
[Resolved] Need Removal of Win32.Backdoor.Agent & wsnpoem
#1
Posted 21 November 2007 - 12:20 AM
#2
Posted 25 November 2007 - 05:56 PM
Welcome,
Delete the older version of HJT and do this.
Download Trendmicro's HijackThis to your desktop, double-click it to install, and follow the prompts;
by default it will install in C:\Program Files\Trendmicro\Hijackthis\HijackThis.exe
- Open HJT, Scan and Save a Log File; it will open in Notepad
- Go to Format and make sure Word Wrap is unchecked
- Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread using
Post Reply rather than starting a new thread.
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.

Find us on Facebook
Please LIKE and SHARE
Just a reminder that threads will be closed if no reply in 3 days.
#3
Posted 30 November 2007 - 12:33 PM
11/20/07: Re-ran Webroot Spy Sweeper. It found a threat and rebooted to clean; it did NOT
delete the WSNPOEM directory and files, so I did that manually.
System really sluggish afterwards. Did not see anything unusual in the Task Manager
Processes list. I keep a printed reference from when no apps are running
except spy checks.
IExplorer keeps closing with "Error has occurred, need to close", but I am able
to access ATT webmail and other sites from the dropdown address list while in ATT.
Have NOT "sent any error logs" to Microsoft.
11/29/07: Re-ran SpySweeper. It found some "Trojan..." cookies and quarantined them.
System still sluggish.
11/30/07: This morning came in to find the computer at a black screen, unresponsive. Did
a reboot OK. Got a message "fixed a serious error." Did NOT send error log to Microsoft.
"Slow down" seems to be fixed.
Have not tried Internet access, so don't know if IExplorer still has problems.
Did a HiJackThis run, log below.
Following the log is a list of files that "looked suspicious" that showed up in
windows\system32 at the time the computer looked as if it was being attacked
(SpySweeper put up messages). I have moved these files from windows\system32 to a
3.5" diskette. In the HiJack log it reports that _svchost.exe is missing (second
O23 item). I have this on the diskette backup; should it be re-instated? How about
the others?
The version of Trend Micro on the system is two years old. Trend update says I need
Service Pack 2 for it to run.
SpySweeper is recent, definitions updated 11/29/07.
Thanks for your help.
--------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:24 AM, on 11/30/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\quic2002\QWDLLS.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\hijack\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: C:\WINDOWS\System32\d4ghggf4g.dll - {B5AF0562-94F3-42BD-F434-2604812C297D} - (no file)
O2 - BHO: Her - {C4DE5B15-4FFE-4c02-8CB3-CAD24A33562B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-18\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\quic2002\QWDLLS.EXE
O4 - Global Startup: Billminder.lnk = C:\quic2002\BILLMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1161106391872
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www.gotomeet...ets/g2mdlax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09BF38E5-71EE-4A1D-987C-0D5B06CECF09}: NameServer = 85.255.115.94,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\..\{982E2EB5-67EB-4A5A-BB76-F41743841AAF}: NameServer = 85.255.115.94,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0C0094D-1B88-4B68-9A54-0754B62BF413}: NameServer = 85.255.115.94,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3B15CD2-FEFF-41BD-BC7B-C935F56CD6EF}: NameServer = 85.255.115.94,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\..\{B23FEE28-602D-48E7-9DE1-F2F39CC1CBD4}: NameServer = 85.255.115.94,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC560AD9-2BE6-4FB7-9A9F-6386ED10E168}: NameServer = 85.255.115.94,85.255.112.137
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.137
O17 - HKLM\System\CS2\Services\Tcpip\..\{09BF38E5-71EE-4A1D-987C-0D5B06CECF09}: NameServer = 85.255.115.94,85.255.112.137
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.137
O17 - HKLM\System\CS3\Services\Tcpip\..\{09BF38E5-71EE-4A1D-987C-0D5B06CECF09}: NameServer = 85.255.115.94,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.137
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O22 - SharedTaskScheduler: JGhjddf9dtj - {B5AF0562-94F3-42BD-F434-2604812C297D} - (no file)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\System32\_svchost.exe (file missing)
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 5135 bytes
Volume in drive A has no label.
Volume Serial Number is 0000-0000
Directory of a:\
11/20/2007 02:48 PM 169,984 udmyh.dll
11/20/2007 02:47 PM 212,992 update243.exe
11/20/2007 02:47 PM 570 sft.res
11/20/2007 02:47 PM 3 lt.res
11/20/2007 02:46 PM 20,992 update241.exe
11/20/2007 02:45 PM 27,136 ramtmb.dll
11/20/2007 02:45 PM 10,000 d4ghggf4g.dll
11/20/2007 02:44 PM 20,992 update224.exe
11/20/2007 02:43 PM 10 kr_done1
?????? 11/20/2007 02:39 PM 6,144 _svchost.exe
11/20/2007 04:33 PM 2,184 wpa.dbl
11/20/2007 02:55 PM 29 rtqypgah.tmp
11/20/2007 02:50 PM 1 RunOnce.tmp
11/20/2007 02:50 PM 40 RunOnce.t__
11/20/2007 02:50 PM 58,368 update266.exe
11/20/2007 02:49 PM 137,728 update247.exe
16 File(s) 667,173 bytes
0 Dir(s) 786,944 bytes free
------ End 11/30/07 update ------
#4
Posted 30 November 2007 - 01:56 PM
You have got a host of issues on this computer; one of the reasons is that your Operating System is EXTREMELY out of date and letting a lot of this bad stuff in. Don't do it yet, but you need to do a Windows Update. If you have tried before to update and you can't or it won't let you, then it's possible that you have an illegal copy of Windows, and if so you are just going to keep getting infected.
Most of those files you have on a disk are bad.
_svchost.exe <-- Virus
svchost.exe <-- Legit, Windows won't run without it, so do not delete anything until instructed to.
The main issue you are having, amongst other things, is that you're infected with the Wareout Trojan, so let's do a few things.
Open HijackThis > Do a System Scan Only. Close your browser and all open windows including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: C:\WINDOWS\System32\d4ghggf4g.dll - {B5AF0562-94F3-42BD-F434-2604812C297D} - (no file)
O2 - BHO: Her - {C4DE5B15-4FFE-4c02-8CB3-CAD24A33562B} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{09BF38E5-71EE-4A1D-987C-0D5B06CECF09}: NameServer = 85.255.115.94,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\..\{982E2EB5-67EB-4A5A-BB76-F41743841AAF}: NameServer = 85.255.115.94,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0C0094D-1B88-4B68-9A54-0754B62BF413}: NameServer = 85.255.115.94,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3B15CD2-FEFF-41BD-BC7B-C935F56CD6EF}: NameServer = 85.255.115.94,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\..\{B23FEE28-602D-48E7-9DE1-F2F39CC1CBD4}: NameServer = 85.255.115.94,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC560AD9-2BE6-4FB7-9A9F-6386ED10E168}: NameServer = 85.255.115.94,85.255.112.137
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.137
O17 - HKLM\System\CS2\Services\Tcpip\..\{09BF38E5-71EE-4A1D-987C-0D5B06CECF09}: NameServer = 85.255.115.94,85.255.112.137
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.137
O17 - HKLM\System\CS3\Services\Tcpip\..\{09BF38E5-71EE-4A1D-987C-0D5B06CECF09}: NameServer = 85.255.115.94,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.137
O22 - SharedTaskScheduler: JGhjddf9dtj - {B5AF0562-94F3-42BD-F434-2604812C297D} - (no file)
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\System32\_svchost.exe (file missing)
Please download OTMoveIt by OldTimer.
- Save it to your desktop.
- Please double-click OTMoveIt.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
C:\Program Files\WinAble
C:\WINDOWS\System32\ntos.exe
C:\WINDOWS\System32\d4ghggf4g.dll
C:\WINDOWS\System32\_svchost.exe
- Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be moved" window and choose Paste.
- Click the red Moveit! button.
- Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
- Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
FixWareout Subratam
FixWareout Lonny
- Save it to your desktop and run it.
- Click Next, then Install,
- Then make sure "Run fixit" is checked and click Finish.
- The fix will begin; follow the prompts.
- You will be asked to reboot your computer; please do so.
- Your system may take longer than usual to load; this is normal.
- At the end of the fix, you may need to restart your computer again.
Now let's check some settings on your system (2000/XP only).
- Go to Start > Control Panel.
- If you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections.
- Then right-click on your default connection, usually Local Area Connection for cable and DSL.
- Left-click on Properties.
- Click the Networking tab.
- Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
- Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.
- Next, go to Start > Run, type cmd and hit OK.
- Type in ipconfig /flushdns, then hit Enter
(that space between g and / is needed).
- Type exit and hit Enter.
I need to see the OTMoveIt log, the Wareout report and a new HJT log please.
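As an added illustration of what the helper is asking the poster to fix above (editor-added example code, not part of the thread or of HijackThis), the script below applies the same triage rules to lines copied from the 11/30 HJT log: a static NameServer matching the two DNS addresses flagged in this thread, an extra program chained onto UserInit, orphaned BHO and SharedTaskScheduler CLSIDs, Run entries under the SYSTEM and Default user hives, and a service whose binary is missing. The "review" severity on the O20 AppInit_DLLs line and on the empty R0 value is my own grading, since the helper listed the R0 lines but left the O20 entry alone.

```python
"""Triage rules for HijackThis (HJT) log lines, modelled on the entries the
helper in this thread told the poster to fix.  Added example, not part of the
thread or of HijackThis itself."""
import re
from dataclasses import dataclass
from typing import List, Optional

# DNS servers the helper flagged in this thread's O17 (NameServer) entries.
DNS_FLAGGED_IN_THREAD = {"85.255.115.94", "85.255.112.137"}

# Constructed sample: a subset of the lines from the 11/30/2007 HJT log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: Her - {C4DE5B15-4FFE-4c02-8CB3-CAD24A33562B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKUS\S-1-5-18\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{09BF38E5-71EE-4A1D-987C-0D5B06CECF09}: NameServer = 85.255.115.94,85.255.112.137
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.94 85.255.112.137
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O22 - SharedTaskScheduler: JGhjddf9dtj - {B5AF0562-94F3-42BD-F434-2604812C297D} - (no file)
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\System32\_svchost.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
"""


@dataclass
class Finding:
    section: str    # HJT section tag, e.g. "O17"
    severity: str   # "fix": the helper had these fixed; "review": worth a look
    reason: str
    line: str


_F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)
_O17_RE = re.compile(r"^O17 - .*NameServer\s*=\s*(.*)$")


def check_line(line: str) -> Optional[Finding]:
    """Apply the per-section rules to one HJT log line; None if it looks benign."""
    line = line.strip()
    tag = line.split(" ", 1)[0]
    if tag == "R0" and line.endswith("="):
        # Local Page cleared to nothing: harmless by itself, but the helper listed it.
        return Finding(tag, "review", "empty Local Page value", line)
    if tag == "F2":
        m = _F2_RE.match(line)
        if m:
            # Anything after userinit.exe in the comma list is launched at logon.
            parts = [p.strip() for p in m.group(1).split(",") if p.strip()]
            extra = [p for p in parts if p.lower() != "userinit.exe"]
            if extra:
                return Finding(tag, "fix", "UserInit launches extra program(s): " + ", ".join(extra), line)
    if tag in ("O2", "O22") and "(no file)" in line:
        return Finding(tag, "fix", "orphaned CLSID entry, no file on disk", line)
    if tag == "O4" and " - HKUS\\" in line:
        return Finding(tag, "fix", "Run entry under the SYSTEM / Default user hive", line)
    if tag == "O17":
        m = _O17_RE.match(line)
        if m:
            # HJT prints the list comma-separated for interfaces, space-separated for Parameters.
            servers = {s for s in re.split(r"[,\s]+", m.group(1)) if s}
            hits = servers & DNS_FLAGGED_IN_THREAD
            if hits:
                return Finding(tag, "fix", "static NameServer matches DNS flagged in this thread: " + ", ".join(sorted(hits)), line)
            if servers:
                return Finding(tag, "review", "static NameServer set; system should obtain DNS automatically", line)
    if tag == "O20" and "AppInit_DLLs" in line:
        return Finding(tag, "review", "AppInit_DLLs load point is populated", line)
    if tag == "O23" and ("(file missing)" in line or "Unknown owner" in line):
        return Finding(tag, "fix", "service with missing binary or unknown owner", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every line of an HJT log and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        f = check_line(raw)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```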
#5
Posted 03 December 2007 - 03:05 PM
infected computer:
1. Ran HiJackThis/System Scan only, checked items you indicated and did Fix Checked.
Said "yes" to a reboot.
2. Ran OTMoveIt
From your posting, pasted the following into OTMoveIt:
C:\Program Files\WinAble
C:\WINDOWS\System32\ntos.exe
C:\WINDOWS\System32\d4ghggf4g.dll
C:\WINDOWS\System32\_svchost.exe
---------- After running OTMoveIt, the Results window
had a "cannot create _ot........log file" message
File/Folder C:\Program Files\WinAble not found.
File/Folder C:\WINDOWS\System32\ntos.exe not found.
File/Folder C:\WINDOWS\System32\d4ghggf4g.dll not found.
File/Folder C:\WINDOWS\System32\_svchost.exe not found.
Created on 12/03/2007 10:27:22
---------- End OTMoveIt results
Please refer to the Post # 3 Nov 30 2007 6:33 PM. Three of the four files in the "move"
list are among those in the "looked suspicious" list that I removed from windows\system32
and put onto a 3.5 diskette, so they were not in the windows\system32 directory at
the time OTMoveIt was run.
WinAble was not in the "removed to diskette" list.
I will assume that the others in the diskette list are possible threats and will not
re-instate them to windows\system32 unless you spot names in that list that
should be there.
3. Ran FixWareOut, got the following screen message:
FixWareOut.exe restart message
12/03/07, 10:35AM
"Finished!
"If you have internet connection problems find and left click the registry file dnsbak.reg
located in the FixWareOut folder on the root of the drive windows is installed.
(normally c:\ and if you did be sure to mention it to your helper."
4. Since I have been having troubles with the Internet connection (it has been shutting
down unexpectedly "error has occurred..."), I ran DNSBAK.REG.
"Next: a text will open. Please post the contents for your forum helper
Click OK to continue."
---------- FIXWAREOUT LOG, REPORT.TXT ----------
Username "Administrator" - 12/03/2007 10:33:28 [Fixwareout edited 9/01/2007]
~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdrhq.exe"
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{09BF38E5-71EE-4A1D-987C-0D5B06CECF09}
"DhcpNameServer"="85.255.115.94,85.255.112.137" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{982E2EB5-67EB-4A5A-BB76-F41743841AAF}
"DhcpNameServer"="85.255.115.94,85.255.112.137" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A0C0094D-1B88-4B68-9A54-0754B62BF413}
"DhcpNameServer"="85.255.115.94,85.255.112.137" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{B23FEE28-602D-48E7-9DE1-F2F39CC1CBD4}
"DhcpNameServer"="85.255.115.94,85.255.112.137" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{DC560AD9-2BE6-4FB7-9A9F-6386ED10E168}
"DhcpNameServer"="85.255.115.94,85.255.112.137" <Value cleared.
System was rebooted successfully.
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\TEMP\kdrhq.ren 75810 08/23/2001
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Antivirus\\pccguide.exe\""
"PCClient.exe"="\"C:\\Program Files\\Trend Micro\\Antivirus\\PCClient.exe\""
"TM Outbreak Agent"="\"C:\\Program Files\\Trend Micro\\Antivirus\\TMOAgent.exe\" /run"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_9 -reboot 1"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
---------- END FIXWAREOUT LOG ----------
5. Looked at Internet Protocol(TCP/IP). Already selected were:
Obtain an IP address automatically
Obtain DNS server address automatically
6. Ran IPCONFIG /flushdns
7. Ran HiJackThis again, log follows:
---------- HIJACKTHIS LOG ----------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:28 AM, on 12/3/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\quic2002\QWDLLS.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\hijack\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\quic2002\QWDLLS.EXE
O4 - Global Startup: Billminder.lnk = C:\quic2002\BILLMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1161106391872
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www.gotomeet...ets/g2mdlax.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 2921 bytes
---------- END HIJACKTHIS LOG ----------
----- End posting -----
#6
Posted 03 December 2007 - 05:39 PM
Download ComboFix from Here or Here to your Desktop.
- Double click combofix.exe and follow the prompts.
- When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply
#7
Posted 04 December 2007 - 01:16 PM
1. Ran ComboFix - report files are below.
When ComboFix rebooted the computer WebRoot SpySweeper asked me for
its product key. Keyed it in, seems to be functioning OK.
Can any files created by ComboFix, especially ones in c:\qoobox and below,
ultimately be deleted?
2. Ran HiJackThis, report file below.
ComboFix-quarantined-files.txt
2007-11-20 14:39 17408 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\~tmp1174.exe.vir
2007-11-20 14:54 23742 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\config\SYSTEM~1\APPLIC~1\Microsoft\25319.dat.vir
2007-12-04 11:04 736 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_RUNTIME.reg.dat
--------------------------------
Log file from ComboFix
ComboFix 07-12-02.7 - Administrator 2007-12-04 11:03:10.1 - FAT32x86
Running from: C:\cf\combofix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Administrator\~tmp1174.exe
C:\Program Files\Temporary
C:\WINDOWS\system32\config\system~1\Applic~1\Microsoft\25319.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_RUNTIME
((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.
2007-12-04 10:08 . 2007-12-04 10:08 <DIR> d-a------ C:\cf
2007-12-03 09:51 . 2007-12-03 09:51 <DIR> d-------- C:\fixware
2007-12-03 09:50 . 2007-12-03 09:50 <DIR> d-------- C:\otmove
2007-11-20 22:17 . 2007-11-20 22:17 29 --a------ C:\WINDOWS\system32\defruoip.tmp
2007-11-20 20:44 . 2007-12-04 11:08 2,184 --a------ C:\WINDOWS\system32\wpa.dbl
2007-11-20 14:39 . 2007-11-20 14:40 11,264 --a------ C:\WINDOWS\system\wecsnd32.dll
2007-11-20 14:39 . 2007-11-20 14:39 6,144 --a------ C:\Documents and Settings\Administrator\ie_update3r.exe
2007-11-12 09:17 . 2007-11-12 09:17 141 --a------ C:\NSMTEST.BAT
2007-11-11 16:05 . 2007-11-11 16:06 143 --a------ C:\NSMTEST.BAK
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 14:54 139 ----a-w C:\NSM.BAT
2007-10-20 17:05 --------- d-----w C:\Program Files\Citrix
2007-10-03 18:46 139 ----a-w C:\NSM_E.BAT
2007-09-10 17:19 158 ----a-w C:\nsm10.bat
2005-01-26 11:10 3,547 --sha-w C:\WINDOWS\bjcxk.dat
2004-12-26 07:43 70,144 --sha-w C:\WINDOWS\cugxf.dll
2005-01-01 00:17 70,144 --sha-w C:\WINDOWS\system32\awuqp.dll
2004-12-27 20:57 70,144 --sha-w C:\WINDOWS\system32\stlxe.dll
2005-02-01 03:05 7,471 --sha-w C:\WINDOWS\system32\xrijl.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-07-14 21:35]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="C:\Program Files\Trend Micro\Antivirus\pccguide.exe" [2004-02-16 22:51]
"PCClient.exe"="C:\Program Files\Trend Micro\Antivirus\PCClient.exe" [2004-02-16 22:51]
"TM Outbreak Agent"="C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" [2004-02-16 22:50]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-07-07 17:16]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 14:05:56]
Quicken Startup.lnk - C:\quic2002\QWDLLS.EXE [2004-11-17 08:30:48]
Billminder.lnk - C:\quic2002\BILLMIND.EXE [2004-11-17 08:30:23]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\wmfhotfix.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2005-07-08 09:25 1397760 --------- C:\Program Files\Ahead\InCD\InCD.exe
R0 SSFS041A;Spy Sweeper File System Filer Driver: 041A;C:\WINDOWS\System32\Drivers\SSFS041A.SYS
R3 neo20xx;neo20xx;C:\WINDOWS\System32\DRIVERS\neo20xx.sys
R3 SPI;Sony Programmable I/O Control Device;C:\WINDOWS\System32\DRIVERS\SonyPI.sys
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\System32\DRIVERS\ADM8511.SYS
S4 Microsoft Inet Service;Microsoft Inet Service;C:\WINDOWS\System32\_svchost.exe -A
.
Contents of the 'Scheduled Tasks' folder
"2007-12-01 09:00:02 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe&/ScheduleSweep=wrSpySweeperTrialSweep
"2007-12-01 10:00:02 C:\WINDOWS\Tasks\wrSpySweeper_FA584012640E49EA82E3CAAE8423A1A1.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe=/ScheduleSweep=wrSpySweeper_FA584012640E49EA82E3CAAE8423A1A1
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.ex
- A:\,D:
"2007-12-03 09:00:02 C:\WINDOWS\Tasks\wrSpySweeper_4EA35A71447E46E98823393EA94301B7.job"
.
**************************************************************************
catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 11:10:27
Windows 5.1.2600 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-04 11:12:04 - machine was rebooted
.
--- E O F ---
End Log file from ComboFix
--------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:35 AM, on 12/4/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\quic2002\QWDLLS.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\hijack\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\quic2002\QWDLLS.EXE
O4 - Global Startup: Billminder.lnk = C:\quic2002\BILLMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1161106391872
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www.gotomeet...ets/g2mdlax.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 3011 bytes
----- End HiJackThis log -----
---- End post -----
#8
Posted 04 December 2007 - 04:30 PM
This will remove all that ComboFix found.
* Go to Start > Run and copy and paste the next command in the field:
ComboFix /u
Make sure there's a space between ComboFix and /.
Then hit Enter.
This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the
system/hidden files and reset System Restore again.
If SuperAntiSpyware comes up clean, then you will be good to go.
Please download SuperAntiSpyware
Install the program
- Run SuperAntiSpyware and click: Check for updates
- Once the update is finished, on the main screen, click: Scan your computer
- Check: Perform Complete Scan
- Click Next to start the scan.
Make sure everything found has a check next to it, and press: Next
Then, click Finish
It is possible that the program asks to reboot in order to delete some files.
Obtain the SuperAntiSpyware log as follows:
- Click: Preferences
- Click the Statistics/Logs tab
- Under Scanner Logs, double-click SuperAntiSpyware Scan Log
Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.
#9
Posted 05 December 2007 - 02:40 PM
1. Downloaded SuperAntiSpyware. Had to use the computer we've been working on (a Sony laptop).
(Previous downloads and posts have been done on an old Win95 desktop machine over 26K modem.
Actually did a SuperAntiSpyware download on that machine (painful) then did a diskette-net procedure
using old Slice/Splice utility (more pain) onto the laptop. SuperAntiSpyware was not amused - said the
file was corrupt - didn't like being cut up and put together again, looks like...) So, used the laptop and
got a good copy OK.
******************************************************************
I thought IExplorer was doing OK on the laptop, but
during attempt to post this reply there, IExplorer shut down again - had to go to the old
desktop computer. Might have another topic?
Re-ran SuperAntiSpyware after IExplore shutdown - no finds.
******************************************************************
2. Ran combofix /U
3. Started SuperAntiSpyware, got updates. Did scan, log is below. It dredged out more than a dozen
additional items, including a svchost baddie.
4. Ran HiJackThis, log is below.
--------- SUPERAntiSpyware Scan Log ------------
http://www.superantispyware.com
Generated 12/05/2007 at 11:44 AM
Application Version : 3.9.1008
Core Rules Database Version : 3355
Trace Rules Database Version: 1354
Scan type : Complete Scan
Total Scan Time : 01:37:03
Memory items scanned : 353
Memory threats detected : 0
Registry items scanned : 4227
Registry threats detected : 13
File items scanned : 16556
File threats detected : 2
Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{2341B6B9-E486-B1AF-52DC-D05B8550CE4F}
HKLM\Software\Classes\CLSID\{C15E8A09-A419-0B02-2618-8EBE6AA23677}
HKCR\CLSID\{2341B6B9-E486-B1AF-52DC-D05B8550CE4F}
HKCR\CLSID\{2341B6B9-E486-B1AF-52DC-D05B8550CE4F}\Data
HKCR\CLSID\{2341B6B9-E486-B1AF-52DC-D05B8550CE4F}\Data\MD
HKCR\CLSID\{2341B6B9-E486-B1AF-52DC-D05B8550CE4F}\Data\MD#Data3
HKCR\CLSID\{2341B6B9-E486-B1AF-52DC-D05B8550CE4F}\InprocServer32
HKCR\CLSID\{2341B6B9-E486-B1AF-52DC-D05B8550CE4F}\InprocServer32#ThreadingModel
HKCR\CLSID\{C15E8A09-A419-0B02-2618-8EBE6AA23677}
HKCR\CLSID\{C15E8A09-A419-0B02-2618-8EBE6AA23677}\Data
Parasite.CoolWebSearch Variant
HKLM\Software\Classes\CLSID\{9E36483D-36A3-2FD6-E6B5-7E47C21A009F}
HKCR\CLSID\{9E36483D-36A3-2FD6-E6B5-7E47C21A009F}
HKCR\CLSID\{9E36483D-36A3-2FD6-E6B5-7E47C21A009F}\Data
Trojan.CoolWebSearch Variant
C:\WINDOWS\N_YNCYDO.LOG
Trojan.Downloader-SVCHost/Fake
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\IE_UPDATE3R.EXE
---------End SUPERAntiSpyware Scan Log ------------
--------- Logfile of Trend Micro HijackThis v2.0.2 ----------
Scan saved at 12:09:51 PM, on 12/5/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\supranti\SUPERAntiSpyware.exe
C:\quic2002\QWDLLS.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\hijack\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\supranti\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\quic2002\QWDLLS.EXE
O4 - Global Startup: Billminder.lnk = C:\quic2002\BILLMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1161106391872
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www.gotomeet...ets/g2mdlax.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O20 - Winlogon Notify: !SASWinLogon - C:\supranti\SASWINLO.dll
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 3119 bytes
--------- End Logfile of Trend Micro HijackThis v2.0.2 ----------
End post.
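Added example (not from this thread or any of the tools it uses): a small Python triage pass over a HijackThis v2-style log in the format shown above. It pulls out the O-section entries and queues for review the ones a helper checks first: O20 DLLs loaded system-wide, O15 Trusted Zone sites, and O4/O23 autostarts that live outside Windows or Program Files. The log text is constructed (the user-profile O4 line is invented), and "flagged" means "look at it", not "malicious".

```python
import re

# Constructed HijackThis v2-style log for the demo; entries are modelled on the
# thread's logs, but the HKCU O4 line pointing into the user profile is invented.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Administrator\example_update.exe
O15 - Trusted Zone: http://*.turbotax.com
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O20 - Winlogon Notify: !SASWinLogon - C:\supranti\SASWINLO.dll
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First Windows path to an executable module on the line (quoted or not).
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|ocx)\b", re.IGNORECASE)
# Where legitimately installed software normally lives on an XP box.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

def parse_entries(log_text):
    """Return (section, text) pairs for every 'Onn - ...' line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(log_text):
    """Build a review queue of (section, reason, detail); a queue, not a verdict."""
    flagged = []
    for section, text in parse_entries(log_text):
        m = PATH_RE.search(text)
        path = m.group(0) if m else None
        outside = path is not None and not path.lower().startswith(EXPECTED_ROOTS)
        if section == "O20":
            # AppInit_DLLs load into every user-mode GUI process and Winlogon
            # Notify DLLs load into winlogon, so they get checked whatever the path.
            flagged.append((section, "DLL loaded system-wide", path))
        elif section == "O15":
            # Trusted Zone sites run with lowered IE security settings.
            flagged.append((section, "site in IE Trusted Zone", text))
        elif section in ("O4", "O23") and outside:
            flagged.append((section, "autostart outside Windows/Program Files", path))
    return flagged
```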
#10
Posted 05 December 2007 - 05:29 PM
Please download OTMoveIt by OldTimer.
- Save it to your desktop.
- Please double-click OTMoveIt.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\defruoip.tmp
C:\WINDOWS\system\wecsnd32.dll
C:\Documents and Settings\Administrator\ie_update3r.exe
- Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
- Click the red Moveit! button.
- Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
- Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
Download the Stand Alone Version of CWShredder to your desktop.
- Open CWShredder
- Check for Updates
- Close out the program. <-- Don't run it yet
Boot your computer into Safemode
- Go to Start> Shut Off your Computer> Restart
- As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly.
- This will bring up a menu.
- Use the Up and Down Arrow Keys to scroll up to SAFEMODE
- Then press the Enter on your Keyboard
Open CWShredder
- Double-click on CWShredder.exe.
- Click Fix and click OK at the prompt.
- CWShredder will scan and clean your system of CWS files.
- Click Next and then Exit .
Please download ATF Cleaner by Atribune to your desktop.
- This program is for XP and Windows 2000 only
- Double-click ATF-Cleaner.exe to run the program.
- Under Main choose: Select All
- Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected and it will be back to normal after the first or second boot-up.
Post the OTMoveIt log and a new HJT log, let me know if CWShredder found anything, and also let me know how your system is behaving now.
Edited by ken545, 05 December 2007 - 05:30 PM.
#11
Posted 07 December 2007 - 11:15 PM
12/06/07 activities & reports
1. Ran OTMoveIt, log is below.
2. Started up in Safemode, ran CWShredder, didn't find anything in its list.
3. Also in Safemode, ran ATF-Cleaner.
Selected all except History. Is this what's shown in the drop-down list when I click
on the down arrow to the right of IExplore address slot at the top? I really don't
want to lose this list. If I do have to have ATF-Cleaner purge this list, is there a
way I can save it, to a text file or something from which I can copy/paste into the
address slot?
12/07/07
4. Ran HiJackThis, log is below.
5. Plugged in the Internet connection, checked ATT mail and yahoo mail OK (were
never problems), went to a couple of newspaper sites OK, no premature shutdown
of IExplore yet. Needs more testing.
System is zippy enough. Webroot SpySweeper and an old version of Trend Real-Time Agent
are going in the background, so those reduce the "zippiness". But better no zip than
zapped.
6. Got updates from Webroot SpySweeper, ran SpySweeper, quarantined the following:
2o7.net cookie
adrevolver cookie
xiti cookie
It has done these before, among others.
---------- OTMoveIt log ----------
C:\WINDOWS\system32\defruoip.tmp moved successfully.
LoadLibrary failed for C:\WINDOWS\system\wecsnd32.dll
C:\WINDOWS\system\wecsnd32.dll NOT unregistered.
C:\WINDOWS\system\wecsnd32.dll moved successfully.
File/Folder C:\Documents and Settings\Administrator\ie_update3r.exe not found.
Created on 12/06/2007 15:16:58
---------- End OTMoveIt log ----------
---------- HiJackThis log ----------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:32 PM, on 12/7/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\Antivirus\pccguide.exe
C:\Program Files\Trend Micro\Antivirus\PCClient.exe
C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\quic2002\QWDLLS.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\hijack\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\supranti\SUPERAntiSpyware.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\quic2002\QWDLLS.EXE
O4 - Global Startup: Billminder.lnk = C:\quic2002\BILLMIND.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1161106391872
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www.gotomeet...ets/g2mdlax.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll
O20 - Winlogon Notify: !SASWinLogon - C:\supranti\SASWINLO.dll
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 3055 bytes
---------- End HiJackThis log ----------
----- End post -----
#12
Posted 08 December 2007 - 07:28 AM

You need to open IE and go to Tools> Windows Updates and download and install all critical updates including Service Pack 2 and beyond.
Or...
You can download it directly from here, or you can even order the CD free from Microsoft
http://www.microsoft...p2/default.mspx
http://support.micro...pr=windowsxpsp2 <-- Contact a support person, they offer free support for installing SP2
- How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
- Tutorial for System Restore <-- Do this first to prevent yourself from being reinfected.
- WhattheTech
- TonyKlein CastleCops
- Grinler BleepingComputer
- GeeksTo Go
- Dslreports
Take care,
Ken
#13
Posted 10 December 2007 - 03:05 PM
#14
Posted 10 December 2007 - 04:06 PM
Windows Tech Support Forums
- Windows Support <-- Our own forum
- PcPitStop <-- You can take your system in for a checkup here.
- Bleeping Computer <--Good XP Forum
- Windows Helpnet <-- Excellent XP Forum
- Hardwareguys <-- Another good one
Ken
#15
Posted 19 December 2007 - 06:18 AM