
Infected With Trojan.cinmeng And Possibly Other Malwares

This topic is locked. 21 replies to this topic.

#1 Rebel66 (Members, 13 posts)

Posted 30 April 2007 - 06:28 AM

Hi! I'm facing this problem on my PC. About a month ago, I got infected by Trojan.Cinmeng. Although according to Symantec.com the risk level is very low, somehow it brought my browser to multiple Chinese sites where I was infected with many kinds of malware. At one time it opened up 15 pop-up windows even though I'm using the latest Explorer, which blocks pop-ups. My PC started to slow down to a super crawling speed and even the smallest program like HijackThis couldn't start up, citing "insufficient resources".

I have followed all the instructions on your Preparation Guide but somehow just can't get rid of 2 BHOs that are found on my PC, and possibly other malware.

I'm running Windows XP Home Edition with Service Pack 2. I have installed all the critical updates. I updated and ran Ad-Aware and Spybot Search & Destroy. My anti-virus program, AVG 7.5, is updated but didn't find anything. Below is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:31:33 AM, on 4/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\lfrmewrk.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\system32\BtUsrBdg.exe
C:\WINDOWS\system32\BTSetBootKey.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Extended Systems\XTNDConnect Blue Manager\btprot.exe
C:\Documents and Settings\Man\Desktop\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.friendster.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: CPPIE Class - {C6844939-C324-41E0-84D0-D42F8DA5EBAD} - C:\WINDOWS\system32\hbcmd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [WinPatrol] C:\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX510] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE /P24 "EPSON Stylus Photo RX510" /O6 "USB001" /M "Stylus Photo RX510"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Man\Desktop\HijackThis.exe /startupscan
O4 - Global Startup: NaturalColorLoad.lnk = ?
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Man\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: WebControlDeploy - https://grouper.com/v1/GrouperSetup.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168680948531
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - http://images.hi5.com/cab/wabctrl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: CLB - AVlFILE.DLL (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: NetCheck - {F5B7DDBE-5f02-4244-96DB-386DFA24496B} - (no file)
O23 - Service: 6A1CD792 - Unknown owner - C:\WINDOWS\system32\6A1CD792.EXE (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Cryptographic Server (CryptographicServer) - Unknown owner - C:\WINDOWS\system32\mshtmlsed.exe (file missing)
O23 - Service: error monitor (EmonSrv) - Unknown owner - C:\WINDOWS\system32\lfrmewrk.exe
O23 - Service: IEAgent service (IEAgent) - Unknown owner - C:\WINDOWS\system32\ieagent.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
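
The log above is the kind a helper reads by hand for loading points that should not be there: a BHO sitting in system32 or in a shared data directory instead of Program Files, Winlogon Notify and SSODL entries whose file no longer exists, and O23 services with no publisher and a random-looking binary name. As an added example, not part of the original post and not a HijackThis feature, the Python below applies exactly those heuristics to lines copied from the log above and turns the flagged O23 entries into the SC STOP / SC DELETE pairs that appear later in the thread. The heuristics, the severity of each, and every function name are my own assumptions; the flagged services in this first log are the ones ComboFix later lists under Drivers/Services plus the 6A1CD792 leftover that is removed with sc.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: lines copied from the HijackThis log in the post above,
# plus three known-good lines (ZoneAlarm, WgaLogon, vsmon) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: CPPIE Class - {C6844939-C324-41E0-84D0-D42F8DA5EBAD} - C:\WINDOWS\system32\hbcmd.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: CLB - AVlFILE.DLL (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: NetCheck - {F5B7DDBE-5f02-4244-96DB-386DFA24496B} - (no file)
O23 - Service: 6A1CD792 - Unknown owner - C:\WINDOWS\system32\6A1CD792.EXE (file missing)
O23 - Service: Cryptographic Server (CryptographicServer) - Unknown owner - C:\WINDOWS\system32\mshtmlsed.exe (file missing)
O23 - Service: error monitor (EmonSrv) - Unknown owner - C:\WINDOWS\system32\lfrmewrk.exe
O23 - Service: IEAgent service (IEAgent) - Unknown owner - C:\WINDOWS\system32\ieagent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

# "R0 - ..." / "O23 - ..." section prefix, then the rest of the line.
LINE_RE = re.compile(r"^(?P<kind>R[0-3]|O\d+) - (?P<body>.*)$")
# O23 body: "Service: <display> (<short>) - <owner> - <path>"; the short name is optional.
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
# Binary named like 6A1CD792.EXE: eight hex digits, nothing else (assumed heuristic).
HEX_NAME_RE = re.compile(r"\\[0-9A-F]{8}\.EXE$", re.I)


@dataclass
class Finding:
    kind: str                       # HijackThis section, e.g. "O23"
    line: str                       # the original log line
    reasons: list = field(default_factory=list)
    service: Optional[str] = None   # short service name for O23 entries


def triage(log_text):
    """Return one Finding per log line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        f = Finding(kind=kind, line=raw.strip())
        if "(file missing)" in body or "(no file)" in body:
            f.reasons.append("loading point references a file that no longer exists")
        if kind == "O2" and "\\program files\\" not in body.lower():
            f.reasons.append("BHO loaded from outside Program Files")
        if kind == "O23":
            s = SERVICE_RE.match(body)
            if s:
                f.service = s.group("short") or s.group("display")
                path = s.group("path").replace("(file missing)", "").strip()
                if s.group("owner") == "Unknown owner":
                    f.reasons.append("service binary carries no publisher information")
                if HEX_NAME_RE.search(path):
                    f.reasons.append("service binary has a random-looking 8-hex-digit name")
        if f.reasons:
            findings.append(f)
    return findings


def suspicious_services(findings):
    """Short names of every flagged O23 service, in log order."""
    return [f.service for f in findings if f.kind == "O23" and f.service]


def sc_commands(findings):
    """The stop/delete pairs a helper would hand the user for each flagged service."""
    cmds = []
    for name in suspicious_services(findings):
        cmds.append(f"SC STOP {name}")
        cmds.append(f"SC DELETE {name}")
    return cmds


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f.kind, "|", f.line)
        for r in f.reasons:
            print("    -", r)
    print()
    print("\n".join(sc_commands(results)))
```

The "file missing" and "no file" checks are the cheapest signal in a HijackThis log: a loading point that survives after its payload was deleted by a scanner is harmless on its own, but it is the trace the helper uses to find the service or driver registration that still has to be removed by hand.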


#2 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 30 April 2007 - 06:59 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Rebel66 :thumbsup:

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "Safe Mode" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", click "OK" to start. This is a short scan that will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, click Options > Change settings.
* Choose the "Scan" tab and UNcheck "Heuristic analysis".
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen).
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured.)
* Next, in the Dr.Web CureIt menu on top, click File and choose "Save report list".
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web CureIt when done.
* Important! Reboot your computer, because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

*********************************

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.

#3 Rebel66 (Topic Starter)

Posted 02 May 2007 - 03:18 AM

Hi RichieUK. :thumbsup: Sorry for the delayed response. I was having trouble downloading DrWeb-CureIt. It seems like ZoneAlarm was blocking the FTP site and I couldn't figure out how to allow access to it.

Firstly, let me thank you for the warm welcome and the fast response to my problem. Really appreciate it! :flowers:

I'll post the contents of the log from DrWeb in my next reply.

#4 Rebel66 (Topic Starter)

Posted 02 May 2007 - 03:21 AM

This is the log from DrWeb-Cureit.

usb8028.sys;c:\windows\system32\drivers;Adware.Baidu;Incurable.Moved.;
usb8028x.sys;c:\windows\system32\drivers;Adware.Baidu;Incurable.Moved.;
ieagent.exe;c:\windows\system32;Adware.IEAgent;Incurable.Moved.;
cml13.tmp;C:\Documents and Settings\Man\Local Settings\Temp;Adware.Baidu;Incurable.Moved.;
cmlCB.tmp;C:\Documents and Settings\Man\Local Settings\Temp;Adware.Baidu;Incurable.Moved.;
usb8028x.sys;C:\Documents and Settings\Man\Local Settings\Temp;Adware.Baidu;Incurable.Moved.;
cdn.dll;C:\Documents and Settings\Man\Local Settings\Temp\29;Adware.Cdn;Incurable.Moved.;
idnconvs.dll;C:\Documents and Settings\Man\Local Settings\Temp\29;Adware.Cdn;Incurable.Moved.;
setup.exe;C:\Documents and Settings\Man\Local Settings\Temp\29;Adware.Cdn;Incurable.Moved.;
20287[1].exe;C:\Documents and Settings\Man\Local Settings\Temp\Temporary Internet Files\Content.IE5\DAOP4XOB;Adware.Newweb;Incurable.Moved.;
backup-20070411-171655-662.dll;C:\Downloaded Softwares\backups;Adware.Adx;Incurable.Moved.;
backup-20070411-171655-816.dll;C:\Downloaded Softwares\backups;Adware.Newweb;Incurable.Moved.;
mirc.exe;C:\mIRC;Program.mIRC.603;Incurable.Moved.;
woinstall.exe;C:\WINDOWS;Adware.Ezula;Incurable.Moved.;
1nf0.dll;C:\WINDOWS\SYSTEM32;Tool.Moo;Incurable.Moved.;
20287.exe;C:\WINDOWS\SYSTEM32;Adware.Newweb;Incurable.Moved.;
Anti.exe;C:\WINDOWS\SYSTEM32;BackDoor.IRC.based;Deleted.;
FP30PY.dll;C:\WINDOWS\SYSTEM32;Adware.Baidu;Incurable.Moved.;
ipcfg.exe;C:\WINDOWS\SYSTEM32;BackDoor.IRC.Critical;Deleted.;
player.dll;C:\WINDOWS\SYSTEM32;Adware.Baidu;Incurable.Moved.;
tcprnonui.dll;C:\WINDOWS\SYSTEM32;Adware.IEAgent;Incurable.Moved.;
winuog19.dll;C:\WINDOWS\SYSTEM32;Adware.Baidu;Moved.;
xahuog19.dll;C:\WINDOWS\SYSTEM32;Adware.Baidu;Moved.;
usb8028.sys;C:\WINDOWS\SYSTEM32\DRIVERS;Adware.Baidu;Incurable.Moved.;
usb8028x.sys;C:\WINDOWS\SYSTEM32\DRIVERS;Adware.Baidu;Moved.;
base.exe;C:\WINDOWS\Temp;Trojan.MulDrop.5851;Deleted.;
~my1.tmp;C:\WINDOWS\Temp;Trojan.Click.2107;Deleted.;
~my2.tmp;C:\WINDOWS\Temp;Trojan.Click.2107;Deleted.;

I'll post the log from Combofix in my next reply.
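
Dr.Web CureIt's report is a plain semicolon-separated file, one line per detection: file name, directory, detection name, action taken, and a trailing semicolon. As an added example (not part of the post and not Dr.Web's own code), the Python below parses that format from a subset of the lines above, ranks each entry by the family prefix of the detection name, and lists the high-severity files that were deleted outright rather than moved to the quarantine folder. The severity mapping is my own assumption; Dr.Web's Program.* class is its label for legitimate software reported as riskware, which is why mirc.exe lands in "info" rather than alongside the backdoors.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample: a subset of the Dr.Web CureIt report lines from the post
# above. Format per line: name;directory;detection;action; (trailing semicolon).
SAMPLE_REPORT = r"""
usb8028.sys;c:\windows\system32\drivers;Adware.Baidu;Incurable.Moved.;
ieagent.exe;c:\windows\system32;Adware.IEAgent;Incurable.Moved.;
mirc.exe;C:\mIRC;Program.mIRC.603;Incurable.Moved.;
Anti.exe;C:\WINDOWS\SYSTEM32;BackDoor.IRC.based;Deleted.;
ipcfg.exe;C:\WINDOWS\SYSTEM32;BackDoor.IRC.Critical;Deleted.;
winuog19.dll;C:\WINDOWS\SYSTEM32;Adware.Baidu;Moved.;
base.exe;C:\WINDOWS\Temp;Trojan.MulDrop.5851;Deleted.;
~my1.tmp;C:\WINDOWS\Temp;Trojan.Click.2107;Deleted.;
"""

# Severity by detection-name family prefix. This mapping is an assumption made
# for the example, not a Dr.Web classification.
SEVERITY = {
    "BackDoor": "high",    # remote-control capability: treat the box as exposed
    "Trojan": "high",
    "Adware": "medium",
    "Tool": "medium",
    "Program": "info",     # Dr.Web's class for legitimate software flagged as riskware
}


def parse_report(text):
    """Parse the semicolon-separated report into one dict per detection."""
    entries = []
    for row in csv.reader(StringIO(text.strip()), delimiter=";"):
        if len(row) < 4:
            continue
        name, directory, detection, action = row[:4]
        family = detection.split(".")[0]
        entries.append({
            "path": f"{directory}\\{name}",
            "detection": detection,
            "action": action.rstrip("."),          # "Deleted." -> "Deleted"
            "severity": SEVERITY.get(family, "unknown"),
        })
    return entries


def summarize(entries):
    """Counts by severity and by the action Dr.Web took."""
    return {
        "by_severity": dict(Counter(e["severity"] for e in entries)),
        "by_action": dict(Counter(e["action"] for e in entries)),
    }


def deleted_high_severity(entries):
    """High-severity files removed outright, i.e. with no quarantine copy left to analyse."""
    return [e["path"] for e in entries
            if e["action"] == "Deleted" and e["severity"] == "high"]


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(summarize(report))
    for path in deleted_high_severity(report):
        print("deleted, not quarantined:", path)
```

Moved. and Incurable.Moved. entries still exist under the DoctorWeb\Quarantine folder named in the instructions above, so they can be hashed or submitted for a second opinion later; Deleted. entries cannot, which is why the script calls them out separately.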

#5 Rebel66 (Topic Starter)

Posted 02 May 2007 - 03:23 AM

This is the log from Combofix.

"Man" - 07-05-02 6:16:23 Service Pack 2
ComboFix 07-05.01.V - Running from: "C:\Documents and Settings\Man\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\dodolook133.exe
C:\WINDOWS\system32\ad_1485.exe
C:\WINDOWS\system32\winlje59.bin
C:\WINDOWS\system32\winuog19.bin
C:\WINDOWS\system32\winxxg73.bin
C:\WINDOWS\system32\Tmp28.tmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Microsoft\PCTools\pctools.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\a1005.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\b1005.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\k1005.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\p1005.dat
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td\r1005.dat
C:\Program Files\7b6d~1\uninst.exe
C:\dwnsetup\wxpSetup117.exe
C:\WINDOWS\DOWNLO~1.\rave\avirexe.vdm
C:\WINDOWS\DOWNLO~1.\rave\avirscr.vdm
C:\WINDOWS\DOWNLO~1.\rave\base.vdm
C:\WINDOWS\DOWNLO~1.\rave\daily.vdm
C:\WINDOWS\DOWNLO~1.\rave\daily.vdt
C:\WINDOWS\DOWNLO~1.\rave\filters.vdm
C:\WINDOWS\DOWNLO~1.\rave\kernel.vdk
C:\WINDOWS\DOWNLO~1.\rave\keyring.vdk
C:\WINDOWS\DOWNLO~1.\rave\mapi_vdm.vdm
C:\WINDOWS\DOWNLO~1.\rave\modules.vdk
C:\WINDOWS\DOWNLO~1.\rave\rav8def.vdm
C:\WINDOWS\DOWNLO~1.\rave\rufs.vdm
C:\WINDOWS\DOWNLO~1.\rave\rufsplg.vdm
C:\WINDOWS\DOWNLO~1.\rave\unarch.vdm
C:\WINDOWS\DOWNLO~1.\rave\unmail.vdm
C:\WINDOWS\DOWNLO~1.\rave\unpack.vdm
C:\Program Files\install.log
C:\WINDOWS\system32\1010s.exe
C:\WINDOWS\system32\d3d1caps.srg
C:\WINDOWS\system32\ims.ini
C:\WINDOWS\system32\mprmsgse.axz
C:\WINDOWS\system32\mscpx32r.det
C:\WINDOWS\system32\mserver.ini
C:\WINDOWS\system32\msrundll.exe
C:\WINDOWS\system32\mstype.txt
C:\WINDOWS\system32\scia.dll
C:\WINDOWS\system32\tmp333.tmp
C:\WINDOWS\system32\tmp334.tmp
C:\WINDOWS\system32\wbem\mof\good\esery.mof
C:\WINDOWS\hosts
C:\WINDOWS\inf\68000.PNF
C:\WINDOWS\system\dvl
C:\WINDOWS\usb8028x.log
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Microsoft\PCTools
C:\DOCUME~1\ALLUSE~1\APPLIC~1\td
C:\Program Files\Common Files\cpush
C:\Program Files\7b6d~1
C:\WINDOWS\system32\mdserivces
C:\WINDOWS\system32\winup
C:\dwnsetup
C:\Program Files\Common Files\Ruango
C:\WINDOWS\DOWNLO~1.\rave
C:\WINDOWS\system32\drivers\sgmpsj75.sys
C:\WINDOWS\system32\drivers\uogdeb73.sys


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\acpidisk
-------\cdnprot
-------\CryptographicServer
-------\EmonSrv
-------\IEAgent
-------\sgmpsj75
-------\uogdeb73
-------\usb8028
-------\usb8028x
-------\WmdmPWD


((((((((((((((((((((((((((((((( Files Created from 2007-04-02 to 2007-05-02 ))))))))))))))))))))))))))))))))))


2007-05-02 06:23 0 --a------ C:\WINDOWS\SYSTEM32\uogdeb73.dll
2007-05-02 06:23 0 --a------ C:\WINDOWS\SYSTEM32\sgmpsj75.dll
2007-05-01 23:38 50,688 --a------ C:\WINDOWS\SYSTEM32\wbhelp2.dll
2007-05-01 23:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\E177E04D548C4006A465EEB92D3DE021
2007-05-01 23:38 <DIR> d-------- C:\Program Files\Ipswitch
2007-05-01 23:38 <DIR> d-------- C:\DOCUME~1\Man\APPLIC~1\Ipswitch
2007-05-01 23:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ipswitch
2007-05-01 22:11 <DIR> d-------- C:\DOCUME~1\Man\DoctorWeb
2007-04-30 00:51 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-04-24 03:16 <DIR> d-------- C:\DOCUME~1\Man\.housecall6.6
2007-04-23 00:52 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Media Player Classic
2007-04-22 21:46 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-04-22 21:45 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-04-22 21:42 1,087,216 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-04-22 21:42 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-04-22 21:38 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-04-21 15:05 1,310,720 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-21 15:05 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-04-09 17:51 28,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CO_Mon.sys
2007-04-09 17:48 <DIR> d-------- C:\DOCUME~1\Man\APPLIC~1\WholeSecurity
2007-04-08 13:57 664 --a------ C:\WINDOWS\SYSTEM32\d3d9caps.dat
2007-04-07 04:32 <DIR> d-------- C:\Program Files\safe360
2007-04-06 22:13 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-04-06 22:12 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgArCln.sys
2007-04-06 19:47 232 --a------ C:\WINDOWS\SYSTEM32\6A1CD792.dat
2007-04-06 19:47 111,879 --a------ C:\WINDOWS\SYSTEM32\gb01.exe
2007-04-05 00:40 <DIR> d-------- C:\Program Files\2


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-01 15:38:52 -------- d-----w C:\DOCUME~1\Man\APPLIC~1.\Ipswitch
2007-05-01 15:38:15 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-09 09:48:26 -------- d-----w C:\DOCUME~1\Man\APPLIC~1.\WholeSecurity
2007-04-06 15:41:24 -------- d-----w C:\Program Files\Mobius Phone Explorer
2007-04-06 05:57:27 -------- d-----w C:\Program Files\DSL100U
2007-04-05 23:53:38 -------- d-----w C:\Program Files\DivX
2007-03-30 15:30:25 -------- d-----w C:\DOCUME~1\Man\APPLIC~1.\PC Suite
2007-03-30 11:37:32 -------- d-----w C:\Program Files\Multi_Media
2007-03-29 23:51:22 -------- d-----w C:\DOCUME~1\Man\APPLIC~1.\Nokia
2007-03-29 23:43:55 -------- d-----w C:\Program Files\Nokia
2007-03-29 23:29:24 -------- d-----w C:\Program Files\DIFX
2007-03-29 23:26:39 -------- d-----w C:\Program Files\PC Connectivity Solution
2007-03-29 23:24:21 -------- d-----w C:\Program Files\Common Files\PCSuite
2007-03-29 17:41:09 -------- d-----w C:\Program Files\Common Files\LogoManager
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 16:59:13 -------- d-----w C:\DOCUME~1\Man\APPLIC~1.\Datalayer
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{C6844939-C324-41E0-84D0-D42F8DA5EBAD}"="C:\WINDOWS\system32\hbcmd.dll" [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"UpdReg"="C:\\WINDOWS\\Updreg.exe"
"AHQInit"="C:\\Program Files\\Creative\\SBLive\\Program\\AHQInit.exe"
"GSICONEXE"="GSICON.EXE"
"DSLAGENTEXE"="dslagent.exe USB"
"AdaptecDirectCD"="C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
"WinPatrol"="C:\\BILLPS~1\\WINPAT~1\\WinPatrol.exe"
"EPSON Stylus Photo RX510"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I3K2.EXE /P24 \"EPSON Stylus Photo RX510\" /O6 \"USB001\" /M \"Stylus Photo RX510\""
"nwiz"="nwiz.exe /install"
"DataLayer"="C:\\PROGRA~1\\COMMON~1\\PCSuite\\DATALA~1\\DATALA~1.EXE"
"BTUSRBDG"="BtUsrBdg.exe"
"BTSETBOOTKEY"="BTSetBootKey.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -startup"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"Disc Detector"="C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Creative Detector"="C:\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"HijackThis startup scan"="C:\\Documents and Settings\\Man\\Desktop\\HijackThis.exe /startupscan"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CLB

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0lsanp\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\dordo

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0
bthsvcs BthServ\0\0


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-02 06:38:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-02 6:55:09 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-05-02 06:55

#6 Rebel66 (Topic Starter)

Posted 02 May 2007 - 03:30 AM

Finally, this is my latest HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 7:00:32 AM, on 5/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\system32\BtUsrBdg.exe
C:\WINDOWS\system32\BTSetBootKey.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Extended Systems\XTNDConnect Blue Manager\btprot.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\vfind.cfexe
C:\Documents and Settings\Man\Desktop\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.friendster.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [WinPatrol] C:\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX510] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE /P24 "EPSON Stylus Photo RX510" /O6 "USB001" /M "Stylus Photo RX510"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Man\Desktop\HijackThis.exe /startupscan
O4 - Global Startup: NaturalColorLoad.lnk = ?
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Man\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: WebControlDeploy - https://grouper.com/v1/GrouperSetup.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168680948531
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - http://images.hi5.com/cab/wabctrl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: CLB - AVlFILE.DLL (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: NetCheck - {F5B7DDBE-5f02-4244-96DB-386DFA24496B} - (no file)
O23 - Service: 6A1CD792 - Unknown owner - C:\WINDOWS\system32\6A1CD792.EXE (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Indexing Service (cisvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Seems like the two BHOs are gone.

Waiting for the next set of instructions. :thumbsup:

#7 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 02 May 2007 - 06:40 AM

Click on Start/Run, type CMD, then press OK.
At the Command Prompt, copy and paste the following commands, pressing Enter after each one.

SC STOP 6A1CD792
SC DELETE 6A1CD792


Then type EXIT and press Enter.
Restart your pc.

***************************

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\SYSTEM32\uogdeb73.dll
C:\WINDOWS\SYSTEM32\sgmpsj75.dll
C:\WINDOWS\SYSTEM32\wbhelp2.dll
C:\WINDOWS\SYSTEM32\E177E04D548C4006A465EEB92D3DE021
C:\WINDOWS\SYSTEM32\6A1CD792.dat

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

**************************

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O20 - Winlogon Notify: CLB - AVlFILE.DLL (file missing)
O21 - SSODL: NetCheck - {F5B7DDBE-5f02-4244-96DB-386DFA24496B} - (no file)
O23 - Service: 6A1CD792 - Unknown owner - C:\WINDOWS\system32\6A1CD792.EXE (file missing)

Exit Hijackthis.

**************************

Download\install CleanUp.
Launch CleanUp, then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok', now run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.

Post a new Hijackthis log in your next reply.
Let me know how your pc is running now please.

#8 Rebel66 (Topic Starter, Members, 13 posts)

Posted 03 May 2007 - 06:27 AM

Hi RichieUK. My PC is running much faster than it was before. Thanks for your help. :thumbsup:

Here is the log from Avenger.

LR*S

File C:\WINDOWS\SYSTEM32\sgmpsj75.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\wbhelp2.dll deleted successfully.

Error: C:\WINDOWS\SYSTEM32\E177E04D548C4006A465EEB92D3DE021 is a folder, not a file!

Deletion of file C:\WINDOWS\SYSTEM32\E177E04D548C4006A465EEB92D3DE021 failed!
Could not process line:C:\WINDOWS\SYSTEM32\E177E04D548C4006A465EEB92D3DE021

Status: 0xc00000ba

File C:\WINDOWS\SYSTEM32\6A1CD792.dat deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

#9 Rebel66 (Topic Starter, Members, 13 posts)

Posted 03 May 2007 - 06:29 AM

This is my latest HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 6:56:02 PM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\system32\BtUsrBdg.exe
C:\WINDOWS\system32\BTSetBootKey.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Man\Desktop\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.friendster.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [WinPatrol] C:\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX510] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE /P24 "EPSON Stylus Photo RX510" /O6 "USB001" /M "Stylus Photo RX510"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Man\Desktop\HijackThis.exe /startupscan
O4 - Global Startup: NaturalColorLoad.lnk = ?
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Man\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: WebControlDeploy - https://grouper.com/v1/GrouperSetup.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168680948531
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - http://images.hi5.com/cab/wabctrl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Indexing Service (cisvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


Waiting for the next set of instructions.

#10 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 03 May 2007 - 06:39 AM

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Folders to delete:
C:\WINDOWS\SYSTEM32\E177E04D548C4006A465EEB92D3DE021

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

**********************

Download\install CleanUp.
Launch CleanUp, then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok', now run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.

Restart your pc.
Post the Avenger output.txt, and a new Hijackthis log into your next reply.


#11 Rebel66 (Topic Starter, Members, 13 posts)

Posted 04 May 2007 - 12:03 AM

Hi RichieUK :thumbsup:

Below is the log from Avenger.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\chmipbtq

*******************

Script file located at: bqrxdqyi

Could not open script file! Error

Could not open script file! Status: 0xc000003b Abort!

*********************************************

Here is my latest HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 12:51:38 PM, on 5/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINDOWS\system32\BtUsrBdg.exe
C:\WINDOWS\system32\BTSetBootKey.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\BitComet\BitComet.exe
C:\Documents and Settings\Man\Desktop\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.friendster.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [WinPatrol] C:\BILLPS~1\WINPAT~1\WinPatrol.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX510] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE /P24 "EPSON Stylus Photo RX510" /O6 "USB001" /M "Stylus Photo RX510"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [BTSETBOOTKEY] BTSetBootKey.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Man\Desktop\HijackThis.exe /startupscan
O4 - Global Startup: NaturalColorLoad.lnk = ?
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Man\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: WebControlDeploy - https://grouper.com/v1/GrouperSetup.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168680948531
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - http://images.hi5.com/cab/wabctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D393232-2502-497A-AA67-9116ECECBD87}: NameServer = 192.169.34.181 203.120.90.40
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D393232-2502-497A-AA67-9116ECECBD87}: NameServer = 192.169.34.181 203.120.90.40
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Indexing Service (cisvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

#12 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 04 May 2007 - 02:43 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\Man\Desktop\HijackThis.exe /startupscan
Exit Hijackthis.

Your log is clean :thumbsup:
If all's ok,please do the following:

Find and delete:
C:\QooBox
C:\WINDOWS\SYSTEM32\E177E04D548C4006A465EEB92D3DE021

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

Edited by RichieUK, 04 May 2007 - 02:43 AM.


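The triage RichieUK walks through in posts #7 and #12 (an O23 service whose binary is gone, an O20 Winlogon Notify DLL and an O21 SSODL entry with no file behind them, and the O17 NameServer lines that show up in the 5/4 log) can be written down as a script. What follows is an added example, not part of this thread and not HijackThis code. It parses a constructed sample assembled from lines copied out of the logs above, flags the same entry types the helper had fixed, and builds the sc.exe sequence from post #7 for each flagged service. Two things in it are assumptions: the resolver allowlist holds a placeholder address from the documentation range (203.0.113.53) standing in for whatever the user's ISP actually hands out, because the thread never says which resolvers are legitimate, so an O17 hit means "verify against the ISP", not "malicious"; and the cisvc exception reflects the posted logs, where HijackThis reports the XP Indexing Service as "file missing" and the helper left it alone, which is why "file missing" on its own is not treated as a verdict.

```python
"""HijackThis log triage for the entry types this thread acts on.

Added example: not part of the BleepingComputer thread or of HijackThis.
"""
import ipaddress
import re

# Constructed sample: lines copied from the HijackThis logs posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D393232-2502-497A-AA67-9116ECECBD87}: NameServer = 192.169.34.181 203.120.90.40
O20 - Winlogon Notify: CLB - AVlFILE.DLL (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: NetCheck - {F5B7DDBE-5f02-4244-96DB-386DFA24496B} - (no file)
O23 - Service: 6A1CD792 - Unknown owner - C:\WINDOWS\system32\6A1CD792.EXE (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Indexing Service (cisvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
"""

# Assumption: the resolvers the ISP really assigns. 203.0.113.53 is a
# documentation-range placeholder; replace it with the ISP's servers.
# Any other non-RFC1918 resolver in an O17 line is flagged for verification.
EXPECTED_RESOLVERS = {"203.0.113.53"}

# HijackThis 1.99.1 shows the XP Indexing Service (cisvc) as "file missing"
# in the posted logs and the helper left it alone, so it is not acted on here.
KNOWN_GOOD_SERVICES = {"cisvc"}

# O23 - Service: <display> (<key>) - <owner> - <path>   (the "(key)" part is optional)
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
WINLOGON_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>[^ ]+) - (?P<path>.+)$")
SSODL_RE = re.compile(r"^O21 - SSODL: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
NAMESERVER_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")


def triage(log_text, expected_resolvers=EXPECTED_RESOLVERS):
    """Return (section, identifier, reason) tuples for entries worth acting on."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := SERVICE_RE.match(line):
            key = m["key"] or m["display"]          # sc.exe wants the key name
            if key in KNOWN_GOOD_SERVICES:
                continue
            missing = "(file missing)" in m["path"]
            unknown = m["owner"] == "Unknown owner"
            if missing or unknown:
                reason = "service binary missing" if missing else "no vendor string"
                findings.append(("O23", key, reason))
        elif m := WINLOGON_RE.match(line):
            if "(file missing)" in m["path"]:
                findings.append(("O20", m["name"], "Winlogon Notify DLL missing"))
        elif m := SSODL_RE.match(line):
            if "(no file)" in m["path"]:
                findings.append(("O21", m["name"], "ShellServiceObject with no file"))
        elif m := NAMESERVER_RE.match(line):
            for server in m["servers"].split():
                ip = ipaddress.ip_address(server)
                # A home router on RFC1918 space is the normal case; only
                # public resolvers outside the allowlist need checking.
                if not ip.is_private and server not in expected_resolvers:
                    findings.append(("O17", server, "DNS resolver not in expected list"))
    return findings


def service_removal_plan(findings):
    """The sc.exe sequence from post #7, one set per flagged O23 service key."""
    plan = []
    for section, key, _ in findings:
        if section == "O23":
            plan += [f"sc query {key}", f"sc stop {key}", f"sc delete {key}"]
    return plan


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for section, ident, reason in results:
        print(f"{section:4} {ident:20} {reason}")
    print("\n".join(service_removal_plan(results)))
```

Only the printed sc commands are Windows-specific; `sc delete` removes the service's registry entry whether or not the binary still exists, which is why the thread can delete 6A1CD792 after its executable is already gone. The O17 value in the 5/4 log appears under both CCS and CS1 (ControlSet001), so one line is enough to raise the finding but both keys carry the setting.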
#13 Rebel66 (Topic Starter, Members, 13 posts)

Posted 04 May 2007 - 06:52 AM

Hi RichieUK. I can't seem to delete the folder "c:\QooBox".

It says "Cannot delete pctools.dll.vir: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."

#14 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 04 May 2007 - 07:05 AM

I can't seem to delete the folder "c:\QooBox".

Try in Safe Mode:
Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

#15 Rebel66 (Topic Starter, Members, 13 posts)

Posted 05 May 2007 - 12:50 AM

I tried removing it in safe mode but still get the same error message. I can delete the rest of the files in the folder except for that particular file "pctools.dll.vir". When I tried to remove the read-only attribute, I get the message "An error occurred applying attributes to the file: Access is denied". I can't delete it even in command prompt.
