[Inactive] Unable to boot in Normal Mode--Problems Removing Virus or spyware?
Hi, I am new to this board, and I am thoroughly impressed with the help you have been able to provide folks in the posts that I have read.
If someone could please help me I would greatly appreciate it. I have recently let my firewall and antivirus subscription expire, and I appear to be paying dearly for it.
When I start Windows (2000 Professional) as it is booting up, I receive two error messages (I am paraphrasing): 1) There is an error starting ss.exe.exe and Windows must Shut Down, and 2) The System is shutting down...the shutdown was initiated by NT/Authority/System...Message: The system terminated unexpectedly system32/lsass.exe with Status Code 128 (this appears to be identical to what the Sasser worm did, but as you'll see below, that's not the culprit). After this, it goes to a blue screen (sometimes) with something about C000021a and a fatal system error.
I am unfortunately not very computer savvy. However, I have read on several posts and have tried several things that I saw as being suggested previously:
1) Installing Trend Office Scan in Safe Mode with Networking (my computer restarts in normal mode)...this was to no avail, it installs, but then says I need to talk to my administrator about a kernel
2) SmitfraudFix Registry Cleaner...I am not sure if this did anything. It did appear to
3) ATF Cleaner...This seems to have worked
4) AVG Anti-Spyware 7.5...downloaded and did a complete scan and it seemed to have removed some things
5) Online Panda Virus Scan...this did not seem to successfully complete in Safe Mode with Networking
6) Online Trend Virus Scan (Home Call)...this did not seem to successfully remove everything in Safe Mode with Networking
7) Running the Sasser Worm Fix...it did not detect the worm
8) Microsoft Malicious Software Remover...nothing found
9) Downloading HijackThis!...log pasted below
I am at the forum because none of my efforts have worked! If I can get it to boot normally, I think I will be able to install and run Trend Office. I am in a bad situation because I have a one-time install piece of software for a class that I am taking that is needed to complete a semester project. Stupid, stupid me.
Again, I will greatly appreciate any help that can be provided!
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 6:29:34 PM, on 12/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\explorer.exe
C:\11-30-06\Hijack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R3 - URLSearchHook: (no name) - {B8F260C3-8907-84A6-994F-C832426FDE66} - Kargo.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {45417F14-F6A0-6B2A-E485-00EB54FA83FB} - C:\WINNT\system32\qzcbibj.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Fast Home] C:\WINNT\system32\svcnvt.exe home
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINNT\system32\hphmon06.exe
O4 - HKLM\..\Run: [jopplerg] sound64.exe
O4 - HKLM\..\Run: [Kargo] lpt.exe
O4 - HKLM\..\Run: [xdgqwp.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\xdgqwp.dll,zkpkime
O4 - HKLM\..\Run: [spoolsvv] C:\WINNT\system32\spoolsvv.exe
O4 - HKLM\..\Run: [Nord] C:\WINNT\system32\nordsys.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [dmggw.exe] C:\WINNT\system32\dmggw.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [srbho] MSTCPDLL.exe
O4 - HKCU\..\Run: [Shaitan1678] JAguAr.exe
O4 - HKCU\..\Run: [Nord] C:\WINNT\system32\nordsys.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {00EF2092-6AC5-47C0-BD25-CF2D5D657FEB} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {064C57B4-B9EC-425F-B9B3-BCEFFEEA74D9} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1BAD0830-AC09-44FA-8A44-5365AEB45D11} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {30355844-0000-0010-8000-00AA00389B71} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2969c732399c0fa89816/netzip/RdxIE601.cab
O16 - DPF: {58916BE6-BAFF-4F33-AEFE-B2AA03FE4C86} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1128381498046
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6632AA50-49DC-475B-B911-A02B84C7C794} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {75D2080B-4857-4B96-9B7D-732634FBD01F} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9E30754B-29A9-41CE-8892-70E9E07D15DC} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.186/images/PopupSh.ocx
O16 - DPF: {A142B305-DCC9-4591-A7CB-CDB4817A1C1D} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {A5DC33CE-214B-4C26-8596-8A45456C9EB8} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {AAF15A90-F3EC-4FEE-9A00-F65B25B83D05} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {C9712B19-838B-45A5-ABF2-9A315DDDED50} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {D2BD7935-05FC-11D2-9059-00C04FD7A1BD} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {E06D8026-DB46-11CF-B4D1-00805F6CBBEA} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {E06D802B-DB46-11CF-B4D1-00805F6CBBEA} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} (IERPCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{790DA197-54A3-4F9C-A78B-14ADC456E605}: NameServer = 194.133.125.66
O17 - HKLM\System\CCS\Services\Tcpip\..\{83028A08-5EE5-4E84-9B79-F8F430C48607}: NameServer = 194.133.125.66
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.225
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.225
O21 - SSODL: CECDBEGA - {55AC4C3E-6498-094B-6C20-42472F8C157F} - C:\WINNT\system32\Edkjhe32.dll (file missing)
O21 - SSODL: mtklefa - {70E54B48-903E-475E-699A-19A7F58B2063} - C:\WINNT\system32\dkbe32.dll (file missing)
O21 - SSODL: mtkle - {6AC3F458-296F-4BF0-EFB8-4659CDB6CC27} - C:\WINNT\system32\iijdu32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
Comments
As you have already mentioned, not having an Anti-Virus and Firewall has resulted in many dangerous infections.
You are strongly advised to do the following immediately:
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
________________________
Can I confirm you cannot boot into Normal Mode and are using Safe Mode? Do you have another computer you could access if needed?
I would like to see another log from HijackThis.
I am running in safe mode. Should I only worry about accounts accessed from my infected computer?
Are you able to help me getting running in normal mode again?
Here is the log:
Adobe Reader 7.0
AirPlus G
ANIO Service
ANIWZCS2 Service
ArcSoft PhotoStudio 5.5
ArcView 9.1 (Demo Edition)
ATI Display Driver
Canon Camera Support Core Library
Canon Camera TWAIN Driver 6.5
Canon Camera Window DS for ZoomBrowser EX
Canon Camera Window DVC for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX
Classic MP6410 MP3 Player
DivX
DivX Player
Easy CD Creator 5 Basic
Elecard MPEG-2 Decoder&Streaming Pack
Getting to Know ArcGIS Desktop Exercise Data
HijackThis 1.99.1
hp deskjet 630c series (Remove only)
HP Image Zone 4.0
HP Software Update
Internet Explorer Q832894
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 5
LimeWire 4.12.6
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft Internet Explorer 6 SP1
Microsoft Office Professional Edition 2003
Outlook Express Update Q330994
Panda ActiveScan
Photosmart 320,370,7400,8100,8400 Series
Python 2.1
Python 2.1 combined Win32 extensions
QuickTime
RealPlayer
SoundMAX
Trend Micro OfficeScan Client
Viewpoint Media Player
Windows 2000 Hotfix - KB329115
Windows 2000 Hotfix - KB823182
Windows 2000 Hotfix - KB823559
Windows 2000 Hotfix - KB824105
Windows 2000 Hotfix - KB824141
Windows 2000 Hotfix - KB824146
Windows 2000 Hotfix - KB825119
Windows 2000 Hotfix - KB826232
Windows 2000 Hotfix - KB828028
Windows 2000 Hotfix - KB828035
Windows 2000 Hotfix - KB828749
Windows 2000 Hotfix - KB842773
Windows Installer 3.1 (KB893803)
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See wm828026 for more information]
Windows Media Player system update (9 Series)
WinZip
Yes!
I'll do my best.
______________________
You may need to transfer files from your spare computer to the infected one in order to complete the instructions.
Let's begin...
We need to get you an Anti-Virus and Firewall protection before we continue any further. Please download one of each from the list below - They are Free!
AV
AVG Free Edition << I recommend this
AntiVir
avast! 4 Home Edition
Firewall
Zone Alarm << I recommend this
Sunbelt Kerio PF
Outpost Firewall
______________________
The following fix requires an active Internet connection. The standard Safe Mode does not allow access to the Internet, so you need to boot the computer into Safe Mode with Networking where you will have Internet access.
Please download FixWareout from one of these sites and save it to your desktop:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
- Double click Fixwareout.exe to run it.
- Click Next, then Install.
- Make sure Run fixit is checked and click Finish.
- The fix will begin; follow the prompts.
- You will be asked to reboot your computer; please do so.
- Your system may take longer than usual to load; this is normal.
- At the end of the fix, you may need to restart your computer again.
- A report.txt file will be created in the C:\fixwareout folder. Please keep it safe as I'll need to see it soon.
______________________
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R3 - URLSearchHook: (no name) - {B8F260C3-8907-84A6-994F-C832426FDE66} - Kargo.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: (no name) - {45417F14-F6A0-6B2A-E485-00EB54FA83FB} - C:\WINNT\system32\qzcbibj.dll
O4 - HKLM\..\Run: [Fast Home] C:\WINNT\system32\svcnvt.exe home
O4 - HKLM\..\Run: [jopplerg] sound64.exe
O4 - HKLM\..\Run: [Kargo] lpt.exe
O4 - HKLM\..\Run: [xdgqwp.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\xdgqwp.dll,zkpkime
O4 - HKLM\..\Run: [spoolsvv] C:\WINNT\system32\spoolsvv.exe
O4 - HKLM\..\Run: [Nord] C:\WINNT\system32\nordsys.exe
O4 - HKLM\..\Run: [dmggw.exe] C:\WINNT\system32\dmggw.exe
O4 - HKCU\..\Run: [srbho] MSTCPDLL.exe
O4 - HKCU\..\Run: [Shaitan1678] JAguAr.exe
O4 - HKCU\..\Run: [Nord] C:\WINNT\system32\nordsys.exe
O16 - DPF: {00EF2092-6AC5-47C0-BD25-CF2D5D657FEB} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {064C57B4-B9EC-425F-B9B3-BCEFFEEA74D9} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {1BAD0830-AC09-44FA-8A44-5365AEB45D11} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/in...altpmtscab.cab
O16 - DPF: {30355844-0000-0010-8000-00AA00389B71} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2969c732...p/RdxIE601.cab
O16 - DPF: {58916BE6-BAFF-4F33-AEFE-B2AA03FE4C86} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1128381498046
O16 - DPF: {6632AA50-49DC-475B-B911-A02B84C7C794} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {75D2080B-4857-4B96-9B7D-732634FBD01F} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9E30754B-29A9-41CE-8892-70E9E07D15DC} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.186/images/PopupSh.ocx
O16 - DPF: {A142B305-DCC9-4591-A7CB-CDB4817A1C1D} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {A5DC33CE-214B-4C26-8596-8A45456C9EB8} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {AAF15A90-F3EC-4FEE-9A00-F65B25B83D05} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {C9712B19-838B-45A5-ABF2-9A315DDDED50} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {D2BD7935-05FC-11D2-9059-00C04FD7A1BD} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {E06D8026-DB46-11CF-B4D1-00805F6CBBEA} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {E06D802B-DB46-11CF-B4D1-00805F6CBBEA} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {FDC7A535-4070-4B92-A0EA-D9994BCC0DC5} (IERPCtl Class) - http://activex.microsoft.com/objects/ocget.dll
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.225
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.225
O21 - SSODL: CECDBEGA - {55AC4C3E-6498-094B-6C20-42472F8C157F} - C:\WINNT\system32\Edkjhe32.dll (file missing)
O21 - SSODL: mtklefa - {70E54B48-903E-475E-699A-19A7F58B2063} - C:\WINNT\system32\dkbe32.dll (file missing)
O21 - SSODL: mtkle - {6AC3F458-296F-4BF0-EFB8-4659CDB6CC27} - C:\WINNT\system32\iijdu32.dll (file missing)
- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
- Close HijackThis
______________________
Make sure you can view hidden files and folders:
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Show hidden files and folders.
- Uncheck the Hide protected operating system files (recommended) option.
- Click Yes to confirm.
- Click OK.
Next, find and delete the following in RED if present:
C:\WINNT\system32\svcnvt.exe
C:\WINNT\system32\sound64.exe
C:\WINNT\system32\lpt.exe
C:\WINNT\system32\spoolsvv.exe
C:\WINNT\system32\nordsys.exe
C:\WINNT\system32\dmggw.exe
C:\WINNT\system32\MSTCPDLL.exe
C:\WINNT\system32\JAguAr.exe
C:\WINNT\system32\xdgqwp.dll
C:\WINNT\system32\qzcbibj.dll
C:\WINNT\system32\Edkjhe32.dll
C:\WINNT\system32\dkbe32.dll
C:\WINNT\system32\iijdu32.dll
______________________
Now let's check some settings on your system.
(2000/XP) Only
- Click Start > Connect to > Show all connections.
- Right click on your default connection, usually local area connection for cable and dsl.
- Left click on Properties.
- Click the Networking tab.
- Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
- Press OK twice to get out of the properties screen and reboot if it asks. (That option might not be available on some systems).
Next!
- Click Start > Run, type cmd and hit OK.
- Type ipconfig /flushdns then hit enter, (Note: there is a space between ipconfig and /flushdns).
- Type exit hit enter.
______________________
Please post the following:
1) FixWareout Report
2) New HijackThis log
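As an added example (not code from this thread, and not HijackThis's own tooling), the following Python script applies the checks the helper made by eye to the entries above: O17 NameServer values that are not the resolvers the analyst expects, O21 SSODL entries whose DLL is already missing, and O4 Run entries with a double extension or a per-user entry launching from system32. The sample log lines are constructed from the entries quoted in this thread, and the expected-resolver set is a placeholder the analyst fills with values confirmed with the ISP.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample modelled on the HijackThis v1.99.1 entries quoted in this thread
# (the 85.255.x.x NameServer values and the SSODL/Run entries the helper asked to fix).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [taskdir] C:\WINNT\system32\taskdir.exe
O4 - HKLM\..\Run: [ss] C:\WINNT\system32\ss.exe.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.94 85.255.112.225
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F6C3EF7-F1B9-41DD-AD13-E716125EC44A}: NameServer = 195.40.0.250
O21 - SSODL: mtkle - {6AC3F458-296F-4BF0-EFB8-4659CDB6CC27} - C:\WINNT\system32\iijdu32.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Placeholder allow-list: the analyst fills this with the resolvers the ISP or DHCP server
# actually hands out. 195.40.0.250 is used only because it is the value left in the
# thread's cleaned log; confirm it with the ISP before trusting it.
EXPECTED_RESOLVERS: Set[str] = {"195.40.0.250"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): NameServer = (?P<servers>.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
# Last path component of the executable in an O4 command line (quoted or not, with or without arguments).
EXE_RE = re.compile(r'([^\\"/\s]+\.(?:exe|dll|ocx|scr|com))(?=["\s]|$)', re.IGNORECASE)


@dataclass
class Finding:
    rule: str    # which check fired
    detail: str  # the value that triggered it
    line: str    # the original HijackThis line, for the fix list


def check_o4(m: re.Match, line: str) -> List[Finding]:
    out: List[Finding] = []
    exe = EXE_RE.search(m["cmd"])
    name = exe.group(1) if exe else ""
    # Double extensions such as ss.exe.exe (seen in the AntiVir detections in this thread)
    # are a masquerading trick; legitimate installers do not name binaries that way.
    if name.count(".") >= 2:
        out.append(Finding("O4-double-extension", name, line))
    # A per-user Run value launching a bare executable from system32 is unusual for
    # installed software (which registers under HKLM). Heuristic only: review, don't delete blindly.
    if m["hive"] == "HKCU" and "\\system32\\" in m["cmd"].lower():
        out.append(Finding("O4-hkcu-system32", name, line))
    return out


def triage(log_text: str, expected_resolvers: Set[str]) -> List[Finding]:
    """Walk a HijackThis log and return the entries that need analyst attention."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O17_RE.match(line):
            # Static NameServer values that are not the ISP's resolvers are the DNS-hijack
            # signature the helper fixed by switching the adapter back to automatic DNS.
            rogue = [ip for ip in m["servers"].split() if ip not in expected_resolvers]
            if rogue:
                findings.append(Finding("O17-unexpected-nameserver", " ".join(rogue), line))
        elif m := O21_RE.match(line):
            # ShellServiceObjectDelayLoad entries load a DLL into Explorer at logon; a random
            # name whose file is already gone is a leftover of the Vundo-style infection above.
            rule = "O21-ssodl-file-missing" if "(file missing)" in m["path"] else "O21-ssodl-review"
            findings.append(Finding(rule, m["name"], line))
        elif m := O4_RE.match(line):
            findings.extend(check_o4(m, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, EXPECTED_RESOLVERS):
        print(f"{f.rule:28} {f.detail:32} {f.line}")
```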
I'm working on the downloads on the spare machine...
Thanks again for all of your help!
I did everything you listed...still have not tried booting normally.
The following were not on HijackThis when I went to fix as you asked:
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [dmggw.exe] C:\WINNT\system32\dmggw.exe
There was an IP address when I went to switch to obtain DNS automatically. Does that mean anything?
Here are the reports that you requested. Thanks.
FixWareout Report:
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\ztomd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmotz.exe"=-
...
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Searching by size/names...
»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINNT\SYSTEM32\CSAKJ.EXE 51,715 2006-11-09
C:\WINNT\SYSTEM32\DMEGP.EXE 60,976 2003-06-19
Other suspects.
Directory of C:\WINNT\system32
{1CD0F38C-D73E-4304-8F2B-5F100AE3D6B7}.exe
»»»»» Misc files.
»»»»» Checking for older varients covered by the Rem3 tool.
HijackThis Report:
Logfile of HijackThis v1.99.1
Scan saved at 1:25:16 AM, on 12/2/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\explorer.exe
C:\11-30-06\Hijack This\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINNT\system32\hphmon06.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [taskdir] C:\WINNT\system32\taskdir.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F6C3EF7-F1B9-41DD-AD13-E716125EC44A}: NameServer = 195.40.0.250
O17 - HKLM\System\CCS\Services\Tcpip\..\{83028A08-5EE5-4E84-9B79-F8F430C48607}: NameServer = 195.40.0.250
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F5F5364-81BD-4494-8F72-69D3B39F4DE8}: NameServer = 195.40.0.250
O17 - HKLM\System\CS1\Services\Tcpip\..\{1F6C3EF7-F1B9-41DD-AD13-E716125EC44A}: NameServer = 195.40.0.250
O17 - HKLM\System\CS2\Services\Tcpip\..\{1F6C3EF7-F1B9-41DD-AD13-E716125EC44A}: NameServer = 195.40.0.250
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
_________________________
Please do the following....
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
O4 - HKCU\..\Run: [taskdir] C:\WINNT\system32\taskdir.exe
- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
Close HijackThis
_________________________
Make sure you can still view hidden files and folders
Then find and delete the following in RED
C:\WINNT\system32\{1CD0F38C-D73E-4304-8F2B-5F100AE3D6B7}.exe
C:\WINNT\system32\taskdir.exe
C:\WINNT\SYSTEM32\CSAKJ.EXE
C:\WINNT\SYSTEM32\DMEGP.EXE
_________________________
Open the Fixwareout folder, click fixit.bat
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
At the end of the fix, you may need to restart your computer again.
A report.txt will be created in the C:\fixwareout folder. Please keep it safe as I'll need to see it soon.
_________________________
Download and Save Blacklight to your desktop (choose "I ACCEPT" then click "DOWNLOAD" on the website).
Double-click blbeta.exe then accept the agreement, click > "Scan" then > "Next".
You'll see a list of all items found. There will also be a log on your desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stand for numbers).
Copy and paste this log in your next reply.
_________________________
Try installing AVG anti-virus and see if it works
_________________________
Please post the following:
1) FixWareout report
2) BlackLight log
3) New HijackThis log
Thanks.
Hope this helps.
You ran Fixwareout again. Could you post the log back here please?
You can try booting into Normal Mode now. I hope we have some luck here.
1. I did the HJT repair Safe Mode w/ networking
2. I deleted the .exe files you specified in Safe Mode w/ networking
3. I ran Fixwareout in Safe Mode w/ networking (log below)
4. Restarted in Normal Mode and updated/ran AntiVir (log below)...some viruses found (I quarantined them all for now, until you say to delete specific ones)
5. Ran Blacklight Beta in Normal Mode (log below)
6. Ran HJT in Safe Mode with Networking (log below)
I'll be gone for the next few hours and will be looking forward to the next actions!
Fix Wareout:
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please
Reg Entries that were deleted
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Searching by size/names...
»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects.
Directory of C:\WINNT\system32
»»»»» Misc files.
»»»»» Checking for older varients covered by the Rem3 tool.
AntiVir:
AntiVir PersonalEdition Classic
Report file date: Saturday, December 02, 2006 10:25
Scanning for 571968 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-WURGE-0001
Platform: Windows 2000
Windows version: (Service Pack 4) [5.0.2195]
Username: petrey
Computer name: HOME-PETREY
Version information:
AVSCAN.EXE : 7.0.0.47 200744 8/21/2006 17:06:56
AVSCAN.DLL : 7.0.0.45 41000 9/7/2006 17:56:33
LUKE.DLL : 7.0.0.47 118824 9/7/2006 17:32:33
LUKERES.DLL : 7.0.0.47 9256 9/7/2006 17:56:33
ANTIVIR0.VDF : 6.35.0.1 7371264 5/31/2006 17:35:27
ANTIVIR1.VDF : 6.36.1.24 2212864 11/14/2006 15:24:04
ANTIVIR2.VDF : 6.36.1.113 221696 12/1/2006 15:24:04
ANTIVIR3.VDF : 6.36.1.120 36864 12/2/2006 15:24:04
AVEWIN32.DLL : 7.2.0.46 1925632 12/2/2006 15:24:05
AVPREF.DLL : 7.0.0.2 23592 7/24/2006 19:36:04
AVREP.DLL : 6.36.1.111 983080 12/2/2006 15:24:04
AVRPBASE.DLL : 7.0.0.0 2162728 3/30/2006 15:43:31
AVPACK32.DLL : 7.2.0.5 368680 12/2/2006 15:24:05
AVREG.DLL : 6.31.0.90 27688 7/28/2005 17:06:36
NETNT.DLL : 6.32.0.0 6696 9/27/2005 14:56:49
NETNW.DLL : 7.0.0.0 9768 7/24/2006 19:35:55
RCIMAGE.DLL : 7.0.0.74 1642536 8/1/2006 18:22:57
RCTEXT.DLL : 7.0.1.4 77864 12/2/2006 15:24:02
Configuration settings for the scan:
Jobname.......................: Manual Selection
Configuration file............: C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\PROFILES\folder.avp
Boot sectors..................: A,C,D,E,F
Scan memory...................: 1
Process scan..................: 1
Scan all files................: 2
Scan archives.................: 1
Recursion depth...............: 20
Smart extensions..............: 1
Macro heuristic...............: 1
File heuristic................: 0
Primary action................: 1
Secondary action..............: 0
Start of the scan: Saturday, December 02, 2006 10:25
The scan of running processes will be started
20 Processes were scanned
Start scanning boot sectors:
Boot sector 'A:\'
[NOTE] In the drive 'A:\' no data medium is inserted!
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'F:\'
[NOTE] No virus was found!
Starting to scan the registry.
The registry was scanned ( 24 files ).
Starting the file scan:
The path A:\ could not be found!
The device is not ready.
C:\777.htm
[DETECTION] Is the Trojan horse TR/HTML.Starter.A
[INFO] The file was moved to '45a89b1e.qua'!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\11-30-06\Hijack This\backups\backup-20061202-010922-336.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '45d49b50.qua'!
C:\Documents and Settings\petrey\hv8DHJl.exe
[DETECTION] Is the Trojan horse TR/Crypt.F.Gen
[INFO] The file was moved to '45a99b8b.qua'!
C:\Documents and Settings\petrey\NTUSER.DAT
[WARNING] The file could not be opened!
C:\Documents and Settings\petrey\NTUSER.DAT.LOG
[WARNING] The file could not be opened!
C:\Documents and Settings\petrey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[WARNING] The file could not be opened!
C:\Documents and Settings\petrey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
[WARNING] The file could not be opened!
C:\WINNT\system32\adir.dll
[DETECTION] Contains signature of the worm WORM/Banwarum.F.17
[INFO] The file was moved to '45daa348.qua'!
C:\WINNT\system32\dlh9jkd1q6.exe
[DETECTION] Is the Trojan horse TR/Crypt.F.Gen
[INFO] The file was moved to '45d9a360.qua'!
C:\WINNT\system32\dlh9jkd1q7.exe
[DETECTION] Is the Trojan horse TR/Crypt.F.Gen
[INFO] The file was moved to '45d9a363.qua'!
C:\WINNT\system32\google.png.exe
[DETECTION] Is the Trojan horse TR/Crypt.F.Gen
[INFO] The file was moved to '45e0a36e.qua'!
C:\WINNT\system32\se.exe.exe
[DETECTION] Is the Trojan horse TR/Crypt.F.Gen
[INFO] The file was moved to '459fa37c.qua'!
C:\WINNT\system32\ss.exe.exe
[DETECTION] Contains signature of the worm WORM/Glowa
[INFO] The file was moved to '459fa38f.qua'!
C:\WINNT\system32\w.exe.exe
[DETECTION] Is the Trojan horse TR/Crypt.F.Gen
[INFO] The file was moved to '45d6a350.qua'!
C:\WINNT\system32\xdgqwp.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '45d8a38c.qua'!
C:\WINNT\system32\ActiveScan\pskavs.dll
[DETECTION] Contains signature of the Windows virus W95/Blumblebee.1738
[INFO] The file was moved to '45dca39f.qua'!
C:\WINNT\system32\config\default
[WARNING] The file could not be opened!
C:\WINNT\system32\config\default.LOG
[WARNING] The file could not be opened!
C:\WINNT\system32\config\SAM
[WARNING] The file could not be opened!
C:\WINNT\system32\config\SAM.LOG
[WARNING] The file could not be opened!
C:\WINNT\system32\config\SECURITY
[WARNING] The file could not be opened!
C:\WINNT\system32\config\SECURITY.LOG
[WARNING] The file could not be opened!
C:\WINNT\system32\config\software
[WARNING] The file could not be opened!
C:\WINNT\system32\config\software.LOG
[WARNING] The file could not be opened!
C:\WINNT\system32\config\system
[WARNING] The file could not be opened!
C:\WINNT\system32\config\SYSTEM.ALT
[WARNING] The file could not be opened!
C:\WINNT\Temp\ZLT02a4a.TMP
[WARNING] The file could not be opened!
C:\WINNT\Temp\ZLT02a4e.TMP
[WARNING] The file could not be opened!
The path D:\ could not be found!
The device is not ready.
The path E:\ could not be found!
The device is not ready.
The path F:\ could not be found!
The system cannot find the path specified.
End of the scan: Saturday, December 02, 2006 11:01
Used time: 36:23 min
The scan has been done completely.
3880 Scanning directories
221374 Files were scanned
12 viruses and/or unwanted programs were found
0 files were deleted
0 files were repaired
12 files were moved to quarantine
0 files were renamed
1296 Archives were scanned
17 Warnings
1 Notes
Blacklight Beta:
12/02/06 11:04:41 [Info]: BlackLight Engine 1.0.47 initialized
12/02/06 11:04:41 [Info]: OS: 5.0 build 2195 (Service Pack 4)
12/02/06 11:04:42 [Note]: 7019 4
12/02/06 11:04:42 [Note]: 7005 0
12/02/06 11:05:22 [Note]: 7006 0
12/02/06 11:05:22 [Note]: 7011 1056
12/02/06 11:05:23 [Note]: 7026 0
12/02/06 11:05:23 [Note]: 7026 0
12/02/06 11:05:38 [Note]: FSRAW library version 1.7.1020
12/02/06 11:16:21 [Note]: 7007 0
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 11:22:06 AM, on 12/2/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\11-30-06\Hijack This\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINNT\system32\hphmon06.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
Fixwareout and Blacklight logs are clean.
Now that the computer boots into Normal Mode, I would like to see HijackThis logs from there instead of Safe Mode please.
We need to run a few more scans.
Let's begin...
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
- Install AVG Anti-Spyware by double clicking the installer.
- Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
- On the main screen under Your Computer's security.
- Click on Change state next to Resident shield. It should now change to inactive.
- Click on Change state next to Automatic updates. It should now change to inactive.
- Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
- Wait until you see the Update successful message.
- Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido: AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
- Login on your usual account.
Once in Safe Mode: Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
- Click on Scanner on the toolbar.
- Click on the Settings tab.
- Under How to act?
- Click on Recommended Action and choose Quarantine from the popup menu.
- Under How to scan?
- All checkboxes should be ticked.
- Under Possibly unwanted software:
- All checkboxes should be ticked.
- Under Reports:
- Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan?
- Select Scan every file.
- Click on the Scan tab.
- Click on Complete System Scan to start the scan process.
- Let the program scan the machine.
- When the scan has finished, follow the instructions below.
- Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
- At the bottom of the window click on the Apply all Actions button. (3)

- When done, click the Save Scan Report button. (4)
- Click the Save Report as button.
- Save the report to your Desktop.
- Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
- Reboot back into Normal Mode.
IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
______________________________
Once in Normal Mode, please do an online scan with Panda ActiveScan
- Once you are on the Panda site, click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
______________________________
1. Download this file to your Desktop - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
______________________________
Please post the following:
1) AVG anti-spyware log
2) Panda Report
3) ComboFix log
4) New HijackThis log from Normal Mode
Use separate posts, otherwise the logs may get cut off.
Finally, I have had a chance to complete the last set of commands. In this post are the AVG and Panda reports.
Here is the AVG anti-spyware log:
AVG Anti-Spyware - Scan Report
+ Created at: 7:17:47 PM 12/2/2006
+ Scan result:
C:\Documents and Settings\petrey\Cookies\petrey@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\petrey\Cookies\petrey@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
::Report end
Panda Report (unable to produce real report because nothing found):
No viruses or other malicious software have been found!
Combofix.exe log:
petrey - Sat 12/02/2006 21:51:21.00 Service Pack 4
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\petrey\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-11-02 to 2006-12-02 ))))))))))))))))))))))))))))))))))
2006-12-02 10:12 57,384 --a C:\WINNT\system32\avsda.dll
2006-12-02 10:12 46,720 --a C:\WINNT\system32\drivers\avgntdd.sys
2006-12-02 10:12 11,904 --a C:\WINNT\system32\drivers\avgntmgr.sys
2006-12-02 10:12 <DIR> d-a C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
2006-12-02 10:12 <DIR> d C:\Program Files\AntiVir PersonalEdition Classic
2006-12-02 00:51 <DIR> d C:\fixwareout
2006-12-02 00:25 <DIR> d-a C:\WINNT\system32\ZoneLabs
2006-12-02 00:25 <DIR> d C:\Program Files\Zone Labs
2006-12-02 00:23 <DIR> d C:\Program Files\Grisoft
2006-12-01 06:30 76,560 --a C:\WINNT\system32\drivers\tmcomm.sys
2006-11-30 23:30 <DIR> d C:\Documents and Settings\petrey\.housecall6.6
2006-11-30 20:47 3,968 --a C:\WINNT\system32\drivers\AvgAsCln.sys
2006-11-30 20:32 <DIR> d C:\WINNT\system32\ActiveScan
2006-11-30 20:21 <DIR> d C:\VundoFix Backups
2006-11-30 20:12 53,248 --a C:\WINNT\system32\Process.exe
2006-11-30 20:12 40,960 --a C:\WINNT\system32\swsc.exe
2006-11-30 20:12 4,160 --a C:\WINNT\system32\tmp.reg
2006-11-30 20:12 288,417 --a C:\WINNT\system32\SrchSTS.exe
2006-11-30 20:12 135,168 --a C:\WINNT\system32\swreg.exe
2006-11-30 20:11 <DIR> d C:\11-30-06
2006-11-30 18:47 <DIR> d C:\Program Files\Trend Micro
2006-11-30 07:21 59,392 --a C:\WINNT\system32\vxga5me3.exe
2006-11-30 07:20 14 --a C:\WINNT\system32\dlh9jkd1q8.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-12-02 21:42 d C:\Program Files\iTunes
2006-12-02 21:42 d C:\Program Files\Internet Explorer
2006-12-02 21:39 d C:\Program Files\Bonjour
2006-12-02 00:19 44288 --a C:\WINNT\system32\drivers\cdr4_2K.sys
2006-11-30 18:27 d C:\Program Files\Common Files\Webroot Shared
2006-11-29 22:47 d C:\Program Files\Roxio
2006-11-18 13:48 d C:\Program Files\LimeWire
2006-11-18 13:02 d C:\Program Files\Incomplete
2006-10-09 06:13 d C:\Program Files\Common Files\AOL
2006-10-08 22:41 d-a C:\Program Files\Common Files
2006-10-08 22:32 d C:\Documents and Settings\petrey\Application Data\acccore
2006-10-08 22:31 d C:\Program Files\Viewpoint
2006-10-08 22:31 d C:\Program Files\Common Files\Nullsoft
2006-10-08 22:31 d C:\Program Files\AOD
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"AtiPTA"="atiptaxx.exe"
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"HPDJ Taskbar Utility"="C:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\hpztsb11.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_05\\bin\\jusched.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"CreateCD50"="\"C:\\Program Files\\Common Files\\Adaptec Shared\\CreateCD\\CreateCD50.exe\" -r"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"HPHUPD06"="C:\\Program Files\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphupd06.exe"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HPHmon06"="C:\\WINNT\\system32\\hphmon06.exe"
"OfficeScanNT Monitor"="\"C:\\Program Files\\Trend Micro\\OfficeScan Client\\pccntmon.exe\" -HideWindow"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINNT\tasks\HP Usg Daily FY04.job
Completion time: Sat 2006-12-02 21:52:16.60
C:\ComboFix.txt ... 06-12-02 21:52
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 9:57:01 PM, on 12/2/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\system32\hphmon06.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\11-30-06\Hijack This\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINNT\system32\hphmon06.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
Thanks again!
Find and delete the following Files in RED
C:\WINNT\system32\vxga5me3.exe
C:\WINNT\system32\dlh9jkd1q8.exe
____________________________
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java versions and update to the latest version...
Updating Java:
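As an added illustration (not part of this thread and not a HijackThis feature), here is a small Python triage script for the O4 and O23 lines of a HijackThis log like the one above. It flags the things a helper scans for first: random-looking executable names such as the two system32 files named above, services whose binary is missing, and services with no vendor. The sample lines are constructed from the posted log; the two Run entries for vxga5me3.exe and dlh9jkd1q8.exe are invented for illustration.

```python
"""Triage HijackThis O4 (autostart) and O23 (service) lines: added example, not a HijackThis feature."""
import re
from pathlib import PureWindowsPath

# Constructed sample in the HijackThis line format shown above; the two Run entries for
# vxga5me3.exe and dlh9jkd1q8.exe are invented to mirror the files the helper flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPHmon06] C:\WINNT\system32\hphmon06.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [vxga5me3] C:\WINNT\system32\vxga5me3.exe
O4 - HKLM\..\Run: [dlh9jkd1q8] C:\WINNT\system32\dlh9jkd1q8.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
"""
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll|ocx))', re.IGNORECASE)  # full path
BARE_RE = re.compile(r'\b([\w.-]+\.exe)\b', re.IGNORECASE)                   # e.g. mobsync.exe
RANDOM_RE = re.compile(r'[a-z]\d+[a-z]')  # interior digits (vxga5me3), unlike hphmon06

def extract_path(line: str):
    m = PATH_RE.search(line) or BARE_RE.search(line)
    return m.group(1) if m else None

def assess(line: str) -> list:
    """Reasons an O4/O23 entry deserves review; [] means nothing stood out."""
    if not line.startswith(("O4 ", "O23 ")):
        return []
    path = extract_path(line)
    if path is None:
        return ["no executable found"]
    reasons = []
    if RANDOM_RE.search(PureWindowsPath(path).stem.lower()):
        reasons.append("random-looking filename")
    if "(file missing)" in line:   # registered service whose binary is gone
        reasons.append("service binary missing")
    if "Unknown owner" in line:    # no vendor string in the service entry
        reasons.append("no vendor/owner")
    return reasons

def triage(log_text: str) -> dict:
    """Map flagged lines to reasons. A flag is a prompt to verify the file, not a verdict:
    the missing OfcPfwSvc above is only the half-installed OfficeScan client."""
    flagged = {}
    for line in log_text.splitlines():
        reasons = assess(line)
        if reasons:
            flagged[line] = reasons
    return flagged
```

Run against the full log above, the name heuristic leaves every vendor entry (hphmon06, HPZipm12, CreateCD50) alone and would only pick out the two files the helper asked to delete.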
Your logs are now clean. Let me know how things are.
I have completed all of your instructions, and the computer appears to be running smoother than ever. Thanks again for all of your expert help.
Through work, I am allowed a copy of Trend OfficeScan. Would you recommend installing and using it instead of continuing to use the free software?
Thanks again.
Let me know if you have any other questions, or if I can mark this resolved.
Infections can change and fresh instructions will now need to be given. This topic is now closed. If you still require assistance, please start a new topic in the Spyware & Virus Removal Forum.
If you wish this topic reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.
Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
If you are not the user who started this thread, you must start a new Thread instead