
Clean VBS Solow Virus From Windows Registry And Fix The Registry As It Was Before Infection


6 replies to this topic

#1 Jarakal (Members, 8 posts)

Posted 11 April 2007 - 04:05 AM

Logfile of HijackThis v1.99.1
Scan saved at 3:55:55 PM, on 4/11/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\WINNT\system32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\System32\mnmsrvc.exe
C:\notes7\ntmulti.exe
C:\ODI\Ostore\bin\oscmgr6.exe
C:\ODI\Ostore\bin\osserver.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINNT\System32\locator.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\DWRCST.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINNT\system32\igfxpers.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\winnt\myip.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\System32\WScript.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jucheck.exe
C:\WINNT\system32\internat.exe
C:\WINNT\System32\svchost.exe
D:\My Documents\Yak\Yak.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\notes7\NLNOTES.EXE
C:\notes7\ntaskldr.EXE
C:\notes7\nxpcdmn.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Microsoft Office\Office\POWERPNT.EXE
D:\My Documents\Software\dictionary\dict.exe
C:\orant\DISCVR31\DIS31USR.EXE
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
D:\Flash_Disinfector.exe
C:\WINNT\system32\notepad.exe
D:\Flash_Disinfector.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Zay
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.68.8.62:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.68.*.*;10.96.*.*;finance.ypfint.jkt;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: VS_IEHlprObj Class - {829CAB51-A4EA-4a15-87B6-4B7D0747939C} - C:\Program Files\Network Associates\VirusScan\bho.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [MyIp] c:\winnt\myip.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Yak!] D:\My Documents\Yak\Yak.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=about:blank
O16 - DPF: BI Designer Content Transfer Applets - http://jktkm01/wdk/wdk/contentXfer/DwContentXfer35FS2.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124088226061
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124088112577
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = IND.ROOT
O17 - HKLM\System\CCS\Services\Tcpip\..\{1133BB1D-2635-4543-9DB4-828CF821A2C3}: Domain = ind.root
O17 - HKLM\System\CCS\Services\Tcpip\..\{1133BB1D-2635-4543-9DB4-828CF821A2C3}: NameServer = 10.68.32.5,10.68.8.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = IND.ROOT
O17 - HKLM\System\CS1\Services\Tcpip\..\{1133BB1D-2635-4543-9DB4-828CF821A2C3}: Domain = ind.root
O17 - HKLM\System\CS1\Services\Tcpip\..\{1133BB1D-2635-4543-9DB4-828CF821A2C3}: NameServer = 10.68.32.5,10.68.8.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = IND.ROOT
O17 - HKLM\System\CS2\Services\Tcpip\..\{1133BB1D-2635-4543-9DB4-828CF821A2C3}: Domain = ind.root
O17 - HKLM\System\CS2\Services\Tcpip\..\{1133BB1D-2635-4543-9DB4-828CF821A2C3}: NameServer = 10.68.32.5,10.68.8.2
O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINNT\system32\textwareilluminatorbaseProtocol.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Insight Web Agent (cpqWebDmi) - Hewlett-Packard Company - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\system32\DWRCS.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\notes7\ntmulti.exe
O23 - Service: ObjectStore Cache Manager R6.0 - eXcelon Corp. - C:\ODI\Ostore\bin\oscmgr6.exe
O23 - Service: ObjectStore Server R6.0 - eXcelon Corp. - C:\ODI\Ostore\bin\osserver.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe



#2 Falu (Security Colleague, 3,001 posts, The Netherlands)

Posted 16 April 2007 - 03:52 PM

Hi Jarakal, :flowers:

If you still need help please post a fresh HijackThis log and I'll be happy to look at it for you.

Thanks for your patience. :thumbsup:

#3 Jarakal (Topic Starter, Members, 8 posts)

Posted 16 April 2007 - 08:48 PM

OK, thanks for your help.

Logfile of HijackThis v1.99.1
Scan saved at 8:43:58 AM, on 4/17/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\WINNT\system32\DWRCS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\System32\mnmsrvc.exe
C:\notes7\ntmulti.exe
C:\ODI\Ostore\bin\oscmgr6.exe
C:\ODI\Ostore\bin\osserver.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINNT\System32\locator.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\DWRCST.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINNT\system32\igfxpers.exe
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\winnt\myip.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
D:\My Documents\Yak\Yak.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\notes7\NLNOTES.EXE
C:\notes7\ntaskldr.EXE
C:\notes7\nxpcdmn.EXE
C:\orant\DISCVR31\DIS31USR.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\FlashDisinfector.exe
C:\WINNT\system32\notepad.exe
D:\FlashDisinfector.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Microsoft Office\Office\POWERPNT.EXE
D:\My Documents\Software\dictionary\dict.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Zay
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.68.8.62:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.68.*.*;10.96.*.*;finance.ypfint.jkt;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: VS_IEHlprObj Class - {829CAB51-A4EA-4a15-87B6-4B7D0747939C} - C:\Program Files\Network Associates\VirusScan\bho.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Persistence] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [MyIp] c:\winnt\myip.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Yak!] D:\My Documents\Yak\Yak.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=about:blank
O16 - DPF: BI Designer Content Transfer Applets - http://jktkm01/wdk/wdk/contentXfer/DwContentXfer35FS2.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124088226061
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124088112577
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = IND.ROOT
O17 - HKLM\System\CCS\Services\Tcpip\..\{1133BB1D-2635-4543-9DB4-828CF821A2C3}: Domain = ind.root
O17 - HKLM\System\CCS\Services\Tcpip\..\{1133BB1D-2635-4543-9DB4-828CF821A2C3}: NameServer = 10.68.32.5,10.68.8.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = IND.ROOT
O17 - HKLM\System\CS1\Services\Tcpip\..\{1133BB1D-2635-4543-9DB4-828CF821A2C3}: Domain = ind.root
O17 - HKLM\System\CS1\Services\Tcpip\..\{1133BB1D-2635-4543-9DB4-828CF821A2C3}: NameServer = 10.68.32.5,10.68.8.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = IND.ROOT
O17 - HKLM\System\CS2\Services\Tcpip\..\{1133BB1D-2635-4543-9DB4-828CF821A2C3}: Domain = ind.root
O17 - HKLM\System\CS2\Services\Tcpip\..\{1133BB1D-2635-4543-9DB4-828CF821A2C3}: NameServer = 10.68.32.5,10.68.8.2
O18 - Protocol: textwareilluminatorbase - {CE5CD329-1650-414A-8DB0-4CBF72FAED87} - C:\WINNT\system32\textwareilluminatorbaseProtocol.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxdev.dll
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Insight Web Agent (cpqWebDmi) - Hewlett-Packard Company - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\system32\DWRCS.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\notes7\ntmulti.exe
O23 - Service: ObjectStore Cache Manager R6.0 - eXcelon Corp. - C:\ODI\Ostore\bin\oscmgr6.exe
O23 - Service: ObjectStore Server R6.0 - eXcelon Corp. - C:\ODI\Ostore\bin\osserver.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

#4 Falu (Security Colleague, 3,001 posts, The Netherlands)

Posted 19 April 2007 - 09:49 AM

Hi Jarakal, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

1. Run HijackThis, click Scan and checkmark the following entry:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Zay

These lines indicate that you have another means of accessing and setting Internet Options and that your registry editor has been disabled. Did you or a system admin set these restrictions? If not fix these also:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

2. Download Deckard's System Scanner and save it to your Desktop.

* Double click dss.exe and follow the prompts.
* When finished, it will produce a log for you.
* Post the contents of that log in your next reply.
* Using Windows Explorer (to get there right-click your Start button and go to "Explore"), navigate to the C:\Deckard\System Scanner folder. You will find two logs in the folder, main.txt and extra.txt.
* Open the main.txt log in Notepad
* Also Copy and Paste its contents in a reply.

3. You're using an outdated version of Java (latest one is Java Runtime Environment (JRE) 6u1). Older versions have vulnerabilities that malware can use to infect your system. Please update and remove the older versions. Do the following:
  • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
  • Search in the list for all previously installed versions of Java (J2SE Runtime Environment...).

    It should have this icon next to it: [image]
    Select it and click Remove.
  • Then Download and install the newest version from here:

    Java Runtime Environment (JRE) 6u1
Please reboot and post the Deckard's System Scanner report.
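The three entries above (the R1 "Window Title" line, the O6 Control Panel policy key and the O7 DisableRegedit value) are the pattern an analyst looks for in a HijackThis log when the browser has been "tagged" and the registry editor locked. The script below is an added example written for this thread; it is not HijackThis, Deckard's System Scanner or BleepingComputer code. It parses the R1/O6/O7 lines of a HijackThis v1.99.1 log, flags those three conditions (plus a proxy pointing outside private address space, which the poster's 10.68.8.62 proxy does not), and builds the reg.exe commands that would revert each one. The commands are only returned as strings, never run. Two assumptions are labelled in the code: that the value HijackThis prints as "DisableRegedit" is the DisableRegistryTools policy value under Policies\System, and that reg.exe is available (it is built into Windows XP and later; on Windows 2000 it comes with the Support Tools rather than the base install). reg.exe is useful here precisely because the DisableRegistryTools policy blocks regedit.exe, so a .reg file cannot be imported until the policy is cleared. The sample log embedded in the script is constructed, cut down from the logs posted above.

```python
"""Triage a HijackThis log for the IE-title hijack and policy lock-out seen in this thread.

Added example; not HijackThis, Deckard's System Scanner or BleepingComputer code.
Parses the R1 / O6 / O7 lines of a HijackThis v1.99.1 log, flags the entries the helper
told the poster to fix, and builds reg.exe commands that revert them. The commands are
only returned as strings; review them, then run them from an Administrator prompt.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample, cut down from the logs posted in the thread (same line format).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\WScript.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Zay
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.68.8.62:80
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""


@dataclass
class Finding:
    section: str  # HijackThis section code: R1, O6 or O7
    key: str      # registry key the log line refers to
    reason: str   # why it is flagged
    fix: str      # reg.exe command that reverts it (returned, never executed)


# R1 - <key>,<value name> = <data>
R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
# O6 - <policy key> present
O6_RE = re.compile(r"^O6 - (?P<key>.+?) present$")
# O7 - <policy key>, <value name>=<data>
O7_RE = re.compile(r"^O7 - (?P<key>[^,]+), (?P<name>\w+)=(?P<data>\S+)$")

# A proxy inside RFC 1918 space is normal on a corporate LAN (the poster's is 10.68.8.62);
# only a proxy outside it is worth a second look.
PRIVATE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")

# Assumption: the value HijackThis prints as "DisableRegedit" is the DisableRegistryTools
# policy value under Policies\System. Confirm with `reg query` before deleting.
REGEDIT_POLICY_VALUE = "DisableRegistryTools"

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def triage(log_text: str) -> list[Finding]:
    """Return the R1/O6/O7 entries matching the hijack pattern, each with a revert command."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := R1_RE.match(line):
            key, name, data = m["key"], m["name"].strip(), m["data"].strip()
            if name == "Window Title":
                # IE has no custom title by default; a worm branding the browser sets one.
                findings.append(Finding("R1", key, f"IE window title set to {data!r}",
                                        f'reg delete "{key}" /v "{name}" /f'))
            elif name == "ProxyServer" and not PRIVATE_RE.match(data):
                findings.append(Finding("R1", key, f"proxy points outside private space: {data}",
                                        f'reg delete "{key}" /v ProxyServer /f'))
        elif m := O6_RE.match(line):
            # The key's presence alone restricts Internet Options; removing it lifts that.
            findings.append(Finding("O6", m["key"], "Internet Options restricted by policy key",
                                    f'reg delete "{m["key"]}" /f'))
        elif (m := O7_RE.match(line)) and m["name"] == "DisableRegedit" and m["data"] == "1":
            findings.append(Finding("O7", m["key"], "Registry Editor disabled by policy",
                                    f'reg delete "{m["key"]}" /v {REGEDIT_POLICY_VALUE} /f'))
    return findings


def running_script_hosts(log_text: str) -> list[str]:
    """Windows Script Host processes listed under 'Running processes:'.

    A VBS worm needs wscript.exe or cscript.exe to execute; the poster's first log shows
    WScript.exe live, the second does not. A hit is a lead to chase, not proof on its own.
    """
    hits: list[str] = []
    in_block = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_block = True
        elif in_block and not line:
            break  # the block ends at the first blank line
        elif in_block and PureWindowsPath(line).name.lower() in SCRIPT_HOSTS:
            hits.append(line)
    return hits


if __name__ == "__main__":
    for host in running_script_hosts(SAMPLE_LOG):
        print(f"script host running: {host}")
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.fix}")
```

Run it as-is to see the three findings from the constructed sample; to triage a real log, replace SAMPLE_LOG with the file's contents. The printed reg.exe lines are meant to be read and compared against what HijackThis would fix, not pasted blindly: a corporate policy key can look identical to a worm's, which is why the helper asked whether an administrator set those restrictions before telling the poster to remove them.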

#5 Jarakal (Topic Starter, Members, 8 posts)

Posted 24 April 2007 - 12:57 AM

Dear Falu,
I already downloaded Deckard's System Scanner and ran it, but the scanning process couldn't be finished even though it ran for a whole day. It stopped when Deckard created the log file, which means I don't have a log file that can be posted. Any suggestions?

#6 Falu (Security Colleague, 3,001 posts, The Netherlands)

Posted 24 April 2007 - 05:40 AM

Hi Jarakal, :thumbsup:

I already downloaded Deckard's System Scanner and ran it, but the scanning process couldn't be finished even though it ran for a whole day. It stopped when Deckard created the log file, which means I don't have a log file that can be posted. Any suggestions?


I am not sure I understand what you want to say:

1. You clicked the link I provided to download Deckard's System Scanner?
2. When you double clicked the dss.exe on your desktop did you see a small screen telling you what the program was doing and a bar showing how much the program already did (in a percentage)?
3. When finished you saw the main.txt file on your screen?
4. Was there an error message?

I suggest you rightclick the dss.exe and choose Delete. Then try again:

Download Deckard's System Scanner and save it to your Desktop.

* Double click dss.exe and follow the prompts.
* When finished, it will produce a log for you.
* Post the contents of that log in your next reply.
* Using Windows Explorer (to get there right-click your Start button and go to "Explore"), navigate to the C:\Deckard\System Scanner folder. You will find two logs in the folder, main.txt and extra.txt.
* Open the main.txt log in Notepad
* Also Copy and Paste its contents in a reply.

If it works continue with the other instructions.

#7 Jarakal (Topic Starter, Members, 8 posts)

Posted 24 April 2007 - 11:15 PM

1. You clicked the link I provided to download Deckard's System Scanner?
Yes, I have downloaded the software.
2. When you double clicked the dss.exe on your desktop did you see a small screen telling you what the program was doing and a bar showing how much the program already did (in a percentage)?
Yes, there is a progress bar showing the scanning progress, but at 62% (when the log file was created) the program did not show any further progress (as if not responding).
3. When finished you saw the main.txt file on your screen?
That's the problem: the program didn't finish even though it ran for a day, so no txt file was created.
4. Was there an error message?
No error message when it stopped, but when the program created the log file there was an error message: "syntax error or path not specified".
This message usually appears when Windows starts (followed by a Notepad window).

I think the worm blocked the program from creating the log file.
I will try to redo the procedure with a newly downloaded copy of the program.



