Hijack help needed. Thank you!

I believe I've been hijacked. Any help would be appreciated. Here's my log:


Logfile of HijackThis v1.99.1
Scan saved at 8:20:53 AM, on 9/28/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\System32\mgabg.exe
C:\WINNT\system32\mscdt.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\vjdfzwh.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PDesk\PDesk.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\kybrdff_e7.exe
C:\nwnmff_e7.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Documents and Settings\Cable One Suite A\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,wkssvr.exe,vgojscv.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [null] axux.exe
O4 - HKLM\..\Run: [Intel GFX Initializer] C:\WINNT\system32\igfxinit.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e7.exe
O4 - HKLM\..\Run: [tsusiu] C:\WINNT\system32\ucqbiw.exe reg_run
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e7.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\ucqbiw.exe reg_run
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [win32099108474324] C:\WINNT\win32099108474324.exe
O4 - HKLM\..\Run: [vjdfzwhA] C:\WINNT\vjdfzwhA.exe
O4 - HKLM\..\RunServices: [ClipSrv] clipservr.exe
O4 - HKLM\..\RunServices: [null] axux.exe
O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O4 - HKCU\..\Run: [ClipSrv] clipservr.exe
O4 - HKCU\..\Run: [null] axux.exe
O4 - HKCU\..\Run: [qpctj] C:\WINNT\system32\ucqbiw.exe reg_run
O4 - HKCU\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\rlls.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{423D671F-B807-4D13-874E-375FA18CD6D1}: NameServer = 24.116.0.201,24.116.0.202
O17 - HKLM\System\CS1\Services\Tcpip\..\{423D671F-B807-4D13-874E-375FA18CD6D1}: NameServer = 24.116.0.201,24.116.0.202
O17 - HKLM\System\CS2\Services\Tcpip\..\{423D671F-B807-4D13-874E-375FA18CD6D1}: NameServer = 24.116.0.201,24.116.0.202
O20 - Winlogon Notify: Control Panel - C:\WINNT\system32\jt0s07d7e.dll (file missing)
O20 - Winlogon Notify: Reinstall - C:\WINNT\system32\l8p2li7o18.dll (file missing)
O20 - Winlogon Notify: RunServices - C:\WINNT\system32\g840lihm184a.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
O23 - Service: MS System Spooler (MSpool) - Unknown owner - C:\WINNT\system32\mscdt.exe
O23 - Service: Microsoft Windows Internet Connections Manager (net32b) - Unknown owner - C:\WINNT\system32\net32b.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\vjdfzwh.exe
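As an added example (not part of the original post, HijackThis or any tool named in this thread), the following Python triage runs a helper's first-pass checks over entry lines copied from the log above: autorun values with a 'null' name or a bare filename, names that mimic system files, the Win9x-era RunServices key, the extra programs appended to UserInit, the unknown Winsock LSP, entries pointing at missing files, and services with no publisher. Two benign entries (vptray, mgabg) are kept in the constructed sample so the checks have something to pass.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: entry lines copied from the HijackThis log posted above,
# with two benign entries (vptray, mgabg) kept so the checks have something to pass.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
C:\WINNT\System32\smss.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [null] axux.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\ucqbiw.exe reg_run
O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\rlls.dll
O20 - Winlogon Notify: RunServices - C:\WINNT\system32\g840lihm184a.dll (file missing)
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\vjdfzwh.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,wkssvr.exe,vgojscv.exe
"""

# Every entry line is "<section> - <body>"; O4 bodies are "HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
DRIVE_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str    # why this line deserves a second look
    line: str      # the original log line


def parse_entries(log_text):
    """Yield (section, body, line) for each entry line; header and process list are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def check_o4(body):
    """Review flags for an O4 autorun entry (registry Run/RunServices value)."""
    m = O4_RE.match(body)
    if not m:
        return ["autorun entry could not be parsed"]
    name, key, cmd = m.group("name").strip(), m.group("key"), m.group("cmd").strip()
    reasons = []
    if name.lower() in ("", "null"):
        reasons.append("autorun value has an empty or 'null' name")
    if name.lower().endswith((".dll", ".exe")):
        reasons.append(f"value name '{name}' mimics a system file")
    if not DRIVE_PATH_RE.match(cmd):
        # A bare filename is resolved through the search path at logon. Legitimate
        # entries (e.g. mobsync.exe) do this too, so this is a review flag, not a verdict.
        first = cmd.split(maxsplit=1)[0] if cmd else "<empty>"
        reasons.append(f"bare filename '{first}' with no path")
    if key.lower() == "runservices":
        reasons.append("RunServices is a Win9x-era key; software on Windows 2000 rarely writes it")
    return reasons


def check_f2(body):
    """F2 UserInit should list only userinit.exe; anything appended runs at every logon."""
    if "UserInit=" not in body:
        return []
    programs = [p.strip() for p in body.split("UserInit=", 1)[1].split(",")]
    extras = [p for p in programs if p and not p.lower().endswith("userinit.exe")]
    return [f"extra UserInit program(s): {', '.join(extras)}"] if extras else []


def triage(log_text):
    """Run the per-section checks over a HijackThis log and return the findings."""
    findings = []
    lsp_seen = Counter()
    for section, body, line in parse_entries(log_text):
        reasons = []
        if section == "O4":
            reasons = check_o4(body)
        elif section == "F2":
            reasons = check_f2(body)
        elif section == "O10" and body.startswith("Unknown file in Winsock LSP:"):
            path = body.split(":", 1)[1].strip()
            lsp_seen[path] += 1   # the same DLL is listed once per protocol chain it hooked
            reasons = [f"unknown Winsock LSP {path} (occurrence {lsp_seen[path]})"]
        elif section == "O23" and "- Unknown owner -" in body:
            reasons = ["service with no publisher (Unknown owner)"]
        if "(file missing)" in body:
            reasons.append("load point for a file that no longer exists (orphaned entry)")
        findings.extend(Finding(section, r, line) for r in reasons)
    return findings


def summary(findings):
    """Number of findings per section, e.g. {'O4': 5, 'O10': 2}."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print(summary(triage(SAMPLE_LOG)))
```

The output is a review list, not a verdict: the Symantec and Matrox entries produce no findings, while every entry the helper later asks to remove is flagged at least once.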

Comments

  • skywalker45 Bloomington, IN. USA
    edited September 2006
    Yes you certainly have been Hijacked.
    :D

    Please follow the below instructions:
    • Download this file - combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Post that log in your next reply

      Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

    Next
    • Please download LSPFix from here.
    • Unzip the file to your desktop.
    • Disconnect from the internet (physically pull the cable) and run the LSPFix.exe that you have just unzipped to the desktop.
    • Check the I know what I'm doing box.
    • In the Keep box you should see one or more instances of rlls.dll.
    • Select every instance of rlls.dll and move each one to the Remove box by clicking the >> button.
    • When you are done click Finish>>.

    Do NOT move any other files to the remove box, only rlls.dll.

    Once you've finished please post the log from Combofix and a fresh Hijack This log.
  • edited September 2006
    Thanks for your help.

    Here is my ComboFix log:

    Cable One Suite A - Thu 09/28/2006 15:39:44.17 Service Pack 4
    ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Cable One Suite A\Desktop"

    ((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

    REGISTRY ENTRIES REMOVED:

    [HKEY_CLASSES_ROOT\CLSID\{F2C3165B-9282-4281-A22F-714A72BE2500}]
    @=""
    "IDEx"="ADDR"

    [HKEY_CLASSES_ROOT\CLSID\{F2C3165B-9282-4281-A22F-714A72BE2500}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{F2C3165B-9282-4281-A22F-714A72BE2500}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{F2C3165B-9282-4281-A22F-714A72BE2500}\InprocServer32]
    @="C:\\WINNT\\system32\\mbd32.dll"
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\CLSID\{309BD454-94DF-4D24-B864-F045F2A390B5}]
    @=""
    "IDEx"="ADDR"

    [HKEY_CLASSES_ROOT\CLSID\{309BD454-94DF-4D24-B864-F045F2A390B5}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{309BD454-94DF-4D24-B864-F045F2A390B5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{309BD454-94DF-4D24-B864-F045F2A390B5}\InprocServer32]
    @="C:\\WINNT\\system32\\mojet40.dll"
    "ThreadingModel"="Apartment"

    [HKEY_CLASSES_ROOT\CLSID\{649FD9A4-63DB-4A98-94E2-60FFCAA9D7E1}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{649FD9A4-63DB-4A98-94E2-60FFCAA9D7E1}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{649FD9A4-63DB-4A98-94E2-60FFCAA9D7E1}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{649FD9A4-63DB-4A98-94E2-60FFCAA9D7E1}\InprocServer32]
    @="C:\\WINNT\\system32\\mcw3prt.dll"
    "ThreadingModel"="Apartment"

    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    FILES REMOVED:

    C:\WINNT\system32\ILROP.DLL


    Granting sedebugprivilege to Administrators ... successful


    ((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


    * * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


    06-09-13 08:01 218 twwiy.dll.qoo
    06-08-31 16:30 53 vcwpqp.dat.qoo

    DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


    ((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Documents and Settings\Cable One Suite A\Application Data\Sskcwrd.dll
    C:\Documents and Settings\Cable One Suite A\Application Data\Sskknwrd.dll
    C:\Documents and Settings\Cable One Suite A\Application Data\Sskuknwrd.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\dfndrff_e7.exe
    C:\drsmartload45a45a45a.exe
    C:\deskbar.exe
    C:\deskbar2.exe
    C:\deskbar3.exe
    C:\deskbar4.exe
    C:\deskbar7.exe
    C:\kybrdff_e4.exe
    C:\kybrdff_e7.exe
    C:\nwnmff_e4.exe
    C:\nwnmff_e7.exe
    C:\warebundlenewer.exe
    C:\WINNT\system32\cemetrix.dll
    C:\WINNT\system32\dwdsregt.exe
    C:\WINNT\system32\tsuninst.exe
    C:\WINNT\system32\WinNB58.dll
    C:\ucmoreiex.exe
    C:\WINNT\offun.exe
    C:\WINNT\MirarSetup_876075.exe
    C:\WINNT\Eim03.exe
    C:\WINNT\uninstall_nmon.vbs
    C:\WINNT\system32\W000t32w.dll
    C:\Documents and Settings\Default User\Application Data\NetMon
    C:\Program Files\Common Files\misc002
    C:\Program Files\Deskbar
    C:\WINNT\system32\crunner
    C:\Program Files\Common Files\{40A7DE51-03EC-1033-1102-010228010001}


    ((((((((((((((((((((((((((((((( Files Created from 2006-08-28 to 2006-09-28 ))))))))))))))))))))))))))))))))))


    2006-09-18 12:43 578,560 --a C:\Installer4.exe
    2006-09-18 12:41 23,238 --ahs---- C:\WINNT\system32\net32b.exe
    2006-09-15 12:04 1,100,000 -r-hs---- C:\WINNT\vjdfzwhA.exe
    2006-09-15 12:04 1,077,824 -r-hs---- C:\WINNT\vjdfzwh.exe
    2006-09-13 08:22 729,088 --a C:\WINNT\system32\LDPackage.dll
    2006-09-13 08:22 53,248 --a C:\WINNT\system32\silc_dll.dll
    2006-09-13 08:20 307,200 --a C:\WINNT\system32\rlls.dll
    2006-09-13 08:06 777,472 --a C:\WINNT\system32\drivers\avg7core.sys
    2006-09-13 08:06 4,992 --a C:\WINNT\system32\drivers\avgtdi.sys
    2006-09-13 08:06 4,288 --a C:\WINNT\system32\drivers\avg7rsw.sys
    2006-09-13 08:06 27,904 --a C:\WINNT\system32\drivers\avg7rsxp.sys
    2006-09-13 08:06 26,912 --a C:\WINNT\system32\drivers\avg7rsnt.sys
    2006-09-13 08:06 23,424 --a C:\WINNT\system32\drivers\avgmfrs.sys
    2006-08-31 16:30 927 --a C:\WINNT\system32\winpfg32.sys
    2006-08-31 16:30 45,056 --a C:\TIGEN001.exe
    2006-08-31 08:53 144 --a C:\WINNT\file.bat
    2006-08-30 19:12 25 --a C:\WINNT\win320991084743242006.exe
    2006-08-30 16:11 880,000 -r-hs---- C:\WINNT\nmftekk.exe
    2006-08-30 16:11 345,775 --a C:\803_104.exe
    2006-08-30 14:22 716 --a C:\WINNT\system32\dxn17.dll
    2006-08-30 14:22 603,136 --a C:\WINNT\system32\mscdt.exe
    2006-08-30 14:22 53,248 --a C:\WINNT\system32\scansql.exe
    2006-08-30 14:22 39,424 --a C:\WINNT\system32\xsys.dll
    2006-08-30 14:22 37,376 --a C:\WINNT\system32\psexec.exe
    2006-08-30 14:22 190 --a C:\WINNT\system32\start.bat
    2006-08-30 14:22 162,816 --a C:\WINNT\system32\wget.exe
    2006-08-30 14:22 122,880 --a C:\WINNT\system32\osql.exe
    2006-08-30 14:22 10 --a C:\WINNT\system32\bot.dll
    2006-08-30 14:21 29,696 --a C:\WINNT\system32\Libparse.exe
    2006-08-30 14:21 176 --a C:\WINNT\system32\KAHOL.bat
    2006-08-30 14:21 118 --a C:\WINNT\system32\edit.BAT
    2006-08-30 14:21 1,634 --a C:\WINNT\system32\find.bat
    2006-08-30 09:05 80,384 --a C:\WINNT\system32\nsl7D.dll
    2006-08-29 10:16 81,920 --a C:\WINNT\system32\Packet.dll
    2006-08-29 10:16 61,440 --a C:\WINNT\system32\WanPacket.dll
    2006-08-29 10:16 32,512 --a C:\WINNT\system32\drivers\npf.sys
    2006-08-29 10:16 233,472 --a C:\WINNT\system32\wpcap.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-09-28 15:40 d-a C:\Program Files\Common Files
    2006-09-18 11:10 d-a C:\Program Files\ewido anti-spyware 4.0
    2006-09-15 12:26 d-a C:\Program Files\Accessories
    2006-09-13 09:40 d C:\Program Files\Common Files\orqi
    2006-09-13 08:07 d C:\Documents and Settings\Cable One Suite A\Application Data\AVG7
    2006-09-13 08:06 d C:\Program Files\Grisoft
    2006-08-31 09:03 d-a C:\Program Files\NetMeeting
    2006-08-30 16:14 8464 --a C:\WINNT\system32\sporder.dll
    2006-08-23 13:40 d--h C:\Program Files\InstallShield Installation Information
    2006-08-23 13:40 d C:\Program Files\Canon


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ClipSrv"="clipservr.exe"
    "null"="axux.exe"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
    "Windows Kernel System Service"="wkssvr.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe /logon"
    "Matrox Powerdesk"="C:\\WINNT\\System32\\PDesk\\PDesk.exe /Autolaunch"
    "vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
    "NeroCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "null"="axux.exe"
    "Intel GFX Initializer"="C:\\WINNT\\system32\\igfxinit.exe"
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "win32099108474324"="C:\\WINNT\\win32099108474324.exe"
    "vjdfzwhA"="C:\\WINNT\\vjdfzwhA.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
    "ClipSrv"="clipservr.exe"
    "null"="axux.exe"
    "Windows Kernel System Service"="wkssvr.exe"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000003
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,99,01,00,00,00,00,00,00,67,06,00,00,e4,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,c0
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "InsideofYou"="oxcellent.exe"
    "null"="axux.exe"
    "orqi"="C:\\PROGRA~1\\COMMON~1\\orqi\\orqim.exe"
    "qpctj"="C:\\WINNT\\system32\\ucqbiw.exe reg_run"
    "cprocsvc"="C:\\WINNT\\system32\\crunner\\cproc.exe"
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
    "^SetupICWDesktop"=""
    "Del23959"=""

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
    "Windows Kernel System Service"="wkssvr.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000095
    "CDRAutoRun"=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000095

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
    "{40A7DE51-03EC-1033-1102-010228010001}"="\"C:\\Program Files\\Common Files\\{40A7DE51-03EC-1033-1102-010228010001}\\Update.exe\" mc-110-12-0000509"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\ycsrgb.sys

    Completion time: Thu 2006-09-28 15:46:36.78
    ComboFix.txt



    HERE IS MY HIJACK THIS LOG:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:55:17 PM, on 9/28/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\System32\mgabg.exe
    C:\WINNT\system32\mscdt.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\vjdfzwh.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\PDesk\PDesk.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Documents and Settings\Cable One Suite A\Desktop\HijackThis.exe

    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [null] axux.exe
    O4 - HKLM\..\Run: [Intel GFX Initializer] C:\WINNT\system32\igfxinit.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [win32099108474324] C:\WINNT\win32099108474324.exe
    O4 - HKLM\..\Run: [vjdfzwhA] C:\WINNT\vjdfzwhA.exe
    O4 - HKLM\..\RunServices: [ClipSrv] clipservr.exe
    O4 - HKLM\..\RunServices: [null] axux.exe
    O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
    O4 - HKCU\..\Run: [ClipSrv] clipservr.exe
    O4 - HKCU\..\Run: [null] axux.exe
    O4 - HKCU\..\RunServices: [Windows Kernel System Service] wkssvr.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{423D671F-B807-4D13-874E-375FA18CD6D1}: NameServer = 24.116.0.201,24.116.0.202
    O17 - HKLM\System\CS1\Services\Tcpip\..\{423D671F-B807-4D13-874E-375FA18CD6D1}: NameServer = 24.116.0.201,24.116.0.202
    O17 - HKLM\System\CS2\Services\Tcpip\..\{423D671F-B807-4D13-874E-375FA18CD6D1}: NameServer = 24.116.0.201,24.116.0.202
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
    O23 - Service: MS System Spooler (MSpool) - Unknown owner - C:\WINNT\system32\mscdt.exe
    O23 - Service: Microsoft Windows Internet Connections Manager (net32b) - Unknown owner - C:\WINNT\system32\net32b.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\vjdfzwh.exe



    HOW'S SHE LOOK???
  • skywalker45 Bloomington, IN. USA
    edited September 2006
    Much better, but not quite there. There's a lot of malware still in there likely added by various worms/trojans. I see you have Ewido installed. Could you please follow the instructions below to run a full scan with Ewido:
    • Launch Ewido Anti-Spyware.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
        Note: If the Update now option is grayed out, follow the steps below.
        • Click on Update on the toolbar.
        • Under Manual update, click on the Start Update button.
        • Wait until you see the Update successful message.
    • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    Ewido manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.

    ______________________________

    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    ______________________________
    Navigate to C:\Windows\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

    Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
    Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

    Clean out your Temporary Internet files. Proceed like this:
    • Quit Internet Explorer and quit any instances of Windows Explorer.
    • Click Start, click Control Panel, and then double-click Internet Options.
    • On the General tab, click Delete Files under Temporary Internet Files.
    • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
    • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
    • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
    • Click OK.
    Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

    Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
    ______________________________

    Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
    • When done, click the Save Scan Report button.
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot in Normal Mode.

    Please post the Ewido Log and a fresh Hijack This log in your next reply. If for any reason you cannot run Ewido or are having difficulty let me know.
    :)
  • edited September 2006
    Thanks for your help. I will not be able to try the suggested help until Monday probably.

    You're all too kind!
  • skywalker45 Bloomington, IN. USA
    edited September 2006
    No problem. We'll still be here.
    :D
  • edited October 2006
    Thanks again for your help.
    First of all, I could not get ewido to run in Safe Mode. I tried restarting the computer in Safe Mode again but it still would not run. Task Manager had it listed in Processes but it never came up on the screen.
    I restarted normally and ran it there.

    Also, after deleting Temp Internet files and cookies, I tried to do the next step (Start/Control Panel/Display). I did not have a Desktop tab and therefore was unable to perform that step. I am using Windows 2000 and not sure if your instructions applied to my OS.

    Here are my logs. The ewido scan had some errors.

    ewido anti-spyware - Scan Report

    + Created at: 10:58:55 AM 10/2/2006

    + Scan result:



    C:\WINNT\system32\nsl7D.dll -> Adware.EZula : Cleaned with backup (quarantined).
    C:\Installer4.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\WINNT\NDNuninstall4_85.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
    C:\WINNT\NDNuninstall6_30.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
    C:\WINNT\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
    C:\TIGEN001.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
    C:\WINNT\system32\net32b.exe -> Backdoor.IRCBot.st : Cleaned with backup (quarantined).
    [716] C:\WINNT\system32\net32b.exe -> Backdoor.IRCBot.st : Error during cleaning.
    C:\WINNT\vjdfzwh.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
    [944] C:\WINNT\vjdfzwh.exe -> Dropper.Agent.mu : Error during cleaning.
    C:\WINNT\system32\scansql.exe -> Not-A-Virus.NetTool.Win32.SQLAccount.180 : Cleaned with backup (quarantined).


    ::Report end


    .. .. .. .. .. .. .. .. .. .. .. .. ..


    Logfile of HijackThis v1.99.1
    Scan saved at 10:59:38 AM, on 10/2/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\System32\mgabg.exe
    C:\WINNT\system32\mscdt.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\PDesk\PDesk.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Documents and Settings\Cable One Suite A\Desktop\HijackThis.exe

    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [null] axux.exe
    O4 - HKLM\..\Run: [Intel GFX Initializer] C:\WINNT\system32\igfxinit.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [win32099108474324] C:\WINNT\win32099108474324.exe
    O4 - HKLM\..\Run: [vjdfzwhA] C:\WINNT\vjdfzwhA.exe
    O4 - HKLM\..\RunServices: [ClipSrv] clipservr.exe
    O4 - HKLM\..\RunServices: [null] axux.exe
    O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
    O4 - HKCU\..\Run: [ClipSrv] clipservr.exe
    O4 - HKCU\..\Run: [null] axux.exe
    O4 - HKCU\..\RunServices: [Windows Kernel System Service] wkssvr.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{423D671F-B807-4D13-874E-375FA18CD6D1}: NameServer = 24.116.0.201,24.116.0.202
    O17 - HKLM\System\CS1\Services\Tcpip\..\{423D671F-B807-4D13-874E-375FA18CD6D1}: NameServer = 24.116.0.201,24.116.0.202
    O17 - HKLM\System\CS2\Services\Tcpip\..\{423D671F-B807-4D13-874E-375FA18CD6D1}: NameServer = 24.116.0.201,24.116.0.202
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
    O23 - Service: MS System Spooler (MSpool) - Unknown owner - C:\WINNT\system32\mscdt.exe
    O23 - Service: Microsoft Windows Internet Connections Manager (net32b) - Unknown owner - C:\WINNT\system32\net32b.exe (file missing)
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\vjdfzwh.exe (file missing)
  • skywalker45 (Bloomington, IN, USA)
    edited October 2006
    Also, after deleting Temp Internet files and cookies, I tried to do the next step (Start/Control Panel/Display). I did not have a Desktop tab and therefore was unable to perform that step. I am using Windows 2000 and not sure if your instructions applied to my OS.

    Sorry about that. You're OK though. I'd like you to visit the link below and run a Trend Micro Housecall scan.

    http://housecall.trendmicro.com/

    You have an RBOT worm infection and I want to try to root it out with a tool rather than by hand. Allow the scan to remove whatever it finds. Please post back here with the results of the scan and a fresh Hijack This log.
  • edited October 2006
    I ran Housecall, it found a bunch of stuff and I told it to fix the problems. About an hour and a half later it was supposedly still scanning although the progress bar was still empty. Couldn't tell if it was actually running or not so I told it to fix the problems again. It scanned a bunch of stuff again, then just sat there for a long time.
    I will set it to scan tonight and get you a log in the morning.

    -Terry
  • skywalker45 (Bloomington, IN, USA)
    edited October 2006
    OK. I'll be waiting. If that doesn't work we have plenty of tools in the chest.
    :D
  • edited October 2006
    After another scan and a list of malware and other unwanted files, I told it to fix the problems. It quickly scanned through a bunch of files but then stopped on one "WORM_SDBOT.AAB". It's been sitting on that one for about 50 minutes. This seems like the same thing that happened last Monday.
    Any other suggestions? Other programs to run other than this one?

    Thanks again.
  • skywalker45 (Bloomington, IN, USA)
    edited October 2006
    Yes. I need to do some research on some of your log entries and may ask for your help. In the meantime could you please run a Bit Defender online scan from my signature below. It will generate a log. Please post that log back here and another Hijack This log.
  • edited October 2006
    Bit Defender scan in progress...
  • edited October 2006
    How do I post the Bit Defender log here? I saved it as an .html file and as a .txt file.
    I've tried to attach the files but not sure I did it correctly.
    BitDefenderText.txt
    BitDefender Online Scanner -Scan Report.txt

    Here is my HijackThis log:


    Logfile of HijackThis v1.99.1
    Scan saved at 11:49:05 AM, on 10/5/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\System32\mgabg.exe
    C:\WINNT\system32\mscdt.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\PDesk\PDesk.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Cable One Suite A\Desktop\HijackThis.exe

    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [null] axux.exe
    O4 - HKLM\..\Run: [Intel GFX Initializer] C:\WINNT\system32\igfxinit.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [win32099108474324] C:\WINNT\win32099108474324.exe
    O4 - HKLM\..\Run: [vjdfzwhA] C:\WINNT\vjdfzwhA.exe
    O4 - HKLM\..\RunServices: [ClipSrv] clipservr.exe
    O4 - HKLM\..\RunServices: [null] axux.exe
    O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
    O4 - HKCU\..\Run: [ClipSrv] clipservr.exe
    O4 - HKCU\..\Run: [null] axux.exe
    O4 - HKCU\..\RunServices: [Windows Kernel System Service] wkssvr.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{423D671F-B807-4D13-874E-375FA18CD6D1}: NameServer = 24.116.0.201,24.116.0.202
    O17 - HKLM\System\CS1\Services\Tcpip\..\{423D671F-B807-4D13-874E-375FA18CD6D1}: NameServer = 24.116.0.201,24.116.0.202
    O17 - HKLM\System\CS2\Services\Tcpip\..\{423D671F-B807-4D13-874E-375FA18CD6D1}: NameServer = 24.116.0.201,24.116.0.202
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
    O23 - Service: MS System Spooler (MSpool) - Unknown owner - C:\WINNT\system32\mscdt.exe
    O23 - Service: Microsoft Windows Internet Connections Manager (net32b) - Unknown owner - C:\WINNT\system32\net32b.exe (file missing)
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\vjdfzwh.exe (file missing)
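The helper is reading the O4 and O23 lines of the log above by eye, looking for the usual signs of a bot dropper: a Run value with an empty or "null" name, a bare filename with no path, entries under RunServices (a Windows 9x key that Windows 2000 does not process, so legitimate NT software has no reason to write it), generated-looking names with long digit runs, services with no company name in their version info, services whose binary is already gone, and binaries dropped straight into C:\WINNT instead of System32. The script below is an added example (it is not part of the thread, nor a HijackThis feature) that applies those same checks mechanically. The sample lines are copied from the log posted above; the WINDIR_ROOTS set is an assumption covering the default install directories. Every flag is a reason to look closer, not a verdict: note that the BitDefender uninstall entry in the same log also reads "(file missing)" and is harmless.

```python
"""Triage helper for HijackThis O4 (autorun) and O23 (service) lines.

Added example, not part of the thread or of HijackThis itself. A flag means
"worth a closer look", not "malware".
"""
import ntpath
import re

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [null] axux.exe
O4 - HKLM\..\Run: [win32099108474324] C:\WINNT\win32099108474324.exe
O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
O23 - Service: MS System Spooler (MSpool) - Unknown owner - C:\WINNT\system32\mscdt.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\vjdfzwh.exe (file missing)
"""

# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: display name (short name) - company - path [ (file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Assumption: default Windows install directories on NT-family systems.
WINDIR_ROOTS = {r"c:\winnt", r"c:\windows"}


def _executable(cmd):
    """Pull the executable out of a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0] if cmd else ""


def _in_windir_root(path):
    """True when the binary sits directly in C:\\WINNT (or C:\\WINDOWS), not in System32."""
    return ntpath.dirname(path).lower() in WINDIR_ROOTS


def triage_line(line):
    """Return the list of reasons a line deserves a closer look ([] if none)."""
    reasons = []
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        name, key = m.group("name"), m.group("key")
        exe = _executable(m.group("cmd"))
        if name.strip().lower() in ("", "null"):
            reasons.append("autorun value with an empty or 'null' name")
        if "\\" not in exe:
            reasons.append("bare filename, resolved through the search path rather than an explicit location")
        if key.lower() == "runservices":
            reasons.append("RunServices key: a Windows 9x key that Windows 2000 does not process")
        if re.search(r"\d{8,}", name + " " + exe):
            reasons.append("long digit run, typical of a generated name")
        if "\\" in exe and _in_windir_root(exe):
            reasons.append("binary dropped directly in the Windows directory")
        return reasons
    m = O23_RE.match(line)
    if m:
        owner, path = m.group("owner"), m.group("path")
        if owner == "Unknown owner":
            reasons.append("service binary carries no company name in its version info")
        if path.endswith("(file missing)"):
            reasons.append("service points at a file that is no longer on disk")
            path = path[: -len("(file missing)")].strip()
        if _in_windir_root(path):
            reasons.append("binary dropped directly in the Windows directory")
    return reasons


def triage(log_text):
    """Map each flagged line to its reasons; clean lines and other item types are skipped."""
    result = {}
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            result[line.strip()] = reasons
    return result


if __name__ == "__main__":
    for flagged_line, why in triage(SAMPLE_LOG).items():
        print(flagged_line)
        for reason in why:
            print("   -", reason)
```

Run against the sample, five of the eight lines come back flagged; the two vendor-signed entries and the QuickTime entry come back clean. Pasting a full HijackThis log into triage() gives the same short list a helper would otherwise compile by hand, which is useful as a first pass before deciding which entries to research.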
  • skywalker45 (Bloomington, IN, USA)
    edited October 2006
    Bit Defender attachment worked. We need to deal with this worm problem you have but I don't want to do it manually. We will if we have to but for now try the below:

    Please make a new folder on your desktop and name it sysclean. After that please download Trend Micro's Sysclean Package from here. Put the file into the sysclean folder.

    Next download Trend Micro's latest pattern files (lpt819.zip) for the Sysclean Package here. Unzip the contents into the sysclean folder. This step is very important--The pattern files MUST be in the same folder as sysclean.com

    Reboot into safe mode and open the sysclean folder. Double click on sysclean.com.

    Allow the scan to run and clean whatever it finds. It will take some time so be patient. At the end it will save a log. Post that log and a fresh Hijack This log in your next reply.
  • edited October 2006
    Help! My computer keeps rebooting itself. I first tried to reboot in Safe Mode and after choosing Safe Mode and Windows 2000 it rebooted itself. I tried it again and same result.
    Then I let it try to reboot itself in normal mode but it won't boot up all the way...it keeps rebooting.
  • skywalker45 (Bloomington, IN, USA)
    edited October 2006
    Nothing in those files I asked you to download would cause that problem. Can you try disconnecting the PC completely from the internet then try booting? This worm/worms in your log can open backdoors to all kinds of other malware that could cause problems like these. Do you have your Windows 2000 CD? We might have to boot from that and we may need to get the emergency help forum moderator to help as well.

    I would turn off the PC totally. Disconnect it from the internet. Wait about 10 minutes then try to boot again.

    Did this happen before or after you downloaded the files? Did it happen after you ran the scans? Try the above and let me know what you find out.
  • edited October 2006
    This happened after running the Bit Defender scan, downloading and unzipping sysclean stuff. I tried to reboot in Safe Mode as directed and that's when the problem started.
    I have since disconnected my Internet connection.
    If I power off the computer, then turn it back on I get the BIOS screen (I think that's what it is) and it tells me:
    "During the last boot up, your system hung for an improper CPU speed setting. Your system is now working in safe mode. To optimize the system performance and reliability, make sure the CPU speed conforms to the specifications of your CPU".

    I select Save and Exit to continue booting and it just reboots over and over. I have never seen this problem before.
  • skywalker45 (Bloomington, IN, USA)
    edited October 2006
    This sounds like you're overclocking the CPU and you don't know it. Follow these steps.

    Reboot the PC and start pressing the delete key. Keep pressing delete until the BIOS screen appears. In the BIOS there should be an advanced features menu. Scroll to that and press enter. (Keep in mind that I have no idea what BIOS you have so I'm guessing here. You might need to look around for it.)

    You need to find the field in your BIOS that has to do with memory timings. Basically you want to slow the bus down to the lowest speed that your BIOS will allow. Right now it might be set to By SPD which should work, but if not try setting it to the lowest speed. Again not knowing your BIOS it's difficult for me to tell you what to do. I have this problem with my home PC whenever I try to overclock. Some chips will do it and some won't. Post back with some BIOS specs if you can including manufacturer and BIOS version. You should be able to see this information in the top left hand corner of the screen right before Windows boots.
  • edited October 2006
    I will try those things...
    Here's the BIOS info I got off the screen:
    ASUS CUV4X-DLS ACPI BIOS Revision 1014.
    Does that mean anything to you?
  • edited October 2006
    Is it the same as CPU Speed in the BIOS?
  • skywalker45 (Bloomington, IN, USA)
    edited October 2006
    The BIOS version doesn't mean much to me since I am used to seeing Award BIOS but where you see CPU speed you should be able to adjust that to like 166MHz or 133MHz. Whichever speed you have that's the lowest, use that. By the way what CPU do you have and how much and what type of memory (i.e. DDR, SDRAM, RAMBUS, etc.)?
  • edited October 2006
    We have two Pentium 3 500E MHz processors and 1G RAM.
    I changed the speed from 133 down to 66, saved & exited and rebooted. Still wouldn't boot.
  • edited October 2006
    Award Medallion Bios v.6 is what we have.
  • skywalker45 (Bloomington, IN, USA)
    edited October 2006
    profdlp, one of our super moderators in the emergency help forum, says this: You can also get the CPU error by inadvertently underclocking. The BIOS can't properly identify the CPU and throws up its little digital hands in frustration. Have him tell you the exact speed and model of his CPU so you can tell him the right FSB and Multiplier. I'll be glad to help you if you need it.

    He has also subscribed to this thread. So you're running this on a dual CPU board, correct? Based on that config I think I'll let prof weigh in here on what multiplier to use to match the CPU speed to memory speed. He will likely post in this thread to let you know how to set up the multiplier for this config. It also could be related to partially removed malware that we can hopefully deal with after we get the machine up.
  • edited October 2006
    Where do I find the info he's requested? I want to make sure I get the exact info for you.
  • skywalker45 (Bloomington, IN, USA)
    edited October 2006
    Here is a quote from him:
    Have him tell you the exact speed and model of his CPU so you can tell him the right FSB and Multiplier. I'll be glad to help you if you need it.

    Since the PC won't boot you will have to get this information from the BIOS screen, either by pressing the delete key or watching in the corner of the screen as the PC boots.
  • edited October 2006
    I'm still not sure exactly where this info will appear and on which screen.
    I entered the BIOS and here's some of the info:
    CPU Speed - 1000MHz
    CPU: System Frequency Multiple - 7.5x
    System/PCI Frequency - 133.0/33.25

    Does any of this help? If not, please tell me exactly where I need to look to get the info. I can't find anything about the model number but, again, I'm not sure where to look to find it.

    Thanks again for your help and sorry I'm not more knowledgeable about this stuff. Then again, I guess that's why I'm here.
  • profdlp (The Holy City Of Westlake, Ohio)
    edited October 2006
    What's the CPU supposed to run at? :)
  • skywalker45 (Bloomington, IN, USA)
    edited October 2006
    You are running dual 500MHz P3 CPUs, right?
  • edited October 2006
    Yes, dual 500s.

    How do I know what it's supposed to run at?

    If it helps, we have an identical machine in the office that's working properly.