Brave Sentry + Unable To Start Windows In Normal Mode


21 replies to this topic

#1 butterfly_collector (Members, 17 posts)

Posted 09 May 2007 - 02:19 AM

Sunday evening my computer got infected with BraveSentry. I followed the tutorial on this forum in an effort to get rid of it. [Did I get it all out?] I ran spybot and adware and housecall. Turns out I also had kernel32.exe. Well, ever since my computer got infected, I haven't been able to get into windows in normal mode. I can only get in on safe mode. When I try to log into normal mode, I end up at the "Windows now starting up..." and it just stays there. I don't know if this matters but this log was taken while in safe mode.


Logfile of HijackThis v1.99.1
Scan saved at 12:03:23 AM, on 5/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.lib.ucdavis.edu/proxy/pacserve
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: 0 - {8F008927-FD4A-4EC3-3388-D0BFBDA56D67} - C:\Program Files\Internet Explorer\sahuvon.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Owner\Desktop\p2k-commander_3.3\p2k-commander 3.3.0 Beta\P2kAutostart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DCF2B4D-B30F-4CCB-9A65-547DAF66039E}: NameServer = 151.11.169.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC142483-E00E-40BB-8EF8-0AE56C3C5EFD}: NameServer = 151.11.169.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{D205A688-818D-4009-9D59-60762493ED5F}: NameServer = 151.11.169.10
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\system32\rpcc1.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi67535.exe
O23 - Service: Background Intelligent Transfer Service BITSccEvtMgr (BITSccEvtMgr) - Unknown owner - C:\WINDOWS\system32\advpack.dllp.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
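
The entries in the log above that a triager reads first are the O20 lines (AppInit_DLLs and Winlogon Notify packages, which load into every process or into winlogon.exe as SYSTEM), the O23 services with "Unknown owner" or a missing binary, O4 Run values that are bare filenames, and O17 hard-coded resolvers. The script below is an added example written for this thread; it is not code from HijackThis, SDFix or the forum. It parses lines in HijackThis 1.99 format and flags those entry types. The sample lines are copied from the logs posted in this thread; the allowlist of Winlogon Notify package names and the (empty) set of expected DNS resolvers are assumptions to tune for your own environment.

```python
"""Triage a HijackThis 1.99-format log for the entry types that most often carry
malware persistence.  Added example for this thread, not code from HijackThis,
SDFix or the forum; the allowlists below are assumptions to tune per fleet."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Winlogon Notify subkeys on a stock XP SP2 box plus the Intel graphics and WGA
# packages from the log above (assumption: extend for your own environment).
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "igfxcui", "wgalogon",
}
# Resolvers you expect in O17 NameServer entries (assumption; an empty set means
# "report every hard-coded resolver for manual verification").
EXPECTED_DNS = set()

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {8F008927-FD4A-4EC3-3388-D0BFBDA56D67} - C:\Program Files\Internet Explorer\sahuvon.dll
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DCF2B4D-B30F-4CCB-9A65-547DAF66039E}: NameServer = 151.11.169.10
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\system32\rpcc1.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi67535.exe
O23 - Service: Background Intelligent Transfer Service BITSccEvtMgr (BITSccEvtMgr) - Unknown owner - C:\WINDOWS\system32\advpack.dllp.exe (file missing)
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O20"
    reason: str
    line: str


_BHO = re.compile(r"O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
_RUN = re.compile(r"O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (.*)$")
_DNS = re.compile(r"O17 - .*NameServer = (.*)$")
_NOTIFY = re.compile(r"O20 - Winlogon Notify: (\S+) - (.*)$")
_SVC = re.compile(r"O23 - Service: (.*)$")


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious line, or None for lines that look benign."""
    line = line.strip()
    if not line:
        return None
    m = _BHO.match(line)
    if m:
        name, path = m.groups()
        if name == "(no name)" or name.isdigit() or path.endswith("(file missing)"):
            return Finding("O2", "BHO with no real name or no DLL on disk: verify the publisher", line)
        return None
    m = _RUN.match(line)
    if m:
        parts = m.group(1).strip('"').split()
        if parts and "\\" not in parts[0]:
            return Finding("O4", "Run value is a bare filename resolved through the search path", line)
        return None
    m = _DNS.match(line)
    if m:
        servers = set(m.group(1).replace(",", " ").split())
        if not servers <= EXPECTED_DNS:
            return Finding("O17", "hard-coded DNS resolver not in the expected set", line)
        return None
    if line.startswith("O20 - AppInit_DLLs:"):
        if line.split(":", 1)[1].strip():
            return Finding("O20", "AppInit_DLLs injects this module into every user-mode process", line)
        return None
    m = _NOTIFY.match(line)
    if m:
        pkg, path = m.groups()
        if path.endswith("\\") or path.endswith("(file missing)"):
            return Finding("O20", "Winlogon Notify package with no DLL path on disk", line)
        if pkg.lower() not in KNOWN_NOTIFY:
            return Finding("O20", "unknown Winlogon Notify package (loads into winlogon.exe as SYSTEM)", line)
        return None
    m = _SVC.match(line)
    if m:
        rest = m.group(1)
        if "Unknown owner" in rest or rest.endswith("(file missing)"):
            return Finding("O23", "service without a publisher or without a binary on disk", line)
        return None
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every line and keep the hits, in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports eight lines: the numeric-named BHO, the bare `dsrss.exe` Run value, the hard-coded resolver, the AppInit_DLLs module, the two Winlogon Notify packages (one with no file, one not on the allowlist) and the two publisher-less services, while the Adobe, ctfmon, igfxcui and Sophos lines pass. The allowlists are the weak point of any such script: a rootkit can register under a benign-looking package name, so treat a clean run as "nothing obvious", not as proof of a clean box.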


#2 RichieUK (Malware Response Team, 13,614 posts)

Posted 09 May 2007 - 04:55 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum butterfly_collector :thumbsup:

Try the following; let's see if it starts up normally after doing this.
Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Find and delete the following files:
C:\Program Files\Internet Explorer\sahuvon.dll
C:\WINDOWS\system32\perfc000.dat
C:\WINDOWS\system32\a3dxx.dll
C:\WINDOWS\system32\rpcc1.dll

Now try restarting your pc normally.
If still no joy, have you got the Microsoft Windows XP installation disk?

#3 butterfly_collector (Topic Starter)

Posted 09 May 2007 - 06:09 PM

I deleted the first two things on the list, but the last two I wasn't able to because it said some program or something was using them, or that they were in use. I didn't know what to do so I just shut down my computer.

I don't know if this is relevant, but whenever I try to shut down my computer from safe mode, a little pop-up says "end program - sample" is busy or something and that I can choose to end task now or wait.

And no, I don't have the Microsoft Windows XP installation disk. T_T My computer came with Windows XP.

#4 RichieUK

Posted 10 May 2007 - 06:32 AM

Backup the registry first by doing the following.
Click on Start>Run, type regedit then press Enter.
Click on 'File' at the top, then 'Export'.
In the opening 'Export Registry File' box, place a check in 'ALL' at the bottom left.
In the 'File name:' space, type back.reg
Make sure 'Desktop' is selected in the left hand column.
Then press 'Save'.


Click on Start/Run, type regedit then press Ok.
Navigate to:
HKEY_CURRENT_USER/Control Panel/Desktop
In the right hand pane double click on each of the following values, give each the 'Value data:' as shown below:
AutoEndTasks= 1
HungAppTimeout= 1000
WaitToKillAppTimeout= 2000

Then reset the following value:
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control
WaitToKillServiceTimeout= 2000

Restart your pc,let me know whats happening now.

#5 butterfly_collector (Topic Starter)

Posted 12 May 2007 - 04:11 PM

Okay, I did what you said. I was still stuck on the Windows starting up page, but I left it alone and my computer went idle, and when I came back and moved my mouse around, it got to the sign-in page.
I signed in and a pop-up said something about the System Configuration Utility is currently in diagnostic or selective startup mode. Then another pop-up came saying that "the system has recovered from a serious error" and asked me to send an error report to Microsoft. So I did, and then my browser popped up on its own directing me to the Microsoft page telling me that Microsoft detected the Win32/Nuwar.N!sys virus on my computer. They told me to download this program and I did, and that is where I am now. I made screenshots of it all in case I'm unclear or anything. Right now, the Microsoft Windows Malicious Software Removal Tool is scanning my computer.

#6 RichieUK

Posted 13 May 2007 - 03:36 AM

Restart your pc, post a new HijackThis log in your next reply.
Let me know exactly what's happening now please.

#7 butterfly_collector (Topic Starter)

Posted 13 May 2007 - 06:48 PM

I'm still in the whole "System Configuration Utility is currently in diagnostic or selective startup mode" thing. I ran the program that Microsoft wanted me to use, and when I checked my Sophos antivirus again, it had some things in quarantine that they wanted me to manually delete. I still get pop-ups saying that "the system has recovered from a serious error", asking me to send an error report to Microsoft, which pops up a new window telling me that Microsoft detected the Win32/Nuwar.N!sys virus on my computer. I'm not hung up on the Windows log-in screen anymore, if that's anything. Although, just a few minutes ago, my computer showed a bluescreen with some words about an error and restarted me. Thank you for all your help!



Logfile of HijackThis v1.99.1
Scan saved at 4:39:33 PM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\aspi67535.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.lib.ucdavis.edu/proxy/pacserve
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: 0 - {8F008927-FD4A-4EC3-3388-D0BFBDA56D67} - C:\Program Files\Internet Explorer\sahuvon.dll (file missing)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [WinSysModule] dsrss.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Owner\Desktop\p2k-commander_3.3\p2k-commander 3.3.0 Beta\P2kAutostart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/
O15 - Trusted Zone: http://onecare.live.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DCF2B4D-B30F-4CCB-9A65-547DAF66039E}: NameServer = 151.11.169.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC142483-E00E-40BB-8EF8-0AE56C3C5EFD}: NameServer = 151.11.169.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{D205A688-818D-4009-9D59-60762493ED5F}: NameServer = 151.11.169.10
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxx.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\system32\rpcc1.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi67535.exe
O23 - Service: Background Intelligent Transfer Service BITSccEvtMgr (BITSccEvtMgr) - Unknown owner - C:\WINDOWS\system32\advpack.dllp.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#8 RichieUK

Posted 14 May 2007 - 02:34 AM

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.
* Also post a new HijackThis log please.


#9 butterfly_collector (Topic Starter)

Posted 14 May 2007 - 07:14 PM

What's funny and a little sad is that I got hit up by Spy Sheriff again after I downloaded the SDFix file. XD Also, I ran Microsoft's Live OneCare online scanner and it said it found Spy Sheriff in the System Volume Information folder, but I can't get into that folder to delete it. :x Thank you!!!!


[[ Report.txt ]]


SDFix: Version 1.84

Run by Owner - Mon 05/14/2007 - 16:03:58.82

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
aspi113210
core
ldrsvc

ImagePath:
C:\WINDOWS\system32\aspi67535.exe
system32\drivers\core.sys
%SystemRoot%\System32\svchost.exe -k netsvcs

aspi113210 - Deleted
core - Deleted
ldrsvc - Deleted

Killing PID 152 'smss.exe'
Killing PID 224 'winlogon.exe'


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\aspi67535.exe - Deleted
C:\WINDOWS\SYSTEM32\509.EXE - Deleted
C:\WINDOWS\SYSTEM32\CAFES.EXE - Deleted
C:\WINDOWS\SYSTEM32\DNSERSND.EXE - Deleted
C:\WINDOWS\Temp\2.dllb - Deleted
C:\WINDOWS\Temp\6.dllb - Deleted
C:\WINDOWS\Temp\7.dllb - Deleted
C:\WINDOWS\Temp\v3x1.g22me - Deleted
C:\WINDOWS\Temp\v4x6.gam5e - Deleted
C:\WINDOWS\Temp\v5x4.ga2me - Deleted
C:\WINDOWS\Temp\v6xt4.game - Deleted
C:\WINDOWS\Temp\vx1t1.game - Deleted
C:\WINDOWS\Temp\vx1t3.game - Deleted
C:\WINDOWS\Temp\vx3t2.game - Deleted
C:\WINDOWS\s32.txt - Deleted
C:\WINDOWS\system32\4_exception.nls - Deleted
C:\WINDOWS\system32\a3dxx.dll - Deleted
C:\WINDOWS\system32\CONFIG\SYSTEM~1\APPLIC~1\INSTALL.DAT - Deleted
C:\WINDOWS\system32\dlh9jkd1q2.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q6.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q7.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q8.exe - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\drivers\core.sys - Deleted
C:\WINDOWS\system32\dwdsregt.exe - Deleted
C:\WINDOWS\system32\ib15.dll - Deleted
C:\WINDOWS\system32\install.exe - Deleted
C:\WINDOWS\system32\kernels32.exe - Deleted
C:\WINDOWS\system32\msnav32.ax - Deleted
C:\WINDOWS\system32\rpcc.exe - Deleted
C:\WINDOWS\system32\spoolsvv.sys - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\vexg4am1et2.exe - Deleted
C:\WINDOWS\system32\vexg6ame4.exe - Deleted
C:\WINDOWS\system32\vexga1me4t1.exe - Deleted
C:\WINDOWS\system32\vexga4m1et4.exe - Deleted
C:\WINDOWS\system32\vexga4me1.exe - Deleted
C:\WINDOWS\system32\vexga8me6.exe - Deleted
C:\WINDOWS\system32\vx.tll - Deleted
C:\WINDOWS\system32\win32.exe - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted
C:\WINDOWS\Temp\_check32.bat - Deleted
C:\WINDOWS\Temp\_td1.tmp - Deleted
C:\WINDOWS\Temp\_td10.tmp - Deleted
C:\WINDOWS\Temp\_td11.tmp - Deleted
C:\WINDOWS\Temp\_td12.tmp - Deleted
C:\WINDOWS\Temp\_td13.tmp - Deleted
C:\WINDOWS\Temp\_td14.tmp - Deleted
C:\WINDOWS\Temp\_td15.tmp - Deleted
C:\WINDOWS\Temp\_td16.tmp - Deleted
C:\WINDOWS\Temp\_td17.tmp - Deleted
C:\WINDOWS\Temp\_td18.tmp - Deleted
C:\WINDOWS\Temp\_td19.tmp - Deleted
C:\WINDOWS\Temp\_td1A.tmp - Deleted
C:\WINDOWS\Temp\_td1B.tmp - Deleted
C:\WINDOWS\Temp\_td1C.tmp - Deleted
C:\WINDOWS\Temp\_td1D.tmp - Deleted
C:\WINDOWS\Temp\_td1E.tmp - Deleted
C:\WINDOWS\Temp\_td1F.tmp - Deleted
C:\WINDOWS\Temp\_td2.tmp - Deleted
C:\WINDOWS\Temp\_td20.tmp - Deleted
C:\WINDOWS\Temp\_td21.tmp - Deleted
C:\WINDOWS\Temp\_td22.tmp - Deleted
C:\WINDOWS\Temp\_td23.tmp - Deleted
C:\WINDOWS\Temp\_td24.tmp - Deleted
C:\WINDOWS\Temp\_td25.tmp - Deleted
C:\WINDOWS\Temp\_td26.tmp - Deleted
C:\WINDOWS\Temp\_td27.tmp - Deleted
C:\WINDOWS\Temp\_td28.tmp - Deleted
C:\WINDOWS\Temp\_td29.tmp - Deleted
C:\WINDOWS\Temp\_td2A.tmp - Deleted
C:\WINDOWS\Temp\_td2B.tmp - Deleted
C:\WINDOWS\Temp\_td2C.tmp - Deleted
C:\WINDOWS\Temp\_td2D.tmp - Deleted
C:\WINDOWS\Temp\_td2E.tmp - Deleted
C:\WINDOWS\Temp\_td2F.tmp - Deleted
C:\WINDOWS\Temp\_td3.tmp - Deleted
C:\WINDOWS\Temp\_td30.tmp - Deleted
C:\WINDOWS\Temp\_td31.tmp - Deleted
C:\WINDOWS\Temp\_td32.tmp - Deleted
C:\WINDOWS\Temp\_td33.tmp - Deleted
C:\WINDOWS\Temp\_td34.tmp - Deleted
C:\WINDOWS\Temp\_td35.tmp - Deleted
C:\WINDOWS\Temp\_td36.tmp - Deleted
C:\WINDOWS\Temp\_td38.tmp - Deleted
C:\WINDOWS\Temp\_td4.tmp - Deleted
C:\WINDOWS\Temp\_td42.tmp - Deleted
C:\WINDOWS\Temp\_td43.tmp - Deleted
C:\WINDOWS\Temp\_td44.tmp - Deleted
C:\WINDOWS\Temp\_td45.tmp - Deleted
C:\WINDOWS\Temp\_td46.tmp - Deleted
C:\WINDOWS\Temp\_td47.tmp - Deleted
C:\WINDOWS\Temp\_td48.tmp - Deleted
C:\WINDOWS\Temp\_td49.tmp - Deleted
C:\WINDOWS\Temp\_td4A.tmp - Deleted
C:\WINDOWS\Temp\_td4B.tmp - Deleted
C:\WINDOWS\Temp\_td4C.tmp - Deleted
C:\WINDOWS\Temp\_td5.tmp - Deleted
C:\WINDOWS\Temp\_td57.tmp - Deleted
C:\WINDOWS\Temp\_td58.tmp - Deleted
C:\WINDOWS\Temp\_td59.tmp - Deleted
C:\WINDOWS\Temp\_td5A.tmp - Deleted
C:\WINDOWS\Temp\_td5B.tmp - Deleted
C:\WINDOWS\Temp\_td5C.tmp - Deleted
C:\WINDOWS\Temp\_td5D.tmp - Deleted
C:\WINDOWS\Temp\_td5E.tmp - Deleted
C:\WINDOWS\Temp\_td5F.tmp - Deleted
C:\WINDOWS\Temp\_td6.tmp - Deleted
C:\WINDOWS\Temp\_td60.tmp - Deleted
C:\WINDOWS\Temp\_td61.tmp - Deleted
C:\WINDOWS\Temp\_td62.tmp - Deleted
C:\WINDOWS\Temp\_td66.tmp - Deleted
C:\WINDOWS\Temp\_td67.tmp - Deleted
C:\WINDOWS\Temp\_td6D.tmp - Deleted
C:\WINDOWS\Temp\_td6E.tmp - Deleted
C:\WINDOWS\Temp\_td6F.tmp - Deleted
C:\WINDOWS\Temp\_td7.tmp - Deleted
C:\WINDOWS\Temp\_td70.tmp - Deleted
C:\WINDOWS\Temp\_td7A.tmp - Deleted
C:\WINDOWS\Temp\_td7B.tmp - Deleted
C:\WINDOWS\Temp\_td7C.tmp - Deleted
C:\WINDOWS\Temp\_td7D.tmp - Deleted
C:\WINDOWS\Temp\_td7E.tmp - Deleted
C:\WINDOWS\Temp\_td7F.tmp - Deleted
C:\WINDOWS\Temp\_td8.tmp - Deleted
C:\WINDOWS\Temp\_td80.tmp - Deleted
C:\WINDOWS\Temp\_td82.tmp - Deleted
C:\WINDOWS\Temp\_td83.tmp - Deleted
C:\WINDOWS\Temp\_td84.tmp - Deleted
C:\WINDOWS\Temp\_td85.tmp - Deleted
C:\WINDOWS\Temp\_td8F.tmp - Deleted
C:\WINDOWS\Temp\_td9.tmp - Deleted
C:\WINDOWS\Temp\_td90.tmp - Deleted
C:\WINDOWS\Temp\_td91.tmp - Deleted
C:\WINDOWS\Temp\_td94.tmp - Deleted
C:\WINDOWS\Temp\_tdA.tmp - Deleted
C:\WINDOWS\Temp\_tdB.tmp - Deleted
C:\WINDOWS\Temp\_tdC.tmp - Deleted
C:\WINDOWS\Temp\_tdD.tmp - Deleted
C:\WINDOWS\Temp\_tdE.tmp - Deleted
C:\WINDOWS\Temp\_tdF.tmp - Deleted
C:\WINDOWS\Temp\2.dllb - Deleted
C:\WINDOWS\Temp\6.dllb - Deleted
C:\WINDOWS\Temp\7.dllb - Deleted
C:\WINDOWS\Temp\kaw - Deleted
C:\WINDOWS\Temp\temp_21773949.bat - Deleted
C:\WINDOWS\ws386.ini - Deleted
C:\WINDOWS\xpupdate.exe - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\Replay Converter\14_43260.dll
C:\Program Files\Replay Converter\28_83260.dll
C:\Program Files\Replay Converter\atrc3260.dll
C:\Program Files\Replay Converter\cook3260.dll
C:\Program Files\Replay Converter\cygwin1.dll
C:\Program Files\Replay Converter\cygz.dll
C:\Program Files\Replay Converter\dnet3260.dll
C:\Program Files\Replay Converter\drv23260.dll
C:\Program Files\Replay Converter\drv33260.dll
C:\Program Files\Replay Converter\drv43260.dll
C:\Program Files\Replay Converter\ivvideo.dll
C:\Program Files\Replay Converter\qtmlClient.dll
C:\Program Files\Replay Converter\raac.dll
C:\Program Files\Replay Converter\sipr3260.dll
C:\WINDOWS\system32\AVSredirect.dll
C:\Documents and Settings\Owner\Desktop\~WRL0001.tmp
C:\Documents and Settings\Owner\Desktop\~WRL0003.tmp
C:\Documents and Settings\Owner\Desktop\~WRL0005.tmp
C:\Documents and Settings\Owner\Desktop\~WRL0180.tmp
C:\Documents and Settings\Owner\Desktop\~WRL0230.tmp
C:\Documents and Settings\Owner\Desktop\~WRL0277.tmp
C:\Documents and Settings\Owner\Desktop\~WRL0295.tmp
C:\Documents and Settings\Owner\Desktop\~WRL0377.tmp
C:\Documents and Settings\Owner\Desktop\~WRL0412.tmp
C:\Documents and Settings\Owner\Desktop\~WRL0476.tmp
C:\Documents and Settings\Owner\Desktop\~WRL0514.tmp
C:\Documents and Settings\Owner\Desktop\~WRL0567.tmp
C:\Documents and Settings\Owner\Desktop\~WRL0588.tmp
C:\Documents and Settings\Owner\Desktop\~WRL0705.tmp
C:\Documents and Settings\Owner\Desktop\~WRL0751.tmp
C:\Documents and Settings\Owner\Desktop\~WRL0996.tmp
C:\Documents and Settings\Owner\Desktop\~WRL1063.tmp
C:\Documents and Settings\Owner\Desktop\~WRL1118.tmp
C:\Documents and Settings\Owner\Desktop\~WRL1207.tmp
C:\Documents and Settings\Owner\Desktop\~WRL1532.tmp
C:\Documents and Settings\Owner\Desktop\~WRL2010.tmp
C:\Documents and Settings\Owner\Desktop\~WRL2055.tmp
C:\Documents and Settings\Owner\Desktop\~WRL2116.tmp
C:\Documents and Settings\Owner\Desktop\~WRL2173.tmp
C:\Documents and Settings\Owner\Desktop\~WRL2294.tmp
C:\Documents and Settings\Owner\Desktop\~WRL2487.tmp
C:\Documents and Settings\Owner\Desktop\~WRL2684.tmp
C:\Documents and Settings\Owner\Desktop\~WRL2907.tmp
C:\Documents and Settings\Owner\Desktop\~WRL2946.tmp
C:\Documents and Settings\Owner\Desktop\~WRL3098.tmp
C:\Documents and Settings\Owner\Desktop\~WRL3251.tmp
C:\Documents and Settings\Owner\Desktop\~WRL3352.tmp
C:\Documents and Settings\Owner\Desktop\~WRL3563.tmp
C:\Documents and Settings\Owner\Desktop\~WRL3647.tmp
C:\Documents and Settings\Owner\Desktop\~WRL3818.tmp
C:\Documents and Settings\Owner\Desktop\~WRL3891.tmp
C:\Documents and Settings\Owner\Desktop\~WRL3894.tmp
C:\Documents and Settings\Owner\Desktop\~WRL3915.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\BIT5.tmp

Finished


[[ Hijack Log ]]
Logfile of HijackThis v1.99.1
Scan saved at 5:07:20 PM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.lib.ucdavis.edu/proxy/pacserve
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: 0 - {8F008927-FD4A-4EC3-3388-D0BFBDA56D67} - (no file)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O2 - BHO: 0 - {FB0EA130-FC7E-4B78-5EA6-D617E77FB971} - C:\Program Files\Internet Explorer\sahuvon.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [{C9-99-9A-A8-ZN}] c:\windows\system32\dwdsregt.exe SKY002
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/
O15 - Trusted Zone: http://onecare.live.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DCF2B4D-B30F-4CCB-9A65-547DAF66039E}: NameServer = 151.11.169.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC142483-E00E-40BB-8EF8-0AE56C3C5EFD}: NameServer = 151.11.169.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{D205A688-818D-4009-9D59-60762493ED5F}: NameServer = 151.11.169.10
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\system32\rpcc1.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Background Intelligent Transfer Service BITSccEvtMgr (BITSccEvtMgr) - Unknown owner - C:\WINDOWS\system32\advpack.dllp.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:11:35 AM

Posted 15 May 2007 - 02:33 AM

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
This will change from what we know in 2006; read this article:
http://www.clickz.com/news/article.php/3561546

You are well advised to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:

Viewpoint
Viewpoint Manager
Viewpoint Media Player


Then restart your pc.

**************************

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\system32\perfc000.dat
C:\WINDOWS\system32\rpcc1.dll
C:\Program Files\Internet Explorer\sahuvon.dll
c:\windows\system32\dwdsregt.exe

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

**************************

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option #1 Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Also post a new Hijackthis log please.

#11 butterfly_collector

butterfly_collector
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:05:35 AM

Posted 15 May 2007 - 02:15 PM

I've done everything in the order that you told me except the Combofix. I've clearly saved it on my desktop, but it says that Windows cannot access it and that I may not have appropriate permission to access the item, which is strange because I am on the computer administrator account.




[[ Avenger ]]
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fmdjjgbt

*******************

Script file located at: \??\C:\WINDOWS\omarrrxc.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\perfc000.dat deleted successfully.
File C:\WINDOWS\system32\rpcc1.dll deleted successfully.
File C:\Program Files\Internet Explorer\sahuvon.dll deleted successfully.


File c:\windows\system32\dwdsregt.exe not found!
Deletion of file c:\windows\system32\dwdsregt.exe failed!

Could not process line:
c:\windows\system32\dwdsregt.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.




[[ Smitfraud ]]
SmitFraudFix v2.176

Scan done at 11:59:16.49, Tue 05/15/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Owner


C:\Documents and Settings\Owner\Application Data


Start Menu


C:\DOCUME~1\Owner\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\perfc000.dat"


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32-huy32



DNS

Description: Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
DNS Server Search Order: 151.11.169.10

Description: Intel® PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 151.11.169.10

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2DCF2B4D-B30F-4CCB-9A65-547DAF66039E}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{2DCF2B4D-B30F-4CCB-9A65-547DAF66039E}: NameServer=151.11.169.10
HKLM\SYSTEM\CCS\Services\Tcpip\..\{AC142483-E00E-40BB-8EF8-0AE56C3C5EFD}: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CCS\Services\Tcpip\..\{AC142483-E00E-40BB-8EF8-0AE56C3C5EFD}: NameServer=151.11.169.10
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D205A688-818D-4009-9D59-60762493ED5F}: NameServer=151.11.169.10
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2DCF2B4D-B30F-4CCB-9A65-547DAF66039E}: NameServer=151.11.169.10
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AC142483-E00E-40BB-8EF8-0AE56C3C5EFD}: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AC142483-E00E-40BB-8EF8-0AE56C3C5EFD}: NameServer=151.11.169.10
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D205A688-818D-4009-9D59-60762493ED5F}: NameServer=151.11.169.10
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2DCF2B4D-B30F-4CCB-9A65-547DAF66039E}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2DCF2B4D-B30F-4CCB-9A65-547DAF66039E}: NameServer=151.11.169.10
HKLM\SYSTEM\CS3\Services\Tcpip\..\{AC142483-E00E-40BB-8EF8-0AE56C3C5EFD}: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS3\Services\Tcpip\..\{AC142483-E00E-40BB-8EF8-0AE56C3C5EFD}: NameServer=151.11.169.10
HKLM\SYSTEM\CS3\Services\Tcpip\..\{D205A688-818D-4009-9D59-60762493ED5F}: NameServer=151.11.169.10
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130


Scanning for wininet.dll infection


End


[[ Hijack Log ]]
Logfile of HijackThis v1.99.1
Scan saved at 12:05:32 PM, on 5/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msfeedssync.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.lib.ucdavis.edu/proxy/pacserve
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: 0 - {8F008927-FD4A-4EC3-3388-D0BFBDA56D67} - (no file)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O2 - BHO: 0 - {FB0EA130-FC7E-4B78-5EA6-D617E77FB971} - C:\Program Files\Internet Explorer\sahuvon.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/
O15 - Trusted Zone: http://onecare.live.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DCF2B4D-B30F-4CCB-9A65-547DAF66039E}: NameServer = 151.11.169.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC142483-E00E-40BB-8EF8-0AE56C3C5EFD}: NameServer = 151.11.169.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{D205A688-818D-4009-9D59-60762493ED5F}: NameServer = 151.11.169.10
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\system32\rpcc1.dll (file missing)
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Background Intelligent Transfer Service BITSccEvtMgr (BITSccEvtMgr) - Unknown owner - C:\WINDOWS\system32\advpack.dllp.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:11:35 AM

Posted 15 May 2007 - 02:39 PM

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Double click on Smitfraudfix.cmd
Select #2 and hit Enter to delete the infected files.
You will be prompted: 'Do you want to clean the registry?' answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): 'Replace infected file ?' answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process.
The report can be found at the root of the system drive, usually at C:\rapport.txt

Post the smitfraudfix report, and a new Hijack This log into your next reply.

#13 butterfly_collector

butterfly_collector
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:05:35 AM

Posted 15 May 2007 - 08:17 PM

Thank you. Thank you for not giving up on me!! T_T


[[smitfraudfix report]]
SmitFraudFix v2.176

Scan done at 17:58:41.77, Tue 05/15/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2DCF2B4D-B30F-4CCB-9A65-547DAF66039E}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{2DCF2B4D-B30F-4CCB-9A65-547DAF66039E}: NameServer=151.11.169.10
HKLM\SYSTEM\CCS\Services\Tcpip\..\{AC142483-E00E-40BB-8EF8-0AE56C3C5EFD}: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CCS\Services\Tcpip\..\{AC142483-E00E-40BB-8EF8-0AE56C3C5EFD}: NameServer=151.11.169.10
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D205A688-818D-4009-9D59-60762493ED5F}: NameServer=151.11.169.10
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2DCF2B4D-B30F-4CCB-9A65-547DAF66039E}: NameServer=151.11.169.10
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AC142483-E00E-40BB-8EF8-0AE56C3C5EFD}: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AC142483-E00E-40BB-8EF8-0AE56C3C5EFD}: NameServer=151.11.169.10
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D205A688-818D-4009-9D59-60762493ED5F}: NameServer=151.11.169.10
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2DCF2B4D-B30F-4CCB-9A65-547DAF66039E}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2DCF2B4D-B30F-4CCB-9A65-547DAF66039E}: NameServer=151.11.169.10
HKLM\SYSTEM\CS3\Services\Tcpip\..\{AC142483-E00E-40BB-8EF8-0AE56C3C5EFD}: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS3\Services\Tcpip\..\{AC142483-E00E-40BB-8EF8-0AE56C3C5EFD}: NameServer=151.11.169.10
HKLM\SYSTEM\CS3\Services\Tcpip\..\{D205A688-818D-4009-9D59-60762493ED5F}: NameServer=151.11.169.10
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1 68.87.76.178 68.87.78.130


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End


[[hijack log]]
Logfile of HijackThis v1.99.1
Scan saved at 6:07:15 PM, on 5/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.lib.ucdavis.edu/proxy/pacserve
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: 0 - {8F008927-FD4A-4EC3-3388-D0BFBDA56D67} - (no file)
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O2 - BHO: 0 - {FB0EA130-FC7E-4B78-5EA6-D617E77FB971} - C:\Program Files\Internet Explorer\sahuvon.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/
O15 - Trusted Zone: http://onecare.live.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DCF2B4D-B30F-4CCB-9A65-547DAF66039E}: NameServer = 151.11.169.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC142483-E00E-40BB-8EF8-0AE56C3C5EFD}: NameServer = 151.11.169.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{D205A688-818D-4009-9D59-60762493ED5F}: NameServer = 151.11.169.10
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\system32\rpcc1.dll (file missing)
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Background Intelligent Transfer Service BITSccEvtMgr (BITSccEvtMgr) - Unknown owner - C:\WINDOWS\system32\advpack.dllp.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:11:35 AM

Posted 16 May 2007 - 01:51 AM

Click on Start/Run, type CMD, then press OK.
At the Command Prompt, copy and paste the following commands, pressing Enter after each one:

SC STOP BITSccEvtMgr
SC DELETE BITSccEvtMgr


Then type EXIT then press Enter.

Restart your pc.

************************

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: 0 - {8F008927-FD4A-4EC3-3388-D0BFBDA56D67} - (no file)
O2 - BHO: 0 - {FB0EA130-FC7E-4B78-5EA6-D617E77FB971} - C:\Program Files\Internet Explorer\sahuvon.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\system32\rpcc1.dll (file missing)

Exit Hijackthis.

Now scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
* Also post a new Hijackthis log, and let me know how your pc is running now please.

Edited by RichieUK, 16 May 2007 - 01:53 AM.


#15 butterfly_collector (Topic Starter, Members, 17 posts)

Posted 19 May 2007 - 04:08 AM

i did the first two things you asked me to do. i wasn't able to do the last one (i don't know how to reboot.) but after i did what i could, i started it up in normal mode with all devices and startups loaded and it works!! yay!!! i want to thank you very much for all the time and effort you've put into helping me!!! i'm eternally grateful!! if you could possibly take a look at my hijack log and tell me if there's something that's still wrong or that i need/should fix, please, i'll be very grateful!!!

well, actually, i do have a question about my hijacklog. this ---> O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
i have no idea how it got there and i don't know how to stop it from booting up at startup. i tried going to the file and looking at its properties but nothing. thank you again!!!!

plus, if it's okay to ask you (if not, i'll post to the appropriate subforum), whenever i open a file or basically anything on my computer, my computer gets really loud and stays loud for a while. i took a look at the cpu usage and it spikes from 1 to 55 back to 1 and sometimes even to 100. is this normal? and what can i do to fix it?


Logfile of HijackThis v1.99.1
Scan saved at 1:58:17 AM, on 5/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ucdavis.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.lib.ucdavis.edu/proxy/pacserve
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ofb1 - {3E1500AC-87A5-416b-A211-82E848649DA9} - C:\PROGRA~1\Ofb11\Ofb11.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/
O15 - Trusted Zone: http://onecare.live.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DCF2B4D-B30F-4CCB-9A65-547DAF66039E}: NameServer = 217.16.28.119
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC142483-E00E-40BB-8EF8-0AE56C3C5EFD}: NameServer = 217.16.28.119
O17 - HKLM\System\CCS\Services\Tcpip\..\{D205A688-818D-4009-9D59-60762493ED5F}: NameServer = 217.16.28.119
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe

Edited by butterfly_collector, 19 May 2007 - 04:18 AM.
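The fix list RichieUK gave above and the new log in this post use the same HijackThis v1.99 line format, so the same triage rules can be applied to both by a script. The Python helper below is an added example, not part of HijackThis or of this thread; it parses HijackThis-style entries and flags orphaned entries, O20 AppInit_DLLs / Winlogon Notify loaders and O17 hard-coded DNS servers, using constructed sample lines in the shape of the ones posted here.

```python
import re

# Added triage helper for HijackThis v1.99-style logs (not part of HijackThis
# or of this thread). The rules restate the reasoning used in the thread:
# entries pointing at missing files are orphans, O20 AppInit_DLLs / Winlogon
# Notify entries load code into every session, O17 entries hard-code DNS.
ENTRY_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")

def classify(line):
    """Return (tag, reason) for one log line, or None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if "(no file)" in body or "(file missing)" in body:
        return ("orphan", f"{section}: registry entry points at a file that no longer exists")
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        path = body.split(":", 1)[1].strip()
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        note = "" if ext == "dll" else f" (extension '.{ext}' is unusual for a DLL)"
        return ("review", f"O20: AppInit_DLLs loads {path} into every user-mode process{note}")
    if section == "O20" and body.startswith("Winlogon Notify:"):
        path = body.split(" - ", 1)[-1].strip()
        if not path.lower().endswith(".dll"):
            return ("review", f"O20: Winlogon Notify entry does not name a DLL: {path}")
    if section == "O17" and "NameServer =" in body:
        ns = body.split("NameServer =", 1)[1].strip()
        return ("review", f"O17: hard-coded DNS server {ns}; confirm it is the expected one")
    return ("ok", "")

def triage(log_text):
    """Return the flagged entries of a log as (tag, reason, line) tuples."""
    flagged = []
    for line in log_text.splitlines():
        res = classify(line)
        if res and res[0] != "ok":
            flagged.append((res[0], res[1], line.strip()))
    return flagged

# Constructed sample: entries in the format of the logs in this thread, mixing
# legitimate entries with the kinds the helper was asked to fix.
SAMPLE_LOG = r"""O2 - BHO: 0 - {FB0EA130-FC7E-4B78-5EA6-D617E77FB971} - C:\Program Files\Internet Explorer\sahuvon.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DCF2B4D-B30F-4CCB-9A65-547DAF66039E}: NameServer = 217.16.28.119
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: rpcc1 - C:\WINDOWS\system32\rpcc1.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll"""
```

Running `triage(SAMPLE_LOG)` flags five of the eight sample entries; the SDHelper, QuickTime and WgaLogon lines pass, as they did in the thread.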
