Unsolved

October 17th, 2005 11:00

worms/trojans - can't remove | UPDATED!! new log

With the Norton online scan I noticed that I had 2 worms/trojans: W32.Esbot.A and W32.Zotob.E.

I searched in a couple of forums for how to remove them, but none of their help worked. I read about them and found out that Esbot.A crashes the Windows Plug and Play function and Zotob.E restarts the computer if the Plug and Play function crashes..

Here's my HJT log:
 
Logfile of HijackThis v1.99.1
Scan saved at 14:00:14, on 17-10-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Norman\bin\ZLH.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Norman\Npf\BIN\NPFSVICE.EXE
C:\Norman\Bin\Zanda.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Norman\Nvc\BIN\NIP.EXE
C:\Norman\Npf\BIN\npfmsg2.exe
C:\Norman\Nvc\bin\nvcoas.exe
C:\Norman\bin\NJEEVES.EXE
C:\Norman\Nvc\BIN\NVCSCHED.EXE
C:\Norman\Nvc\BIN\nipsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Norman\Nvc\bin\cclaw.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\ALCFDRTM.EXE
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [Norman ZANDA] C:\Norman\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129545872000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Norman\bin\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\Norman\Npf\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\Norman\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\Norman\Nvc\BIN\NVCSCHED.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
 
 
 
Regards, Benjamin

Message Edited by XuRyZ on 10-18-2005 10:09 AM

3 Apprentice


15.2K Posts

October 17th, 2005 12:00

Have you tried the "dedicated"/specialized Symantec removal tools?
 
 
for esbot:
 
 
for zotob:
 
 
After you use these (per instructions), post another log, and let us know if you notice any differences.

14 Posts

October 18th, 2005 09:00

Hmm, I tried the programs, but they said that I didn't have the worms.. It's really confusing me.

I've got Norton in the meanwhile, some sort of trial that came with my ASUS motherboard.

New log:
 
Logfile of HijackThis v1.99.1
Scan saved at 12:53:10, on 18-10-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
C:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Norton AntiVirus\navapsvc.exe
C:\Programmer\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmer\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129545872000
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programmer\Norton AntiVirus\navapsvc.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programmer\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programmer\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FLLESF~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
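
Reading the two HijackThis logs above by hand is error-prone, so here is an added example (not part of the original thread and not HijackThis code) that parses O4/O18/O23 lines and flags the things a helper looks at first: entries whose file is missing (leftovers such as the Norman NipSvc service and the msnim protocol handler after a product was uninstalled), services whose binary carries no company name (HJT prints "Unknown owner"), 8.3 short paths such as PROGRA~1 that hide the real folder, and the KernelFaultCheck/dumprep entry Windows adds after a crash. The sample lines are copied from the logs above; the flagging rules are my own heuristics, not HJT's.

```python
import re
from dataclasses import dataclass, field

# Sample lines copied from the HijackThis logs in this thread (constructed subset).
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Norman ZANDA - Unknown owner - C:\Norman\Bin\Zanda.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SHORT_NAME = re.compile(r"~\d")          # PROGRA~1 style 8.3 path component


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def triage_hjt(log_text):
    """Return the HJT entries worth a second look, with the reason for each (heuristic)."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        name, path, reasons = body.split(" - ", 1)[0], body, []
        if sec == "O23":
            s = O23_RE.match(body)
            if s:
                name, path = s.group("name"), s.group("path")
                if s.group("owner") == "Unknown owner":
                    reasons.append("service binary has no company name (HJT: Unknown owner)")
        elif sec == "O4":
            s = O4_RE.match(body)
            if s:
                name, path = s.group("name"), s.group("cmd")
                if "dumprep" in path.lower():
                    reasons.append("KernelFaultCheck: Windows queued a crash report, so the box bugchecked recently")
        if "(file missing)" in body:
            reasons.append("orphaned: registered file is no longer on disk")
        if SHORT_NAME.search(path):
            reasons.append("8.3 short path hides the real folder; expand it (dir /x) before judging")
        if reasons:
            findings.append(Finding(sec, name, path, reasons))
    return findings


def report(findings):
    """One line per finding, in log order."""
    return ["%s %s -> %s" % (f.section, f.name, "; ".join(f.reasons)) for f in findings]


if __name__ == "__main__":
    for line in report(triage_hjt(SAMPLE_HJT_LOG)):
        print(line)
```

Run against the second log above it flags five of the six sample lines and leaves the signed NVIDIA service alone; an "(file missing)" service or protocol handler is dead weight that can be removed, while "Unknown owner" only means the binary carries no version information and still needs a look at the file itself.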


 

3 Apprentice


15.2K Posts

October 18th, 2005 16:00

I'll try to see if I can get someone else to step in to consider the remainder of your log...

14 Posts

October 18th, 2005 17:00

Many thanks :)

5.9K Posts

October 18th, 2005 23:00

Since nothing is showing, let's try Sysinternals RootkitRevealer and see if it finds anything.
 
 
Also silent runners.vbs from
 
 
and run it per
 
 
Then post its log too. It may need to be broken into two separate posts.
 
Also Start, Run, sigverif, OK, then press Start when the program comes up. When it finishes, what does it find?
 
Ron
 

14 Posts

October 19th, 2005 08:00

RootkitRevealer results:
 
 
And the Silent Runners log:
 
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Programmer\Messenger\msmsgs.exe" /background" [MS]
"MsnMsgr" = ""C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"NAV CfgWiz" = ""C:\Programmer\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"" ["Symantec Corporation"]
"SunJavaUpdateSched" = "C:\Programmer\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}\(Default) = "NAV Helper"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Kontrolpanel-udvidelse til skærmpanorering"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal-ikon"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\WinRAR\rarext.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Landskab.bmp"

Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{C4069E3A-68F1-403E-B40E-20066696354B}" = "Norton AntiVirus" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{C4069E3A-68F1-403E-B40E-20066696354B}" = "Norton AntiVirus"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Programmer\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Programmer\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 26 seconds, including 18 seconds for message boxes)

14 Posts

October 19th, 2005 08:00

There is also a weird error box appearing where I can send the error report.
 
The error is "Microsoft Windows", and when I click to read the error details it says: operating system version and the computer's hardware together with the computer's IP address.
 
And the error signature is:
 

BCCode : 1000008e BCP1 : C0000005 BCP2 : 80629D5C BCP3 : F44D78BC

BCP4 : 00000000 OSVer : 5_1_2600 SP : 2_0 Product : 768_1

When I send the report to Windows, it opens an IE window and says that it is a device driver error.

http://oca.microsoft.com/en/response.aspx?SGD=2f398104-4655-4b4f-bfae-0ab0955d285c&SID=10

PS. Sorry for the bad translation from my language to English. Hope you can understand it :D

- regards Benjamin

5.9K Posts

October 19th, 2005 13:00

Run the rootkitrevealer again and open the first column so I can see the full path that it is complaining about.
 
Also Start, Run, eventvwr.msc, OK, then select System and look for red-marked events that happened since your last boot. Double-click on the event and copy the text by pressing the bottom of the three buttons, then move to a REPLY and Edit, Paste.
 
Repeat for Applications.  If you have trouble doing this in regular mode then boot into Safe Mode with Networking or without Networking (then copy the events to a  notepad file until you can get back on line).
 
Have you installed any new hardware recently?
 
Ron

14 Posts

October 19th, 2005 14:00

Sorry to type the word, but there is a freaking load of these errors (not finished yet) (http://files.upl.silentwhisper.net/upload0/many.JPG)

I grouped them and counted. There are 205 red marks and 3 yellow. Do I have to write them all down?

How do I select the errors that happened since the last boot? I think my previous post is for all the errors I could find...
 
I haven't installed any new software.. oh, I turned my floppy cable so the floppy disk worked.. but that shouldn't kill my computer?

Message Edited by XuRyZ on 10-19-2005 10:43 AM

14 Posts

October 19th, 2005 14:00

Sorry, I missed a point in the first post about sigverif. I searched with the program and it came back with the following result:

http://files.upl.silentwhisper.net/upload4/sigverif.JPG

Then I ran RootkitRevealer again, but this time I turned off "Hide standard NTFS metadata files"
 
and it came back with this result:
 
 
 
Some translation from Danish to English (too lazy to correct the really common words):
 
fejl = error
klokkeslæt = time
dato = date
hændelse = event
ikke tilgængelig = not accessible
beskrivelse = description
fejlkode = error code
Yderligere oplysninger finder du under Hjælp og support på =
 
other information can be found under Help and Support on:
____
 
Here are my eventvwr.msc results:
 
number 1)
 
Event type: Error
Event source: System Error
Event category: (102)
Event ID: 1003
Date:  19-10-2005
Time:  16:49:37
User:  not accessible (think it's spelled that way...)
Computer: ECS-BA
Description:
Error code 10000050, parameter 1 fff5b308, parameter 2 00000001, parameter 3 bfa5b0df, parameter 4 00000000.
Further information can be found under Help and Support at:
  http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45   System E
0008: 72 72 6f 72 20 20 45 72   rror  Er
0010: 72 6f 72 20 63 6f 64 65   ror code
0018: 20 31 30 30 30 30 30 35    1000005
0020: 30 20 20 50 61 72 61 6d   0  Param
0028: 65 74 65 72 73 20 66 66   eters ff
0030: 66 35 62 33 30 38 2c 20   f5b308,
0038: 30 30 30 30 30 30 30 31   00000001
0040: 2c 20 62 66 61 35 62 30   , bfa5b0
0048: 64 66 2c 20 30 30 30 30   df, 0000
0050: 30 30 30 30               0000   
 
number 2 (this is a warning sign)

Event type: Warning
Event source: Tcpip
Event category: None
Event ID: 4226
Date:  19-10-2005
Time:  16:41:27
User:  not accessible
Computer: ECS-BA
Description:
TCP/IP has reached the safety limit on the number of simultaneous attempts to establish TCP connections.

Further information can be found under Help and Support at: http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 01 00 54 00   ......T.
0008: 00 00 00 00 82 10 00 80   ....‚..€
0010: 01 00 00 00 00 00 00 00   ........
0018: 00 00 00 00 00 00 00 00   ........
0020: 00 00 00 00 00 00 00 00   ........

error 3)

Event type: Error
Event source: DCOM
Event category: None
Event ID: 10010
Date:  19-10-2005
Time:  16:33:58
User:  ECS-BA\XuRyZ
Computer: ECS-BA
Description:
The server {AF24674E-2204-438D-8092-E3424E2399D8} did not get recognized by DCOM within the desired period of time.
Further information can be found under Help and Support at:

error 4)

Event type: Error
Event source: System Error
Event category: (102)
Event ID: 1003
Date:  19-10-2005
Time:  15:06:48
User:  not accessible
Computer: ECS-BA
Description:
Error code 1000000a, parameter 1 00679efc, parameter 2 00000002, parameter 3 00000001, parameter 4 80521bfb.
Further information can be found under Help and Support at:
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45   System E
0008: 72 72 6f 72 20 20 45 72   rror  Er
0010: 72 6f 72 20 63 6f 64 65   ror code
0018: 20 31 30 30 30 30 30 30    1000000
0020: 61 20 20 50 61 72 61 6d   a  Param
0028: 65 74 65 72 73 20 30 30   eters 00
0030: 36 37 39 65 66 63 2c 20   679efc,
0038: 30 30 30 30 30 30 30 32   00000002
0040: 2c 20 30 30 30 30 30 30   , 000000
0048: 30 31 2c 20 38 30 35 32   01, 8052
0050: 31 62 66 62               1bfb   
Error 5)
 
Event type: Error
Event source: System Error
Event category: (102)
Event ID: 1003
Date:  19-10-2005
Time:  15:06:41
User:  not accessible
Computer: ECS-BA
Description:
Error code 1000000a, parameter 1 002187b8, parameter 2 00000002, parameter 3 00000000, parameter 4 804f9a84.
Further information can be found under Help and Support at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45   System E
0008: 72 72 6f 72 20 20 45 72   rror  Er
0010: 72 6f 72 20 63 6f 64 65   ror code
0018: 20 31 30 30 30 30 30 30    1000000
0020: 61 20 20 50 61 72 61 6d   a  Param
0028: 65 74 65 72 73 20 30 30   eters 00
0030: 32 31 38 37 62 38 2c 20   2187b8,
0038: 30 30 30 30 30 30 30 32   00000002
0040: 2c 20 30 30 30 30 30 30   , 000000
0048: 30 30 2c 20 38 30 34 66   00, 804f
0050: 39 61 38 34               9a84   
error 6)
 
Event type: Error
Event source: System Error
Event category: (102)
Event ID: 1003
Date:  19-10-2005
Time:  14:47:55
User:  Not available
Computer: ECS-BA
Description:
Error code 10000050, parameter 1 ff0ecf88, parameter 2 00000001, parameter 3 bfa5b0df, parameter 4 00000000.
Further information can be found under Help and Support at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45   System E
0008: 72 72 6f 72 20 20 45 72   rror  Er
0010: 72 6f 72 20 63 6f 64 65   ror code
0018: 20 31 30 30 30 30 30 35    1000005
0020: 30 20 20 50 61 72 61 6d   0  Param
0028: 65 74 65 72 73 20 66 66   eters ff
0030: 30 65 63 66 38 38 2c 20   0ecf88,
0038: 30 30 30 30 30 30 30 31   00000001
0040: 2c 20 62 66 61 35 62 30   , bfa5b0
0048: 64 66 2c 20 30 30 30 30   df, 0000
0050: 30 30 30 30               0000   
error 7)
Event type: Error
Event source: System Error
Event category: (102)
Event ID: 1003
Date:  19-10-2005
Time:  13:46:06
User:  Not available
Computer: ECS-BA
Description:
Error code 100000d1, parameter 1 751c5564, parameter 2 00000002, parameter 3 00000000, parameter 4 f66a8328.
Further information can be found under Help and Support at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45   System E
0008: 72 72 6f 72 20 20 45 72   rror  Er
0010: 72 6f 72 20 63 6f 64 65   ror code
0018: 20 31 30 30 30 30 30 64    100000d
0020: 31 20 20 50 61 72 61 6d   1  Param
0028: 65 74 65 72 73 20 37 35   eters 75
0030: 31 63 35 35 36 34 2c 20   1c5564,
0038: 30 30 30 30 30 30 30 32   00000002
0040: 2c 20 30 30 30 30 30 30   , 000000
0048: 30 30 2c 20 66 36 36 61   00, f66a
0050: 38 33 32 38               8328   
error 8)
 
Event type: Error
Event source: System Error
Event category: (102)
Event ID: 1003
Date:  19-10-2005
Time:  12:28:01
User:  Not available
Computer: ECS-BA
Description:
Error code 1000000a, parameter 1 539a1700, parameter 2 00000002, parameter 3 00000001, parameter 4 805138ec.
Further information can be found under Help and Support at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45   System E
0008: 72 72 6f 72 20 20 45 72   rror  Er
0010: 72 6f 72 20 63 6f 64 65   ror code
0018: 20 31 30 30 30 30 30 30    1000000
0020: 61 20 20 50 61 72 61 6d   a  Param
0028: 65 74 65 72 73 20 35 33   eters 53
0030: 39 61 31 37 30 30 2c 20   9a1700,
0038: 30 30 30 30 30 30 30 32   00000002
0040: 2c 20 30 30 30 30 30 30   , 000000
0048: 30 31 2c 20 38 30 35 31   01, 8051
0050: 33 38 65 63               38ec   
error 9)
 
Event type: Error
Event source: System Error
Event category: (102)
Event ID: 1003
Date:  19-10-2005
Time:  12:03:39
User:  Not available
Computer: ECS-BA
Description:
Error code 10000050, parameter 1 ef0a6000, parameter 2 00000000, parameter 3 8051f4a3, parameter 4 00000000.
Further information can be found under Help and Support at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45   System E
0008: 72 72 6f 72 20 20 45 72   rror  Er
0010: 72 6f 72 20 63 6f 64 65   ror code
0018: 20 31 30 30 30 30 30 35    1000005
0020: 30 20 20 50 61 72 61 6d   0  Param
0028: 65 74 65 72 73 20 65 66   eters ef
0030: 30 61 36 30 30 30 2c 20   0a6000,
0038: 30 30 30 30 30 30 30 30   00000000
0040: 2c 20 38 30 35 31 66 34   , 8051f4
0048: 61 33 2c 20 30 30 30 30   a3, 0000
0050: 30 30 30 30               0000   
error 10)
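
The Event ID 1003 entries above all have the same shape: a bugcheck code plus four parameters, which is the same data the Windows Error Reporting box showed as BCCode/BCP1..BCP4 two posts earlier. The following is an added example, not from the thread and not a Microsoft tool, that pulls those fields out of pasted Event Viewer text (English or Danish labels, as they appear above), strips the 0x10000000 flag the event log adds for the minidump ("_M") variant of a bugcheck, names the common XP codes, and classifies the faulting address against the 32-bit XP kernel address layout. The sample text is copied from the entries above; the address ranges are a heuristic for a default 2 GB kernel split and the region labels are my own.

```python
import re
from collections import Counter

# Constructed sample: Event ID 1003 descriptions and one WER signature, copied from this thread.
SAMPLE_EVENTS = """\
Error code 10000050, parameter 1 fff5b308, parameter 2 00000001, parameter 3 bfa5b0df, parameter 4 00000000.
Error code 1000000a, parameter 1 00679efc, parameter 2 00000002, parameter 3 00000001, parameter 4 80521bfb.
Fejlkode 10000050, parameter 1 ff0ecf88, parameter 2 00000001, parameter 3 bfa5b0df, parameter 4 00000000.
Fejlkode 100000d1, parameter 1 751c5564, parameter 2 00000002, parameter 3 00000000, parameter 4 f66a8328.
BCCode : 1000008e BCP1 : C0000005 BCP2 : 80629D5C BCP3 : F44D78BC BCP4 : 00000000
"""

# Bugcheck name and the index (0-3) of the parameter that holds the faulting instruction address.
BUGCHECKS = {
    0x0A: ("IRQL_NOT_LESS_OR_EQUAL", 3),
    0x50: ("PAGE_FAULT_IN_NONPAGED_AREA", 2),
    0x7E: ("SYSTEM_THREAD_EXCEPTION_NOT_HANDLED", 1),
    0x8E: ("KERNEL_MODE_EXCEPTION_NOT_HANDLED", 1),
    0xD1: ("DRIVER_IRQL_NOT_LESS_OR_EQUAL", 3),
}

HEX = r"[0-9A-Fa-f]+"
EVENT_1003 = re.compile(
    r"(?:Error code|Fejlkode)\s+(?P<code>%s),\s*parameter 1\s+(?P<p1>%s),\s*parameter 2\s+(?P<p2>%s),"
    r"\s*parameter 3\s+(?P<p3>%s),\s*parameter 4\s+(?P<p4>%s)" % ((HEX,) * 5))
WER_SIG = re.compile(
    r"BCCode\s*:\s*(?P<code>%s)\s+BCP1\s*:\s*(?P<p1>%s)\s+BCP2\s*:\s*(?P<p2>%s)"
    r"\s+BCP3\s*:\s*(?P<p3>%s)\s+BCP4\s*:\s*(?P<p4>%s)" % ((HEX,) * 5))


def parse_bugchecks(text):
    """Extract code, name, parameters and faulting address from Event 1003 or WER text."""
    records = []
    for line in text.splitlines():
        m = EVENT_1003.search(line) or WER_SIG.search(line)
        if not m:
            continue
        code = int(m.group("code"), 16)
        params = [int(m.group(k), 16) for k in ("p1", "p2", "p3", "p4")]
        base = code & 0x0FFFFFFF          # drop the 0x10000000 "_M" (minidump) flag
        name, ip_idx = BUGCHECKS.get(base, ("UNKNOWN_0x%X" % base, None))
        records.append({"code": code, "name": name, "params": params,
                        "fault_ip": params[ip_idx] if ip_idx is not None else None})
    return records


def region(addr):
    """Rough 32-bit XP kernel address map (default 2 GB split; an assumption, not a lookup)."""
    if 0x80000000 <= addr < 0xA0000000:
        return "kernel/HAL and boot-start drivers"
    if 0xBF800000 <= addr < 0xC0000000:
        return "session space (win32k.sys, display drivers)"
    if 0xF0000000 <= addr <= 0xFFFFFFFF:
        return "system PTE space (loaded drivers)"
    if addr >= 0x80000000:
        return "other kernel space"
    return "user-mode or unmapped"


def summarize(records):
    """Group crashes by (bugcheck, region of faulting address) and spot repeated addresses."""
    with_ip = [r for r in records if r["fault_ip"]]
    by_kind = Counter((r["name"], region(r["fault_ip"])) for r in with_ip)
    ips = Counter(r["fault_ip"] for r in with_ip)
    return {"by_kind": dict(by_kind),
            "repeated_fault_ips": {ip: n for ip, n in ips.items() if n > 1}}


if __name__ == "__main__":
    recs = parse_bugchecks(SAMPLE_EVENTS)
    for r in recs:
        print("%-36s fault at 0x%08X  (%s)" % (r["name"], r["fault_ip"], region(r["fault_ip"])))
    print(summarize(recs))
```

On the five sample entries the two PAGE_FAULT_IN_NONPAGED_AREA crashes fault at the same address, 0xBFA5B0DF, in the session-space range where win32k.sys and display drivers load, while the IRQL and 0x8E crashes fault at scattered kernel addresses. A repeated address inside a known module range points at one driver; scattered addresses across unrelated modules are more typical of bad memory or of something hooking the kernel, which is why a crash dump rather than the event text is needed to settle it.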
 

5.9K Posts

October 19th, 2005 16:00

Probably enough of the events for now. I am fluent in German and spent six months in Denmark in the 70s, so I can puzzle out most of the Danish; you don't need to translate the logs. Looks like a driver problem, which could still be your worms, plus there is the TCP/IP limit reached warning which indicates something on your PC is trying really hard to contact everyone in the world. This is another worm sign.
 
The rootkitrevealer output is pretty much useless.  Those are just standard files showing up.  The first time you ran it there was a registry entry where I couldn't read the full path but I don't see that now.
 
The files I see in sigverif are all OK.  So that didn't help.
 
Start, Run, cmd, OK to bring up a cmd window and type:
 
verifier
 
That will cause a program called verifier to run at each boot until you type:
verifier /reset
 
This program inspects your drivers as they load and may give us some information about what is going wrong.
 
Also while in the cmd screen type:
 
 
c:\
dir /ogd \windows\prefetch\ >\junk2.txt
dir /ogd \windows\system32 >> \junk2.txt
dir /ogd \windows\system32\drivers >> \junk2.txt
dir /ogd \windows >>\junk2.txt
dir /ogd \windows\inf >>\junk2.txt
dir /ogd \  >>\junk2.txt
dir /ogd \"program files"  >>\junk2.txt
net start >>\junk2.txt
path >> \junk2.txt
 
(A faster way is to copy the text and paste it into notepad then save the file to your desktop as "junk.bat"  (You need the quotation marks) then double click on the file)
 
This will create a fair sized text file located at C:\junk2.txt
Send the file to me as an attachment at rkinner AT att DOT net with Subject:  DELL XuRyZ
 
That will let me see what files are on your PC in certain critical folders.  You don't want to try posting it in the forum.  Way too big for that.
 
If you are on a fast link (or are very patient) you can download mwav and install it:

 reboot into Safe Mode (F8) and run the escan(mwav) program.  Select DRIVE and SCAN ALL FILES then Clean Scan or Scan Clean (I forget the button label)
 
and let it run for a few hours - maybe overnight.  It will eventually create a log file.  It will remove anything it finds that it considers a virus or try to.  Adware it just flags in the log.  You have to go through the log for entries like:
Fri Jul 29 10:25:26 2005 => File C:\WINDOWS\System32\06wu29rd.exe tagged as not-a-virus:AdWare.F1Organizer.g. No Action Taken.

(hint: use WordPad's Edit, Find to search for: Action Taken)
then use killbox to clean the adware manually. Double-click Killbox.exe to run it.
Select "Delete on Reboot".
Place the full path  in the "Full Path of File to Delete" box in Killbox:
example:  C:\WINDOWS\System32\06wu29rd.exe
Press the red button, agree you want to delete the file but do not let it reboot yet.  Repeat for every not-a-virus entry then let it reboot after the last one.
 
You can also send me the log file but please use my gmail account:
 
rkinner AT gmail DOT com
 
Ron
 
 
 

14 Posts

October 19th, 2005 17:00

EDIT. Never mind, I got it solved.
 
I'll try it tomorrow. Bedtime for me now ;) Looking forward to the results.. I have sent you a mail? Why can't you just type it in normally? Frightened of spammers? I think I have typed it in correctly
rkinner att net??

Message Edited by XuRyZ on 10-19-2005 04:37 PM

5.9K Posts

October 19th, 2005 23:00

The funny email address is for anti spam purposes but the forum management prefers that we do not put in real email links.  I'm not worried about spammers so much since the address is 10 years old and is already known to every spammer in the world but I try and set a good example.
 
I got your email OK.  The prefetch folder shows the recent presence of several nasty items but they do not show up in the folders. 
 
WUPDMGR.EXE
WINUPDATES.EXE
EXHHL.EXE
 
Let's try dllcompare and see if it has better luck:
 
 
Also there has been a rash of stealth infections recently.  Apparently you have to boot into Safe Mode then run msconfig to see it:
 
 
Ron
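
Ron's read of the Prefetch folder relies on a property of Windows XP worth making explicit: every program that runs gets a NAME.EXE-XXXXXXXX.pf file in \WINDOWS\Prefetch, the hash suffix is derived from the executable's full path, and the .pf file's last-write time is refreshed shortly after each start, so the folder is a run history that survives deletion of the binary itself. The following is an added example, not from the thread, that parses the dir /ogd output the junk.bat batch above writes into junk2.txt, extracts the executable name, hash and last-run time from each .pf entry, and lists names that do not appear in the "Running processes" section of the HijackThis logs. The listing is constructed (Danish date and thousands formatting, as on the poster's machine) and the hash values are invented; the allow-list is taken from the HJT logs above.

```python
import re
from datetime import datetime

# Constructed "dir /ogd \windows\prefetch" output in the poster's Danish locale; hashes are invented.
SAMPLE_PREFETCH_DIR = """\
 Volume in drive C has no label.
 Directory of C:\\WINDOWS\\Prefetch

19-10-2005  16:48    <DIR>          .
19-10-2005  16:48    <DIR>          ..
11-10-2005  09:03            19.882 CTFMON.EXE-0E17969B.pf
17-10-2005  13:58            56.190 HIJACKTHIS.EXE-1A2B3C4D.pf
18-10-2005  12:41            12.004 WUPDMGR.EXE-2B3C4D5E.pf
18-10-2005  12:41            11.560 WINUPDATES.EXE-3C4D5E6F.pf
19-10-2005  16:33             9.870 EXHHL.EXE-4D5E6F70.pf
19-10-2005  16:41            33.106 CCAPP.EXE-5E6F7081.pf
19-10-2005  16:48           117.210 NTOSBOOT-B00DFAAD.pf
               7 File(s)        259.822 bytes
"""

# Image names seen in the "Running processes" section of the HijackThis logs above.
KNOWN_FROM_HJT = {"SMSS.EXE", "CSRSS.EXE", "WINLOGON.EXE", "SERVICES.EXE", "LSASS.EXE",
                  "SVCHOST.EXE", "SPOOLSV.EXE", "EXPLORER.EXE", "CCAPP.EXE", "CTFMON.EXE",
                  "NVSVC32.EXE", "IEXPLORE.EXE", "HIJACKTHIS.EXE", "WUAUCLT.EXE", "DWWIN.EXE"}

# dd-mm-yyyy  hh:mm  size  NAME-HASH.pf  (date layout follows the machine's locale: assumption)
DIR_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4})\s+(?P<time>\d{2}:\d{2})\s+(?P<size>[\d.,]+)\s+"
    r"(?P<name>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)


def parse_prefetch_listing(text):
    """Turn dir output for the Prefetch folder into name/hash/size/last_run records."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.rstrip())
        if not m:
            continue                      # headers, <DIR> rows, totals, non-.pf files
        entries.append({
            "name": m.group("name").upper(),
            "hash": m.group("hash").upper(),
            "size": int(re.sub(r"[.,]", "", m.group("size"))),
            # .pf last-write time is refreshed shortly after the program starts
            "last_run": datetime.strptime(m.group("date") + " " + m.group("time"), "%d-%m-%Y %H:%M"),
        })
    return entries


def unexpected_executables(entries, known):
    """Names that ran on the box but are not in the known process list (NTOSBOOT is the boot trace)."""
    known = {k.upper() for k in known} | {"NTOSBOOT"}
    return sorted({e["name"] for e in entries if e["name"] not in known})


def last_run_order(entries):
    """Most recently started first; useful to line executions up against the crash times."""
    return [e["name"] for e in sorted(entries, key=lambda e: e["last_run"], reverse=True)]


if __name__ == "__main__":
    pf = parse_prefetch_listing(SAMPLE_PREFETCH_DIR)
    print("not in HJT process list:", unexpected_executables(pf, KNOWN_FROM_HJT))
    print("most recent first:", last_run_order(pf))
```

The three names Ron called out fall straight out of the difference between the Prefetch names and the process list, and the last-run order lets you check whether a suspect ran just before one of the bugchecks in the event log. Because the hash is computed from the path, the same file name launched from two folders leaves two .pf files; conversely a .pf file with no matching executable on disk is exactly the "ran recently but not in the folders" situation described above.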

14 Posts

October 20th, 2005 07:00

Here is the DLLCompare log
 
*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
2.802 items found:  2.800 files, 2 directories.
Total of file sizes:  603.766.584 bytes    575,79 M
Administrator Account =  True
--------------------End log---------------------
 
I don't like the O^E says "There were no files found :)"
 
Kinda like some of the worms that infect Word, Excel and other programs.
 
But I don't know. I'm not the expert. I'll try the other winik removal
 

14 Posts

October 20th, 2005 10:00

Okay. When I rebooted now there came a blue screen where the error message was: IRQL_NOT_LESS_OR_EQUAL stop: 0x000000a 0x00D3b814, 0x000000FF, 0x00000000, 0x8054184c
 
And then I tried to start again, and then there came this error message (blue screen):
 
NV4_disp.dll address BFA6930D, base at BF9D3000, datestamp 42F00BCD
 
 