\Java\\jdk1.5.0_06\\jre\\bin\\java.exe"="J:\\Program Files\\Java\\jdk1.5.0_06\\jre\\bin\\java.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\ODINNSEBSEMCXNCDEX\\Client\\ODINFTP.exe"="C:\\ODINNSEBSEMCXNCDEX\\Client\\ODINFTP.exe:*:Enabled:ODINFTP Application"
"K:\\Program Files\\MSN Messenger\\msnmsgr.exe"="K:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"K:\\Program Files\\InternetCalls.com\\InternetCalls\\InternetCalls.exe"="K:\\Program Files\\InternetCalls.com\\InternetCalls\\InternetCalls.exe:*:Enabled:InternetCalls"
"E:\\Program Files\\Skype\\Phone\\Skype.exe"="E:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"K:\\Program Files\\Rediff Bol\\RediffMessenger.exe"="K:\\Program Files\\Rediff Bol\\RediffMessenger.exe:*:Enabled:Rediff Bol 8.0"
"K:\\WINDOWS\\system32\\mshta.exe"="K:\\WINDOWS\\system32\\mshta.exe:*:Enabled:Microsoft ® HTML Application host"
"K:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"="K:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
"K:\\Program Files\\Internet Explorer\\iexplore.exe"="K:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"K:\\Program Files\\Skype\\Phone\\Skype.exe"="K:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"K:\\StubInstaller.exe"="K:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"K:\\Program Files\\DAP\\DAP.exe"="K:\\Program Files\\DAP\\DAP.exe:*:Enabled:Download Accelerator Plus"
"H:\\Age of Empires 2 - The Age of Kings and Conquerors\\empires2.exe"="H:\\Age of Empires 2 - The Age of Kings and Conquerors\\empires2.exe:*:Enabled:Age of Empires II"
"H:\\Age of Empires 2 - The Age of Kings and Conquerors\\age2_x1.exe"="H:\\Age of Empires 2 - The Age of Kings and Conquerors\\age2_x1.exe:*:Enabled:Age of Empires II Expansion"
"K:\\WINDOWS\\system32\\dplaysvr.exe"="K:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"E:\\Program Files\\Keeper Interactive\\Quake 4 EB\\msdvc.exe"="E:\\Program Files\\Keeper Interactive\\Quake 4 EB\\msdvc.exe:*:Enabled:msdvc"
"H:\\Charlie's Angels Angel X\\Charlie's Angels Angel X.exe"="H:\\Charlie's Angels Angel X\\Charlie's Angels Angel X.exe:*:Disabled:Charlie's Angels Angel X"
"H:\\ee\\Empire Earth.exe"="H:\\ee\\Empire Earth.exe:*:Disabled:Empire Earth"
"K:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="K:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"K:\\Program Files\\Intuwave Ltd\\Shared\\mRouterRunTime\\mRouterRuntime.exe"="K:\\Program Files\\Intuwave Ltd\\Shared\\mRouterRunTime\\mRouterRuntime.exe:*:Enabled:mRouterRuntime"
"E:\\Age Of Wonders 2\\MYTAW2\\AoW2.exe"="E:\\Age Of Wonders 2\\MYTAW2\\AoW2.exe:*:Enabled:Age of Wonders 2"
"K:\\WINDOWS\\system32\\dpnsvr.exe"="K:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"N:\\rail\\RT2_TSC.EXE"="N:\\rail\\RT2_TSC.EXE:*:Enabled:Railroad Tycoon II"
"N:\\wrlords\\Battlecry III.exe"="N:\\wrlords\\Battlecry III.exe:*:Enabled:Warlords Battlecry III"
"N:\\nfs\\nfs3.exe"="N:\\nfs\\nfs3.exe:*:Enabled:Need For Speed III for Win32"
"C:\\ODINNSEBSEMCXNCDEX\\Client\\odin95.exe"="C:\\ODINNSEBSEMCXNCDEX\\Client\\odin95.exe:*:Enabled:odin95"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"K:\\Program Files\\MSN Messenger\\msnmsgr.exe"="K:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"


Remaining Files:
---------------

Backups Folder: - K:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

K:\Program Files\iolo\System Mechanic 7\unins000.exe
K:\Program Files\Outlook Express\msimn.exe
K:\Program Files\MSN Apps\Updater\Download\AU15659281\BIT48.tmp

Finished




"little" - 07-02-14 17:54:13 Service Pack 2
ComboFix 07-02-11 - Running from: "K:\Documents and Settings\little\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


K:\Program Files\winupdates


((((((((((((((((((((((((((((((( Files Created from 2007-01-14 to 2007-02-14 ))))))))))))))))))))))))))))))))))


2007-02-14 17:25 <DIR> d-------- K:\SDFix
2007-02-11 08:44 3,968 --a------ K:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-08 13:41 406,048 --a------ K:\WINDOWS\system32\XceedZip.dll
2007-02-08 07:48 <DIR> d-------- K:\Program Files\MSXML 4.0
2007-02-01 09:45 <DIR> d-------- K:\DOCUME~1\indra\Application Data\iolo
2007-02-01 01:36 696,320 --a------ K:\WINDOWS\system32\libeay32.dll
2007-02-01 01:36 436,328 --a------ K:\WINDOWS\system32\Incinerator.dll
2007-02-01 01:36 41,472 --a------ K:\WINDOWS\system32\iolobtdfg.exe
2007-02-01 01:36 25,264 --a------ K:\WINDOWS\system32\smrgdf.exe
2007-02-01 01:36 155,648 --a------ K:\WINDOWS\system32\ssleay32.dll
2007-02-01 01:35 <DIR> d-------- K:\Program Files\iolo
2007-02-01 01:31 <DIR> d-------- K:\DOCUME~1\little\Application Data\iolo
2007-02-01 01:31 <DIR> d-------- K:\DOCUME~1\ALLUSE~1\Application Data\iolo
2007-01-30 10:15 <DIR> d-------- K:\DOCUME~1\little\Application Data\Webshots
2007-01-23 19:15 <DIR> d-------- K:\DOCUME~1\indra\Application Data\Lavasoft
2007-01-23 19:01 <DIR> d-------- K:\DOCUME~1\little\Application Data\Lavasoft
2007-01-23 19:00 <DIR> d-------- K:\Program Files\Lavasoft
2007-01-22 02:15 <DIR> d-------- K:\DOCUME~1\ALLUSE~1\Application Data\Avg7
2007-01-22 00:38 512,096 --a------ K:\WINDOWS\system32\drivers\amon.sys
2007-01-22 00:38 299,392 --a------ K:\WINDOWS\system32\imon.dll
2007-01-22 00:38 15,424 --a------ K:\WINDOWS\system32\drivers\nod32drv.sys
2007-01-21 15:11 <DIR> d-------- K:\DOCUME~1\indra\Application Data\AVG7
2007-01-21 12:14 <DIR> dr-h----- K:\$VAULT$.AVG
2007-01-21 11:24 <DIR> d-------- K:\Program Files\Grisoft


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-13 17:12 96256 --a------ K:\WINDOWS\system32\drivers\sptd2509.sys
2007-02-08 12:55 -------- d-------- K:\Program Files\mcafee.com
2007-02-02 19:38 -------- d-------- K:\Program Files\online services
2007-01-30 10:15 -------- d--h----- K:\Program Files\installshield installation information
2007-01-30 10:15 -------- d-------- K:\Program Files\cyberlink
2007-01-09 23:47 76560 --a------ K:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-04 08:44 -------- d---s---- K:\DOCUME~1\little\Application Data\microsoft
2006-12-21 21:31 0 --a------ K:\WINDOWS\powerreg.dat
2006-12-21 21:04 287 --a------ K:\WINDOWS\ereg072.dat
2006-12-21 16:49 73 --a--c--- K:\WINDOWS\system32\ssprs.dll
2006-12-19 09:43 -------- d-------- K:\Program Files\dap
2006-12-07 10:59 2374472 --a------ K:\WINDOWS\system32\wmvcore.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="K:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"K:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
"updateMgr"="K:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_0 -reboot 1"
"msnmsgr"="\"K:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Logitech Utility"="Logi_MwX.Exe"
"IgfxTray"="K:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="K:\\WINDOWS\\System32\\hkcmd.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"RTHDCPL"="RTHDCPL.EXE"
"SMSERIAL"="sm56hlpr.exe"
"nod32kui"="\"K:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"!AVG Anti-Spyware"="\"K:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Win32 Network Driver"="crss.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Registry Server"="regsrv32.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"Win32 Network Driver"="crss.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runservices]
"Registry Server"="regsrv32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"F:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033 -noicon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="???
?"
"hkey"="HKCU"
"command"="???
?"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft IIS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="syshost"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="???
?"
"hkey"="HKCU"
"command"="???
?"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SMSystemAnalyzer"
"hkey"="HKLM"
"command"="\"K:\\Program Files\\iolo\\System Mechanic 7\\SMSystemAnalyzer.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -u"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -u"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"seclogon"=dword:00000002
"SCardSvr"=dword:00000003
"RSVP"=dword:00000003
"RemoteRegistry"=dword:00000002
"RDSessMgr"=dword:00000003
"Netlogon"=dword:00000003
"MSDTC"=dword:00000003
"mnmsrvc"=dword:00000003
"LmHosts"=dword:00000002
"FastUserSwitchingCompatibility"=dword:00000003
"cisvc"=dword:00000003
"Browser"=dword:00000003
"WZCSVC"=dword:00000002
"TlntSvr"=dword:00000003
"SSDPSRV"=dword:00000003
"helpsvc"=dword:00000002
"McAfee AntiSpyware Service"=dword:00000002
"Tally License Server"=dword:00000002


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Registry Server"="regsrv32.exe"
"Win32 Network Driver"="crss.exe"
"Security Antivirus Xp 1"="inetfor.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Registry Server"="regsrv32.exe"
"Win32 Network Driver"="crss.exe"
"Security Antivirus Xp 1"="inetfor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoResolveSearch"=dword:00000001

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-14 17:57:42





Regards,
Anish.

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:31 PM

Posted 14 February 2007 - 09:42 AM

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Go here:
http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
K:\WINDOWS\system32\ssprs.dll
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html
Using the 'Browse' button, browse to:
K:\WINDOWS\system32\ssprs.dll
Then click on 'Send'.
Post the results into your next reply.

#7 Anish_kol

Anish_kol
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 14 February 2007 - 02:53 PM

Hi Richie,
Here are the results:

Antivirus Version Update Result
AntiVir 7.3.1.37 02.14.2007 no virus found
Authentium 4.93.8 02.14.2007 no virus found
Avast 4.7.936.0 02.14.2007 no virus found
AVG 386 02.14.2007 no virus found
BitDefender 7.2 02.14.2007 no virus found
CAT-QuickHeal 9.00 02.14.2007 no virus found
ClamAV devel-20060426 02.14.2007 no virus found
DrWeb 4.33 02.14.2007 no virus found
eSafe 7.0.14.0 02.14.2007 no virus found
eTrust-Vet 30.4.3397 02.14.2007 no virus found
Ewido 4.0 02.14.2007 no virus found
Fortinet 2.85.0.0 02.14.2007 no virus found
F-Prot 4.2.1.29 02.14.2007 no virus found
F-Secure 6.70.13030.0 02.14.2007 no virus found
Ikarus T3.1.0.31 02.14.2007 no virus found
Kaspersky 4.0.2.24 02.14.2007 no virus found
McAfee 4963 02.14.2007 no virus found
Microsoft 1.2204 02.14.2007 no virus found
NOD32v2 2061 02.14.2007 no virus found
Norman 5.80.02 02.14.2007 no virus found
Panda 9.0.0.4 02.14.2007 no virus found
Prevx1 V2 02.14.2007 no virus found
Sophos 4.14.0 02.13.2007 no virus found
Sunbelt 2.2.907.0 02.09.2007 no virus found
Symantec 10 02.14.2007 no virus found
TheHacker 6.1.6.057 02.14.2007 no virus found
UNA 1.83 02.14.2007 no virus found
VBA32 3.11.2 02.13.2007 no virus found
VirusBuster 4.3.19:9 02.14.2007 no virus found


Aditional Information
File size: 73 bytes
MD5: a2d43d3a0c116e2cb9906ecb059d86a7
SHA1: a587fe4219b57c67ac8198fba6d0c588aa9d929a

VirusTotal is a free service offered by Hispasec Sistemas

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:31 PM

Posted 14 February 2007 - 04:00 PM

You are using Download Accelerator Plus - DAP.
Be informed that it delivers popup/popunder ads, and tracks your internet usage.
You can find safer alternatives here: SpywareInfo: Software Recommendations:
http://www.spywareinfo.com/downloads.php?cat=dlman#dlman
I strongly suggest you remove this program.
If you agree, go to Start > Control Panel > Add/Remove Programs and remove 'Download Accelerator Plus' if present, then reboot.

***************************

Backup the registry.
Click on Start > Run, type regedit, then press Enter.
Click on 'File' at the top, then 'Export'.
In the opening 'Export Registry File' box, place a check in 'ALL' at the bottom left.
In the 'File name:' space, type back.reg
Make sure 'Desktop' is selected in the left hand column.
Then press 'Save'.

Copy and paste the following bold blue text below into Notepad.
Click on File (in the menu at the top) > Save as... Save as Type: 'All Files', File name: fix.reg, and save it to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.
==============================================
REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Win32 Network Driver"=-
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"Win32 Network Driver"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Registry Server"=-
"Win32 Network Driver"=-
"Security Antivirus Xp 1"=-
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Registry Server"=-
"Win32 Network Driver"=-
"Security Antivirus Xp 1"=-

==============================================

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Reboot your computer into "SAFE MODE" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Find and delete if present:
C:\WINDOWS\System32\inetfor.exe
C:\WINDOWS\system32\crss.exe
K:\Program Files\dap

Reboot normally, post a new HijackThis log into your next reply.
Let me know how your pc is running now please.
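A small triage script, added here as an example and not part of this thread or of any tool mentioned in it, that ties together the ComboFix "Reg Loading Points" section posted above and the REGEDIT4 fix in post #8. It parses both (they share the .reg key/value syntax), flags autostart values whose program name is one edit away from a Windows system binary (crss.exe against csrss.exe, regsrv32.exe against regsvr32.exe) or is a bare filename that Windows has to resolve through the search path, and then reports which of the flagged values the fix file actually deletes. The two excerpts are constructed from the posted log and fix and trimmed to the `.default` hive; the list of system binary names to compare against is my own assumption, not something the thread states.

```python
import re

# Constructed excerpt of the ComboFix "Reg Loading Points" section posted in
# this thread (only the entries the example needs; the .reg-style format is kept).
SAMPLE_REPORT = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="K:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"K:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Win32 Network Driver"="crss.exe"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Registry Server"="regsrv32.exe"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Registry Server"="regsrv32.exe"
"Win32 Network Driver"="crss.exe"
"Security Antivirus Xp 1"="inetfor.exe"
"""

# The REGEDIT4 fix from post #8, trimmed to the same hive (constructed excerpt).
SAMPLE_FIX = r"""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Win32 Network Driver"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Registry Server"=-
"Win32 Network Driver"=-
"Security Antivirus Xp 1"=-
"""

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')            # [key] or [-key] (delete whole key)
VALUE_RE = re.compile(r'^"([^"]+)"=(-|"(.*)")$')  # "name"="data" or "name"=- (delete value)

def parse_reg(text):
    """Yield (key, name, data); name is None for [-key], data is None for "name"=-."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        k, v = KEY_RE.match(line), VALUE_RE.match(line)
        if k:
            key = k.group(2).lower()
            if k.group(1) == "-":
                yield key, None, None
        elif v and key:
            # .reg data escapes backslashes and quotes with a backslash; undo that
            data = None if v.group(2) == "-" else re.sub(r"\\(.)", r"\1", v.group(3))
            yield key, v.group(1), data

def exe_name(command):
    """Lower-case basename of the program in a Run value, and whether a directory was given."""
    m = re.match(r'"([^"]*)"|(\S*)', command.strip())
    exe = m.group(1) if m.group(1) is not None else m.group(2)
    return exe.rsplit("\\", 1)[-1].lower(), "\\" in exe

def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1): d[i][0] = i
    for j in range(len(b) + 1): d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

# Windows XP system binaries whose names malware commonly imitates (assumed list, extension dropped).
SYSTEM_STEMS = ("csrss", "smss", "lsass", "svchost", "winlogon", "services",
                "explorer", "regsvr32", "rundll32", "spoolsv")

def triage(report):
    """Flag values whose program is one edit from a system binary name or has no path."""
    findings = []
    for key, name, data in parse_reg(report):
        if data is None:
            continue
        base, qualified = exe_name(data)
        stem = base.rsplit(".", 1)[0]
        if stem not in SYSTEM_STEMS:
            for legit in SYSTEM_STEMS:
                if osa_distance(stem, legit) == 1:
                    findings.append((key, name, base, f"lookalike of {legit}.exe"))
                    break
        if not qualified:
            findings.append((key, name, base, "bare filename, resolved via search path"))
    return findings

def fix_coverage(report, fix):
    """Return (covered, uncovered, extra): flagged (key, name) pairs the fix deletes, misses, or deletes beyond."""
    flagged = {(k, n) for k, n, _, _ in triage(report)}
    deleted_keys, deleted_values = set(), set()
    for key, name, data in parse_reg(fix):
        if name is None:
            deleted_keys.add(key)
        elif data is None:
            deleted_values.add((key, name))
    covered = {f for f in flagged if f[0] in deleted_keys or f in deleted_values}
    return covered, flagged - covered, deleted_values - flagged

if __name__ == "__main__":
    for key, name, base, reason in triage(SAMPLE_REPORT):
        print(f"{reason:40} {base:14} {key}\\{name}")
    covered, uncovered, _ = fix_coverage(SAMPLE_REPORT, SAMPLE_FIX)
    print(f"fix deletes {len(covered)} flagged value(s); missed: {sorted(uncovered)}")
```

Run against these excerpts, it flags crss.exe and regsrv32.exe as lookalikes, reports the four Run/RunOnce values as deleted by the fix, and lists the "Registry Server" value under the RunServices key as not covered; the posted log carries the same RunServices entries in both the .default and S-1-5-18 hives, and the posted fix touches neither. The bare-filename check is advisory only: legitimate vendor entries in the same log (Logi_MwX.Exe, RTHDCPL.EXE) are also written without a path, so that finding tells the analyst where to look, not what to delete.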

#9 Anish_kol

Anish_kol
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 15 February 2007 - 02:16 PM

Hi Richie,
Thanks again for trying to help me out..Well...I did all the above that you had mentioned... The broadband continues to disconnect as usual.
Just that when I tried to delete crss.exe....It gave a message of Access denied.
Also, when I tried to scan using HijackThis... I got an error... but the scan was completed... and the following report generated:

Logfile of HijackThis v1.99.1
Scan saved at 12:11:40 AM, on 2/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
K:\WINDOWS\System32\smss.exe
K:\WINDOWS\system32\winlogon.exe
K:\WINDOWS\system32\services.exe
K:\WINDOWS\system32\lsass.exe
K:\WINDOWS\system32\svchost.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\system32\spoolsv.exe
K:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
K:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
K:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
K:\Program Files\Eset\nod32krn.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\Explorer.EXE
K:\WINDOWS\system32\wscntfy.exe
K:\WINDOWS\system32\WgaTray.exe
K:\WINDOWS\system32\wuauclt.exe
K:\Program Files\Logitech\MouseWare\system\em_exec.exe
K:\WINDOWS\System32\hkcmd.exe
K:\Program Files\Eset\nod32kui.exe
K:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
K:\WINDOWS\system32\ctfmon.exe
K:\Program Files\MSN Messenger\msnmsgr.exe
K:\Documents and Settings\little\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://in.rediff.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.rediff.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.rediff.com/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.rediff.com/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - K:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - K:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - K:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - K:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - K:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - K:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IgfxTray] K:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] K:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [nod32kui] "K:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "K:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] K:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "K:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] K:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0 -reboot 1
O4 - HKCU\..\Run: [msnmsgr] "K:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Download with &DAP - K:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://K:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - K:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - K:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - K:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - K:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - K:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - K:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - K:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - K:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BADA82CB-BF48-4D76-9611-78E2C6F49F03} (BolDownloader Control) - http://messenger.rediff.com/newbol/Bol.CAB
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by21fd.bay21.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "K:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - K:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - K:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - K:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - K:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - K:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - K:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - K:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - K:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - K:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - K:\Program Files\Eset\nod32krn.exe
O23 - Service: NT Online Protection - Unknown owner - F:\PROGRA~1\ONLNSVC.EXE (file missing)
O23 - Service: Office Source Engine (ose) - Unknown owner - K:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - K:\WINDOWS\System32\HPZipm12.exe

Edited by Anish_kol, 15 February 2007 - 02:51 PM.


#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:31 PM

Posted 15 February 2007 - 04:44 PM

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\crss.exe
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\crss.exe
Then click on 'Send'.
Post the results into your next reply.

#11 Anish_kol

Anish_kol
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 16 February 2007 - 01:25 AM

Hi richie,
My computer had csrss.exe rather than crss.exe.
Here is the result of the scan.

STATUS: FINISHED
Complete scanning result of "csrss.exe", received in VirusTotal at 02.16.2007, 07:16:04 (CET).

Antivirus Version Update Result
AntiVir 7.3.1.37 02.15.2007 no virus found
Authentium 4.93.8 02.15.2007 no virus found
Avast 4.7.936.0 02.15.2007 no virus found
AVG 386 02.15.2007 no virus found
BitDefender 7.2 02.16.2007 no virus found
CAT-QuickHeal 9.00 02.15.2007 no virus found
ClamAV devel-20060426 02.16.2007 no virus found
DrWeb 4.33 02.15.2007 no virus found
eSafe 7.0.14.0 02.15.2007 no virus found
eTrust-Vet 30.4.3400 02.15.2007 no virus found
Ewido 4.0 02.14.2007 no virus found
Fortinet 2.85.0.0 02.16.2007 no virus found
F-Prot 4.2.1.29 02.15.2007 no virus found
F-Secure 6.70.13030.0 02.16.2007 no virus found
Ikarus T3.1.0.31 02.16.2007 no virus found
Kaspersky 4.0.2.24 02.16.2007 no virus found
McAfee 4964 02.15.2007 no virus found
Microsoft 1.2204 02.16.2007 no virus found
NOD32v2 2064 02.15.2007 no virus found
Norman 5.80.02 02.15.2007 no virus found
Panda 9.0.0.4 02.15.2007 no virus found
Prevx1 V2 02.16.2007 no virus found
Sophos 4.14.0 02.13.2007 no virus found
Sunbelt 2.2.907.0 02.15.2007 no virus found
Symantec 10 02.16.2007 no virus found
TheHacker 6.1.6.059 02.16.2007 no virus found
UNA 1.83 02.14.2007 no virus found
VBA32 3.11.2 02.16.2007 no virus found
VirusBuster 4.3.19:9 02.15.2007 no virus found


Aditional Information
File size: 6144 bytes
MD5: f12b178b1678d778cfd3ff1fc38c71fb
SHA1: d9aa29288951e94773caa1054237d29734e79f34

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

Edited by Anish_kol, 16 February 2007 - 01:29 AM.


#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:31 PM

Posted 16 February 2007 - 07:11 AM

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.zip
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
C:\WINDOWS\system32\crss.exe
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot, select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

******************************

Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols3.shtml
Follow the directions in the F-Secure page for proper Installation.
Accept the License Agreement.
Once the ActiveX installs, click ‘Custom Scan’ and be sure the following are checked:
1.Scan whole System
2.Scan all files
3.Scan whole system for rootkits
4.Scan whole system for spyware
5.Scan inside archives
6.Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found, select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button, then copy and paste the entire report into your next reply.

#13 Anish_kol

Anish_kol
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 17 February 2007 - 11:51 PM

Hey Richie,
There was no crss.exe file...So killbox could not delete anything. I had mistaken csrss.exe to be the other file.
Also, it is almost impossible for me to download the online virus scanner, because my broadband internet keeps disconnecting and reconnecting every time I try to download. It's really frustrating.

Though I will keep trying to do it. Lemme know if there is anything else I can try.

Thanks,
Anish.

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:02:31 PM

Posted 18 February 2007 - 05:00 AM

Download and run Winsock XP Fix:
http://www.snapfiles.com/get/winsockxpfix.html

***********************

Download and scan with the free 15 day trial of Counterspy
Once installed launch Counterspy.
Click on 'Spyware Scan', then click 'Updates' at the top right.
Once any available updates have been installed, click the 'Scan Now' button.
Save the report when it's finished:
1. Once Counterspy has done scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and paste those details into a Word/Text document, then save it to your desktop.

Reboot, post the Counterspy report and a new HijackThis log into your next reply please.

#15 Anish_kol

Anish_kol
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:01 PM

Posted 19 February 2007 - 01:36 PM

Hey Richie,
I had run the winsock program. It is impossible for me to download the other huge program due to my broadband constantly disconnecting on download. Sorry.. :thumbsup:

Anish.



