DK64_MASTER

HJT from topic: Cn91x.exe, iexpl0re.exe, crasos.exe, sdbot virus


Cross referenced from:

http://forums.pcpitstop.com/index.php?showtopic=138352

 

Hey everyone, my HJT log is attached (non-beta version):

 

Logfile of HijackThis v1.99.1

Scan saved at 10:45:46 AM, on 4/3/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\wuauclt.exe

C:\HJT2\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\taskrgm.exe,

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [j4tbvw] C:\DOCUME~1\Amar\LOCALS~1\Temp\crasos.exe

O4 - Startup: Folding@Home 5.03.lnk = C:\Program Files\Folding@Home\winFAH.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: ActiveGS.cab - http://virtualapple.org/activegs.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120614987440

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136501044079

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

 

 

The bold item is suspect... Also, in my temporary directory, the old cn91x files are still there (in addition to the bolded item), along with some shady DLLs. I have deleted all I can, but some DLLs are locked. Nothing bad has started up, except AVG (auto-startup) caught something in C:/program files/internet explorer/iexplore.exe as Downloader.VB.anf, which I immediately quarantined!

 

It seems that some of the other stuff has disappeared...

 

Also, I am having trouble running scans in Safe Mode (as said in the cross-linked topic).

 

Thanks everyone!

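The three log lines a helper looks at first here are the F2 UserInit entry (a second executable appended after userinit.exe, which winlogon starts at every logon), the O4 Run value that launches crasos.exe from the user's Temp folder, and the ProxyServer value ":0" (empty host, port 0). The script below is an added example by the editor, not part of the original thread and not HijackThis's own logic; it reads those lines (copied from the log above as sample input) and applies the same checks mechanically. The heuristics are the editor's, and "finding" means "worth a look", not "confirmed malicious".

```python
"""Triage of the HijackThis lines that matter in the log above.

Added example, not part of the original thread and not HijackThis's own
logic.  The log lines are copied from the post; the heuristics are the
editor's.
"""
import re

# Copied from the HJT log above (sample input for this script).
HJT_LINES = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\taskrgm.exe,
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [j4tbvw] C:\DOCUME~1\Amar\LOCALS~1\Temp\crasos.exe
""".strip().splitlines()

# The only program that belongs in UserInit on XP.  Anything appended after
# it is started by winlogon at every interactive logon, before the shell,
# which is why malware likes this spot.
USERINIT_OK = {r"c:\windows\system32\userinit.exe"}
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp\\")
O4_LINE = re.compile(r"O4 - (.+?): \[(.*?)\] (.*)$")


def _executable(cmd):
    """Return the program part of a Run value (strip quotes and arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage_hjt(lines):
    """Return (section, item, reason) tuples for entries worth checking."""
    findings = []
    for line in lines:
        line = line.strip()
        if line.startswith("F2 - ") and "UserInit=" in line:
            for entry in line.split("UserInit=", 1)[1].split(","):
                entry = entry.strip()
                if entry and entry.lower() not in USERINIT_OK:
                    findings.append(("F2", entry, "extra UserInit program runs at every logon"))
        elif line.startswith("O4 - "):
            m = O4_LINE.match(line)
            if m:
                _hive, name, cmd = m.groups()
                exe = _executable(cmd)
                if any(t in exe.lower() for t in TEMP_MARKERS):
                    findings.append(("O4", exe, f"Run value '{name}' starts a program from a Temp folder"))
        elif line.startswith("R1 - ") and "ProxyServer" in line:
            value = line.split("=", 1)[1].strip()
            host, _, port = value.rpartition(":")
            if value and (not host or not port.isdigit() or int(port) == 0):
                findings.append(("R1", value, "malformed ProxyServer (empty host or port 0)"))
    return findings


if __name__ == "__main__":
    for section, item, reason in triage_hjt(HJT_LINES):
        print(f"{section}: {item}\n    {reason}")
```

Run against the four lines it reports the ProxyServer value, taskrgm.exe under F2 and crasos.exe under O4, and stays quiet about the AVG entry in Program Files.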

Hi and welcome

 

Download and run this file: Flash_Disinfector.exe

 

Restart the computer normally.

 

This will not take very long to run.

 

Let me know how it goes.

 

 

 

Please download Killbox by Option^Explicit and save it to your desktop.

 

Note: In the event you already have Killbox, this is a new version that I need you to download.

  • Please double-click Killbox.exe to run it.
  • From the main Killbox window, select:
"Delete on Reboot".

"All Files".

  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C:
(or, after highlighting, right-click and choose copy):

 

C:\WINDOWS\system32\taskrgm.exe

C:\DOCUME~1\Amar\LOCALS~1\Temp\crasos.exe

C:\DOCUME~1\username\LOCALS~1\Temp\Cn911.exe

C:\DOCUME~1\Amar\LOCALS~1\Temp\iexpl0re.exe

 

 

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt. Click "No" at the Pending Operations prompt.

 

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

If Killbox gives you a PendingFileRenameOperations prompt, manually reboot at this point.

 

If your computer does not reboot automatically, please reboot it manually.

After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log

Post this log in your next reply.

NOTE: If you receive a message such as, "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, Click Here to download and run missingfilesetup.exe Then try Killbox again.

 

 

 

Download SDFix and save it to your Desktop.

 

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

 

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

 

 

Download AVG Anti-Spyware 7.5 from Here

And save that file to your desktop.

  • Once you have downloaded AVG anti-spyware, locate the icon on the your desk top and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware 7.5 and update the definition files.
  • On the main screen select the "Update" icon, then select the "Update Now" link.
  • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
  • Once the update has completed, select the Scanner icon at the top of the screen, then select the Settings tab.
  • Once in the Settings screen, click on "Recommended Actions" and then select "Quarantine". <-- VERY IMPORTANT
  • Under "Reports":

    Select "Automatically generate report after every scan"

    Un-select "Only if threats were found"

 

Close AVG Anti-Spyware 7.5, Do not run a scan yet.

 

 

Reboot your computer into Safe Mode. Tap the F8 key just before Windows starts to load and select Safe Mode from the menu.

 

Important: do not open any other windows or programs while AVG is scanning, as it may interfere with the scanning process:

  • Launch AVG Anti-Spyware 7.5 by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete Scan".
  • AVG will now begin the scanning process, be patient this may take a little time to complete.
Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you have saved the file; this is important.)
  • Close AVG Anti-Spyware 7.5 and reboot your system back into Normal Mode
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30-day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner, or you may purchase a license to use the full version.

 

 

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE)6u1 1.6.0_01-b06 (Vista Compatible Java)
  • Scroll to Java Runtime Environment (JRE) 6u1 and click on the download button
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

    Go to Start > Control Panel double-click on the Software icon > add/remove programs.

    Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )

    It should have the Java icon next to it.

    Select it and click Remove.

  • Close any programs you may have running - especially your web browser.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

 

In your next reply I need:

Killbox log

SDFix report

AVG A/S log

New HJT log

Comments on how the computer is running now

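Killbox's "Delete on Reboot" option and the PendingFileRenameOperations prompt in the instructions above are two faces of one Windows mechanism: a program asks for a locked file to be removed at the next boot (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT), Windows records the request in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and Session Manager carries it out early in the next boot before anything can lock the file again. The following added example (editor's code, not Killbox's; whether Killbox calls that exact API is not stated on the page) encodes and decodes that value so a pending list can be inspected or built by hand. The four paths are those the post above feeds to Killbox.

```python
"""Build and read the PendingFileRenameOperations value.

Added example; not Killbox's code.  Format: a REG_MULTI_SZ holding
(source, destination) pairs in NT path syntax.  An empty destination
means "delete source"; a destination starting with "!" means "replace
an existing destination".  Because empty strings are legal elements here,
the usual "an empty string ends a multi-sz" rule does not apply and the
value has to be walked in pairs.
"""
NT_PREFIX = "\\??\\"          # NT object-manager form of a Win32 path

# The four files the post above asks Killbox to delete on reboot.
KILLBOX_PATHS = [
    r"C:\WINDOWS\system32\taskrgm.exe",
    r"C:\DOCUME~1\Amar\LOCALS~1\Temp\crasos.exe",
    r"C:\DOCUME~1\username\LOCALS~1\Temp\Cn911.exe",
    r"C:\DOCUME~1\Amar\LOCALS~1\Temp\iexpl0re.exe",
]


def encode_pending_ops(ops):
    """ops: iterable of (source, destination); destination "" = delete.

    Returns the raw REG_MULTI_SZ bytes: UTF-16LE, every string
    NUL-terminated, plus one more NUL closing the list."""
    parts = []
    for src, dst in ops:
        parts.append(NT_PREFIX + src)
        parts.append(NT_PREFIX + dst if dst else "")
    return ("\0".join(parts) + "\0\0").encode("utf-16-le")


def _strip_nt(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_ops(blob):
    """Return a list of {'source', 'destination', 'action'} dicts."""
    text = blob.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("not a NUL-terminated REG_MULTI_SZ")
    strings = text[:-2].split("\0")
    if len(strings) % 2:
        raise ValueError("odd number of strings; expected source/destination pairs")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        replace = dst.startswith("!")
        dst = _strip_nt(dst.lstrip("!"))
        ops.append({
            "source": _strip_nt(src),
            "destination": dst,
            "action": "delete" if not dst else ("replace" if replace else "move"),
        })
    return ops


if __name__ == "__main__":
    blob = encode_pending_ops((p, "") for p in KILLBOX_PATHS)
    for op in decode_pending_ops(blob):
        print(op["action"], op["source"], op["destination"])
```

A practical consequence for the "PendingFileRenameOperations prompt" in the instructions: if the value already holds entries from another tool (Windows Update and installers use the same slot), writing a new list blindly would discard theirs, which is why a careful tool reads and appends rather than overwrites.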

> Hi and welcome
>
> download & run this file Flash_Disinfector.exe
>
> Restart the computer normally.
>
> This will not take very long to run.
>
> Let me know how it goes.

 

From the first part, it ran and said done. I plugged in a second flash drive that seemed to also be infected, and AVG detected malware (trojan downloader). It needed to be restarted, so I did.

 

 

I booted windows, and got the error message saying something about "cannot clean some process" I dunno the exact message.

 

Now I tried to open internet explorer, and it cannot find it :( . I had to type in a url using the regular windows explorer bar...

 

I will try the next step(s) now.

 

 

EDIT 2:

Killbox Log

Pocket Killbox version 2.0.0.881

Running on Windows XP as Amar(Administrator)

was started @ Tuesday, April 03, 2007, 4:13 PM

 

Killbox Closed(Exit) @ 4:15:13 PM

__________________________________________________

 

Pocket Killbox version 2.0.0.881

Running on Windows XP as Amar(Administrator)

was started @ Tuesday, April 03, 2007, 4:15 PM

 

# 1 [Delete on Reboot]

Path = C:\WINDOWS\system32\taskrgm.exe

 

 

# 2 [Delete on Reboot]

Path = C:\DOCUME~1\Amar\LOCALS~1\Temp\crasos.exe

 

 

# 3 [Delete on Reboot]

Path = C:\DOCUME~1\username\LOCALS~1\Temp\Cn911.exe

 

 

# 4 [Delete on Reboot]

Path = C:\DOCUME~1\username\LOCALS~1\Temp\Cn911.exe

 

 

# 5 [Delete on Reboot]

Path = C:\DOCUME~1\Amar\LOCALS~1\Temp\iexpl0re.exe

 

 

I Rebooted @ 4:17:45 PM

Killbox Closed(Exit) @ 4:17:48 PM

__________________________________________________

 

Pocket Killbox version 2.0.0.881

Running on Windows XP as Amar(Administrator)

was started @ Tuesday, April 03, 2007, 4:22 PM

 

EDIT 3

 

sdfix log

 

SDFix: Version 1.76

 

Run by Amar - Tue 04/03/2007 - 16:28:14.10

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

 

 

 

 

Restoring Windows Registry Entries

Restoring Default Hosts File

 

 

Rebooting...

 

Normal Mode:

Checking Files:

 

Below files will be copied to Backups folder then removed:

 

C:\WINDOWS\system32\Del.bat - Deleted

 

 

 

ADS Check:

 

C:\WINDOWS\system32

No streams found.

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"

"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"

"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Enabled:btdownloadgui"

"C:\\Program Files\\DC++\\DCPlusPlus.exe"="C:\\Program Files\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"

"C:\\Program Files\\Folding@Home\\winFAH.exe"="C:\\Program Files\\Folding@Home\\winFAH.exe:*:Enabled:Folding@Home 5.03"

"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"

"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"

"C:\\Program Files\\Media Player Classic\\mplayerc.exe"="C:\\Program Files\\Media Player Classic\\mplayerc.exe:*:Enabled:Media Player Classic"

"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"

"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"

"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"

"C:\\Program Files\\National Instruments\\LabVIEW 7.0\\LabVIEW.exe"="C:\\Program Files\\National Instruments\\LabVIEW 7.0\\LabVIEW.exe:*:Enabled:LabVIEW 7.0 Development System"

"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"

"C:\\Documents and Settings\\Amar\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Amar\\Desktop\\utorrent.exe:*:Enabled:µTorrent"

"C:\\Program Files\\utorrent\\utorrent.exe"="C:\\Program Files\\utorrent\\utorrent.exe:*:Enabled:µTorrent"

"C:\\Program Files\\X-Chat 2\\xchat.exe"="C:\\Program Files\\X-Chat 2\\xchat.exe:*:Enabled:X-Chat IRC Client"

"C:\\MATLAB7\\bin\\win32\\MATLAB.exe"="C:\\MATLAB7\\bin\\win32\\MATLAB.exe:*:Enabled:MATLAB"

"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVU Player Component"

"C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"="C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe:*:Enabled:VNC Viewer Free Edition for Win32"

"C:\\Documents and Settings\\Amar\\Desktop\\Amar's Stuff\\ZSNES\\znes.exe"="C:\\Documents and Settings\\Amar\\Desktop\\Amar's Stuff\\ZSNES\\znes.exe:*:Enabled:znes"

"C:\\Documents and Settings\\Amar\\Desktop\\Amar's Stuff\\ZSNES\\ZSNESW.exe"="C:\\Documents and Settings\\Amar\\Desktop\\Amar's Stuff\\ZSNES\\ZSNESW.exe:*:Enabled:ZSNESW"

"C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd"="C:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\age2_x1.icd:*:Enabled:Age of Empires II Expansion"

"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"

 

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"

"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"

 

 

Remaining Files:

---------------

 

Backups Folder: - C:\SDFix\backups\backups.zip

 

Checking For Files with Hidden Attributes :

 

C:\WINDOWS\system32\nwlpri.dll

C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\18c83148b0660f13686fb5867a4bd7ea\BIT1.tmp

 

Finished

 

HJT LOG

Logfile of HijackThis v1.99.1

Scan saved at 4:51:32 PM, on 4/3/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe

C:\HJT2\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [j4tbvw] C:\DOCUME~1\Amar\LOCALS~1\Temp\crasos.exe

O4 - Startup: Folding@Home 5.03.lnk = C:\Program Files\Folding@Home\winFAH.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: ActiveGS.cab - http://virtualapple.org/activegs.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120614987440

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136501044079

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

 

 

 

As said before, I was unable to complete the scan in safe-mode (the computer would reboot randomly), so I have no AVG scan.

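The "Authorized Application Key Export" in the SDFix report above is the Windows Firewall (XP SP2) exception list in .reg format, which is what the helper reads to see which programs have been allowed to accept inbound connections. The following is an added example by the editor, not SDFix or forum code: it parses that export (lines copied from the report as sample input) and flags enabled exceptions for programs living in user-writable folders, or whose value path differs from the key path. That the list also holds P2P, IRC and VNC clients is for the poster to judge; the script only surfaces what is there.

```python
"""Parse and triage the Windows Firewall (XP SP2) exception list.

Added example, not SDFix's code.  Input is the .reg-style export SDFix
prints under "Authorized Application Key Export": one line per program,
  "<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>"
where scope "*" means any remote address and backslashes are doubled.
"""
import re

# Copied from the SDFix report above (subset, used as sample input).
SDFIX_EXPORT = r'''
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\DC++\\DCPlusPlus.exe"="C:\\Program Files\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Documents and Settings\\Amar\\Desktop\\utorrent.exe"="C:\\Documents and Settings\\Amar\\Desktop\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe"="C:\\Program Files\\RealVNC\\VNC4\\vncviewer.exe:*:Enabled:VNC Viewer Free Edition for Win32"
'''.strip().splitlines()

REG_LINE = re.compile(r'^"(?P<key>.*)"="(?P<value>.*)"$')
ENTRY = re.compile(r'^(?P<path>.*):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$', re.I)
# Folders an ordinary user (and therefore malware running as that user)
# can write to; a firewall hole for a program there deserves a second look.
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\temp\\")


def _unescape(s):
    return s.replace("\\\\", "\\")   # .reg exports double every backslash


def parse_authorized_apps(reg_lines):
    apps = []
    for line in reg_lines:
        m = REG_LINE.match(line.strip())
        if not m:
            continue                      # key header, blank line, etc.
        e = ENTRY.match(_unescape(m["value"]))
        if not e:
            raise ValueError(f"unrecognised firewall entry: {line!r}")
        apps.append({
            "key": _unescape(m["key"]),
            "path": e["path"],
            "scope": e["scope"],
            "enabled": e["state"].lower() == "enabled",
            "name": e["name"],
        })
    return apps


def triage_authorized_apps(apps):
    """Return (path, reason) for enabled exceptions worth questioning."""
    findings = []
    for a in apps:
        if not a["enabled"]:
            continue
        low = a["path"].lower()
        if a["key"].lower() != low:
            findings.append((a["path"], "value path differs from key path"))
        if any(marker in low for marker in USER_WRITABLE):
            findings.append((a["path"], "exception for a program in a user-writable folder"))
    return findings


if __name__ == "__main__":
    apps = parse_authorized_apps(SDFIX_EXPORT)
    print(f"{sum(a['enabled'] for a in apps)} enabled exceptions, scopes: {sorted({a['scope'] for a in apps})}")
    for path, reason in triage_authorized_apps(apps):
        print(f"  {path}: {reason}")
```

On the sample it reports the µTorrent copy on the Desktop and nothing else; every entry has scope "*", so each of these programs is reachable from any address once it listens.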

I don't remember getting a message from kill box at all.

 

I have done all the scans. I couldn't run AVG, as in safe mode the computer would restart randomly, before finishing the scan. It might be due to heat issues, as I am running a laptop, but I doubt it. I will mention that I was able to run the full scan not in safe mode without any problems.

 

The IE fix is not working. It can't even find the whole exe. I should mention that when I ran the full system scan (in normal mode), AVG detected iexplore.exe (no 0) as a trojan (Downloader.VB.anf) and deleted it. False positive? If I restore the quarantined file, I can probably gain back IE functionality, but I don't want to risk another outbreak. All I need is the EXE.

 

 

EDIT2: I still have those suspicious dlls in my temp directory, but the cn91x files are gone, and now there's an exe called "nircmd.exe".

 

EDIT3: I still have crasos.exe in my msconfig startup items. This exe no longer resides in my temp folder. Should I remove it from msconfig? Or will the HJT guys (and gals!) take care of me there.

 

Honestly my computer seems to be working perfectly, other than a faulty IE, which was deleted and quarantined by AVG. Nothing bad is starting up, and it runs smoothly.

 

I would almost like it if someone could just attach iexplore.exe here so I can place it in my temporary directory. I really don't want to restore the quarantined and infected iexplore.exe, and I don't have a system restore disk.

 

The only thing I am afraid of is if I put one of my usb keys back in, I really don't want to get infected again. And I have important work on both keys...

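The poster's worry about putting the USB keys back in comes down to autorun.inf: on XP, a removable drive's autorun.inf can name a program to run through open=, shellexecute= or a shell\<verb>\command= entry, and that is how a flash-drive infection of this kind hops between machines. The added example below is the editor's code, not Flash_Disinfector's (the thread does not describe that tool's internals): it parses an autorun.inf and lists every directive that would launch a program, so a key can be inspected from a clean machine with AutoPlay disabled before it is trusted. The sample autorun.inf is constructed for this example, not taken from the poster's drives.

```python
"""List the directives in an autorun.inf that would launch a program.

Added example; not Flash_Disinfector's code.  autorun.inf is an INI file;
XP's AutoPlay reads the [autorun] section (or an architecture-specific
[autorun.<arch>] one) and will run the program named by open=,
shellexecute=, or a shell\<verb>\command= entry.  icon= and label= are
cosmetic and cannot run code.
"""
import re

# Constructed sample, not taken from the poster's flash drives.
SAMPLE_AUTORUN = """\
[AutoRun]
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=Removable Disk
open=RECYCLER\\desktop.exe
shellexecute=RECYCLER\\desktop.exe
shell\\Open\\Command=RECYCLER\\desktop.exe
shell=Open
UseAutoPlay=1
"""

LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)


def parse_autorun(text):
    """Return {section_name_lowercased: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue                      # stray text outside a section
        key, value = (s.strip() for s in line.split("=", 1))
        sections[current].append((key, value))
    return sections


def launch_directives(sections):
    """Return (section, key, target) for every entry that would run a program."""
    hits = []
    for name, entries in sections.items():
        if name != "autorun" and not name.startswith("autorun."):
            continue
        for key, value in entries:
            if LAUNCH_KEY.match(key):
                hits.append((name, key, value))
    return hits


if __name__ == "__main__":
    for section, key, target in launch_directives(parse_autorun(SAMPLE_AUTORUN)):
        print(f"[{section}] {key} -> {target}")
```

A drive whose autorun.inf yields an empty list from launch_directives can still carry malware, but nothing on it will start by itself when the key is inserted; the executables it names are the files to check next.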

Did you install DCPlusPlus.exe?

 

 

 

Please go to at least two of the below sites to scan the following files:

jotti.org

or

virustotal

or

http://www.kaspersky.com/scanforvirus.html

 

click on Browse, and upload the following file for analysis:

 

C:\WINDOWS\system32\nwlpri.dll

 

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

 

 

> I booted windows, and got the error message saying something about "cannot clean some process" I dunno the exact message

See if you can look in event viewer to find the exact message

 

> As said before, I was unable to complete the scan in safe-mode (the computer would reboot randomly), so I have no AVG scan

OK, try again in normal mode

 

 

Open HJT, click "Scan", and place a check by these:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

O4 - HKCU\..\Run: [j4tbvw] C:\DOCUME~1\Amar\LOCALS~1\Temp\crasos.exe

 

Close all windows and click fix checked

 

 

Please download the OTMoveIt by OldTimer.

  • Save it to your desktop.

     

    Please double-click OTMoveIt.exe to run it. Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\DOCUME~1\Amar\LOCALS~1\Temp\crasos.exe

    C:\SDFix\backups

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

 

 

 

Download ComboFix from Here or Here to your Desktop.

  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

 

 

 

 

Next go Here to run Panda's ActiveScan.

Once you are on the Panda site click the Scan your PC button

A new window will open...click the Check Now button.

Enter your State/Province

Enter your E-mail address and click send.

Select either Home user or Company.

Click the big Scan Now button

  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a few minutes)
When the download is complete, click on My Computer to start the scan.

When the scan completes, if anything malicious is detected, click the See Report button, then Save report and save it to a convenient location (activescan.txt to desktop).

Post the contents of the ActiveScan report

 

 

In your next reply I need:

 

File scanned

OT log

ComboFix log

Panda log

New HJT log

Comments on what's new!

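Before uploading nwlpri.dll to Jotti or VirusTotal it is worth hashing it, so the same sample can be looked up again by digest instead of being re-uploaded, and so the file on disk can be matched against what was submitted. The added example below is the editor's code, not part of the thread, Jotti or VirusTotal: it computes the digests and summarises a multi-engine result list in the "Engine Found verdict" layout Jotti returns, using the verdicts the poster pastes in the next reply as sample input. The "generic" flag is this example's heuristic for verdicts that come from family-generic or behavioural signatures rather than a named sample.

```python
"""Hash a suspect file and summarise a multi-engine scan result list.

Added example, editor's code; not part of the thread, Jotti or VirusTotal.
The result lines are copied from the next reply in the thread and used as
sample input; the "generic" flag is this example's own heuristic.
"""
import hashlib
import re

SCAN_RESULTS = """\
AntiVir Found TR/Delphi.Downloader.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found BehavesLike:Trojan.WUDisable (probable variant)
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
""".splitlines()

# Verdict fragments that usually mean a heuristic or family-generic hit.
GENERIC = re.compile(r"(\.gen\b|generic|behaveslike|probable|heur|suspicious)", re.I)
DIGESTS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    return {name: hashlib.new(name, data).hexdigest() for name in DIGESTS}


def hash_file(path, chunk_size=1 << 20):
    """Stream the file so large samples do not have to fit in memory."""
    digests = {name: hashlib.new(name) for name in DIGESTS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def summarise_scan(lines):
    """Return engine count, the positive verdicts, and a 'hits/engines' ratio."""
    engines, detections = 0, []
    for line in lines:
        if " Found " not in line:
            continue
        engine, verdict = (s.strip() for s in line.split(" Found ", 1))
        engines += 1
        if verdict.lower() == "nothing":
            continue
        detections.append({"engine": engine, "verdict": verdict,
                           "generic": bool(GENERIC.search(verdict))})
    return {"engines": engines, "detections": detections,
            "ratio": f"{len(detections)}/{engines}"}


if __name__ == "__main__":
    summary = summarise_scan(SCAN_RESULTS)
    print("detections:", summary["ratio"])
    for d in summary["detections"]:
        print(f"  {d['engine']}: {d['verdict']}" + ("  [generic]" if d["generic"] else ""))
```

On the poster's results this gives 2/17, both generic, which is the pattern of a fresh or repacked sample rather than proof it is clean; a low ratio on a hidden-attribute DLL in system32 is a reason to keep it in the removal list, not to drop it.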

Scanned that file:

AntiVir Found TR/Delphi.Downloader.Gen

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found nothing

BitDefender Found BehavesLike:Trojan.WUDisable (probable variant)

ClamAV Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

F-Secure Anti-Virus Found nothing

Fortinet Found nothing

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found nothing

Panda Antivirus Found nothing

Rising Antivirus Found nothing

VirusBuster Found nothing

VBA32 Found nothing

 

 

Bad!!

 

Currently running the other scans (look for my edit)

 

 

OT LOG (Before restart)

 

File/Folder C:\DOCUME~1\Amar\LOCALS~1\Temp\crasos.exe not found.

Folder move failed. C:\SDFix\backups\HOSTS scheduled to be moved on reboot.

C:\SDFix\backups moved successfully.

 

Created on 04/03/2007 17:31:54

 

Combofix Log:

 

"Amar" - 07-04-03 17:33:30 Service Pack 2

ComboFix 07-04-04 - Running from: "C:\Documents and Settings\Amar\Desktop"

 

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\Program Files\foxitreader\gmzavhen.dll

C:\Program Files\foxitreader\wlpxwice.dll

C:\Program Files\foxitreader\zdgvmjau.dll

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\wftbvaxz.dll

C:\Program Files\Intel\Wireless\Bin\ejunjgdp.dll

C:\Program Files\Internet Explorer\xiodqlzt.dll

C:\Program Files\X-Chat 2\phpglqwj.dll

C:\WINDOWS\DOWNLO~1.\Quarantine\ppqdb.dat

C:\WINDOWS\DOWNLO~1.\Quarantine\ppqsdb.dat

C:\WINDOWS\system32\cmdbcs.dll

C:\WINDOWS\DOWNLO~1.\Quarantine

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-03-03 to 2007-04-03 ))))))))))))))))))))))))))))))))))

 

 

2007-04-03 16:55 <DIR> d-------- C:\WINDOWS\LastGood

2007-04-03 16:13 <DIR> d-------- C:\!KillBox

2007-04-03 16:03 <DIR> drahs---- C:\autorun.inf

2007-04-03 09:44 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-04-03 09:35 <DIR> d-------- C:\HJT2

2007-04-03 02:36 <DIR> d-------- C:\startups

2007-04-03 02:35 <DIR> d-------- C:\HJT

2007-04-03 01:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb

2007-04-03 01:07 <DIR> d-------- C:\DOCUME~1\Amar\DoctorWeb

2007-04-03 00:26 <DIR> d-------- C:\sysclean

2007-04-02 23:30 307 --a------ C:\WINDOWS\system32\permil.dll

2007-03-30 00:11 <DIR> d-------- C:\Program Files\PokerStars

2007-03-29 12:37 <DIR> d-------- C:\Program Files\Teamspeak2_RC2

2007-03-28 15:36 <DIR> d-------- C:\DOCUME~1\Amar\APPLIC~1\teamspeak2

2007-03-24 15:30 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys

2007-03-24 15:30 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys

2007-03-24 15:30 21,504 --a------ C:\WINDOWS\system32\hidserv.dll

2007-03-07 22:49 <DIR> d-------- C:\Program Files\Microsoft.NET

2007-03-07 22:45 <DIR> dr-h----- C:\MSOCache

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2007-04-03 17:36 -------- d-------- C:\Program Files\x-chat 2

2007-04-03 17:36 -------- d-------- C:\Program Files\foxitreader

2007-04-03 11:44 -------- d-------- C:\DOCUME~1\Amar\APPLIC~1\x-chat 2

2007-04-03 11:44 -------- d-------- C:\DOCUME~1\Amar\APPLIC~1\utorrent

2007-04-03 01:47 -------- d-------- C:\Program Files\[email protected]

2007-03-17 23:52 -------- d-------- C:\Program Files\spywareblaster

2007-03-07 23:35 45992 --a------ C:\DOCUME~1\Amar\APPLIC~1\gdipfontcachev1.dat

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"

"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "

"item"="Adobe Reader Speed Launch"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"

"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"

"item"="America Online 9.0 Tray Icon"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Digital Line Detect.lnk"

"backup"="C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\PROGRA~1\\DIGITA~1\\DLG.exe "

"item"="Digital Line Detect"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"

"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\PROGRA~1\\MICROS~4\\Office10\\OSA.EXE -b -l"

"item"="Microsoft Office"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\QuickBooks Update Agent.lnk"

"backup"="C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe "

"item"="QuickBooks Update Agent"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Amar^Start Menu^Programs^Startup^BitTorrent.lnk]

"path"="C:\\Documents and Settings\\Amar\\Start Menu\\Programs\\Startup\\BitTorrent.lnk"

"backup"="C:\\WINDOWS\\pss\\BitTorrent.lnkStartup"

"location"="Startup"

"command"="C:\\PROGRA~1\\BITTOR~1\\BITTOR~1.EXE "

"item"="BitTorrent"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Amar^Start Menu^Programs^Startup^Konfabulator.lnk]

"path"="C:\\Documents and Settings\\Amar\\Start Menu\\Programs\\Startup\\Konfabulator.lnk"

"backup"="C:\\WINDOWS\\pss\\Konfabulator.lnkStartup"

"location"="Startup"

"command"="C:\\Program Files\\Pixoria\\Konfabulator\\Konfabulator.exe "

"item"="Konfabulator"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Amar^Start Menu^Programs^Startup^Stardock ObjectDock.lnk]

"path"="C:\\Documents and Settings\\Amar\\Start Menu\\Programs\\Startup\\Stardock ObjectDock.lnk"

"backup"="C:\\WINDOWS\\pss\\Stardock ObjectDock.lnkStartup"

"location"="Startup"

"command"="C:\\WINDOWS\\BRICOP~1\\VISTAI~1\\OBJECT~1\\OBJECT~1.EXE "

"item"="Stardock ObjectDock"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Amar^Start Menu^Programs^Startup^Y'z ToolBar.lnk]

"path"="C:\\Documents and Settings\\Amar\\Start Menu\\Programs\\Startup\\Y'z ToolBar.lnk"

"backup"="C:\\WINDOWS\\pss\\Y'z ToolBar.lnkStartup"

"location"="Startup"

"command"="C:\\WINDOWS\\BRICOP~1\\VISTAI~1\\YZTOOL~1\\YZTOOL~1.EXE "

"item"="Y'z ToolBar"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"=""

"hkey"="HKLM"

"command"=""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="aim"

"hkey"="HKCU"

"command"="C:\\PROGRA~1\\AIM\\aim.exe -cnetwait.odl"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM ®]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="aim"

"hkey"="HKCU"

"command"="C:\\Program Files\\AIM95\\aim.exe -cnetwait.odl"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="bldbubg"

"hkey"="HKLM"

"command"="c:\\dell\\bldbubg.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleanUp]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="200619132740_mcappins"

"hkey"="HKLM"

"command"="C:\\DOCUME~1\\Amar\\LOCALS~1\\Temp\\200619132740_mcappins.exe /v=3 /cleanup"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="daemon"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="daemon"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="DSAgnt"

"hkey"="HKCU"

"command"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="tfswctrl"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="DMXLauncher"

"hkey"="HKLM"

"command"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="DVDLauncher"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C60 Series]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="E_A10IC2"

"hkey"="HKCU"

"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_A10IC2.EXE /P23 \"EPSON Stylus C60 Series\" /O6 \"USB001\" /M \"Stylus C60\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="hkcmd"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\system32\\hkcmd.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="hkcmd"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\system32\\hkcmd.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="igfxpers"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\system32\\igfxpers.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="igfxtray"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\system32\\igfxtray.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="ifrmewrk"

"hkey"="HKLM"

"command"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="ZCfgSvc"

"hkey"="HKLM"

"command"="C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="ISUSPM"

"hkey"="HKLM"

"command"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="issch"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="dumprep 0 -k"

"hkey"="HKLM"

"command"="%systemroot%\\system32\\dumprep 0 -k"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kkwgigik]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="iexpl0re"

"hkey"="HKCU"

"command"="C:\\DOCUME~1\\Amar\\LOCALS~1\\Temp\\iexpl0re.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="McAgent"

"hkey"="HKLM"

"command"="c:\\PROGRA~1\\mcafee.com\\agent\\McAgent.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="mcupdate"

"hkey"="HKLM"

"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="mmtask"

"hkey"="HKLM"

"command"="C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mmtask.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="mm_tray"

"hkey"="HKLM"

"command"="C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="ICO"

"hkey"="HKLM"

"command"="ICO.EXE"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="MpfTray"

"hkey"="HKLM"

"command"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msci]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="200619132734_mcinfo"

"hkey"="HKLM"

"command"="C:\\DOCUME~1\\Amar\\LOCALS~1\\Temp\\200619132734_mcinfo.exe /insfin"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="oasclnt"

"hkey"="HKLM"

"command"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="QBReminder"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Intuit\\QuickBooks 2005\\Atom\\QBReminder.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="qttask"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="RealPlay"

"hkey"="HKLM"

"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rqs6xq2c]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="crasos"

"hkey"="HKCU"

"command"="C:\\DOCUME~1\\Amar\\LOCALS~1\\Temp\\crasos.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyAxe]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="spyaxe"

"hkey"="HKLM"

"command"="C:\\Program Files\\SpyAxe\\spyaxe.exe /h"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="jusched"

"hkey"="HKLM"

"command"="C:\\Program Files\\Java\\j2re1.4.2_08\\bin\\jusched.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="SynTPEnh"

"hkey"="HKLM"

"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="SynTPLpr"

"hkey"="HKLM"

"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="realsched"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="UnlockerAssistant"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="AdobeUpdateManager"

"hkey"="HKCU"

"command"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_7"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\upxdnd]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="Cn913"

"hkey"="HKLM"

"command"="C:\\DOCUME~1\\Amar\\LOCALS~1\\Temp\\Cn913.Exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="mcvsshld"

"hkey"="HKLM"

"command"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="mcmnhdlr"

"hkey"="HKLM"

"command"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"

"inimapping"="0"

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{E272C1EF-275E-4733-FF5E-13455234524F}"="nwlpri.dll"

"{05397E9D-30D1-4216-AACB-F9EA1F1E4E85}"=""

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

"{F9380104-ED78-482b-AA88-714D773131C4}"=""

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"NoDispAppearancePage"=dword:00000000

"NoColorChoice"=dword:00000000

"NoSizeChoice"=dword:00000000

"NoDispBackgroundPage"=dword:00000000

"NoDispScrSavPage"=dword:00000000

"NoDispCPL"=dword:00000000

"NoVisualStyleChoice"=dword:00000000

"NoDispSettingsPage"=dword:00000000

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"AllowLegacyWebView"=dword:00000001

"AllowUnhashedWebView"=dword:00000001

"NoCDBurning"=dword:00000000

"NoActiveDesktopChanges"=dword:00000000

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSaveSettings"=dword:00000000

"NoThemesTab"=dword:00000000

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Authentication Packages REG_MULTI_SZ msv1_0\0\0

Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0

Notification Packages REG_MULTI_SZ scecli\0\0

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

HTTPFilter REG_MULTI_SZ HTTPFilter\0\0

LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService REG_MULTI_SZ DnsCache\0\0

DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

rpcss REG_MULTI_SZ RpcSs\0\0

imgsvc REG_MULTI_SZ StiSvc\0\0

termsvcs REG_MULTI_SZ TermService\0\0

 

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]

Shell\adobe\command E:\goodies\ar405eng.exe

Shell\AutoRun\command E:\aocsetup.exe /autorun

Shell\log\command E:\goodies\machine\machine.exe -l

Shell\machine\command E:\goodies\machine\machine.exe

Shell\setup\command E:\aocsetup.exe /autorun

Shell\zone\command E:\goodies\mszone\zonea660.exe

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b1163416-edd8-11d9-81cd-0012f0aa89ca}]

Shell\Auto\command F:\0wen0.exe

Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL 0wen0.exe

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bafe9f3c-873b-11db-82b5-0012f0aa89ca}]

Shell\AutoRun\command E:\podcastready.exe

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef4f2881-9006-11db-82bb-0012f0aa89ca}]

Shell\adobe\command E:\goodies\ar405eng.exe

Shell\AutoRun\command E:\aocsetup.exe /autorun

Shell\log\command E:\goodies\machine\machine.exe -l

Shell\machine\command E:\goodies\machine\machine.exe

Shell\setup\command E:\aocsetup.exe /autorun

Shell\zone\command E:\goodies\mszone\zonea660.exe

 

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6fade12-4ac3-11db-8299-0012f0aa89ca}]

Shell\AutoRun\command F:\LaunchU3.exe

 

 

 

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

 

backup-20070403-172934-917

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

backup-20070403-172934-697

O4 - HKCU\..\Run: [j4tbvw] C:\DOCUME~1\Amar\LOCALS~1\Temp\crasos.exe

 

********************************************************************

 

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006

http://www.gmer.net

 

scanning hidden processes ...

 

scanning hidden services ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

********************************************************************

 

Completion time: 07-04-03 17:37:45

C:\ComboFix-quarantined-files.txt ... 07-04-03 17:37

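The ComboFix log above is long, and the entries that matter are easy to miss among the dozens of legitimate msconfig leftovers: three Run items that launch from the user's Temp directory (one of them named iexpl0re to pass as iexplore), and a MountPoints2 AutoRun handler that starts a bare file name through rundll32 ShellExec_RunDLL so that Explorer resolves it on the removable volume itself. The script below is an added example for this thread, not code from ComboFix, HijackThis, OTMoveIt or the forum helper; it parses those two sections of a ComboFix log and flags exactly those patterns. The sample log is a constructed, cut-down copy of blocks from the log above, and the short list of Windows binary names used for the lookalike check is an assumption.

```python
r"""Triage of the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread (not ComboFix, HijackThis or helper code).
Parses msconfig\startupreg blocks (disabled Run entries msconfig remembers)
and MountPoints2 blocks (per-volume AutoRun handlers) and flags commands
that run from Temp, item names that typosquat a Windows binary, and AutoRun
handlers that launch a bare file name through rundll32 ShellExec_RunDLL.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a cut-down copy of blocks from the log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kkwgigik]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iexpl0re"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\Amar\\LOCALS~1\\Temp\\iexpl0re.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SynTPEnh"
"hkey"="HKLM"
"command"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\upxdnd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Cn913"
"hkey"="HKLM"
"command"="C:\\DOCUME~1\\Amar\\LOCALS~1\\Temp\\Cn913.Exe"
"inimapping"="0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b1163416-edd8-11d9-81cd-0012f0aa89ca}]
Shell\Auto\command F:\0wen0.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL 0wen0.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f6fade12-4ac3-11db-8299-0012f0aa89ca}]
Shell\AutoRun\command F:\LaunchU3.exe
"""

# Assumed short list of process names an autostart item is likely to imitate.
KNOWN_BINARIES = {"iexplore", "explorer", "svchost", "lsass", "csrss", "winlogon", "services", "smss"}
# Digit-for-letter substitutions folded before comparing against that list.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def split_blocks(text: str) -> List[Tuple[str, List[str]]]:
    """Return (header, body_lines) for every '[key]' block in the log."""
    blocks, header, body = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if header is not None:
                blocks.append((header, body))
            header, body = line[1:-1], []
        elif line and header is not None:
            body.append(line)
    if header is not None:
        blocks.append((header, body))
    return blocks


def mimics_windows_binary(item: str) -> bool:
    """True when folding 0/1/3/5 turns the item name into a known binary name."""
    name = item.lower()
    return name not in KNOWN_BINARIES and name.translate(HOMOGLYPHS) in KNOWN_BINARIES


def triage(text: str) -> List[Dict[str, object]]:
    """Return the autostart commands that match at least one heuristic."""
    findings = []
    for header, body in split_blocks(text):
        tail = header.rsplit("\\", 1)[-1]
        if "\\msconfig\\startupreg\\" in header.lower():
            fields = dict(re.findall(r'^"(\w+)"="(.*)"$', "\n".join(body), re.M))
            command = fields.get("command", "").replace("\\\\", "\\")  # undo .reg escaping
            item = fields.get("item", "")
            reasons = []
            if "\\temp\\" in command.lower():
                reasons.append("runs from a Temp directory")
            if mimics_windows_binary(item):
                reasons.append(f"item name '{item}' mimics a Windows binary")
            if reasons:
                findings.append({"where": tail, "command": command, "reasons": reasons})
        elif "\\mountpoints2\\" in header.lower():
            for line in body:
                match = re.match(r"shell\\(\w+)\\command\s+(.*)", line, re.I)
                if match and "shellexec_rundll" in match.group(2).lower():
                    reason = f"verb '{match.group(1)}' launches a bare file name via rundll32 ShellExec_RunDLL"
                    findings.append({"where": tail, "command": match.group(2), "reasons": [reason]})
    return findings


def autorun_handlers(text: str) -> Dict[str, str]:
    """Map every MountPoints2 volume to its AutoRun command, flagged or not."""
    handlers = {}
    for header, body in split_blocks(text):
        if "\\mountpoints2\\" not in header.lower():
            continue
        for line in body:
            match = re.match(r"shell\\autorun\\command\s+(.*)", line, re.I)
            if match:
                handlers[header.rsplit("\\", 1)[-1]] = match.group(1)
    return handlers


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["where"], finding["command"], "; ".join(finding["reasons"]))
```

Run against the constructed sample it reports kkwgigik and upxdnd (both in Temp, the first also a lookalike) and the ShellExec_RunDLL AutoRun handler, while the Synaptics entry and the U3 launcher pass. The inventory from autorun_handlers is worth reading even when nothing is flagged: it tells you which removable volumes have ever been plugged in with an autorun.inf, which is the same reason the helper keeps asking about the C:\autorun.inf that appears in the "Files Created" section.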

Please double-click OTMoveIt.exe to run it. Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

 

C:\Program Files\DC++\DCPlusPlus.exe

 

* Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be moved" window and choose Paste.

* Click the red Moveit! button.

* Copy everything on the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

* Close OTMoveIt.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

 

After you reboot, search for this folder and delete it:

 

C:\Program Files\DC++

 

If you have trouble finding any of those files/folders, then configure Windows Explorer to show hidden files and folders and go after them again. (Remember to hide files and folders again once done.)

 

To enable viewing of hidden files as follows:

1) Go to My Computer, and click on the "Tools" menu

2) Click "Folder options"

3) Select the "View" tab

4) Make sure "Show hidden files and folders" is selected

5) Make sure "Hide extensions for known file types" is unchecked

6) Make sure "Hide protected operating system files (recommended)" is unchecked.


This is before the Panda ActiveScan, but DC++ is a popular peer-to-peer network that is spyware-free (it's distributed on SourceForge as open-source software). And I use it for legal purposes only. See here: http://dcplusplus.sourceforge.net/

 

Is this file infected, or just suspicious? I can remove it by just uninstalling it...


Suspicious... if you've been using this for a while, it should be OK.

 

If you could post the AVG A/S log and the Panda log, please.

 

Give me a few minutes to prepare another fix.


The Panda log and AVG log are coming up in the next 1-4 hours. It takes a long time to scan my system. :/

 

I'm doing Panda first, just giving you a heads-up. And it has found a lot of stuff.

 

Once again, thanks for all your help. I hope I can return the favor like I used to before I got busy.


* Open HijackThis.

* Click on the "Config..." button on the bottom right.

* Click on the tab "Misc Tools".

* Click on "Open Process Manager".

* Find and click on:

iexpl0re.exe

crasos.exe

Cn913.Exe

* Click on the "Kill Process" button.

* Click Yes.

 

 

Please double-click OTMoveIt.exe to run it. Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

 

C:\DOCUMENTS AND SETTINGS\Amar\LOCAL SETTINGS\Temp\iexpl0re.exe

C:\DOCUMENTS AND SETTINGS\Amar\LOCAL SETTINGS\Temp\crasos.exe

C:\Program Files\SpyAxe\spyaxe.exe

C:\\DOCUMENTS AND SETTINGS\Amar\LOCAL SETTINGS\Temp\Cn913.Exe

 

* Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be moved" window and choose Paste.

* Click the red Moveit! button.

* Copy everything on the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

* Close OTMoveIt.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

 

 

 

Please download SmitfraudFix (by S!Ri)

Extract the content (a folder named SmitfraudFix) to your Desktop.

 

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

Please copy/paste the content of that report into your next reply.

 

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

 

 

In your next reply I need

OT log

SmitFraudFix log

New HJT log

Panda and AVG A/S logs

 

 

We have tornado warnings, so I might not be back tonight...

Just make your replies and I'll be back as soon as I can.


HJT:

 

Logfile of HijackThis v1.99.1

Scan saved at 6:45:03 PM, on 4/3/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\X-Chat 2\xchat.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\FOXITR~1\FOXITR~1.EXE

C:\Documents and Settings\Amar\Desktop\OTMoveIt.exe

C:\HJT2\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - Startup: [email protected] 5.03.lnk = C:\Program Files\[email protected]\winFAH.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: ActiveGS.cab - http://virtualapple.org/activegs.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120614987440

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136501044079

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

 

 

 

 

OT Log:

 

File/Folder C:\DOCUMENTS AND SETTINGS\Amar\LOCAL SETTINGS\Temp\iexpl0re.exe not found.

File/Folder C:\DOCUMENTS AND SETTINGS\Amar\LOCAL SETTINGS\Temp\crasos.exe not found.

File/Folder C:\Program Files\SpyAxe\spyaxe.exe not found.

File/Folder C:\\DOCUMENTS AND SETTINGS\Amar\LOCAL SETTINGS\Temp\Cn913.Exe not found.

 

Created on 04/03/2007 18:42:56

 

 

I had a SpyAxe infestation a year ago, but I think we fixed that. I remember using SmitFraudFix to clean up the mess.

 

SmitFraudFix log:

 

SmitFraudFix v2.162

 

Scan done at 18:46:58.66, Tue 04/03/2007

Run from C:\Documents and Settings\Amar\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Process

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\X-Chat 2\xchat.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\FOXITR~1\FOXITR~1.EXE

C:\Documents and Settings\Amar\Desktop\OTMoveIt.exe

C:\HJT2\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\cmd.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Amar

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Amar\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Amar\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

Description: Intel® PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport

DNS Server Search Order: 192.168.0.1

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{924F2367-59EC-4E84-87E4-3C0209E47EE5}: DhcpNameServer=194.168.8.100 194.168.4.100

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E9609B2D-2535-4051-B82D-697251797F83}: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS1\Services\Tcpip\..\{924F2367-59EC-4E84-87E4-3C0209E47EE5}: DhcpNameServer=194.168.8.100 194.168.4.100

HKLM\SYSTEM\CS1\Services\Tcpip\..\{E9609B2D-2535-4051-B82D-697251797F83}: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS2\Services\Tcpip\..\{924F2367-59EC-4E84-87E4-3C0209E47EE5}: DhcpNameServer=194.168.8.100 194.168.4.100

HKLM\SYSTEM\CS2\Services\Tcpip\..\{E9609B2D-2535-4051-B82D-697251797F83}: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS3\Services\Tcpip\..\{924F2367-59EC-4E84-87E4-3C0209E47EE5}: DhcpNameServer=194.168.8.100 194.168.4.100

HKLM\SYSTEM\CS3\Services\Tcpip\..\{E9609B2D-2535-4051-B82D-697251797F83}: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Panda and AVG coming soon.

Hopefully those tornadoes aren't too bad!

Panda log:

Incident Status Location

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-33de4130-49ecf8d4.zip[GetAccess.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-33de4130-49ecf8d4.zip[insecureClassLoader.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-33de4130-49ecf8d4.zip[Dummy.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-33de4130-49ecf8d4.zip[installer.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1f7fb66c-6f623b67.zip[blackBox.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1f7fb66c-6f623b67.zip[VerifierBug.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1f7fb66c-6f623b67.zip[Dummy.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-1f7fb66c-6f623b67.zip[beyond.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5ccfdeef-4443932d.zip[blackBox.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5ccfdeef-4443932d.zip[VerifierBug.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5ccfdeef-4443932d.zip[Dummy.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-5ccfdeef-4443932d.zip[beyond.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0502b.jar-4cf2508a-72e283b7.zip[GetAccess.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0502b.jar-4cf2508a-72e283b7.zip[NewSecurityClassLoader.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0502b.jar-4cf2508a-72e283b7.zip[NewURLClassLoader.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0502b.jar-4cf2508a-72e283b7.zip[installer.class]

Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-2898a363-423255d0.zip[GetAccess.class]

Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-2898a363-423255d0.zip[installer.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-2898a363-423255d0.zip[NewSecurityClassLoader.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-2898a363-423255d0.zip[NewURLClassLoader.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv599.jar-762b5a16-39623327.zip[Matrix.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv599.jar-762b5a16-39623327.zip[Counter.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv599.jar-762b5a16-39623327.zip[Dummy.class]

Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Amar\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv599.jar-762b5a16-39623327.zip[Parser.class]

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Amar\Cookies\[email protected][1].txt

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Amar\Desktop\SDFix.exe[sDFix\apps\Process.exe]

Virus:Trj/Lineage.DAR Disinfected C:\QooBox\Quarantine\07-04-03\WINDOWS\system32\cmdbcs.dll.vir

Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

Seems like most of the stuff is ByteVerify, which I've had before. The CoolWebSearch stuff annoys me, but that's definitely fixable, and the rest is stuff in quarantine and false positives, of which, as you've mentioned, Process.exe is one.

Finally, the AVG report:

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

+ Created at: 8:42:06 PM 4/3/2007

+ Scan result:

C:\Documents and Settings\Amar\Cookies\[email protected][1].txt -> TrackingCookie.Netflame : Cleaned.

C:\Documents and Settings\Amar\Cookies\[email protected][2].txt -> TrackingCookie.Revsci : Cleaned.

C:\Documents and Settings\Amar\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : Cleaned.

C:\Documents and Settings\Amar\Cookies\[email protected][2].txt -> TrackingCookie.Webtrends : Cleaned.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP257\A0018282.exe -> Trojan.OnLineGames.lc : Cleaned.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP257\A0018319.exe -> Trojan.OnLineGames.lc : Cleaned.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP257\A0019339.exe -> Trojan.OnLineGames.lc : Cleaned.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP258\A0022349.exe -> Trojan.OnLineGames.lc : Cleaned.

::Report end

Edited by DK64_MASTER

Sorry for the double post, but I seem to have some CWS crap according to Panda. Should I try out the famous CWShredder?

-Thanks in advance.

Welcome back

Had a rough night but we lived through it!

Please open Notepad and copy and paste the text present inside the quote box below (don't forget to copy and paste REGEDIT4 as well):

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j4tbvw]

Save this as fix.reg, change the "Save as type" to "All Files", and place it on your desktop.

Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

Please open Notepad and copy and paste the text present inside the quote box below (don't forget to copy and paste REGEDIT4 as well):

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{E272C1EF-275E-4733-FF5E-13455234524F}"=-

"{05397E9D-30D1-4216-AACB-F9EA1F1E4E85}"=-

"{F9380104-ED78-482b-AA88-714D773131C4}"=-

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"NoDispAppearancePage"=-

"NoColorChoice"=-

"NoSizeChoice"=-

"NoDispBackgroundPage"=-

"NoDispScrSavPage"=-

"NoDispCPL"=-

"NoVisualStyleChoice"=-

"NoDispSettingsPage"=-

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoCDBurning"=-

"NoActiveDesktopChanges"=-

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSaveSettings"=-

"NoThemesTab"=-

 

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b1163416-edd8-11d9-81cd-0012f0aa89ca}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bafe9f3c-873b-11db-82b5-0012f0aa89ca}]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kkwgigik]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rqs6xq2c]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyAxe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\upxdnd]

Save this as fix.reg2, change the "Save as type" to "All Files", and place it on your desktop.

Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

Looking back over the logs, I found that these entries are located in your startup folder:

iexpl0re

crasos.exe

spyaxe.exe

j2re1.4.2_08\bin\jusched.exe <-- means an older Java version....

Cn913.Exe

Go to Start > Run > type in msconfig

Select the Startup tab

Locate those entries and remove the check marks next to them

Click Apply, then OK

REBOOT

To clear the Java Runtime Environment (JRE) cache:

Click Start > Control Panel.

Double-click the Java icon in the control panel. (coffeecup icon)

If you can't find it, make sure the items are displayed in Classic View in Control Panel. To change that, in the right panel, choose: Switch to Classic View

-The Java Control Panel appears.

Click Settings under Temporary Internet Files.

-The Temporary Files Settings dialog box appears.

Click Delete Files.

-The Delete Temporary Files dialog box appears.

-There are three options on this window to clear the cache.

Delete Files

View Applications

View Applets

Click OK on Delete Temporary Files window.

-Note: This deletes all the Downloaded Applications and Applets from the cache.

Click OK on Temporary Files Settings window.

Close the Java Control Panel

If you haven't installed the most current version, follow this:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6u1 1.6.0_01-b06 (Vista Compatible Java)
  • Scroll to Java Runtime Environment (JRE) 6u1 and click on the download button
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

    Go to Start > Control Panel and double-click on the Add/Remove Programs icon.

    Search in the list for all previously installed versions of Java (J2SE Runtime Environment...).

    It should have this icon next to it: [image missing from post]

    Select it and click Remove.

  • Close any programs you may have running - especially your web browser.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

There's an exe called "nircmd.exe".

nircmd.exe <-- is part of ComboFix

So are these:

ComboFix.exe

commandprocessor.reg

commandprocessor2.reg

international.reg

international2.reg

region.reg

TSF\ComboSC.exe

TSF\handle.exe

TSF\nircmd.exe

TSF\NTP.EXE

TSF\Ntrights.exe

TSF\RestartIt.exe

TSF\swreg.exe

It's found in a link here:

http://www.castlecops.com/posts171628-0.html

Using Windows Explorer, search for and, if found, delete these files/folders:

C:\QooBox

C:\documents and settings\haier\LOCAL Settings\Temp\iexpl0re.exe

C:\documents and settings\haier\LOCAL Settings\Temp\crasos.exe

C:\WINDOWS\system32\permil.dll

Close all windows and programs, then:

Clean out all the temporary files and cookies on your system. Go to Start > Run and enter: cleanmgr. Let it scan your system for files to remove. Check these three boxes and then press OK to remove: Temporary Files, Temporary Internet Files, Recycle Bin.

Also, go to Start > Find/Search > Files or Folders > in the Named box, type: *.tmp and choose Edit > Select All -> File > Delete.

Then use "Start > Run" and type in "%temp%" (without the quotes). Delete the entire contents of that "temp" folder (use "Edit > Select All", press "Delete", click "Yes").

Then, empty your Temporary Internet Cache completely. Close all instances of Outlook and Internet Explorer, then use "Control Panel > Internet Options > General tab" and click the "Delete Files" button. When prompted, place a check in "Delete all offline content", then click OK.

Then, use Windows Explorer to clean out ALL the other temp folders on your system (navigate to the folder, use "Edit > Select All", press "Delete", click "Yes"):

* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\

* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\

* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

Go to Start > Control Panel > Display.

Select the Desktop tab, click on Customise Desktop... and then select the Web tab.

Under Web pages: you should see a checked entry called Security info - or similar. Highlight this entry and then click the Delete button.

Finally click OK > Apply > OK.

Right-click on Start, then click on Explore. Locate and delete these items:

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)

  • Go to Start > Run and type: cleanmgr and click OK.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

I'm trying to cover all avenues here.....

Verify that this file exists: C:\Program Files\Internet Explorer\iexplore.exe

It has to be somewhere in the machine. Otherwise, you wouldn't have been able to do a Panda scan.

If the file exists, double-click on it and then post any error messages that may appear.

Below are links with suggestions on how to repair IE6:

http://www.theeldergeek.com/repair_reinstall_ie_and_oe_6.htm

http://www.theeldergeek.com/repair_ie6.htm

http://www.dougknox.com/xp/tips/xp_ie_reinstall.htm

http://www.computerhope.com/issues/chsafe.htm .. Safe boot

http://support.microsoft.com/kb/318378 .. How to reinstall or repair Internet Explorer

Please download BitDefender 8 Free Edition

  • Install the program and then follow the prompts to download all available updates.
  • Select Antivirus and then click the Settings button. Click Default. Click OK.
  • Select Local Drives and click Scan.
  • When the scan is complete, save the log and post it back here in your next reply.

Post back and let me know what issues remain.

Edited by Juliet

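An added example, not part of this thread and not code from any tool named in it: before merging a .reg fix like the two above, it is worth seeing exactly what it will do. The Python script below parses REGEDIT4 text, lists every key deletion, value deletion and value write it contains, flags deletions of very shallow keys (a typo there can remove a whole Software branch), and flags hive names written as HKCU or HKLM, which regedit does not accept in a .reg file (the full HKEY_CURRENT_USER form is required). The sample fix inside it is constructed in the shape of the fixes posted above, using key names and GUIDs from this thread; one key is deliberately written with the HKCU abbreviation so the check has something to report.

```python
r"""Audit a REGEDIT4 fix before merging it with regedit.

Added example for this thread, not code from the post. It lists every
change a .reg script would make and flags two things worth catching
before double-clicking: hive names written as HKCU/HKLM (regedit only
accepts the full HKEY_... names in a .reg file) and deletions of very
shallow keys. The sample fix is constructed in the shape of the fixes
posted above, using key names and GUIDs from the thread; one key is
deliberately written with HKCU so the check has something to report.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FULL_HIVES = {
    "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
    "HKEY_USERS", "HKEY_CURRENT_CONFIG",
}
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

KEY_LINE = re.compile(r"\[(-?)(.+)\]")            # [key] or [-key]
VALUE_LINE = re.compile(r'(?:"([^"]*)"|(@))=(.*)')  # "name"=data, @=data, "name"=-


@dataclass
class RegOp:
    kind: str                   # "delete_key", "delete_value" or "set_value"
    key: str
    name: Optional[str] = None  # value name; "(Default)" for the @ value
    data: Optional[str] = None  # raw data text for set_value


def parse_reg(text: str) -> Tuple[List[RegOp], List[str]]:
    """Return (operations, problems). Problems are lines regedit would
    reject or that do not parse; operations are what a clean merge does."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("first line must be REGEDIT4 or the 5.00 header")
    ops: List[RegOp] = []
    problems: List[str] = []
    key: Optional[str] = None
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_LINE.fullmatch(line)
        if m:
            key = m.group(2)
            hive = key.split("\\", 1)[0]
            if hive.upper() not in FULL_HIVES:
                problems.append(f"line {lineno}: '{hive}' is not a full hive name; "
                                "regedit will not import this file")
            if m.group(1) == "-":
                ops.append(RegOp("delete_key", key))
            continue
        m = VALUE_LINE.fullmatch(line)
        if m and key is not None:
            name = "(Default)" if m.group(2) else m.group(1)
            data = m.group(3)
            if data == "-":
                ops.append(RegOp("delete_value", key, name))
            else:
                ops.append(RegOp("set_value", key, name, data))
            continue
        problems.append(f"line {lineno}: cannot parse {line!r}")
    return ops, problems


def summarize(ops: List[RegOp]) -> Dict[str, int]:
    """Count operations by kind."""
    return dict(Counter(op.kind for op in ops))


def broad_deletes(ops: List[RegOp], min_depth: int = 4) -> List[RegOp]:
    r"""Key deletions fewer than `min_depth` components deep, such as
    [-HKEY_LOCAL_MACHINE\Software], which would remove far more than one
    startup entry."""
    return [op for op in ops
            if op.kind == "delete_key" and op.key.count("\\") + 1 < min_depth]


# Constructed sample in the shape of the fixes posted above.
SAMPLE_FIX = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E272C1EF-275E-4733-FF5E-13455234524F}"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispCPL"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyAxe]

[-HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b1163416-edd8-11d9-81cd-0012f0aa89ca}]
"""

if __name__ == "__main__":
    ops, problems = parse_reg(SAMPLE_FIX)
    for op in ops:
        print(op)
    for problem in problems:
        print("PROBLEM:", problem)
    print(summarize(ops), "broad deletes:", len(broad_deletes(ops)))
```

To check a real fix, replace SAMPLE_FIX with the contents of the file you are about to merge. Anything in the problems list means the file needs correcting first; the operations list is what you are agreeing to when you click "Yes" at the merge prompt.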

It has to be somewhere in the machine. Otherwise, you wouldn't have been able to do a Panda scan

Well, I wasn't for a while. I had to do some crazy view-source things, and copy and paste JavaScript URLs into the Explorer bar.

I got IE working now (I had a friend send me iexplore.exe, I hope doing that action wasn't illegal, but oh well).

I will do the aforementioned things right now. It seems that most, if not all, of the pests are gone now :). I will post back a BitDefender log in a few hours. (I am away from my computer now.)

Thanks again, and look for my edit.

Go to Start > Control Panel > Display.

Select the Desktop Tab, click on Customise Desktop... and then select the Web Tab.

Under Web pages: you should see a checked entry called Security info - or similar. Highlight this entry and then click the Delete button.

Finally click OK > Apply > OK.

I don't see this checked entry called security

 

To clear the Java Runtime Environment (JRE) cache:

Click Start > Control Panel.

Double-click the Java icon in the control panel. (coffeecup icon)

If you can't find it, make sure the items are displayed in Classic View in Control Panel. To change that, in the right panel, choose: Switch to Classic View

-The Java Control Panel appears.

Click Settings under Temporary Internet Files.

-The Temporary Files Settings dialog box appears.

Click Delete Files.

-The Delete Temporary Files dialog box appears.

-There are three options on this window to clear the cache.

Delete Files

View Applications

View Applets

Click OK on Delete Temporary Files window.

-Note: This deletes all the Downloaded Applications and Applets from the cache.

Click OK on Temporary Files Settings window.

Close the Java Control Panel

I don't see a "temporary internet files" button. I see a Cache tab and an option to clear the cache. I did that. Or I could manually delete the cache.

My "temp" folder is empty, which is good news. Instead of running cleanmgr, can I just run Steven Gould's CleanUp!? cleanmgr can be very slow at times.

The reg fixes were successful. I will do the BitDefender scan soon.

Edited by DK64_MASTER

Welcome back

I got IE working now (I had a friend send me iexplore.exe, I hope doing that action wasn't illegal, but oh well).

shhhhhhh, I won't tell.

It seems that most, if not all, of the pests are gone now

Yeah!!!

I don't see this checked entry called security

That's actually a good thing.

I don't see a "temporary internet files" button. I see a Cache tab and an option to clear the cache. I did that.

good

My "temp" folder is empty, which is good news. Instead of running cleanmgr, can I just run Steven Gould's CleanUp!? cleanmgr can be very slow at times.

I run both: cleanmgr first, then let CCleanup catch the leftovers.

The reg fixes were successful.

wheww!...I had help with those. Glad it worked.

Do not put that infected flash drive back in, or I go into hiding.

wheww!...I had help with those. Glad it worked.

Actually, FYI, the second reg fix should be named fix2.reg, not fix.reg2. You may want to fix that in case someone else has this same problem.

(I'm computer-savvy enough to recognize file extensions :P)

BitDefender is running (slowly); I will have the log up within the next few hours. I'm feeling very optimistic :D.

Do not put that infected flash drive back in, or I go into hiding.

I think I'll go into hiding too.

Would a full format of its contents get rid of the viruses? (Don't worry, I won't format it on this computer, maybe a computer with Linux on it.)

Edited by DK64_MASTER

Would a full format of its contents get rid of the viruses?

LOL, it would be nice if you could ask me something I knew.....

I may need to send you to User to User with that question, but I know that a wipe and clean of an OS usually does what you're asking.... doesn't it?

second regfix should be named fix2.reg, not fix.reg2

Dang, I put the 2 in the wrong place!!

New BitDefender log:

[ ] Ignore

[X] Disinfect

[ ] Delete

[ ] Copy to quarantine

[ ] Move to quarantine

[ ] Rename

[ ] Prompt user

 

Second action

[ ] Ignore

[ ] Delete

[ ] Copy to quarantine

[X] Move to quarantine

[ ] Rename

[ ] Prompt user

 

Scan options

[X] Enable warnings

[X] Enable heuristics

[ ] Show all files in log

[X] Report file: vscan.log

[ ] Append to existing report

 

Summary:

 

C:\RECYCLER\S-1-5-21-3041384506-2576806245-3432160194-1006\Dc8\Quarantine\07-04-03\Program Files\foxitreader\gmzavhen.dll.vir Suspect Generic.Malware.Fdldg.2565C127

C:\RECYCLER\S-1-5-21-3041384506-2576806245-3432160194-1006\Dc8\Quarantine\07-04-03\Program Files\foxitreader\gmzavhen.dll.vir Disinfection failed

C:\RECYCLER\S-1-5-21-3041384506-2576806245-3432160194-1006\Dc8\Quarantine\07-04-03\Program Files\foxitreader\gmzavhen.dll.vir Moved

C:\RECYCLER\S-1-5-21-3041384506-2576806245-3432160194-1006\Dc8\Quarantine\07-04-03\Program Files\foxitreader\wlpxwice.dll.vir Suspect Generic.Malware.Fdldg.2565C127

C:\RECYCLER\S-1-5-21-3041384506-2576806245-3432160194-1006\Dc8\Quarantine\07-04-03\Program Files\foxitreader\wlpxwice.dll.vir Disinfection failed

C:\RECYCLER\S-1-5-21-3041384506-2576806245-3432160194-1006\Dc8\Quarantine\07-04-03\Program Files\foxitreader\wlpxwice.dll.vir Moved

C:\RECYCLER\S-1-5-21-3041384506-2576806245-3432160194-1006\Dc8\Quarantine\07-04-03\Program Files\foxitreader\zdgvmjau.dll.vir Suspect Generic.Malware.Fdldg.2565C127

C:\RECYCLER\S-1-5-21-3041384506-2576806245-3432160194-1006\Dc8\Quarantine\07-04-03\Program Files\foxitreader\zdgvmjau.dll.vir Disinfection failed

C:\RECYCLER\S-1-5-21-3041384506-2576806245-3432160194-1006\Dc8\Quarantine\07-04-03\Program Files\foxitreader\zdgvmjau.dll.vir Moved

C:\RECYCLER\S-1-5-21-3041384506-2576806245-3432160194-1006\Dc8\Quarantine\07-04-03\Program Files\Grisoft\AVG Anti-Spyware 7.5\wftbvaxz.dll.vir Suspect Generic.Malware.Fdldg.631E8609

C:\RECYCLER\S-1-5-21-3041384506-2576806245-3432160194-1006\Dc8\Quarantine\07-04-03\Program Files\Grisoft\AVG Anti-Spyware 7.5\wftbvaxz.dll.vir Disinfection failed

C:\RECYCLER\S-1-5-21-3041384506-2576806245-3432160194-1006\Dc8\Quarantine\07-04-03\Program Files\Grisoft\AVG Anti-Spyware 7.5\wftbvaxz.dll.vir Moved

C:\RECYCLER\S-1-5-21-3041384506-2576806245-3432160194-1006\Dc8\Quarantine\07-04-03\Program Files\Intel\Wireless\Bin\ejunjgdp.dll.vir Suspect Generic.Malware.Fdldg.2565C127

C:\RECYCLER\S-1-5-21-3041384506-2576806245-3432160194-1006\Dc8\Quarantine\07-04-03\Program Files\Intel\Wireless\Bin\ejunjgdp.dll.vir Disinfection failed

C:\RECYCLER\S-1-5-21-3041384506-2576806245-3432160194-1006\Dc8\Quarantine\07-04-03\Program Files\Intel\Wireless\Bin\ejunjgdp.dll.vir Moved

C:\RECYCLER\S-1-5-21-3041384506-2576806245-3432160194-1006\Dc8\Quarantine\07-04-03\Program Files\Internet Explorer\xiodqlzt.dll.vir Suspect Generic.Malware.Fdldg.2565C127

C:\RECYCLER\S-1-5-21-3041384506-2576806245-3432160194-1006\Dc8\Quarantine\07-04-03\Program Files\Internet Explorer\xiodqlzt.dll.vir Disinfection failed

C:\RECYCLER\S-1-5-21-3041384506-2576806245-3432160194-1006\Dc8\Quarantine\07-04-03\Program Files\Internet Explorer\xiodqlzt.dll.vir Moved

C:\RECYCLER\S-1-5-21-3041384506-2576806245-3432160194-1006\Dc8\Quarantine\07-04-03\Program Files\X-Chat 2\phpglqwj.dll.vir Suspect Generic.Malware.Fdldg.631E8609

C:\RECYCLER\S-1-5-21-3041384506-2576806245-3432160194-1006\Dc8\Quarantine\07-04-03\Program Files\X-Chat 2\phpglqwj.dll.vir Disinfection failed

C:\RECYCLER\S-1-5-21-3041384506-2576806245-3432160194-1006\Dc8\Quarantine\07-04-03\Program Files\X-Chat 2\phpglqwj.dll.vir Moved

C:\WINDOWS\system32\nwlpri.dll Infected BehavesLike:Trojan.WUDisable

C:\WINDOWS\system32\nwlpri.dll Disinfection failed

C:\WINDOWS\system32\nwlpri.dll Moved

The stuff in the Recycler is pretty much benign, as it seems to have come from quarantine.

Alas, I forgot about nwlpri.dll.

What should I do?

EDIT:

From this website (I can't read Chinese) http://72.14.253.104/search?q=cache:L7biq-...;cd=1&gl=us

They reference the DLL file and its corresponding registry entry. I can confirm that my Windows updates have been disabled, and I cannot enable them.

I have found the registry key that they talk about in this post, but I won't remove it without someone else confirming it.

Edited by DK64_MASTER

I can't read Chinese either

Empty C:\RECYCLER

Please download Killbox by Option^Explicit and save it to your desktop.

Note: In the event you already have Killbox, this is a new version that I need you to download.

  • Please double-click Killbox.exe to run it.
  • From the main Killbox window, select "Delete on Reboot" and "All Files".
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\nwlpri.dll

Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt. Click "No" at the Pending Operations prompt.

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

If Killbox gives you a PendingFileRenameOperations prompt, manually reboot at this point.

If your computer does not reboot automatically, please reboot it manually.

After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log

Post this log in your next reply.

NOTE: If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, Click Here to download and run missingfilesetup.exe, then try Killbox again.

Try IEFix now

http://windowsxp.mvps.org/IEFIX.htm

In your next reply I need:

Killbox log

New HJT log

Comments on how it's running

Edited by Juliet
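An added example, not Killbox's code and not something posted in this thread: "Delete on Reboot" works by queueing the path in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager (the same thing MoveFileEx does with MOVEFILE_DELAY_UNTIL_REBOOT), and the session manager carries the queued operations out early in the next boot, before the file can be locked again. The value is a REG_MULTI_SZ of string pairs, source path then target path; an empty target means delete, and a target beginning with "!" means replace an existing file. Because a delete stores an empty string, which looks like the double NUL that normally ends a MULTI_SZ, readers that stop at the first double NUL truncate the list, so the Python decoder below works on the raw bytes. It is useful both for confirming what Killbox queued and for spotting a dropper that has queued a swap of a system DLL for the next reboot. The sample bytes are constructed: the two delete entries use paths from the Killbox log above, and the replace entry (patch.tmp over example.dll) is hypothetical.

```python
r"""Decode the PendingFileRenameOperations value that "Delete on Reboot" uses.

Added example for this thread (not Killbox's code). The value is a
REG_MULTI_SZ of (source, target) string pairs under
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. An empty target
means "delete source at boot"; a target beginning with "!" means
"replace the existing target". This decoder keeps the empty strings that
a generic MULTI_SZ reader would treat as the end of the list.
"""
from typing import List, Optional, Tuple

Op = Tuple[str, str, Optional[str]]  # (action, source, target)

NT_PREFIX = "\\??\\"  # MoveFileEx stores paths in NT form: \??\C:\...


def encode_multi_sz(strings: List[str]) -> bytes:
    """Lay strings out as the registry stores REG_MULTI_SZ: UTF-16-LE,
    every string NUL-terminated, the whole list terminated by one more NUL."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(raw: bytes) -> List[str]:
    """Inverse of encode_multi_sz; unlike a naive reader it keeps empty strings."""
    text = raw.decode("utf-16-le")
    if not text.endswith("\0"):
        raise ValueError("REG_MULTI_SZ data lacks its list terminator")
    body = text[:-1]                      # strip the list terminator
    if not body:
        return []
    if not body.endswith("\0"):
        raise ValueError("last string lacks its NUL terminator")
    return body[:-1].split("\0")          # strip the last string's NUL, then split


def strip_nt_prefix(path: str) -> str:
    """Return the Win32 form of a path recorded with the "\\??\\" prefix."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def pending_operations(raw: bytes) -> List[Op]:
    """Turn the raw value into (action, source, target) tuples."""
    strings = decode_multi_sz(raw)
    if len(strings) % 2:
        raise ValueError("odd number of strings: value is corrupt or truncated")
    ops: List[Op] = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        source = strip_nt_prefix(src)
        if dst == "":
            ops.append(("delete", source, None))
        elif dst.startswith("!"):
            ops.append(("replace", source, strip_nt_prefix(dst[1:])))
        else:
            ops.append(("rename", source, strip_nt_prefix(dst)))
    return ops


def writes_into(ops: List[Op], directory: str = r"C:\WINDOWS\system32") -> List[Op]:
    """Operations whose target lands inside `directory`: a queued swap of a
    system file deserves a second look, whoever queued it."""
    prefix = directory.lower().rstrip("\\") + "\\"
    return [op for op in ops if op[2] is not None and op[2].lower().startswith(prefix)]


# Constructed sample, laid out exactly as the registry would store it.
# The two deletes are the paths Killbox queued in the log above; the
# replace entry is hypothetical, included to exercise the "!" branch.
SAMPLE_RAW = encode_multi_sz([
    r"\??\C:\WINDOWS\system32\nwlpri.dll", "",
    r"\??\C:\DOCUME~1\Amar\LOCALS~1\Temp\crasos.exe", "",
    r"\??\C:\WINDOWS\Temp\patch.tmp", r"!\??\C:\WINDOWS\system32\example.dll",
])

if __name__ == "__main__":
    for action, source, target in pending_operations(SAMPLE_RAW):
        print(f"{action:8} {source}" + (f" -> {target}" if target else ""))
    for op in writes_into(pending_operations(SAMPLE_RAW)):
        print("writes into system32:", op)
```

On a live machine the raw bytes come from the Session Manager key (a reg export of that key gives them as hex(7) data); feed them to pending_operations and compare the result against what you asked Killbox to delete. Anything extra, especially a replace whose target is under system32, was queued by something else.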

Killbox log:

 

Pocket Killbox version 2.0.0.881

Running on Windows XP as Amar(Administrator)

was started @ Tuesday, April 03, 2007, 4:13 PM

 

Killbox Closed(Exit) @ 4:15:13 PM

__________________________________________________

 

Pocket Killbox version 2.0.0.881

Running on Windows XP as Amar(Administrator)

was started @ Tuesday, April 03, 2007, 4:15 PM

 

# 1 [Delete on Reboot]

Path = C:\WINDOWS\system32\taskrgm.exe

 

 

# 2 [Delete on Reboot]

Path = C:\DOCUME~1\Amar\LOCALS~1\Temp\crasos.exe

 

 

# 3 [Delete on Reboot]

Path = C:\DOCUME~1\username\LOCALS~1\Temp\Cn911.exe

 

 

# 4 [Delete on Reboot]

Path = C:\DOCUME~1\username\LOCALS~1\Temp\Cn911.exe

 

 

# 5 [Delete on Reboot]

Path = C:\DOCUME~1\Amar\LOCALS~1\Temp\iexpl0re.exe

 

 

I Rebooted @ 4:17:45 PM

Killbox Closed(Exit) @ 4:17:48 PM

__________________________________________________

 

Pocket Killbox version 2.0.0.881

Running on Windows XP as Amar(Administrator)

was started @ Tuesday, April 03, 2007, 4:22 PM

 

Killbox Closed(Exit) @ 4:24:07 PM

__________________________________________________

 

Pocket Killbox version 2.0.0.881

Running on Windows XP as Amar(Administrator)

was started @ Wednesday, April 04, 2007, 5:26 PM

 

# 1 [Delete on Reboot]

Path = C:\WINDOWS\system32\nwlpri.dll

 

 

I Rebooted @ 5:32:40 PM

Killbox Closed(Exit) @ 5:32:42 PM

__________________________________________________

 

Pocket Killbox version 2.0.0.881

Running on Windows XP as Amar(Administrator)

was started @ Wednesday, April 04, 2007, 5:36 PM

 

 

 

HJT:

Logfile of HijackThis v1.99.1

Scan saved at 5:39:16 PM, on 4/4/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Softwin\BitDefender8\bdmcon.exe

C:\Program Files\Softwin\BitDefender8\bdnagent.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT2\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"

O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"

O4 - Startup: Folding@Home 5.03.lnk = C:\Program Files\Folding@Home\winFAH.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: ActiveGS.cab - http://virtualapple.org/activegs.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120614987440

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136501044079

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

 

 

 

Recycler was already empty. It seems BitDefender has moved all those nasties somewhere to its quarantine place. Should I go empty the quarantine files?

 

 

Also, the registry entry for nwl.pri is still there. I still cannot enable automatic updates.

Edited by DK64_MASTER


Welcome back

 

C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll

 

What version of java have you installed?

If you downloaded and installed the most recent, you need to remove all older ones, located in the Control Panel.

 

 

http://www.theeldergeek.com/forum/index.php?showtopic=23764

scroll to post 5

 

See if this helps with windows updates

 

 

I'm still searching for info on C:\WINDOWS\system32\nwlpri.dll


I have held back on installing the new version of Java. I will get to it right now.

 

Windows updates work fine if I go to the main site and click "custom"

 

Also, should I delete the bitdefender quarantine files?

 

EDIT:

 

 

HOOOOOOOOORAAAAAAAAAAY!!

 

Dial-a-fix solved the update problems!! Thanks so much!!!!

 

Now all that's left is that weird dll.

 

I will provide a new HJT log in a new post just for good measure.

Edited by DK64_MASTER


HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 6:52:53 PM, on 4/4/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Softwin\BitDefender8\bdmcon.exe

C:\Program Files\Softwin\BitDefender8\bdnagent.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\X-Chat 2\xchat.exe

C:\Program Files\utorrent\utorrent.exe

C:\HJT2\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"

O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"

O4 - Startup: Folding@Home 5.03.lnk = C:\Program Files\Folding@Home\winFAH.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)

O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O15 - Trusted Zone: http://*.download.microsoft.com

O15 - Trusted Zone: http://*.update.microsoft.com

O15 - Trusted Zone: http://*.windowsupdate.com

O15 - Trusted Zone: http://*.windowsupdate.microsoft.com

O16 - DPF: ActiveGS.cab - http://virtualapple.org/activegs.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120614987440

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136501044079

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)

O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

 

 

So what about those quarantine files? I have 2 antiviruses installed (AVG and BitDefender), a bunch of other exes... I think we've beaten this bug :D.

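The helper in this thread is comparing successive HijackThis logs by eye to see what the Java upgrade and Dial-a-fix changed, and scanning each log for entries that do not belong. The script below is an added example, not code from the thread or from HijackThis: it parses two HJT 1.99.1 logs, diffs them section by section (R0/O2/O4/O9/O15/O23 plus the running-process list) and flags entries a reviewer would check by hand. The embedded logs are constructed excerpts of the 5:39 PM and 6:52 PM logs posted above, trimmed to a few lines each; the entry-line regex and the "suspect" heuristic (anything under a Temp or Recycler folder, or marked "(no file)" / "(file missing)") are my assumptions about what is worth a second look, not rules taken from the tool.

```python
"""Diff two HijackThis 1.99.1 logs and flag entries worth a manual look."""
import re
from collections import defaultdict

# Constructed sample input: excerpts of the two HJT logs posted in the thread
# (scans at 5:39 PM and 6:52 PM on 4/4/2007), trimmed to a few lines each.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 5:39:16 PM, on 4/4/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 6:52:53 PM, on 4/4/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\utorrent\utorrent.exe
C:\HJT2\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://*.update.microsoft.com
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
"""

# HJT entry lines look like "O4 - HKLM\..\Run: ..."; the prefix is the section.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Heuristic (my assumption, not an HJT rule): anything launched from a Temp or
# Recycler folder, or pointing at a file that is not there, gets a second look.
SUSPECT_RE = re.compile(
    r"\\(?:Temp|Recycler|Recycled)\\|\(no file\)|\(file missing\)", re.IGNORECASE)


def parse_hjt(text):
    """Return {section: set(entries)}; running processes go under 'processes'.

    Blank lines are ignored so a double-spaced forum paste parses the same as
    the original file; the process list ends at the first real entry line.
    """
    entries = defaultdict(set)
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries[m.group(1)].add(m.group(2))
        elif in_processes:
            entries["processes"].add(line)
    return dict(entries)


def diff_hjt(before, after):
    """Per section: entries new in `after` and entries gone since `before`."""
    added, removed = {}, {}
    for section in sorted(set(before) | set(after)):
        new = after.get(section, set()) - before.get(section, set())
        gone = before.get(section, set()) - after.get(section, set())
        if new:
            added[section] = sorted(new)
        if gone:
            removed[section] = sorted(gone)
    return added, removed


def flag_entries(parsed):
    """(section, entry) pairs matching SUSPECT_RE, for a human to verify."""
    return sorted((section, item) for section, items in parsed.items()
                  for item in items if SUSPECT_RE.search(item))


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    added, removed = diff_hjt(before, after)
    for label, changes in (("+", added), ("-", removed)):
        for section, items in changes.items():
            for item in items:
                print(label, section, item)
    for section, item in flag_entries(after):
        print("?", section, item)
```

Run on the sample, the diff shows exactly the changes visible in the thread: the J2RE 1.4.2 console entry replaced by jre1.6.0_01\ssv.dll, the new O2 SSVHelper BHO, the O15 Trusted Zone entry that Dial-a-fix added for Windows Update, and utorrent.exe appearing in the process list. The flagger is deliberately noisy: it reports the BitDefender service because HJT printed "(file missing)" for it, which with a quoted service path plus a /service argument is commonly a display quirk of this HijackThis version rather than a real missing binary, so treat its output as a checklist for a person, never as a delete list.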
This topic is now closed to further replies.