svshost.exe - taking over my computer?

Ice4 (thread starter), member with 131 posts
Join Date: Oct 2007
Experience: Beginner
08-Oct-2007, 06:41 AM #1
While online tonight, a window popped up briefly enough for me to read WINNT and 32, then my internet connection lit up even though I wasn’t pushing any buttons. I checked my task manager, and it said an application n1 was running, and a process svshost.exe was very active. I immediately unplugged my internet connection and n1 disappeared, though svshost.exe continued. At this point I realized that my firewall (Kerio Free, which doesn’t always startup automatically) wasn’t on, so I turned it on. I went back online, and the same thing happened again: WINNT window flashed briefly, application n1 appeared in task manager, along with another application, something-something-browse, and in processes svshost continued to run, along with aff.exe and rvv.exe. I unplugged my internet connection and all but svshost went away.

I ran a scan of the entire WINNT folder with AVG Free, then scanned with both AdAware and Spybot, though both have not been updated in some time (I didn’t want to go back online, since I don’t know what risks I’m taking with this bug - I'm using a different computer right now). AdAware found one item, which I don’t remember, but it was a tracking cookie. Spybot found a bunch more tracking cookies (WebTrends live, BFast, DoubleClick, HitBox, HitsLink, MediaPlex, Statcounter, Tradedoubler, and Zedo) and the following I’ve never seen before during a scan:
Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify
Microsoft.WindowsSecurityCenter.AntiVirusOverride
Microsoft.WindowsSecurityCenter.FirewallDisabled
Microsoft.WindowsSecurityCenter.FirewallDisabledNotify
Microsoft.WindowsSecurityCenter.FirewallOverride
Microsoft.WindowsSecurityCenter.SP2Update
Microsoft.WindowsSecurityCenter.UpdateDisableNotify
Microsoft.WindowsSecurityCenter_disabled

Spybot says it fixed these problems, but the task manager indicates that svshost is still running, though seems to be using a little less CPU than before, while my firewall is using up most of the rest.

I was going to do a scan with the AVG AS (formerly Ewido) and Kaspersky online scanners, but since this bug seems to be very active the moment I'm online, I wonder if I need to stay offline and figure out how to remove it manually?

I tried to search for svshost on my computer to see if I could tell when it was created, but Windows Explorer told me the file couldn't be accessed offline, and asked whether I wanted to connect (I clicked on "stay offline"). I tried some other searches and there were a lot of things it didn't find even though I was looking at the file right in front of me. Every once in a while it opened up a notepad, but mostly it either ignored my query, or told me that whatever I was looking for (including complete gibberish) couldn't be accessed offline.

I poked around a bit manually to see if I could find any files that have been modified lately without my knowledge, and found that the drivers file in WINNT/system32 was modified around the time of the second attack tonight, though I see no evidence in the folder itself. Also in system32, a file called "i", which has a Windows logo, was created just before the attack.

I looked up svshost on the internet, and it appears to be a virus, though there are the usual warnings about being careful when messing with the operating system, since some bugs use the names of necessary programs. So I'm wondering if this is definitely a bug, or is there a possibility that this is normal? I found only mention of it as a bug, no explanation of how it might be useful. I tried to end the process in my task manager, but it told me "Unable to Terminate Process - The operation could not be completed. Access is denied" and the screen went black for a moment.

I've looked through this and other forums, but I'm simply not computer literate enough to make sense out of what little I was able to find about this process. I have an added limitation because my computer is very low on memory, only 128 MB RAM (and will never be more than 256, since that's all my laptop can take, though at the moment I can't afford to even upgrade to that, as I live way below the poverty line), so downloading a lot of programs isn't an option for me anymore. I can only download very very small programs.

I've noticed that on almost all the support forums I've visited people are posting HijackThis logs. I'm sorry, but I don't know what that is, and whether or not this is something I'm equipped to provide. Could someone please help me with this? I'm largely housebound due to disability and rely quite heavily on this equally disabled little machine for day to day functioning.

Thanx so much.


P.S. I'm on a laptop running Windows 2000 Pro, with 128 MB RAM, with Sunbelt/Kerio free firewall, AVG Free, AdAware, Spybot S&D, using Firefox with Adblock and SiteAdvisor.

Last edited by Ice4; 08-Oct-2007 at 06:58 AM.

dvk01 (Derek), Moderator & Malware Removal Specialist with 45,148 posts, authorized to help remove malware
Join Date: Dec 2002
Location: Loughton, Essex, UK
08-Oct-2007, 08:32 AM #2
Go to here and download the 'Hijack This!' self installer. Save it to the desktop or other suitable place. DO NOT just press run from the website. Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu.
Click on the entry in the start menu to run HijackThis.
Click the "Scan" button; when the scan is finished the scan button will become "Save Log". Click that and save the log.
Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | How to protect yourself and other Security Advice
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue
Ice4 (thread starter), member with 131 posts
Join Date: Oct 2007
Experience: Beginner
09-Oct-2007, 04:06 AM #3
Thanks for the easily understandable instructions. Much appreciated. Here’s the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:08 AM, on 10/9/2007
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svshost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINNT\System32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\My Downloads\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/235c8830...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124268309540
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Storage Accounts Manager - Unknown owner - C:\WINNT\system32\svshost.exe

--
End of file - 4269 bytes

FYI:
While I downloaded HijackThis, svshost went back in motion, same window opened, the two applications n1 and browse started running. I stopped task on both applications and they didn’t come back until I logged on again to send this and the same thing happened again. I had to re-log in later because this forum wasn't up and running, and when it happened again, browse ran again, but this time the other application was just called 1.

Thanx for helping me.
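An added example, not part of this thread and not code from HijackThis or the helpers here: a small Python triage script that runs over a handful of lines copied from the logs posted in this thread (the O17 line comes from the later log) and flags the three things a helper would look at first in such a log: a running process whose name is one character off a core Windows binary (svshost.exe next to the legitimate svchost.exe), an O23 service listed with "Unknown owner", and an O17 entry that overrides the interface's DNS servers. The list of core process names, the regular expressions and the function names are my own assumptions, not part of the HijackThis format specification.

```python
import re
from typing import Dict, List, Tuple

# Sample input: lines copied from the HijackThis logs posted in this thread
# (a subset of the first log; the O17 line is from the second log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svshost.exe
C:\WINNT\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3EC632F-B653-4D58-B57C-AD381ECECB0C}: NameServer = 216.126.136.250 216.126.128.40
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Storage Accounts Manager - Unknown owner - C:\WINNT\system32\svshost.exe
"""

# Core Windows NT binaries whose names malware commonly imitates.
# This list is my own assumption, not something HijackThis ships with.
CORE_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
}

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; a distance of 1 catches one-letter look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_log(text: str) -> Dict[str, List[str]]:
    """Split a HijackThis log into running-process paths and the O-numbered entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        if re.match(r"^O\d+ - ", line):
            entries.append(line)
    return {"processes": processes, "entries": entries}


def find_lookalikes(processes: List[str]) -> List[Tuple[str, str]]:
    """(path, imitated core name) for process names one edit away from a core binary."""
    hits = []
    for path in processes:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in CORE_PROCESSES:
            continue
        for core in sorted(CORE_PROCESSES):
            if levenshtein(name, core) == 1:
                hits.append((path, core))
                break
    return hits


def flag_services(entries: List[str]) -> List[Tuple[str, str]]:
    """O23 services with no recorded publisher deserve a second look."""
    hits = []
    for line in entries:
        m = O23_RE.match(line)
        if m and m.group("owner").lower() == "unknown owner":
            hits.append((m.group("name"), m.group("path")))
    return hits


def dns_overrides(entries: List[str]) -> List[List[str]]:
    """O17 entries: name servers pinned on an interface; confirm they are your ISP's."""
    found = []
    for line in entries:
        m = O17_RE.match(line)
        if m:
            found.append(m.group("servers").split())
    return found


def triage(text: str) -> Dict[str, list]:
    """Run all three checks over one log and return the findings by category."""
    log = parse_log(text)
    return {
        "lookalikes": find_lookalikes(log["processes"]),
        "unknown_services": flag_services(log["entries"]),
        "dns_overrides": dns_overrides(log["entries"]),
    }


if __name__ == "__main__":
    for category, findings in triage(SAMPLE_LOG).items():
        print(category, findings)
```

The script only points at entries worth checking; like the helper says above, nothing in a log should be fixed on the strength of a name match alone, and the DNS servers in an O17 line are only suspicious if they do not belong to the user's own provider.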
dvk01 (Derek), Moderator & Malware Removal Specialist with 45,148 posts, authorized to help remove malware
Join Date: Dec 2002
Location: Loughton, Essex, UK
09-Oct-2007, 04:44 AM #4
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.
Ice4 (thread starter), member with 131 posts
Join Date: Oct 2007
Experience: Beginner
09-Oct-2007, 06:22 AM #5
Wow. That was fascinating. Everything's running much smoother.

Here's the SDFix Report:


SDFix: Version 1.107

Run by ICE4 on Tue 10/09/2007 at 2:45a

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\dmgr.exe - Deleted
C:\WINNT\regedit.com - Deleted
C:\WINNT\system32\i - Deleted
C:\WINNT\system32\svshost.exe - Deleted
C:\WINNT\system32\TFTP1380 - Deleted
C:\WINNT\system32\TFTP672 - Deleted



Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Mon 24 Sep 2007 95,232 ...H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL0001.tmp"
Thu 14 Sep 2006 54,272 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL0003.tmp"
Wed 20 Dec 2006 61,952 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL0034.tmp"
Wed 26 Jul 2006 50,176 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL0039.tmp"
Thu 7 Jun 2007 83,968 ...H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL0042.tmp"
Sun 14 Jan 2007 65,024 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL0119.tmp"
Fri 22 Dec 2006 466,944 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL0236.tmp"
Fri 22 Dec 2006 388,096 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL0284.tmp"
Thu 5 Oct 2006 62,976 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL0328.tmp"
Mon 14 May 2007 73,728 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL0588.tmp"
Thu 5 Oct 2006 62,464 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL0653.tmp"
Thu 23 Aug 2007 86,528 ...H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL0679.tmp"
Thu 5 Oct 2006 62,976 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL0724.tmp"
Mon 7 Nov 2005 79,360 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL0787.tmp"
Thu 5 Oct 2006 64,512 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL0797.tmp"
Wed 13 Dec 2006 963,072 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL0998.tmp"
Mon 7 Nov 2005 78,848 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL1084.tmp"
Mon 24 Sep 2007 94,720 ...H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL1301.tmp"
Thu 17 May 2007 9,874,432 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL1335.tmp"
Wed 6 Jun 2007 86,528 ...H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL1579.tmp"
Thu 23 Aug 2007 87,040 ...H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL1682.tmp"
Thu 7 Jun 2007 83,968 ...H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL1684.tmp"
Mon 28 May 2007 79,872 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL1709.tmp"
Mon 7 Nov 2005 6,951,936 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL1832.tmp"
Fri 22 Dec 2006 359,936 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL2105.tmp"
Thu 14 Sep 2006 54,784 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL2193.tmp"
Thu 23 Aug 2007 88,064 ...H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL2202.tmp"
Fri 22 Dec 2006 872,448 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL2428.tmp"
Fri 22 Dec 2006 429,568 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL2437.tmp"
Fri 28 Oct 2005 163,840 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL2684.tmp"
Thu 7 Jun 2007 86,528 ...H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL2758.tmp"
Sun 4 Mar 2007 70,656 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL2796.tmp"
Thu 5 Oct 2006 63,488 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL2903.tmp"
Thu 5 Oct 2006 62,976 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL3036.tmp"
Thu 3 Nov 2005 6,982,656 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL3076.tmp"
Mon 7 Nov 2005 79,360 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL3228.tmp"
Thu 21 Dec 2006 62,976 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL3229.tmp"
Fri 22 Dec 2006 359,424 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL3313.tmp"
Sat 13 Jan 2007 62,464 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL3519.tmp"
Thu 5 Oct 2006 61,952 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL3607.tmp"
Wed 6 Jun 2007 488,960 ...H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL3635.tmp"
Sun 11 Feb 2007 64,512 A..H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL3685.tmp"
Mon 24 Sep 2007 92,672 ...H. --- "C:\Documents and Settings\XYZ\My Documents\~WRL3783.tmp"
Fri 6 Oct 2006 40,448 A..H. --- "C:\Documents and Settings\XYZ\My Documents\MCS\~WRL2947.tmp"
Fri 16 Dec 2005 54,784 A..H. --- "C:\Documents and Settings\XYZ\My Documents\MCS\~WRL3802.tmp"
Thu 15 May 2003 43,008 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Sat 30 Jul 2005 19,968 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0003.tmp"
Wed 26 Jul 2006 51,712 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0004.tmp"
Fri 22 Dec 2006 972,288 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0011.tmp"
Sun 30 Oct 2005 2,870,784 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0040.tmp"
Sun 11 Dec 2005 711,168 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0055.tmp"
Sat 11 Mar 2006 1,503,744 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0080.tmp"
Sun 2 Apr 2006 51,712 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0119.tmp"
Sun 11 Dec 2005 314,368 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0130.tmp"
Fri 22 Dec 2006 817,152 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0137.tmp"
Fri 7 Sep 2007 2,712,064 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0144.tmp"
Thu 5 Oct 2006 63,488 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0164.tmp"
Fri 7 Sep 2007 5,272,064 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0188.tmp"
Sun 29 Apr 2007 27,136 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0208.tmp"
Sun 30 Oct 2005 8,193,536 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0264.tmp"
Tue 18 Jan 2005 573,440 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0291.tmp"
Fri 22 Dec 2006 971,264 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0331.tmp"
Thu 21 Dec 2006 61,440 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0423.tmp"
Sat 30 Jul 2005 22,528 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0437.tmp"
Mon 19 Dec 2005 17,742,848 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0452.tmp"
Thu 6 Apr 2006 24,064 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0560.tmp"
Thu 23 Aug 2007 173,568 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0651.tmp"
Fri 22 Dec 2006 760,832 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0727.tmp"
Sun 30 Oct 2005 523,776 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0800.tmp"
Fri 14 Jul 2006 409,600 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0857.tmp"
Thu 23 Aug 2007 88,064 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL0891.tmp"
Sun 2 Apr 2006 44,032 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1106.tmp"
Sun 2 Apr 2006 45,568 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1108.tmp"
Fri 22 Dec 2006 970,752 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1120.tmp"
Fri 27 Jul 2007 329,728 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1184.tmp"
Fri 22 Dec 2006 969,728 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1204.tmp"
Fri 22 Dec 2006 969,728 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1206.tmp"
Wed 12 Oct 2005 58,880 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1212.tmp"
Sun 2 Apr 2006 73,728 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1213.tmp"
Thu 14 Jun 2007 803,840 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1234.tmp"
Fri 22 Dec 2006 970,752 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1246.tmp"
Fri 6 Oct 2006 35,328 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1249.tmp"
Thu 23 Aug 2007 88,064 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1295.tmp"
Thu 14 Jun 2007 163,840 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1310.tmp"
Wed 26 Jul 2006 19,456 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1356.tmp"
Wed 12 Oct 2005 41,984 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1361.tmp"
Sun 11 Dec 2005 616,960 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1373.tmp"
Sun 29 Apr 2007 71,168 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1390.tmp"
Sun 2 Apr 2006 45,568 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1394.tmp"
Sun 2 Apr 2006 36,864 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1510.tmp"
Mon 14 May 2007 74,240 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1517.tmp"
Fri 22 Dec 2006 64,000 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1566.tmp"
Sun 2 Apr 2006 28,160 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1598.tmp"
Mon 7 Nov 2005 6,928,384 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1693.tmp"
Sat 30 Jul 2005 22,016 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1733.tmp"
Fri 7 Sep 2007 4,632,064 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1739.tmp"
Fri 22 Dec 2006 372,736 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1796.tmp"
Fri 22 Dec 2006 63,488 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1843.tmp"
Fri 7 Sep 2007 2,712,064 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL1928.tmp"
Sat 11 Mar 2006 1,173,504 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL2042.tmp"
Thu 6 Apr 2006 23,040 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL2071.tmp"
Sun 2 Apr 2006 50,176 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL2081.tmp"
Sun 30 Oct 2005 1,133,056 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL2100.tmp"
Sun 11 Dec 2005 369,664 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL2117.tmp"
Fri 7 Sep 2007 37,376 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL2136.tmp"
Sun 2 Apr 2006 29,696 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL2359.tmp"
Thu 5 Oct 2006 35,328 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL2413.tmp"
Sun 11 Dec 2005 611,840 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL2500.tmp"
Thu 23 Aug 2007 724,480 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL2517.tmp"
Fri 22 Dec 2006 388,608 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL2518.tmp"
Wed 12 Oct 2005 45,056 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL2589.tmp"
Wed 12 Oct 2005 43,520 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL2604.tmp"
Sat 30 Jul 2005 21,504 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL2663.tmp"
Mon 19 Dec 2005 19,456 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL2674.tmp"
Fri 22 Dec 2006 962,048 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL2734.tmp"
Sun 29 Apr 2007 1,196,032 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL2755.tmp"
Sun 2 Apr 2006 27,136 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL2761.tmp"
Fri 22 Dec 2006 975,872 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL2772.tmp"
Wed 26 Jul 2006 1,566,208 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL2835.tmp"
Wed 12 Oct 2005 54,784 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL2885.tmp"
Sun 30 Oct 2005 524,288 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL3070.tmp"
Fri 27 Jul 2007 329,728 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL3125.tmp"
Wed 19 Jan 2005 587,776 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL3207.tmp"
Fri 13 Apr 2007 408,064 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL3276.tmp"
Sun 11 Dec 2005 710,656 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL3440.tmp"
Wed 12 Oct 2005 72,704 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL3445.tmp"
Sun 30 Oct 2005 8,193,536 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL3475.tmp"
Fri 22 Dec 2006 963,584 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL3502.tmp"
Thu 23 Aug 2007 56,832 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL3710.tmp"
Thu 14 Jun 2007 432,128 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL3741.tmp"
Fri 6 Oct 2006 166,400 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL3815.tmp"
Sun 30 Oct 2005 705,024 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL3834.tmp"
Wed 12 Oct 2005 44,032 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL4010.tmp"
Sun 30 Oct 2005 6,708,224 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL4040.tmp"
Sun 30 Oct 2005 6,707,712 ...H. --- "C:\Documents and Settings\XYZ\Application Data\Microsoft\Word\~WRL4059.tmp"
Tue 15 May 2007 47,616 A..H. --- "C:\Documents and Settings\XYZ\My Documents\EBPA\OTHER ISSUES\~WRL0074.tmp"
Tue 15 May 2007 44,544 A..H. --- "C:\Documents and Settings\XYZ\My Documents\EBPA\OTHER ISSUES\~WRL0314.tmp"
Wed 26 Jul 2006 1,073,152 A..H. --- "C:\Documents and Settings\XYZ\My Documents\EBPA\OTHER ISSUES\~WRL2009.tmp"
Tue 15 May 2007 43,520 A..H. --- "C:\Documents and Settings\XYZ\My Documents\EBPA\OTHER ISSUES\~WRL2097.tmp"
Tue 15 May 2007 45,568 A..H. --- "C:\Documents and Settings\XYZ\My Documents\EBPA\OTHER ISSUES\~WRL4085.tmp"
Thu 12 Apr 2007 407,552 ...H. --- "C:\Documents and Settings\XYZ\My Documents\EBPA\WAR\~WRL0089.tmp"
Wed 12 Oct 2005 56,320 A..H. --- "C:\Documents and Settings\XYZ\My Documents\EBPA\WEBSITE\~WRL0236.tmp"
Wed 12 Oct 2005 73,728 A..H. --- "C:\Documents and Settings\XYZ\My Documents\EBPA\WEBSITE\~WRL0363.tmp"
Wed 12 Oct 2005 74,752 A..H. --- "C:\Documents and Settings\XYZ\My Documents\EBPA\WEBSITE\~WRL0652.tmp"
Wed 12 Oct 2005 55,296 A..H. --- "C:\Documents and Settings\XYZ\My Documents\EBPA\WEBSITE\~WRL0692.tmp"
Sun 2 Apr 2006 46,080 A..H. --- "C:\Documents and Settings\XYZ\My Documents\EBPA\WEBSITE\~WRL1282.tmp"
Wed 12 Oct 2005 71,680 A..H. --- "C:\Documents and Settings\XYZ\My Documents\EBPA\WEBSITE\~WRL1826.tmp"
Wed 12 Oct 2005 55,296 A..H. --- "C:\Documents and Settings\XYZ\My Documents\EBPA\WEBSITE\~WRL2351.tmp"
Sun 2 Apr 2006 65,536 A..H. --- "C:\Documents and Settings\XYZ\My Documents\EBPA\WEBSITE\~WRL2619.tmp"
Fri 27 Jul 2007 1,184,768 ...H. --- "C:\Documents and Settings\XYZ\My Documents\Robin\Misc for Robin\~WRL2760.tmp"
Thu 6 Sep 2007 10,845,696 ...H. --- "C:\Documents and Settings\XYZ\My Documents\Robin\Robin's Garden\~WRL3597.tmp"
Thu 13 Jul 2006 276,480 A..H. --- "C:\Documents and Settings\XYZ\My Documents\EBPA\OAKLAND HILLS WPAD\2006 - Documents\~WRL1633.tmp"
Thu 13 Jul 2006 279,552 A..H. --- "C:\Documents and Settings\XYZ\My Documents\EBPA\OAKLAND HILLS WPAD\2006 - Documents\~WRL1944.tmp"
Thu 13 Jul 2006 119,296 A..H. --- "C:\Documents and Settings\XYZ\My Documents\EBPA\OAKLAND HILLS WPAD\2006 - Documents\~WRL3835.tmp"
Thu 31 Mar 2005 323,072 A..H. --- "C:\Documents and Settings\XYZ\My Documents\EBPA\OAKLAND HILLS WPAD\CITY\~WRL1239.tmp"
Sun 27 Mar 2005 597,504 A..H. --- "C:\Documents and Settings\XYZ\My Documents\EBPA\OAKLAND HILLS WPAD\GROUPS\~WRL3904.tmp"




Finished!



HijackThis Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:16 AM, on 10/9/2007
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\QuickTime\qttask.exe
C:\My Downloads\Picasa\PicasaMediaDetector.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINNT\System32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\My Downloads\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/235c8830...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124268309540
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E3EC632F-B653-4D58-B57C-AD381ECECB0C}: NameServer = 216.126.136.250 216.126.128.40
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Storage Accounts Manager - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)

--
End of file - 4402 bytes


Everything looks normal now... Is it fixed?

SDFix said to run CatchMe next. There's an icon on my desktop called catchme. Do I do anything with it?
dvk01 (Derek), Moderator & Malware Removal Specialist
10-Oct-2007, 02:49 PM #6
Double-click the catchme icon and post back the log it makes as well.

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    • In the Processes group click Non-Microsoft.
    • In the Win32 Services group click Non-Microsoft.
    • In the Driver Services group click Non-Microsoft.
    • In the Registry group click ALL.
    • In the Files Created Within group click 30 days. Make sure Non-Microsoft only is CHECKED.
    • In the Files Modified Within group select 30 days. Make sure Non-Microsoft only is CHECKED.
    • In the File String Search group select ALL.
    • In the Additional Scans section press Select All and then unselect Event Viewer. Uncheck Non-Microsoft only.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data, so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete, Notepad will open with the report file loaded in it.
  • Save that Notepad file.
Use the Reply button and attach the Notepad file here. I will review it when it comes in.
dvk01 (Derek), Moderator & Malware Removal Specialist
11-Oct-2007, 05:32 PM #7
Please do as I asked in my last post and attach the report.

This forum software mangles some entries in these logs when pasted, so we cannot use it to do a fix if we find anything.
dvk01 (Derek), Moderator & Malware Removal Specialist
11-Oct-2007, 05:34 PM #8
Download this tool to your desktop:
http://www.uploads.ejvindh.net/rootchk.exe
Run the program. After a short time a logfile will turn up. Copy the contents of the log into the thread.

Notice: Some security programs prevent the creation of dummy drivers with certain names. This may cause false positives. If the log of rootchk contains a lot of hidden drivers, you may want to turn off your security programs while rootchk is scanning (you should then unhook your network connection as well).
Ice4 (thread starter)
11-Oct-2007, 06:35 PM #9
Oh, sorry. I didn't register that you wanted me to attach it rather than paste it. I haven't done that before here, so hopefully both of the files you asked for previously are attached now...

I'll run the rootkit thing next...

Last edited by Ice4; 12-Oct-2007 at 01:52 AM..
Ice4 (thread starter)
11-Oct-2007, 07:02 PM #10
I don't see whether or not the attachment is actually attached. I'm assuming it's only visible to you? I deleted the mangled pasted posts, since it takes forever to load this page with them, and with the attachment they should now be duplicates. It is also a bit much personal information to have pasted in a public forum for my taste. Hope that was okay.

Here's the rootchk log


********************************* ROOTCHK-(21-09-07)-LOG, by ejvindh
Thu 10/11/2007 15:47:53.21

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end


catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-11 15:47:56
Windows 5.0.2195
scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

hidden processes: 0
hidden services: 0
hidden files: 0
Ice4 (thread starter)
12-Oct-2007, 01:49 AM #11
My AVG just found something related to what we're doing. I'm going to try to attach a screen shot, but am not sure I'm doing it right. In the manage attachments window it lists file under current attachments, but I see no evidence of it arriving on your end.

In case it isn't attached, the test result says:

Object: C:\WINNT\System32\drivers\etc\hosts
Result: Change
Status: Changed

Object: C:\SDFix\backups\backups.zip:\backups\svshost.exe
Result: Trojan horse IRC\BackDoor.SdBot3.TPR
Status: Infected, Embedded object, Deleted

Object: C:\SDFix\backups\backups.zip
Status: Moved to Vault, Archive

In the virus vault it says:

Virus name: Trojan horse IRC/BackDoor.SdBot3.TPR
Path: C:\SDFix\backups\backups.zip
Date of detection: 10/11/2007 9:54:21PM
Filename: backups.zip

There are also previous entries, in case these are related (looks like some are versions of each other?):

Virus name: Virus identified Worm/Nachi.A
Path: C:\WINNT\system32\wins\DLLHOST.EXE
Date of detection: 6/26/2007 10:29:26PM
Filename: DLLHOST.EXE

Trojan horse IRC\BackDoor.SdBot2.KYE
Path: C:\WINNT\system32\setup_08136.exe
Date of detection: 7/2/2007 11:37:43PM
Filename: setup_08136.exe

Trojan horse IRC/BackDoor.SdBot3.CPT
Path: C:\WINNT\system32\scricon.exe
Date of detection: 7/10/2007 4:09:10AM
Filename: scricon.exe
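The two things a helper spots by eye in these logs are the O23 service in post #5 whose binary is a near-miss of a real Windows name (svshost.exe for svchost.exe, and already "file missing"), and the AVG vault entry above where a genuine system name (DLLHOST.EXE) lives in a directory it does not belong in (system32\wins). The script below is an added example written for this thread, not code from HijackThis, WinPFind3U, AVG or any poster; it re-implements those three checks over a handful of lines copied from the logs in this thread. The table of system binaries and their home directories is a small constructed reference list, not an exhaustive allowlist, and the similarity cutoff is an assumption that would need tuning on a real log.

```python
"""Flag suspicious executable references in HijackThis-style log lines (added example)."""
import difflib
import ntpath
import re

# Constructed reference list: core Windows 2000 binaries and the directory each
# belongs in (lower-case, no trailing backslash). Not an exhaustive allowlist.
KNOWN_SYSTEM_BINARIES = {
    "smss.exe": r"c:\winnt\system32",
    "winlogon.exe": r"c:\winnt\system32",
    "services.exe": r"c:\winnt\system32",
    "lsass.exe": r"c:\winnt\system32",
    "svchost.exe": r"c:\winnt\system32",
    "dllhost.exe": r"c:\winnt\system32",
    "explorer.exe": r"c:\winnt",
}

# A drive-letter path up to the first ".exe"; non-greedy so paths containing
# spaces ("C:\Program Files\...") are kept whole.
_DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.exe", re.IGNORECASE)

# Sample input: lines copied from the logs posted in this thread (not a full log).
SAMPLE_LOG = r"""C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\Explorer.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Storage Accounts Manager - Unknown owner - C:\WINNT\system32\svshost.exe (file missing)
C:\WINNT\system32\wins\DLLHOST.EXE
"""


def extract_exe(line):
    """Return the executable a log line refers to, or None.

    Prefers a full drive-letter path; falls back to a bare file name such as
    'mobsync.exe' in an O4 entry that relies on the PATH search order.
    """
    match = _DRIVE_PATH_RE.search(line)
    if match:
        return match.group(0)
    for token in line.split():
        if token.lower().endswith(".exe"):
            return token
    return None


def lookalike_of(filename, cutoff=0.85):
    """Return the system binary this name imitates, or None if it is not a near-miss.

    Exact matches are not lookalikes; the cutoff (assumed) keeps ordinary
    third-party names like lexbces.exe or kpf4ss.exe below the threshold.
    """
    name = filename.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    matches = difflib.get_close_matches(name, KNOWN_SYSTEM_BINARIES, n=1, cutoff=cutoff)
    return matches[0] if matches else None


def audit_line(line):
    """Return a list of (category, detail) findings for one log line."""
    findings = []
    exe = extract_exe(line)
    if exe is None:
        return findings
    directory, filename = ntpath.split(exe)

    twin = lookalike_of(filename)
    if twin:
        findings.append(("lookalike-name", f"{filename} resembles {twin}"))

    expected = KNOWN_SYSTEM_BINARIES.get(filename.lower())
    if expected and directory and directory.lower().rstrip("\\") != expected:
        findings.append(("wrong-directory", f"{filename} expected in {expected}, found in {directory}"))

    if "(file missing)" in line.lower():
        findings.append(("missing-file", f"{exe} is still registered but absent on disk"))
    return findings


def audit_log(text):
    """Audit every line; return (line number, category, detail) tuples."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for category, detail in audit_line(line):
            results.append((lineno, category, detail))
    return results


if __name__ == "__main__":
    for lineno, category, detail in audit_log(SAMPLE_LOG):
        print(f"line {lineno}: {category}: {detail}")
```

On the sample above it reports the svshost.exe service twice (lookalike name, and registered but missing on disk) and DLLHOST.EXE once (wrong directory), and stays quiet about the legitimate Creative, Lexmark, AVG and Sunbelt entries. Name similarity alone is a weak signal, which is why the wrong-directory and missing-file checks are kept separate: a short legitimate name can score close to a system binary, so anything this flags still needs the path and publisher confirmed the way the helper does with the WinPFind3U scan.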
Ice4 (thread starter)
12-Oct-2007, 01:56 AM #12
OK. I got it now. Apparently I have to leave that attachment window open until I'm done posting... Duh. Sorry about that. I have now noticeably attached the logs you asked for in post #9.
dvk01 (Derek), Moderator & Malware Removal Specialist
14-Oct-2007, 03:46 PM #13
You can safely ignore the AVG findings. It has either dealt with them or has alerted on SDFix resetting the hosts file.

WinPFind3 Fix -


Start WinPFind3U. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code:
[Win32 Services - Non-Microsoft Only]
YY -> (Storage Accounts Manager) Storage Accounts Manager [Win32_Own | Auto | Stopped] -> %System32%\svshost.exe
[Registry - All]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> ShellBrowser\\{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> WebBrowser\\{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
< Default Protocols [HKLM] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
YN -> shell -> shell protocol not assigned
< Default Protocols [HKCU] - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
YN -> shell -> shell protocol not assigned
The fix should only take a very short time and then you may be asked if you want to reboot. Choose Yes. Reboot manually if it doesn't prompt.

When it reboots,


Post the following back here:

the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log)

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
Ice4 (thread starter)
15-Oct-2007, 01:07 AM #14
Here's the new log:

[Win32 Services - Non-Microsoft Only]
Service Storage Accounts Manager stopped successfully.
Service Storage Accounts Manager deleted successfully.
File C:\WINNT\SYSTEM32\svshost.exe not found.
[Registry - All]
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{5854FAC4-5BF0-47DD-B5A9-A5EA8CFF3CF4} deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\\shell updated successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\\shell updated successfully.
< End of log >
Created on 10/14/2007 21:16:15

No problems doing what you told me to. It didn't prompt me to reboot, but I did.

After I rebooted, I noticed the rootchk icon on my desktop looked different. Before, it was an elaborate symbol, after, it was one of the little generic application boxes.

Then, while I pasted this, AVG detected a threat, which it says it healed:
Virus Name: Trojan horse Downloader.Zlob
Path: C:\Documents and Settings\XYZ\Desktop\rootchk.exe

After that the rootchk icon was gone altogether.

Things have been running much smoother since I did that stuff in Safe Mode. I saw something flash on my screen once since then. Too fast to see what it was. No applications showed up in my Task Manager. I thought it could have been a pop-up, blocked by my adblock. And a couple of times my desktop went black for a moment, but I was overwhelming the system with a picture-heavy document, so figured that could have caused it, though it doesn't usually when I have such a document open.

My Kerio firewall doesn't always start at startup, which I think might be a problem with their free version. It did start when I rebooted after this fix, but there's no way to tell yet if it will continue to act as before, or if it also got fixed.

Could you give me some idea about preventing getting infected like this again? It looked to me like much of what's infected me this year was either the same type of virus repeatedly, or they were part of the same infection...? If I keep getting the same infection, is there any way to tell if it's something specific I'm doing that makes that happen?

Also, could you tell me if it's safe to empty the AVG vault, or if it's better not to?

Thanx so much for all your help.
dvk01 (Derek), Moderator & Malware Removal Specialist
15-Oct-2007, 05:39 AM #15
Empty the AVG vault, as you have no need to restore them.

Please download ATF Cleaner by Atribune
This program is designed for XP and Windows 2000 only (it should now run on 98/ME & Vista).

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Then:
If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Then:
If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

This will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

Turn off system restore by following instructions here
http://www.thespykiller.co.uk/index.php?page=8
That will purge the restore folder and clear any malware that has been put in there. Then reboot, then re-enable System Restore and create a new restore point.

Go here http://forums.techguy.org/t208517/s.html for info on how to tighten your security settings and how to help prevent future attacks,
and scan here http://secunia.com/software_inspector/ for out-of-date & vulnerable common applications on your computer.

Then pay an urgent visit to Windows Update & make sure you are fully updated & get the bunch of new updates that are alleged to plug the security holes that let these pests on in the first place.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.