Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

watch your drag

55 Posts

2628

March 7th, 2008 21:00

Drastically slowed internet/computer found Virus/Malware HELP

-Looks like I have some type of virus/malware that I am unable to remove

-My computer has slowed dramatically as well as internet

-I am not able to open control panel/my computer files 90% of the time

-Upon startup it states "Important- Potential Errors Found"

-Opening internet often results in over 50 popups as well as notices to download certain malware removers and sometimes downloads are automatic and I have to shutdown

-I do not have anti-virus as it has expired and was removed a while back, I have ran ad-aware and found "win32.trojandownloader.zlob" I remove 4 files and every time I scan it is there again, please help..

 

Here is the HJT log

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:45 PM, on 3/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [hovymib] C:\Program Files\MSN\hovymib77798.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [BMe77c23fd] Rundll32.exe "C:\WINDOWS\system32\cjgihcbd.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\Jonathan\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\Jonathan\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 7835 bytes

 

 

markamus

435 Posts

March 7th, 2008 22:00

Hi watch your drag,

Welcome to DCF.

1. Download this file - combofix.exe and save it to your Desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

watch your drag

55 Posts

March 8th, 2008 04:00

hey markamus, thanks for the quick reply!

 

i believe that in the combofix log it states that no hidden malware was found, however when I shut off the computer a "ending program" box appears with "ShellconHiddenWindow" as the title, don't know if that is relevant, but thought it may help.. look forward to your reply Markamus...

 

here is the log:

 

ComboFix 08-03-07.4 - Jason 2008-03-07 22:05:01.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.210 [GMT -8:00]
Running from: C:\Documents and Settings\Jason\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jonathan\My Documents\ECURIT~1
C:\Documents and Settings\Jonathan\My Documents\ECURIT~1\?ecurity\
C:\Documents and Settings\Jonathan\My Documents\ECURIT~1\dexplore.exe
C:\Program Files\curity~1
C:\Program Files\curity~1\c?rss.exe
C:\Program Files\JavaCore
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\NoDNS
C:\Program Files\NoDNS\NoDNS.exe
C:\Program Files\NoDNS\UnInstall.exe
C:\Program Files\outerinfo
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERIns.exe
C:\Program Files\xInsIDE
C:\Program Files\xInsIDE\xInsIDE.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\BMe77c23fd.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aakeoyge.dll
C:\WINDOWS\system32\adeeg.ini2
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\bwagwhqo.dll
C:\WINDOWS\system32\bxwuwdny.ini
C:\WINDOWS\system32\cjgihcbd.dll
C:\WINDOWS\system32\crglaoel.dll
C:\WINDOWS\system32\eauqjcjr.ini
C:\WINDOWS\system32\efhkj.ini2
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\fmwjxeno.dll
C:\WINDOWS\system32\gebxwvw.dll
C:\WINDOWS\system32\hjjphejm.dll
C:\WINDOWS\system32\ltrmguxo.dll
C:\WINDOWS\system32\mvshydk.dll
C:\WINDOWS\system32\orutv.ini
C:\WINDOWS\system32\orutv.ini2
C:\WINDOWS\system32\qehepxtk.dll
C:\WINDOWS\system32\qrutv.ini
C:\WINDOWS\system32\qrutv.ini2
C:\WINDOWS\system32\qulponmv.ini
C:\WINDOWS\system32\spvlbpjx.dll
C:\WINDOWS\system32\ststv.ini
C:\WINDOWS\system32\ststv.ini2
C:\WINDOWS\system32\tdwegiek.dll
C:\WINDOWS\system32\vmnopluq.dll
C:\WINDOWS\system32\vnkgygvq.dll
C:\WINDOWS\system32\vturq.dll
C:\WINDOWS\system32\wgywcnou.dll
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\yndwuwxb.dll
C:\WINDOWS\system32\ytslevrl.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_NETWORK_MONITOR


(((((((((((((((((((((((((   Files Created from 2008-02-08 to 2008-03-08  )))))))))))))))))))))))))))))))
.

2008-03-07 15:22 . 2008-03-07 15:22 

 d-------- C:\Program Files\Trend Micro
2008-03-06 00:37 . 2008-03-07 00:39 6,400,038 ---hs---- C:\WINDOWS\system32\tstlylve.ini
2008-03-05 00:33 . 2008-03-06 00:34 4,365,118 ---hs---- C:\WINDOWS\system32\kskohfyh.ini
2008-03-03 16:56 . 2008-03-05 00:28 2,334,423 ---hs---- C:\WINDOWS\system32\qresvcfj.ini
2008-02-29 10:23 . 2008-03-07 22:04 31,612 ---hs---- C:\WINDOWS\system32\hjjphejm.dllbox
2008-02-29 10:15 . 2008-02-29 10:15 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-29 09:00 . 2008-02-29 10:15   d-------- C:\VundoFix Backups
2008-02-28 19:04 . 2008-02-28 19:04   d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-28 19:04 . 2008-02-28 19:35   d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-28 17:55 . 2008-02-28 17:55   d-------- C:\Program Files\Lavasoft
2008-02-28 17:55 . 2008-02-28 17:55   d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 17:53 . 2008-02-28 17:53   d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-28 17:06 . 2008-02-28 17:06   d-------- C:\Documents and Settings\Jason\Application Data\Uniblue
2008-02-28 07:34 . 2008-02-28 07:34   d-------- C:\Documents and Settings\Guest\Application Data\DivX
2008-02-28 04:35 . 2008-02-28 19:39   d--hs---- C:\WINDOWS\SmFzb24
2008-02-28 04:24 . 2008-02-28 04:24   d-------- C:\WINDOWS\uziq
2008-02-28 04:24 . 2008-02-28 18:58   d-------- C:\Program Files\Common Files\uziq
2008-02-27 04:08 . 2008-02-27 02:08 50,176 --------- C:\WINDOWS\b153.exe_old
2008-02-25 07:00 . 2008-02-25 05:00 81,920 --------- C:\WINDOWS\b154.exe_old
2008-02-20 09:02 . 2008-02-20 07:02 101,376 --------- C:\WINDOWS\b152.exe_old

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 09:46 --------- d-----w C:\Program Files\Warcraft III
2008-02-29 17:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-02-29 04:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-29 04:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-29 01:33 --------- d-----w C:\Program Files\Viewpoint
2008-02-29 01:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-29 01:23 --------- d-----w C:\Documents and Settings\Jason\Application Data\Lavasoft
2008-02-29 01:02 --------- d-----w C:\Documents and Settings\Jason\Application Data\DivX
2008-02-22 03:10 --------- d-----w C:\Program Files\Bodog Poker
2008-02-04 22:41 --------- d-----w C:\Documents and Settings\Jason\Application Data\AdobeUM
2008-02-02 03:06 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\Corel
2008-01-28 07:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2007-02-04 12:20 44,240 ----a-w C:\Documents and Settings\Jonathan\Application Data\GDIPFONTCACHEV1.DAT
2005-07-30 00:24 472 --sha-r C:\WINDOWS\SmFzb24\mAIWvZb.vbs
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7663FD3-7A48-4BA5-A1DA-62A2229A174A}]
   C:\WINDOWS\system32\vtsts.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E167D4D0-3263-4D1C-98F2-7F09184D7AE5}]
   C:\WINDOWS\system32\vturo.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-06-07 12:53 61440]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 13:46 135168]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48 32881]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 22:20 339968 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 19:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 14:19 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 08:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 17:20 8192]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 09:06 106496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-01 13:09 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-04 13:18 185896]
"hovymib"="C:\Program Files\MSN\hovymib77798.exe" [ ]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16 1121792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 09:59:36 806912]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\ijji\\ENGLISH\\u_sf\\soldierfront.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=

S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 22:18:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MSControlService]
"ImagePath"="C:\WINDOWS\system32\windows"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
.
**************************************************************************
.
Completion time: 2008-03-07 22:22:09 - machine was rebooted
ComboFix-quarantined-files.txt  2008-03-08 06:22:06
.
2008-02-13 11:02:36 --- E O F --- 

markamus

435 Posts

March 8th, 2008 05:00

Hi watch your drag,

Delete bad services
Please copy (Ctrl+C) and paste (Ctrl+V) the following bolded blue text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat Please save it on your desktop.

@echo off
sc MSControlService
sc MSControlService
exit

Double click FixServices.bat. A window will open and close. This is normal.
----------------------------------------------------------------------------------------------

Open Notepad again and copy/paste the bolded blue text into the window:

File::
C:\WINDOWS\system32\tstlylve.ini
C:\WINDOWS\system32\kskohfyh.ini
C:\WINDOWS\system32\qresvcfj.ini
C:\WINDOWS\system32\hjjphejm.dllbox
C:\WINDOWS\b153.exe_old
C:\WINDOWS\b154.exe_old
C:\WINDOWS\b152.exe_old
C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\vturo.dll


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7663FD3-7A48-4BA5-A1DA-62A2229A174A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E167D4D0-3263-4D1C-98F2-7F09184D7AE5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hovymib"=-

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

In your next reply, please include the following:
  • The new Combofix log
  • A fresh HijackThis log
  • A description of how the PC is running

watch your drag

55 Posts

March 8th, 2008 20:00

hi there markamus,

 

per the instructions for creating the FixServices notepad file, after I save it as all files on my desktop under FixServices.bat name, I double click it and it does open a window but does not close automatically, it asks:

 

"would you like to see help for the QUERY and QUERYEX commands y/n?"


I would like to know about this before I continue, thanks again for your help

markamus

435 Posts

March 8th, 2008 20:00

Hi watch your drag,

My apologies. It seems as though the forum software stripped out part of that fix and I just now noticed it.

Repeat those steps, posting the following into Notepad:

@echo off
sc stop MSControlService
sc delete MSControlService
exit

 Then continue with the rest of the fix.

watch your drag

55 Posts

March 8th, 2008 21:00

Hey Markamus,

 

Thanks again for the help!, here are the logs..

 

ComboFix Log

 

ComboFix 08-03-07.4 - Jason 2008-03-08 15:00:10.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.245 [GMT -8:00]
Running from: C:\Documents and Settings\Jason\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jason\Desktop\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\b152.exe_old
C:\WINDOWS\b153.exe_old
C:\WINDOWS\b154.exe_old
C:\WINDOWS\system32\hjjphejm.dllbox
C:\WINDOWS\system32\kskohfyh.ini
C:\WINDOWS\system32\qresvcfj.ini
C:\WINDOWS\system32\tstlylve.ini
C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\vturo.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\b152.exe_old
C:\WINDOWS\b153.exe_old
C:\WINDOWS\b154.exe_old
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M0611NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UGDC_0001_N122M2802NetInstaller.exe
C:\WINDOWS\system32\hjjphejm.dllbox
C:\WINDOWS\system32\kskohfyh.ini
C:\WINDOWS\system32\qresvcfj.ini
C:\WINDOWS\system32\tstlylve.ini

.
(((((((((((((((((((((((((   Files Created from 2008-02-08 to 2008-03-08  )))))))))))))))))))))))))))))))
.

2008-03-07 15:22 . 2008-03-07 15:22 

 d-------- C:\Program Files\Trend Micro
2008-02-29 10:15 . 2008-02-29 10:15 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-02-29 09:00 . 2008-02-29 10:15   d-------- C:\VundoFix Backups
2008-02-28 19:04 . 2008-02-28 19:04   d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-28 19:04 . 2008-02-28 19:35   d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-28 17:55 . 2008-02-28 17:55   d-------- C:\Program Files\Lavasoft
2008-02-28 17:55 . 2008-02-28 17:55   d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 17:53 . 2008-02-28 17:53   d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-28 17:06 . 2008-02-28 17:06   d-------- C:\Documents and Settings\Jason\Application Data\Uniblue
2008-02-28 07:34 . 2008-02-28 07:34   d-------- C:\Documents and Settings\Guest\Application Data\DivX
2008-02-28 04:35 . 2008-02-28 19:39   d--hs---- C:\WINDOWS\SmFzb24
2008-02-28 04:24 . 2008-02-28 04:24   d-------- C:\WINDOWS\uziq
2008-02-28 04:24 . 2008-02-28 18:58   d-------- C:\Program Files\Common Files\uziq

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-08 10:54 --------- d-----w C:\Program Files\Warcraft III
2008-02-29 17:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2008-02-29 04:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-29 04:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-29 01:33 --------- d-----w C:\Program Files\Viewpoint
2008-02-29 01:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-29 01:23 --------- d-----w C:\Documents and Settings\Jason\Application Data\Lavasoft
2008-02-29 01:02 --------- d-----w C:\Documents and Settings\Jason\Application Data\DivX
2008-02-22 03:10 --------- d-----w C:\Program Files\Bodog Poker
2008-02-12 05:12 4,704 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-04 22:41 --------- d-----w C:\Documents and Settings\Jason\Application Data\AdobeUM
2008-02-02 03:06 --------- d-----w C:\Documents and Settings\Jonathan\Application Data\Corel
2008-01-28 07:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-14 19:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-02-04 12:20 44,240 ----a-w C:\Documents and Settings\Jonathan\Application Data\GDIPFONTCACHEV1.DAT
2005-07-30 00:24 472 --sha-r C:\WINDOWS\SmFzb24\mAIWvZb.vbs
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-06-07 12:53 61440]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09 460784]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 13:46 135168]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 15:48 32881]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 22:20 339968 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 19:05 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 14:19 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-05 23:05 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 08:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 08:44 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 17:20 8192]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-08-31 09:06 106496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-01 13:09 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-04 13:18 185896]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 16:16 1121792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 09:59:36 806912]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\ijji\\ENGLISH\\u_sf\\soldierfront.exe"=
"C:\\ijji\\ENGLISH\\u_gbound.exe"=


*Newly Created Service* - GTNDIS5
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-08 15:03:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-08 15:04:19
ComboFix-quarantined-files.txt  2008-03-08 23:04:17
ComboFix2.txt  2008-03-08 06:22:10
.
2008-02-13 11:02:36 --- E O F --- 

 

HijackThis Log

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:50 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\Jonathan\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\Jonathan\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\Program Files\PartyGaming\PartyBingo\RunBingo.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 8086 bytes

 

Now the computer is running MUCH better, much quicker than before and it seems I am rid of those pesky popups.. I'm going to do an adaware scan and see if it finds anything..


Also, if I am finished here with the fixes I'd like to know what you recommend as far as antivirus software goes.. I am currently not running anything as my MCafee expired quite some time ago, I appreciate your help and feedback.

watch your drag

55 Posts

March 8th, 2008 21:00

Markamus,

 

I have fixed those "trusted zone" files through HJT as I never saved those personally. As for the file you asked me to scan through the site... "C:\WINDOWS\SmFzb24\mAIWvZb.vbs"

 

I am not able to locate it for some reason?

markamus

435 Posts

March 8th, 2008 21:00

Hi watch your drag,

If you did not knowingly put these in your trusted zone, have HijackThis fix them:

O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
---------------------------------------------------------------------

Please visit this link http://virusscan.jotti.org/
* Click the Browse... button
* Navigate to the following file C:\WINDOWS\SmFzb24\mAIWvZb.vbs
* Click Open
* Please let me know the results.

watch your drag

55 Posts

March 8th, 2008 23:00

also, when I shutdown the computer, this window still pops up "Ending Program- ShellIconHiddenWindow"

 

is this something I should be worried about?

 

*edit n/m, i think it went away after i deleted musicmatch jukebox :smileyhappy:

Message Edited by watch your drag on 03-08-2008 05:52 PM

watch your drag

55 Posts

March 9th, 2008 00:00

About to follow your instructions in just a minute here, however I just ran adaware Fullsystem scan and found 22 new critical objects.. including a virus that it hasn't found before.. here are some of the objects found..

 

win32.trojandownloader.adload

virtumonde

win32.trojandownloader.small

win32.trojanclicker

markamus

435 Posts

March 9th, 2008 00:00

Regarding not being able to find the file, try this and see if you can locate it.

Show your hidden files
To enable the viewing of Hidden files follow these steps:

  2. Close all programs so that you are at your desktop.
  3. Double-click on the My Computer icon (or click Start, then select My Computer)
  4. Select the Tools menu and click Folder Options.
  5. After the new window appears select the View tab.
  6. Put a checkmark in the checkbox labeled Display the contents of system folders.
  7. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  8. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  9. Remove the checkmark from the checkbox labeled Hide protected operating system files.
  10. Press the Apply button and then the OK button and shutdown My Computer.
  11. Now your computer is configured to show all hidden files. You will reverse this process when your system is clean.
    ----------------------------------------------------------------------------------------------



Now try to upload the file and let me know how it goes.

watch your drag

55 Posts

March 9th, 2008 00:00

Markamus, here are the results from the scan for that file:

 

 

A-Squared  Found nothing
AntiVir    Found ADSPY/Isearch 
ArcaVir    Found nothing
Avast     Found VBS:Malware-gen 
AVG Antivirus    Found nothing
BitDefender    Found Adware.Isearch.D 
ClamAV    Found nothing
CPsecure    Found nothing
Dr.Web    Found nothing
F-Prot Antivirus   Found nothing
F-Secure Anti-Virus   Found nothing
Fortinet    Found Adware/Isearch 
Ikarus    Found AdWare.Isearch 
Kaspersky Anti-Virus   Found nothing
NOD32    Found nothing
Norman Virus Control   Found VBS/CommAd.A 
Panda Antivirus  Found nothing
Rising Antivirus  Found nothing
Sophos Antivirus   Found nothing
VirusBuster    Found nothing
VBA32    Found nothing

watch your drag

55 Posts

March 9th, 2008 01:00

many of the flagged files were located in System Volume Information, I've deleted them with Adaware, but will scan again to see if they are still present.. also, I've tried to look into that folder but access is denied. The Ewido Malware scan logfile/HJT log will follow shortly.. The download is taking quite some time..

 

*edit

 

looks like the scan is going to take longer than expected, will post details in a couple of hours, thanks for your help Markamus :robothappy:

Message Edited by watch your drag on 03-08-2008 07:40 PM

markamus

435 Posts

March 9th, 2008 01:00

Hi watch your drag,

Where were the files located that the system scan was flagging?

Using Windows Explorer
  • (Right click on "Start," select "Explore," and you will see the "tree' of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
Locate and Delete the following folder

C:\WINDOWS\ SmFzb24
----------------------------------------------------------------------------------------------



Please perform an Ewido Online Malware Scan
  • When a dialog box appears asking you if you would like to download and install the ewido anti-spyware online scanner please click Yes to allow the download.
  • Click on Start Scan.
  • after the scan completes i twill produce a log for you, copy and paste the results of that scan as a reply to this thread
  • If any infections are found, (After you save the logfile), Click on Remove Infections.

In your next reply, please include the following:
  • The Ewido online scan log
  • A fresh Hijackthis log
  • A description of how the PC is running

markamus

435 Posts

March 9th, 2008 01:00

No problem, take your time.

Anything found in System Volume Information poses no threat. If you can, find out the exact location of the files being flagged and I will check them just to be sure.


Was this post helpful?

View All

No Events found!

Top