please take a look at this


flyaway
4 Aug 2004, 2:52pm
I have run Spybot and Ad-Aware; here's the hijack file. Thanks in advance!


Logfile of HijackThis v1.98.0
Scan saved at 9:00:43 PM, on 8/4/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\System32\svchosts.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\WINNT\System32\raofim.exe
C:\WINNT\System32\NotifyPhoneBook.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\hjtlog.exe
c:\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nus.edu.sg/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.nus.edu.sg/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pcwebtools.support.hp.com/goto/?Platform=hpaddon&ObjectType=us&Name=Buttonwww
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [Windows Config] svchosts.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [zmcihozlt] C:\WINNT\System32\raofim.exe
O4 - HKLM\..\RunServices: [Windows Config] svchosts.exe
O4 - Startup: folder.htt
O4 - Global Startup: folder.htt
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26B64F17-BDF4-43AD-A732-7BD57B760BA9}: NameServer = 192.169.34.181 203.120.90.40
O17 - HKLM\System\CS1\Services\Tcpip\..\{26B64F17-BDF4-43AD-A732-7BD57B760BA9}: NameServer = 192.169.34.181 203.120.90.40

Kwitko
4 Aug 2004, 3:18pm
You've got the SDBot Trojan horse (http://www.sophos.com/virusinfo/analyses/trojsdbotn.html) on your machine. I didn't notice any antivirus software running. I suggest you install something ASAP!

First, stop these services (hit CTRL-ALT-DEL to bring up the Task Manager, right-click on the entries below and select End Process):

C:\WINNT\System32\svchosts.exe
C:\WINNT\System32\raofim.exe

Next, go into HiJackThis and delete these entries:

O4 - HKLM\..\Run: [Windows Config] svchosts.exe
O4 - HKLM\..\Run: [zmcihozlt] C:\WINNT\System32\raofim.exe
O4 - HKLM\..\RunServices: [Windows Config] svchosts.exe

Reboot and post another log.
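The triage Kwitko does by eye above, as an added example in Python (not code from the thread or from HijackThis): it parses the "Running processes" list and the O4 autorun lines of a HijackThis log, flags names that are one edit away from a core Windows binary (svchosts.exe next to svchost.exe), and reports registry autoruns that are not on an allowlist (the randomly named raofim.exe). The core-binary list and the allowlist are constructed here from the entries the replies leave alone, and the sample log is an excerpt of the first log posted.

```python
import re
# Core Windows binaries malware likes to imitate (constructed list).
CORE = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
# Autorun targets the replies above leave alone (constructed allowlist).
KNOWN_AUTORUNS = {"mobsync.exe", "atiptaxx.exe", "hpztsb04.exe", "amecsa.cpl", "winampa.exe", "fpdisp4.exe"}
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>.+?)\] (?P<cmd>.+)$")

def edit_distance(a, b):  # Levenshtein; svchosts.exe is one insertion from svchost.exe
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def target(cmd):  # executable a Run value launches; for rundll32, the module it loads
    first, rest = cmd[1:].partition('"')[::2] if cmd.startswith('"') else cmd.partition(" ")[::2]
    name = first.rsplit("\\", 1)[-1].lower()
    if name.startswith("rundll32") and rest.strip():
        name = rest.split()[0].split(",")[0].rsplit("\\", 1)[-1].lower()
    return name

def lookalike(name):  # one edit away from a core binary, but not the binary itself
    hit = [c for c in sorted(CORE) if name != c and edit_distance(name, c) == 1]
    return "look-alike of " + hit[0] if hit else None

def triage(log_text):  # (line, reason) findings from the process list and O4 autoruns
    findings, in_procs = [], False
    for line in map(str.strip, log_text.splitlines()):
        in_procs = line == "Running processes:" or (in_procs and bool(line))
        m = O4_RE.match(line)
        if not m and not (in_procs and "\\" in line):
            continue
        name = target(m.group("cmd")) if m else line.rsplit("\\", 1)[-1].lower()
        reason = lookalike(name)
        if not reason and m and name not in KNOWN_AUTORUNS | CORE:
            reason = "autorun not on allowlist: " + name
        if reason:
            findings.append((line, reason))
    return findings

SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\svchosts.exe
C:\WINNT\System32\raofim.exe

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [Windows Config] svchosts.exe
O4 - HKLM\..\Run: [zmcihozlt] C:\WINNT\System32\raofim.exe
O4 - HKLM\..\RunServices: [Windows Config] svchosts.exe
"""  # constructed excerpt of the first log posted above
```

Run over the full first log above it reports exactly the three entries Kwitko deletes plus the running svchosts.exe; once AVG is installed, its avgcc32.exe autorun lands on the review list too, which is what the allowlist is for: review the entry, then extend the list.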

flyaway
4 Aug 2004, 3:43pm
Thanks for your quick reply :) But I can't seem to access that link.
My CPU was 100% before deleting svchost, now it's back to almost 0% already!
I often notice a process called 'NotifyPhoneBook' in my task manager. Can I delete it permanently? How do I do that?
If possible, could you please recommend a few good antivirus programs?
Here's the new hijack log file, thanks once again! :thumbsup:


Logfile of HijackThis v1.98.0
Scan saved at 10:33:43 PM, on 8/4/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\WINNT\System32\NotifyPhoneBook.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nus.edu.sg/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.nus.edu.sg/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pcwebtools.support.hp.com/goto/?Platform=hpaddon&ObjectType=us&Name=Buttonwww
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - Startup: folder.htt
O4 - Global Startup: folder.htt
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26B64F17-BDF4-43AD-A732-7BD57B760BA9}: NameServer = 192.169.34.181 203.120.90.40
O17 - HKLM\System\CS1\Services\Tcpip\..\{26B64F17-BDF4-43AD-A732-7BD57B760BA9}: NameServer = 192.169.34.181 203.120.90.40

flyaway
4 Aug 2004, 3:52pm
I've also noticed another svchosts.exe in my system32 folder.
Can I just delete it?
Sorry for asking so many questions, but I am pretty hopeless in this :banghead:

Dexter
5 Aug 2004, 11:58pm
> If possible, could you please recommend a few good antivirus programs?
> Here's the new hijack log file, thanks once again! :thumbsup:

Short-Media Selects: Anti-Virus Software (http://www.short-media.com/forum/showthread.php?t=12261)

Pick an AV package. If you have some money to spend, get Norton. If you are being a cheapskate, then use the free AVG. With over 100,000 viruses on the internet, it is better to spend some money, though; you might as well support companies who seek to make your computer safer, and it's hard to feel sorry for anyone who does not have anti-virus software.

Run a scan with whatever you select, then re-post your log. The scan may solve the other problems you are having.

Dexter...

Dexter
6 Aug 2004, 12:04am
> I've also noticed another svchosts.exe in my system32 folder.
> Can I just delete it?
> Sorry for asking so many questions, but I am pretty hopeless in this :banghead:

Try to delete it if you can, but do not delete the legitimate file SVCHOST.exe.

If you cannot delete svchosts.exe normally, try it in SAFE MODE.

Also, remove these 2 entries in HJT:

O4 - Startup: folder.htt
O4 - Global Startup: folder.htt


Dexter...

flyaway
6 Aug 2004, 7:29am
Hi Dexter, I have installed the free AVG temporarily.
But I can't delete the following using HijackThis:
O4 - Startup: folder.htt
O4 - Global Startup: folder.htt

This is the new log file:

Logfile of HijackThis v1.98.0
Scan saved at 2:21:38 PM, on 8/6/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\WINNT\System32\NotifyPhoneBook.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nus.edu.sg/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.nus.edu.sg/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pcwebtools.support.hp.com/goto/?Platform=hpaddon&ObjectType=us&Name=Buttonwww
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINNT\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Startup: folder.htt
O4 - Global Startup: folder.htt
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{26B64F17-BDF4-43AD-A732-7BD57B760BA9}: NameServer = 192.169.34.181 203.120.90.40
O17 - HKLM\System\CS1\Services\Tcpip\..\{26B64F17-BDF4-43AD-A732-7BD57B760BA9}: NameServer = 192.169.34.181 203.120.90.40

Dexter
6 Aug 2004, 3:58pm
Check your START menu, Programs, look for the STARTUP folder and see if any items are in there. If there are, delete them. If not, let me know. Did AVG identify these as a problem?

Did AVG detect and repair anything else?

Dexter...

flyaway
6 Aug 2004, 4:30pm
Hi Dexter, my startup folder is empty. If I am not wrong, AVG didn't detect anything wrong with the startup. Here is the result of running AVG.
Thanks once again :)

Results of Complete Test, date and time 8/6/2004 13:39:37 :

Testing C:\ volume OICRP10ABA serial 4259-140F
C:\WINNT\NEM219.DLL Trojan horse Downloader.Dyfica.2.AA
C:\WINNT\ALCHEM.EXE repaired
C:\WINNT\SYSTEM32\WINHLP~1.EXE repaired
C:\WINNT\SYSTEM32\TFTP3092 repaired
C:\WINNT\SYSTEM32\RAOFIM.EXE repaired
C:\Documents and Settings\Administrator\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\Administrator\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\Administrator\Local Settings\TEMP\ALCHEM.EXE repaired
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\CONTENT.IE5\JNSPY98T\BETTER~1.EXE repaired
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\CONTENT.IE5\4VZHV362\ISTSVC~1.EXE Trojan horse Downloader.Istbar.4.H
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\CONTENT.IE5\7G4PZOV7\NEM219~1.DLL Trojan horse Downloader.Dyfica.2.AA
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\RECYCLED\DC192\FOLDER.HTT Virus found VBS/Redlof
Testing E:\ volume STORAGE serial AC91-36CE

Test finished, duration 00:34:28.5 s
33090 objects tested, 10 found infected

Dexter
6 Aug 2004, 4:57pm
Looks good. Now keep that virus protection up to date, and go out and invest in Norton or McAfee.

Dexter...