
Have tried 6 different spyware and virus removal tools.


This topic is locked
32 replies to this topic

#1 SimonJacques (New Member, 18 posts)

Posted 19 March 2007 - 04:37 AM

Hi,
AVG anti-virus intermittently says I have Worm Allaple A or B. Recently it said I had a trojan dropper
internat or something. I have picked up a few problems scanning with Trend Micro, AVG, and Super Anti Spyware. These were apparently fixed but I still keep getting messages from AVG. Ad-aware and AVG anti spyware found nothing.

Here is my log file as of today,


Logfile of HijackThis v1.99.1
Scan saved at 6:34:13 PM, on 19/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WL.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\STDSB.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\help\lsass.exe
C:\Program Files\analyse.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.135.4:1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WL] C:\WINDOWS\System32\WL.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Comodo Firewall] C:\Program Files\Comodo\Firewall\CPF.exe /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
O21 - SSODL: msp.cpl - {E21B5E20-DE35-11CF-9C87-157900512701} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Windows Network Security Management Service (nsms) - Unknown owner - C:\WINDOWS\system32\3C.tmp (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



#2 Mr_JAk3 (Authentic Member, 182 posts)

Posted 22 March 2007 - 01:39 AM

Hello and welcome to the Forums :)

You're infected. One or more of the identified infections allows the attacker to steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this article too.

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

UNITE & ASAP member since 2006

#3 SimonJacques (New Member, 18 posts)

Posted 24 March 2007 - 02:43 AM

Hi,

Thank you for helping me.
Here is the SDFix log


SDFix: Version 1.74

Run by Administrator - Sat 24/03/2007 - 16:32:27.24

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\Documents and Settings\SDFix

Safe Mode:
Checking Services:

SDFix: Version 1.74

Run by Administrator - Sat 24/03/2007 - 16:32:27.24

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\Documents and Settings\SDFix

Safe Mode:
Checking Services:

Name:
nsms

ImagePath:
C:\WINDOWS\system32\3C.tmp

nsms Deleted


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\o - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------




Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\WINDOWS\LastGood.Tmp\Twain.dll
C:\WINDOWS\LastGood.Tmp\Twain_32.dll
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\System Volume Information\_restore{48A15741-7F38-4981-86DB-5BE7832CB273}\RP12\A0001021.exe
C:\System Volume Information\_restore{48A15741-7F38-4981-86DB-5BE7832CB273}\RP7\A0000509.exe
C:\WINDOWS\LastGood.Tmp\Twunk_16.exe
C:\WINDOWS\LastGood.Tmp\Twunk_32.exe
C:\WINDOWS\LastGood.Tmp\Twain.dll
C:\WINDOWS\LastGood.Tmp\Twain_32.dll
C:\WINDOWS\LastGood.Tmp\Twunk_16.exe
C:\WINDOWS\LastGood.Tmp\Twunk_32.exe
C:\WINDOWS\LastGood.Tmp\INF\oem10.inf
C:\WINDOWS\LastGood.Tmp\INF\oem10.PNF
C:\WINDOWS\LastGood.Tmp\INF\PmxScan.inf
C:\WINDOWS\LastGood.Tmp\INF\PmxScan.PNF
C:\WINDOWS\LastGood.Tmp\twain_32\3600\lutgray.plg

Finished

And the Hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 4:43:41 PM, on 24/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\WL.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\STDSB.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\analyse.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.135.4:1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WL] C:\WINDOWS\System32\WL.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Comodo Firewall] C:\Program Files\Comodo\Firewall\CPF.exe /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
O21 - SSODL: msp.cpl - {E21B5E20-DE35-11CF-9C87-157900512701} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks again,
Simon

#4 Mr_JAk3 (Authentic Member, 182 posts)

Posted 25 March 2007 - 03:22 AM

Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.
==================

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
O21 - SSODL: msp.cpl - {E21B5E20-DE35-11CF-9C87-157900512701} - (no file)

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

Do you know anything about this entry?
O4 - HKLM\..\Run: [WL] C:\WINDOWS\System32\WL.exe

Go to virustotal.com
Copy the following to the box next to "Browse" button:
C:\WINDOWS\System32\WL.exe
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
- virustotal results
UNITE & ASAP member since 2006
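A defender-side triage script, added here as an example (it is not a forum tool and not part of HijackThis), that applies the checks the helper relies on in this thread to a HijackThis 1.99 log: an O23 service whose binary is missing or lives in a .tmp file (like the nsms entry SDFix removed), an O21 SSODL line pointing at no file, and a copy of a core Windows binary such as lsass.exe running from outside System32. The link-local proxy check and the sample log lines are my own constructions modelled on the logs posted above.

```python
"""Triage helper for HijackThis 1.99 logs (added example, not a forum tool)."""
import re
from ipaddress import ip_address

# Core Windows binaries that should only run from the system directory.
# A same-named copy elsewhere (e.g. C:\WINDOWS\help\lsass.exe) is a masquerade.
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                   "services.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\",)

# "Running processes:" section lines are bare paths; everything else in the
# log body is "<kind> - <body>" (R0, R1, O2 ... O23, F0/F2).
PROCESS_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
ENTRY_RE = re.compile(r"^(?P<kind>[ROF]\d+) - (?P<body>.*)$")
TMP_BINARY_RE = re.compile(r"\.tmp(\s|$)", re.IGNORECASE)


def _flag_process(path):
    """Flag a process whose file name belongs to a core binary but whose
    directory is not System32."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
        return f"process {name} running outside System32: {path}"
    return None


def _flag_entry(kind, body):
    """Apply the per-section checks used in this thread to one log entry."""
    if kind == "O23" and ("(file missing)" in body or TMP_BINARY_RE.search(body)):
        return f"O23 service with missing or temp-file binary: {body}"
    if kind == "O21" and "(no file)" in body:
        return f"O21 SSODL entry with no backing file (leftover): {body}"
    if kind == "R1" and "ProxyServer" in body:
        # Assumption (my own check): a proxy on a link-local 169.254.x.x
        # address is unusual for a home PC and worth verifying.
        host = body.split("=", 1)[1].strip().split(":")[0]
        try:
            if ip_address(host).is_link_local:
                return f"R1 proxy pointing at link-local address: {body}"
        except ValueError:
            pass
    return None


def triage(log_text):
    """Return a list of human-readable findings, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            hit = _flag_entry(m.group("kind"), m.group("body"))
        elif PROCESS_RE.match(line):
            hit = _flag_process(line)
        else:
            hit = None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample, shaped like the logs in this thread (not a real capture).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\help\lsass.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.135.4:1
O4 - HKLM\..\Run: [WL] C:\WINDOWS\System32\WL.exe
O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
O23 - Service: Windows Network Security Management Service (nsms) - Unknown owner - C:\WINDOWS\system32\3C.tmp (file missing)
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The script only raises candidates for a human to review; the helper's decision in this thread (fixing the O21 lines, VirusTotal-checking WL.exe rather than removing it) shows why a flag is a prompt, not a verdict.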

#5 SimonJacques (New Member, 18 posts)

Posted 29 March 2007 - 06:16 AM

Thank you for all your help.

Here are the results of the AVG anti spyware scan.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:45:03 PM 29/03/2007

+ Scan result:



C:\WINDOWS\Help\lsass.exe -> Not-A-Virus.Exploit.DCom.58 : Cleaned with backup (quarantined).


::Report end


I have the 30 day trial version of AVG anti spyware. What happens to the quarantined file when the trial period ends?


Here is the new Hijack This Scan.

Logfile of HijackThis v1.99.1
Scan saved at 7:55:00 PM, on 29/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WL.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\STDSB.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\analyse.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.135.4:1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WL] C:\WINDOWS\System32\WL.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Comodo Firewall] C:\Program Files\Comodo\Firewall\CPF.exe /background
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: (no name) - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I am wondering about the O21 entry. But you're the expert!

Here is the result of the VirusTotal scan of the file you asked me to check.

Antivirus Version Update Result
AhnLab-V3 2007.3.27.0 03.29.2007 no virus found
AntiVir 7.3.1.44 03.29.2007 no virus found
Authentium 4.93.8 03.29.2007 no virus found
Avast 4.7.936.0 03.28.2007 no virus found
AVG 7.5.0.447 03.28.2007 no virus found
BitDefender 7.2 03.29.2007 no virus found
CAT-QuickHeal 9.00 03.28.2007 no virus found
ClamAV devel-20070312 03.29.2007 no virus found
DrWeb 4.33 03.29.2007 no virus found
eSafe 7.0.15.0 03.29.2007 no virus found
eTrust-Vet 30.6.3522 03.29.2007 no virus found
Ewido 4.0 03.29.2007 no virus found
FileAdvisor 1 03.29.2007 no virus found
Fortinet 2.85.0.0 03.29.2007 no virus found
F-Prot 4.3.1.45 03.28.2007 no virus found
F-Secure 6.70.13030.0 03.29.2007 no virus found
Ikarus T3.1.1.3 03.29.2007 no virus found
Kaspersky 4.0.2.24 03.29.2007 no virus found
McAfee 4994 03.28.2007 no virus found
Microsoft 1.2306 03.29.2007 no virus found
NOD32v2 2154 03.29.2007 no virus found
Norman 5.80.02 03.28.2007 no virus found
Panda 9.0.0.4 03.28.2007 no virus found
Prevx1 V2 03.29.2007 no virus found
Sophos 4.16.0 03.29.2007 no virus found
Sunbelt 2.2.907.0 03.24.2007 no virus found
Symantec 10 03.29.2007 no virus found
TheHacker 6.1.6.080 03.23.2007 no virus found
UNA 1.83 03.16.2007 no virus found
VBA32 3.11.2 03.29.2007 no virus found
VirusBuster 4.3.7:9 03.28.2007 no virus found
Webwasher-Gateway 6.0.1 03.29.2007 no virus found

Aditional Information
File size: 192512 bytes
MD5: e121b46e957dbf783819ddf243a7f17e
SHA1: 9d5aff394ec17459903587ee24337bec391bca2d

Thank you again, Simon

#6 Mr_JAk3 (Authentic Member, 182 posts)

Posted 29 March 2007 - 11:27 AM

Hello :)

That O21 is definitely bad (a leftover)...

You should print these instructions or save these to a text file. Follow these instructions carefully.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O21 - SSODL: (no name) - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)



Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, you should now mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found
  • If so, click it and then click the next icon right below and select Move incurable
  • After the scan, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot the computer in Normal Mode,
  • Post the Cure-it report and a fresh HijackThis log

UNITE & ASAP member since 2006

#7 SimonJacques (New Member, 18 posts)

Posted 31 March 2007 - 06:09 AM

Hi,

I did the scan using Dr Web
Nothing was found.

However I just scanned using AVG Anti Virus.

It found -

Trojan Horse Dropper.Generic.INF
C:\Windows\Help\internat.exe

Virus Win32/CryptExe
C:\WINDOWS\system32\config\systemprofile\LocalSettings\TemporaryInternetFiles\Content.IE5\Y3YXOBE9\bootchk[1].exe

Worm/Padobot.V
C:\Windows\system32\config\systemprofile\LocalSettings\TemporaryInternetFiles\Content.IE5\Y3YXOBE9\x[1].exe

Here is the HJ scan as well

Logfile of HijackThis v1.99.1
Scan saved at 8:13:29 PM, on 31/03/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\WL.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\STDSB.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\analyse.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.135.4:1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WL] C:\WINDOWS\System32\WL.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Comodo Firewall] C:\Program Files\Comodo\Firewall\CPF.exe /background
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: (no name) - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks, Simon

#8 Mr_JAk3

Mr_JAk3

    Authentic Member

  • Authentic Member
  • PipPip
  • 182 posts

Posted 01 April 2007 - 12:12 AM

Hi again, we'll continue :)

Let's try to remove the bad line in safe mode.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O21 - SSODL: (no name) - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)

Reboot in Normal Mode.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
UNITE & ASAP member since 2006
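The entry the helper asks to fix above is an O21 SSODL line whose target is "(no file)": a CLSID registered under ShellServiceObjectDelayLoad with no DLL on disk behind it. The following is an added example for this thread, not HijackThis code, showing how a small parser can pick such orphaned entries out of a HijackThis log. SAMPLE_LINES are copied from the log posted above; the "(no file)" rule is the same one the helper applied, and SECTION_INFO is an assumed, abbreviated description of what each autostart location does.

```python
"""Flag orphaned HijackThis entries, e.g. an O21 SSODL line pointing at "(no file)".

Added example for this thread, not HijackThis code. SAMPLE_LINES are copied from
the log posted above; the "(no file)" heuristic is the one the helper applied.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# "O21 - SSODL: (no name) - {CLSID} - (no file)"  ->  section + body
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# What each autostart location does (assumed summary), used to explain a hit.
SECTION_INFO = {
    "O2": "Browser Helper Object loaded into Internet Explorer",
    "O3": "Internet Explorer toolbar",
    "O9": "extra Internet Explorer button or Tools menu item",
    "O21": "ShellServiceObjectDelayLoad: COM object loaded into Explorer at logon",
}

# Lines taken from the HijackThis log posted above.
SAMPLE_LINES = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O4 - HKLM\..\Run: [WL] C:\WINDOWS\System32\WL.exe",
    r"O21 - SSODL: (no name) - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)",
    r"O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe",
]


@dataclass
class Entry:
    section: str
    clsid: Optional[str]
    target: str  # file path, registry data, or "(no file)"
    raw: str


def parse_line(line: str) -> Optional[Entry]:
    """Split one log line into section, CLSID (if any) and its final target field."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, process list or blank line
    parts = [p.strip() for p in m.group("body").split(" - ")]
    clsid = next((p for p in parts if CLSID_RE.fullmatch(p)), None)
    # An empty company field ("- -") leaves a stray dash on the last part.
    target = re.sub(r"^-\s*", "", parts[-1])
    return Entry(m.group("section"), clsid, target, line.strip())


def find_orphans(lines: List[str]) -> List[Entry]:
    """Entries whose target is "(no file)": a registration with nothing on disk."""
    entries = (parse_line(l) for l in lines)
    return [e for e in entries if e is not None and e.target.lower() == "(no file)"]


def report(lines: List[str]) -> List[str]:
    """Human-readable summary of every orphaned entry found."""
    out = []
    for e in find_orphans(lines):
        why = SECTION_INFO.get(e.section, "autostart entry")
        out.append(f"{e.section} {e.clsid or '-'}: orphaned ({why}); candidate to fix in HijackThis")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LINES):
        print(line)
```

Run against the sample, only the O21 line is reported; the O2 BHO, the O4 Run entry and the O23 service all resolve to a file and are left alone. An orphaned registration is harmless by itself, which is why fixing it is low-risk, but it is also the kind of leftover that a dropper's deletion or a half-finished cleanup leaves behind, so it is worth clearing along with the rest.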

#9 SimonJacques

SimonJacques

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 01 April 2007 - 04:41 AM

Hi,

Here is the combo fix log.

"wbellman" - 07-04-01 18:37:42 Service Pack 1
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\wbellman\Desktop"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wl.exe
C:\install.log


((((((((((((((((((((((((((((((( Files Created from 2007-03-01 to 2007-04-01 ))))))))))))))))))))))))))))))))))


2007-04-01 18:15 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-04-01 14:28 23,510,720 --a------ C:\Program Files\dotnetfx.exe
2007-03-31 16:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-03-31 16:35 6,062,784 --a------ C:\Program Files\drweb-cureit.exe
2007-03-29 18:31 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-28 19:48 50,688 --a------ C:\Program Files\ATF-Cleaner.exe
2007-03-24 16:29 699,657 --a------ C:\Program Files\SDFix.exe
2007-03-23 20:37 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-03-19 20:34 <DIR> d-------- C:\DOCUME~1\wbellman\APPLIC~1\TrojanHunter
2007-03-19 20:10 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-03-14 21:10 164 --a------ C:\install.dat
2007-03-12 21:30 <DIR> d-------- C:\DOCUME~1\wbellman\APPLIC~1\Business Logic
2007-03-12 20:31 <DIR> d-------- C:\DOCUME~1\wbellman\.housecall6.6
2007-03-12 20:28 <DIR> d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2007-03-12 18:12 26 --a------ C:\WINDOWS\winstart.bat
2007-03-12 18:12 156 --a------ C:\WINDOWS\tmpcpyis.bat
2007-03-12 18:12 122 --a------ C:\WINDOWS\tmpdelis.bat
2007-03-12 18:12 <DIR> d-------- C:\SWWIN
2007-03-11 21:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-03-11 21:26 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-03-11 15:06 <DIR> d-------- C:\Program Files\Trend Micro
2007-03-11 13:46 <DIR> d-------- C:\All Set Ups
2007-03-10 21:13 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-10 21:13 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-03-10 19:00 <DIR> d-------- C:\Program Files\Security Task Manager
2007-03-10 15:39 <DIR> d-------- C:\Program Files\Advanced Spyware Remover
2007-03-07 20:32 <DIR> d-------- C:\Program Files\BillP Studios
2007-03-07 20:32 <DIR> d-------- C:\DOCUME~1\wbellman\APPLIC~1\WinPatrol
2007-03-01 13:19 <DIR> d-------- C:\Program Files\DOSBox-0.65


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-31 20:23 -------- d-------- C:\DOCUME~1\wbellman\APPLIC~1\skype
2007-03-24 16:07 651643 --a------ C:\Program Files\sdfix.zip
2007-03-13 18:57 13083 --a--c--- C:\WINDOWS\mozver.dat
2007-03-12 21:35 -------- d-------- C:\Program Files\pc-linq
2007-03-12 20:24 -------- d-------- C:\DOCUME~1\wbellman\APPLIC~1\msn6
2007-03-11 21:26 -------- d-------- C:\DOCUME~1\wbellman\APPLIC~1\superantispyware.com
2007-03-11 14:03 -------- d-------- C:\DOCUME~1\wbellman\APPLIC~1\lavasoft
2007-03-04 13:53 -------- d-------- C:\DOCUME~1\wbellman\APPLIC~1\spyware terminator
2007-03-01 18:22 4 --a------ C:\WINDOWS\vx86036.dat
2007-03-01 14:48 -------- d-------- C:\DOCUME~1\wbellman\APPLIC~1\help
2007-02-24 17:31 -------- d-------- C:\Program Files\ccleaner
2007-02-24 13:40 0 --a------ C:\Program Files\stat.log
2007-02-24 13:39 -------- d--h----- C:\Program Files\installshield installation information
2007-02-24 13:38 2509824 --a------ C:\Program Files\stylewriterdemo.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WL"="C:\\WINDOWS\\System32\\WL.exe"
"SynTPLpr"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe\""
"SynTPEnh"="\"C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe\""
"STDSB"="C:\\WINDOWS\\System32\\STDSB.exe"
"SSC_UserPrompt"="\"C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe\""
"SoundMan"="SOUNDMAN.EXE"
"SiS KHooker"="C:\\WINDOWS\\System32\\khooker.exe"
"Microsoft Works Update Detection"="\"C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe\""
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"Comodo Firewall"="C:\\Program Files\\Comodo\\Firewall\\CPF.exe /background"
"WinPatrol"="\"C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe\""
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
@="{E61B5E20-DE35-11CF-9C87-1579005127ED}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"="C:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Disk Cleanup.job
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\ISP signup reminder 2.job
C:\WINDOWS\tasks\ISP signup reminder 3.job
C:\WINDOWS\tasks\Registration reminder 1.job
C:\WINDOWS\tasks\Registration reminder 3.job
C:\WINDOWS\tasks\Symantec NetDetect.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-01 18:41:10


I cannot delete that entry at O21 shown in HijackThis.
Do I have to use regedit or turn off System Restore? Or something else?

Logfile of HijackThis v1.99.1
Scan saved at 6:45:39 PM, on 1/04/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\STDSB.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\analyse.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.135.4:1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WL] C:\WINDOWS\System32\WL.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Comodo Firewall] C:\Program Files\Comodo\Firewall\CPF.exe /background
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: (no name) - {E61B5E20-DE35-11CF-9C87-1579005127ED} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Ok, thanks
Simon

#10 Mr_JAk3

Mr_JAk3

    Authentic Member

  • Authentic Member
  • PipPip
  • 182 posts

Posted 01 April 2007 - 12:28 PM

Hi, we'll try with a regfix.

Backup your registry:
  • Start
  • Run
  • Type the following into the box and click OK: regedit
  • A window opens, click on File
  • Choose Export from the menu
  • Change the save location to C:\
  • Give the filename, RegBackUp
  • Make sure that the filetype is set to Registryfiles (*.reg)
  • Click on Save and Close the window
Open Notepad (NOT WordPad!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end (don't forget to copy and paste the word REGEDIT4):

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WL"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
@=-



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Restart the computer.

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply along with a fresh HijackThis log.

Warning! Please do not select the "Show all" checkbox during the scan.
UNITE & ASAP member since 2006
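The fix above relies on two pieces of .reg syntax: a line of the form "name"=- deletes that value from the key named in the preceding brackets, and @ stands for the key's (Default) value, so @=- removes the default value that ComboFix showed holding the SSODL CLSID. The following is an added example for this thread, not regedit or ComboFix code. It checks the fix text against the two formatting rules the post states (REGEDIT4 on the first line, one blank line at the end) and previews what merging it would delete. FIX_REG is the fix quoted above; SNAPSHOT is a constructed dictionary built from the "Reg Loading Points" section of the ComboFix log earlier in the thread, with "@" used as the name of the (Default) value.

```python
"""Check a REGEDIT4 fix file against the rules in the post and preview its effect.

Added example for this thread, not regedit or ComboFix code. FIX_REG is the fix
quoted above; SNAPSHOT is a constructed dict built from the "Reg Loading Points"
section of the ComboFix log, with "@" standing for the (Default) value.
"""
from typing import Dict, List, Tuple

FIX_REG = (
    "REGEDIT4\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run]\n"
    "\"WL\"=-\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\shellserviceobjectdelayload]\n"
    "@=-\n"
    "\n"
)

RUN_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run"
SSODL_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload"

Registry = Dict[str, Dict[str, str]]  # key -> {value name -> data}

# Constructed from the ComboFix "Reg Loading Points" dump posted above.
SNAPSHOT: Registry = {
    RUN_KEY: {
        "WL": r"C:\WINDOWS\System32\WL.exe",
        "Comodo Firewall": r"C:\Program Files\Comodo\Firewall\CPF.exe /background",
        "AVG7_CC": r'"C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP',
    },
    SSODL_KEY: {"@": "{E61B5E20-DE35-11CF-9C87-1579005127ED}"},
}

Op = Tuple[str, str, str]  # (key, value name, "delete" | "set")


def validate(text: str) -> List[str]:
    """Return the formatting problems the post warns about; an empty list means OK."""
    text = text.replace("\r\n", "\n")
    problems = []
    if text.split("\n", 1)[0] != "REGEDIT4":
        problems.append("first line must be REGEDIT4 with no blank lines before it")
    if not text.endswith("\n\n"):
        problems.append("file must end with one blank line")
    return problems


def parse_fix(text: str) -> List[Op]:
    """Turn the fix into (key, name, action) tuples.

    In .reg syntax "name"=- deletes that value, and @ is the (Default) value,
    so @=- deletes the default value of the current key.
    """
    ops: List[Op] = []
    key = None
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None:
            raise ValueError(f"value line before any [key]: {line!r}")
        name, _, data = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        ops.append((key, name, "delete" if data == "-" else "set"))
    return ops


def apply_fix(snapshot: Registry, ops: List[Op]) -> Tuple[Registry, List[str]]:
    """Apply the delete operations to a copy of the snapshot and describe each change."""
    result = {k: dict(v) for k, v in snapshot.items()}
    changes = []
    for key, name, action in ops:
        values = result.setdefault(key, {})
        if action != "delete":
            changes.append(f"skip {key}\\{name}: only deletions are previewed here")
        elif name in values:
            changes.append(f"delete {key}\\{name} (was {values.pop(name)!r})")
        else:
            changes.append(f"skip {key}\\{name}: not present")
    return result, changes


if __name__ == "__main__":
    print("format problems:", validate(FIX_REG) or "none")
    after, changes = apply_fix(SNAPSHOT, parse_fix(FIX_REG))
    for change in changes:
        print(change)
    print("Run entries left:", sorted(after[RUN_KEY]))
```

Previewing a fix this way before merging it shows exactly two deletions, the WL Run value and the SSODL default value, and leaves the firewall and antivirus Run entries untouched; a typo in a key path would instead show up as a "not present" skip rather than a silent no-op inside regedit. The registry backup step in the post is what makes the real merge reversible, so keep it even when the preview looks right.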


#11 SimonJacques

SimonJacques

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 02 April 2007 - 04:30 AM

Hi,

Here is the gmer.exe result


GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-04-02 18:33:04
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwConnectPort
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreatePort
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateSection
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenProcess
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenSection
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetContextThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 188 80502604 4 Bytes [ 32, 42, 0F, FA ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1C4 80502640 4 Bytes [ 26, 41, 0F, FA ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1D4 80502650 4 Bytes [ 16, 4B, 0F, FA ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1E0 8050265C 4 Bytes [ 7A, 3D, 0F, FA ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 208 80502684 4 Bytes [ 56, 4E, 0F, FA ]
.text ...
? C:\WINDOWS\System32\Drivers\mchInjDrv.sys The system cannot find the file specified.

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE[344] ntdll.dll!LdrUnloadDll 77F557F8 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE[344] ntdll.dll!LdrUnloadDll + 4 77F557FC 2 Bytes [ 05, 5F ]
.text C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE[344] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes JMP 5F070F5A
.text C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE[344] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes [ 9B, 19, 18, E7 ]
.text C:\WINDOWS\explorer.exe[1196] ntdll.dll!LdrUnloadDll 77F557F8 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\explorer.exe[1196] ntdll.dll!LdrUnloadDll + 4 77F557FC 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\explorer.exe[1196] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes JMP 5F070F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1624] ntdll.dll!LdrUnloadDll 77F557F8 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1624] ntdll.dll!LdrUnloadDll + 4 77F557FC 2 Bytes [ 05, 5F ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[1624] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes JMP 5F070F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1624] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes [ 9B, 19, 18, E7 ]
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[1828] ntdll.dll!LdrUnloadDll 77F557F8 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[1828] ntdll.dll!LdrUnloadDll + 4 77F557FC 2 Bytes [ 05, 5F ]
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[1828] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes JMP 5F070F5A
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[1828] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes [ 9B, 19, 18, E7 ]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1836] ntdll.dll!LdrUnloadDll 77F557F8 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1836] ntdll.dll!LdrUnloadDll + 4 77F557FC 2 Bytes [ 05, 5F ]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1836] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes JMP 5F070F5A
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[1836] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes [ 9B, 19, 18, E7 ]
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[1872] ntdll.dll!LdrUnloadDll 77F557F8 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[1872] ntdll.dll!LdrUnloadDll + 4 77F557FC 2 Bytes [ 05, 5F ]
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[1872] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes JMP 5F070F5A
.text C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe[1872] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes [ 9B, 19, 18, E7 ]
.text C:\WINDOWS\system32\STDSB.exe[1888] ntdll.dll!LdrUnloadDll 77F557F8 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\STDSB.exe[1888] ntdll.dll!LdrUnloadDll + 4 77F557FC 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\STDSB.exe[1888] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\STDSB.exe[1888] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes [ 9B, 19, 18, E7 ]
.text C:\WINDOWS\SOUNDMAN.EXE[1904] ntdll.dll!LdrUnloadDll 77F557F8 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\SOUNDMAN.EXE[1904] ntdll.dll!LdrUnloadDll + 4 77F557FC 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\SOUNDMAN.EXE[1904] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\SOUNDMAN.EXE[1904] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes [ 9B, 19, 18, E7 ]
.text C:\WINDOWS\system32\khooker.exe[1948] ntdll.dll!LdrUnloadDll 77F557F8 3 Bytes [ FF, 25, 1E ]
.text C:\WINDOWS\system32\khooker.exe[1948] ntdll.dll!LdrUnloadDll + 4 77F557FC 2 Bytes [ 05, 5F ]
.text C:\WINDOWS\system32\khooker.exe[1948] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\khooker.exe[1948] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes [ 9B, 19, 18, E7 ]
.text C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe[1956] ntdll.dll!LdrUnloadDll 77F557F8 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe[1956] ntdll.dll!LdrUnloadDll + 4 77F557FC 2 Bytes [ 05, 5F ]
.text C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe[1956] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes JMP 5F070F5A
.text C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe[1956] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes [ 9B, 19, 18, E7 ]
.text C:\Program Files\Real\RealPlayer\realplay.exe[1964] ntdll.dll!LdrUnloadDll 77F557F8 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Real\RealPlayer\realplay.exe[1964] ntdll.dll!LdrUnloadDll + 4 77F557FC 2 Bytes [ 05, 5F ]
.text C:\Program Files\Real\RealPlayer\realplay.exe[1964] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes JMP 5F070F5A
.text C:\Program Files\Real\RealPlayer\realplay.exe[1964] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes [ 9B, 19, 18, E7 ]
.text C:\Program Files\Comodo\Firewall\cpf.exe[1980] ntdll.dll!LdrUnloadDll 77F557F8 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Comodo\Firewall\cpf.exe[1980] ntdll.dll!LdrUnloadDll + 4 77F557FC 2 Bytes [ 05, 5F ]
.text C:\Program Files\Comodo\Firewall\cpf.exe[1980] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes JMP 5F08001E
.text C:\Program Files\Comodo\Firewall\cpf.exe[1980] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes [ 9B, 19, 18, E7 ]
.text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[1996] ntdll.dll!LdrUnloadDll 77F557F8 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[1996] ntdll.dll!LdrUnloadDll + 4 77F557FC 2 Bytes [ 05, 5F ]
.text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[1996] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes JMP 5F070F5A
.text C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe[1996] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes [ 9B, 19, 18, E7 ]
.text C:\Program Files\Messenger\msmsgs.exe[2020] ntdll.dll!LdrUnloadDll 77F557F8 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Messenger\msmsgs.exe[2020] ntdll.dll!LdrUnloadDll + 4 77F557FC 2 Bytes [ 05, 5F ]
.text C:\Program Files\Messenger\msmsgs.exe[2020] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes JMP 5F070F5A
.text C:\Program Files\Messenger\msmsgs.exe[2020] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes [ 9B, 19, 18, E7 ]
.text C:\Program Files\gmer.exe[2292] ntdll.dll!LdrUnloadDll 77F557F8 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\gmer.exe[2292] ntdll.dll!LdrUnloadDll + 4 77F557FC 2 Bytes [ 05, 5F ]
.text C:\Program Files\gmer.exe[2292] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes JMP 5F070F5A
.text C:\Program Files\gmer.exe[2292] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes [ 9B, 19, 18, E7 ]

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [FA3E485A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [FA3E485A] avgtdi.sys
Device \Driver\prodrv06 \Device\ProDrv06 IRP_MJ_CREATE E17BC380
Device \Driver\prodrv06 \Device\ProDrv06 IRP_MJ_CLOSE E17BC380
Device \Driver\prodrv06 \Device\ProDrv06 IRP_MJ_DEVICE_CONTROL E17BC380
Device \Driver\prohlp02 \Device\ProHlp02 IRP_MJ_CREATE E147ABC0
Device \Driver\prohlp02 \Device\ProHlp02 IRP_MJ_CLOSE E147ABC0
Device \Driver\prohlp02 \Device\ProHlp02 IRP_MJ_DEVICE_CONTROL E147ABC0
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [FA3E485A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [FA3E485A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [FA3E485A] avgtdi.sys
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE F307D143
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE F307D1BD
Device \FileSystem\Fastfat \Fat IRP_MJ_READ F30798A5
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE F3079627
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION F307DE1E
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION F3081081
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA F3091AC6
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA F309149A
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS F308ED7B
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION F307DB3F
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION F3098CCC
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL F307F6C8
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL F307C90C
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL F308E526
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN F3098219
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL F3097996
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP F307CF94
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP F3086411
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible F30939C6

---- EOF - GMER 1.0.12 ----


Here is the HijackThis log file

Logfile of HijackThis v1.99.1
Scan saved at 6:34:33 PM, on 2/04/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\STDSB.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\gmer.exe
C:\Program Files\analyse.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.135.4:1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Comodo Firewall] C:\Program Files\Comodo\Firewall\CPF.exe /background
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks, Simon
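The HijackThis log above is a fixed, line-oriented format (section code, " - ", then a section-specific body), so it can be parsed rather than read by eye. The block below is an added example, not HijackThis's code and not anything posted in this thread: it parses the R0/R1, O2, O4 and O23 lines from a constructed sample whose lines are copied from the log above, then lists the entries a reviewer would check first: a configured proxy server (here pointing at a 169.254.0.0/16 link-local address), Run entries that launch a bare filename, which Windows resolves through the search path, and unquoted command lines containing spaces. The names `Entry`, `parse_hjt`, `program_path` and `review` are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis v1.99.1 log posted in this
# thread, in its original line format.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 169.254.135.4:1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [STDSB] C:\WINDOWS\System32\STDSB.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Comodo Firewall] C:\Program Files\Comodo\Firewall\CPF.exe /background
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
"""


@dataclass
class Entry:
    section: str   # HijackThis section code: "R1", "O4", "O23", ...
    key: str       # where it came from: "HKLM\Run", "Global Startup", "BHO", ...
    name: str      # value name, autorun name, BHO name or service display name
    target: str    # value data, command line, DLL path or service image path


LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# "HKLM\..\Run: [name] command"
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# "Global Startup: shortcut.lnk = resolved target"
STARTUP_RE = re.compile(r"^Global Startup: (?P<name>.+?) = (?P<target>.+)$")
# First executable-looking token of an unquoted command line.
EXE_RE = re.compile(r"^(?P<prog>.+?\.(?:exe|com|scr|bat|cmd|dll|ocx))\b", re.IGNORECASE)


def parse_hjt(text: str) -> list[Entry]:
    """Turn HijackThis report lines into Entry records; unknown sections are skipped."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1"):
            # "<hive>\<path>,<value name> = <data>"
            lhs, _, data = body.partition(" = ")
            path, _, name = lhs.rpartition(",")
            entries.append(Entry(section, path, name, data))
        elif section == "O4":
            run = RUN_RE.match(body)
            if run:
                entries.append(Entry(section, f"{run['hive']}\\{run['key']}", run["name"], run["cmd"]))
            else:
                startup = STARTUP_RE.match(body)
                if startup:
                    entries.append(Entry(section, "Global Startup", startup["name"], startup["target"]))
        elif section in ("O2", "O23"):
            # "BHO: <name> - {CLSID} - <dll>"  /  "Service: <name> - <company> - <image>"
            kind, _, rest = body.partition(": ")
            parts = rest.split(" - ")
            entries.append(Entry(section, kind, parts[0], parts[-1]))
    return entries


def program_path(cmd: str) -> str:
    """Extract the program from a Run-key command line (quoted or unquoted form)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group("prog") if m else cmd.split(" ", 1)[0]


def review(entries: list[Entry]) -> list[str]:
    """Return human-readable findings, in log order, for the entries worth a second look."""
    findings: list[str] = []
    for e in entries:
        if e.section == "R1" and e.name == "ProxyServer" and e.target:
            note = " (169.254.0.0/16 is a link-local address)" if e.target.startswith("169.254.") else ""
            findings.append(f"R1: proxy server configured: {e.target}{note}; confirm the user set it")
        elif e.section == "O4" and e.key != "Global Startup":
            prog = program_path(e.target)
            if "\\" not in prog:
                findings.append(f"O4 [{e.name}]: bare filename {prog} is resolved via the search path; verify which file runs")
            elif " " in prog and not e.target.strip().startswith('"'):
                findings.append(f"O4 [{e.name}]: unquoted path with spaces: {prog}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_hjt(SAMPLE_LOG)):
        print(finding)
```

Run against the full log it reports three items for this sample: the R1 proxy, the SoundMan entry that runs a bare `SOUNDMAN.EXE`, and the unquoted Comodo Firewall command line. None of these is evidence of infection on its own; they are the lines to verify against the files actually on disk before anything is removed.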

#12 Mr_JAk3
Authentic Member, 182 posts

Posted 02 April 2007 - 12:27 PM

Hello, it is looking good now :)
The computer runs fine?


Then the first priority is to visit Windows Update and get your system updated
-> At first, install Win XP Service Pack 2 Update
-> Reboot and get back to the Windows Update
-> Install all remaining important updates
(NOTE: You'll probably have to reboot and get back to the update several times before all of them are installed)

Now you can clean AVG's Quarantine:
  • Open AVG Anti-Spyware
  • Click Infections
  • Click Quarantine tab
  • Click Select all
  • Click Remove finally
  • Close the program
You can remove the tools we used.

Then you should update your Java to the latest version (6 update 1)
  • Start
  • Control Panel
  • Add/Remove Programs
  • Delete the old Java, J2SE Runtime Environment 5.0 Update 6
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 1.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement."
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Install it
Now you can make your hidden files hidden again.
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Check "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.
=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure: Stay clean and be safe ;)
UNITE & ASAP member since 2006

#13 SimonJacques
New Member, 18 posts

Posted 03 April 2007 - 03:54 AM

Sorry to tell you that AVG is still detecting trojan horses and viruses as of yesterday and also today. These are Virus Exploit C/Windows debug + Trojan Horse IRC backdoor. Sdbot. I have used Firefox for over a year. There must be something else in the registry??????????????

#14 Mr_JAk3
Authentic Member, 182 posts

Posted 03 April 2007 - 12:49 PM

Hello :) Do you know the locations of those infections?
UNITE & ASAP member since 2006

#15 SimonJacques
New Member, 18 posts

Posted 04 April 2007 - 05:18 AM

They seem to come up in different locations. The ones I can tell you right now are: C. windows systems 32 ssms.exe for backdoor sd.bot; C Windows help . internat.exe for trojan dropper; C Windows Debug DCpromo log. I have others in quarantine from earlier too.
