1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Comment.htt and Runcomment.htt virus removal help

Discussion in 'Virus & Other Malware Removal' started by peterkonyak, Oct 29, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. peterkonyak

    peterkonyak Thread Starter

    Joined:
    Oct 29, 2007
    Messages:
    18
    Dear frens...I've been posting here long time back and forgot my username and password so I registered again.

    Anyway, it's great to be back to this great community...

    Lets get started.

    Am using winxp pro on a pentium 4 machine at office. My problem is that AVG (updated daily) detects two virus which are "comment.htt" and "runcomment.htt" but fails to remove them even in safemode (it says error while healing). While my computer at home which was infected by comment.htt was removed easily few months back, however the office situation is different. All computers are being infected by a host of virus which I've cleaned using AVG but these two comment.htt and runcomment.htt remains. Kindly suggest.

    Second problem is that I noticed jus today that my hidden files and folders cannot be displayed even after going to and checking Tools>Folder option>View>show hidden files n folders. When I go back to it, the "do not show hidden files" seemed to be always checked. Any suggestion on that. Below is my hijackthis log too.

    Oh one last problem, there seems to be a browser hijack also...sometimes it takes me away to other sites that are not respective of the links I click.

    All help is always appreciated and thanks in advance.

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 10:58:49 AM, on 10/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\heap41a\svchost.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\heap41a\svchost.exe
    C:\Program Files\Huawei\MT882\dslagent.exe
    C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\HiJackThis_v2.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    F2 - REG:system.ini: Shell=
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: (no name) - {426D7678-410A-41F0-98FA-3685392BCDBc} - C:\WINDOWS\system32\bqdmmrak.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O4 - HKLM\..\Run: [stats1] C:\WINDOWS\System32\stats1.exe
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [msvccc66] svcchosst.exe
    O4 - HKLM\..\Run: [msvcc25] svcchost.exe
    O4 - HKLM\..\Run: [johnj3155] C:\WINDOWS\system32\srvcc.exe
    O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT882\dslagent.exe
    O4 - HKLM\..\Run: [DNSE] "C:\Program Files\Common Files\SystemDoctor\DNSE.exe" -c
    O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [apap1] C:\WINDOWS\System32\apap1.exe
    O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe
    O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
    O4 - HKLM\..\RunServices: [msvccc66] svcchosst.exe
    O4 - HKLM\..\RunServices: [WMI Standard Event Consumer - Scripting] C:\WINDOWS\System32\wbem\scrcons32.exe
    O4 - HKCU\..\Run: [sysmss] C:\WINDOWS\system32\sysems.exe
    O4 - HKCU\..\Run: [sysems] C:\WINDOWS\system32\syslem.exe
    O4 - HKCU\..\RunServices: [WMI Standard Event Consumer - Scripting] C:\WINDOWS\System32\wbem\scrcons32.exe
    O4 - HKLM\..\Policies\Explorer\Run: [status] present
    O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunServices: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunServices: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2F9D5A18-546E-44B9-B347-3CC8E485C407}: NameServer = 218.248.240.208 218.248.240.135
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B7ED60B7-FCD3-4A45-82D2-739C578169A5}: NameServer = 192.168.1.1
    O20 - AppInit_DLLs: C:\WINDOWS\System32\win_l2f.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 7518 bytes
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • Open the c:\SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer that normal to restart as the fixtool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
     
  3. peterkonyak

    peterkonyak Thread Starter

    Joined:
    Oct 29, 2007
    Messages:
    18
    Thanks cybertech

    I ran SDFix on safe mode as you have said and here is the results of the repot log and also a new hijackthis log.


    SDFix: Version 1.113

    Run by Administrator on Fri 11/02/2007 at 10:24 AM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...

    Service asc3550p - Deleted after Reboot

    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\SYSTEM32\TSKMGR.EXE - Deleted
    C:\WINDOWS\SYSTEM32\DLOAD.EXE - Deleted
    C:\WINDOWS\SYSTEM32\TEST.EXE - Deleted
    C:\WINDOWS\SYSTEM32\TASKMG~1.EXE - Deleted
    C:\WINDOWS\SYSTEM32\UPDATE~2.EXE - Deleted
    C:\WINDOWS\SYSTEM32\UPDATE~3.EXE - Deleted
    C:\WINDOWS\system32\helpsys.exe - Deleted
    C:\WINDOWS\system32\mdmd.exe - Deleted
    C:\WINDOWS\system32\srvc.exe - Deleted
    C:\WINDOWS\system32\ssc.exe - Deleted
    C:\WINDOWS\system32\TFTP2540 - Deleted
    C:\WINDOWS\system32\tskmgr.exe - Deleted
    C:\WINDOWS\update.exe - Deleted



    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-02 10:31:54
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\WINDOWS\\System32\\wbem\\wbemstest.exe"="C:\\WINDOWS\\System32\\wbem\\wbemstest.exe:*:Enabled:Server Runtime Process"
    "C:\\WINDOWS\\System32\\wbem\\scrcons32.exe"="C:\\WINDOWS\\System32\\wbem\\scrcons32.exe:*:Enabled:WMI Standard Event Consumer - Scripting"
    "C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
    "C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\\Program Files\\Huawei\\MT882\\DSLAGENT.EXE"="C:\\Program Files\\Huawei\\MT882\\DSLAGENT.EXE:*:Enabled:dslagent"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"

    Remaining Files:
    ---------------

    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Sun 4 Jan 2004 462,050 A.SHR --- "C:\heap41a\offspring\MicrosoftPowerPoint.exe"
    Tue 30 Oct 2007 23,040 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL3147.tmp"
    Tue 30 Oct 2007 23,040 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL2832.tmp"
    Mon 4 Jun 2007 28,160 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL0002.tmp"
    Thu 4 Jan 2007 19,968 ...H. --- "C:\Documents and Settings\Administrator\My Documents\~WRL2522.tmp"
    Tue 28 Aug 2007 19,968 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL3806.tmp"
    Tue 28 Aug 2007 20,480 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL3633.tmp"
    Tue 28 Aug 2007 20,992 ...H. --- "C:\Documents and Settings\Administrator\Desktop\~WRL1375.tmp"
    Thu 2 Jun 2005 39,424 A..H. --- "C:\Documents and Settings\Administrator\Desktop\HN COMPANY FOLDER\COMPANY PROFILE\~WRL0001.tmp"
    Sat 25 Aug 2007 45,056 ...H. --- "C:\Documents and Settings\Administrator\Desktop\HN COMPANY FOLDER\L&T CASE\~WRL0252.tmp"

    Finished!


    Hijackthis log

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 10:44:20 AM, on 11/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Huawei\MT882\dslagent.exe
    C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\Hijackthis\HiJackThis_v2.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: (no name) - {426D7678-410A-41F0-98FA-3685392BCDBc} - C:\WINDOWS\system32\bqdmmrak.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O4 - HKLM\..\Run: [stats1] C:\WINDOWS\System32\stats1.exe
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT882\dslagent.exe
    O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [apap1] C:\WINDOWS\System32\apap1.exe
    O4 - HKCU\..\Run: [sysems] C:\WINDOWS\system32\syslem.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunServices: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunServices: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B7ED60B7-FCD3-4A45-82D2-739C578169A5}: NameServer = 192.168.1.1
    O20 - AppInit_DLLs: C:\WINDOWS\System32\win_l2f.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 7173 bytes


    The "show hidden files and folders" option still gets automatically checked back to "do not show hidden files and folders." Other than that I think it looks fine. I am still yet to run my AVG, ad-aware and Spybot on this comp. Sorry for the late reply cause my internet connection was out for the last few days.

    Let me know what else I should do...Thanks once again
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    --------------------------------------------------------------------
    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    --------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
     
  5. peterkonyak

    peterkonyak Thread Starter

    Joined:
    Oct 29, 2007
    Messages:
    18
    Ok thanks again man, I'm in India and so my reply may seem very late...neways my hidden folder trouble has gone away. Thank you very much....as per your instructions here are the ComboFix report and hijackthis report respectively,

    ComboFix 07-11-01.1** - Administrator 2007-11-03 10:36:53.1 - FAT32x86
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Administrator\Application Data\DriveCleaner Free
    C:\Documents and Settings\Administrator\Application Data\DriveCleaner Free\Logs\update.log
    C:\Documents and Settings\Administrator\Application Data\SystemDoctor Free
    C:\Documents and Settings\Administrator\Application Data\SystemDoctor Free\Logs\update.log
    C:\Documents and Settings\Administrator\err.log
    C:\Documents and Settings\Administrator\ResErrors.log
    C:\Documents and Settings\All Users\Application Data.\salesmonitor
    C:\Documents and Settings\All Users\Application Data\SystemDoctor Free
    C:\Documents and Settings\All Users\Application Data\SystemDoctor Free\Data\Abbr
    C:\Documents and Settings\All Users\Application Data\SystemDoctor Free\Data\ActivationCode
    C:\Documents and Settings\All Users\Application Data\SystemDoctor Free\Data\HOURS
    C:\Documents and Settings\All Users\Application Data\SystemDoctor Free\Data\ProductCode
    C:\Program Files\Common Files\companion wizard
    C:\Program Files\Common Files\Companion Wizard\WapCHK.dll
    C:\Program Files\Common Files\SystemDoctor
    C:\Program Files\Common Files\SystemDoctor\err.log
    C:\WINDOWS\keyboard1.dat
    C:\WINDOWS\system32\stera.log

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_ASC3550U
    -------\LEGACY_CMDSERVICE
    -------\LEGACY_NETWORK_MONITOR
    -------\nm


    ((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
    .

    2007-11-03 10:35 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-02 10:23 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-10-30 10:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-10-29 12:12 <DIR> d-------- C:\Program Files\Lavasoft
    2007-10-29 12:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-10-29 12:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-29 10:56 1,308,216 --a------ C:\HiJackThis_v2.exe
    2007-10-23 09:12 <DIR> d--hs---- C:\heap41a
    2007-10-06 15:32 <DIR> d--h----- C:\Hijackthis
    2007-10-06 11:58 <DIR> d-------- C:\WINDOWS\system32\LogFiles

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-17 12:12 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-09-17 12:12 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
    2007-09-17 12:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-09-17 12:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
    2007-09-17 11:42 --------- d-----w C:\Program Files\SpywareBlaster
    2007-09-11 08:25 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Nokia
    2007-08-27 11:58 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
    2006-07-13 10:20 16,752 ----a-w C:\Documents and Settings\CMD\Application Data\GDIPFONTCACHEV1.DAT
    2006-05-05 11:26 16,752 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
    2006-05-05 10:19 284 ----a-w C:\Documents and Settings\Administrator\Application Data\ViewerApp.dat
    2007-08-01 09:37:40 86,896 --sh--w C:\WINDOWS\system32\ospcont.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{426D7678-410A-41F0-98FA-3685392BCDBc}]
    2007-07-09 11:32 124948 --a------ C:\WINDOWS\system32\bqdmmrak.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "stats1"="C:\WINDOWS\System32\stats1.exe" []
    "osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-01-14 04:41]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-10-08 06:01]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-10-08 05:57]
    "DSLAGENTEXE"="C:\Program Files\Huawei\MT882\dslagent.exe" [2003-10-31 15:26]
    "DataLayer"="C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" [2005-03-31 09:30]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-23 17:00]
    "SoundMan"="SOUNDMAN.EXE" [2003-08-15 13:04 C:\WINDOWS\SOUNDMAN.EXE]
    "apap1"="C:\WINDOWS\System32\apap1.exe" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "sysems"="C:\WINDOWS\system32\syslem.exe" []

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
    "Server Runtime Process"=C:\WINDOWS\System32\wbem\wbemstest.exe

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Server Runtime Process"=C:\WINDOWS\System32\wbem\wbemstest.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\WINDOWS\System32\win_l2f.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 nwprovau
    "WMI Standard Event Consumer - Scripting"= C:\WINDOWS\System32\wbem\scrcons32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^.protected]
    path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\.protected
    backup=C:\WINDOWS\pss\.protectedStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected
    backup=C:\WINDOWS\pss\.protectedCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
    backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^CMD^Start Menu^Programs^Startup^VirtualExpander.lnk]
    path=C:\Documents and Settings\CMD\Start Menu\Programs\Startup\VirtualExpander.lnk
    backup=C:\WINDOWS\pss\VirtualExpander.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^CMD^Start Menu^Programs^Startup^winchat.lnk]
    path=C:\Documents and Settings\CMD\Start Menu\Programs\Startup\winchat.lnk
    backup=C:\WINDOWS\pss\winchat.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
    "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
    "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clcl11]
    C:\WINDOWS\System32\clcl11.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dc]
    C:\WINDOWS\dc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dc2k5]
    C:\WINDOWS\SVIQ.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
    C:\\dfndrff_12.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DllRunning]
    rundll32.exe "C:\WINDOWS\system32\nbnhslug.dll",setvm

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fun]
    C:\WINDOWS\system\Fun.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
    "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\johnj315]
    C:\WINDOWS\system32\srvc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
    C:\\kybrdff_12.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    C:\WINDOWS\inf\Other.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\melg34]
    C:\WINDOWS\system32\mdmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\melg3445]
    C:\WINDOWS\system32\mdmdd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
    rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mysvcig38]
    mysvcc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
    C:\\nwnmff_12.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pck1]
    C:\WINDOWS\system32\pck1.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
    C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
    C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RavTimeXP]
    C:\WINDOWS\FONTS\BYY.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
    C:\WINDOWS\system32\config\Win.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
    "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sck12]
    C:\WINDOWS\system32\helpsys.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sck121]
    C:\WINDOWS\system32\helpsyss.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sixer5]
    C:\WINDOWS\system32\ssc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sixer566]
    C:\WINDOWS\system32\sscc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedOptimizer]
    C:\PROGRA~1\SPEEDO~1\SPO.EXE -s

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\staeck12]
    C:\Documents and Settings\Administrator\2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\staeck122]
    C:\Documents and Settings\Administrator\2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sygate Personall Firewall]
    Sygate32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysms]
    C:\Documents and Settings\Administrator\1.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
    %systemroot%\system32\dumprep 0 -u

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMI Standard Event Consumer - Scripting]
    C:\WINDOWS\System32\wbem\scrcons32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

    R0 sonypvl3;sonypvl3;C:\WINDOWS\system32\drivers\sonypvl3.sys
    R1 sonypvf3;sonypvf3;C:\WINDOWS\system32\drivers\sonypvf3.sys
    R1 sonypvt3;sonypvt3;C:\WINDOWS\system32\drivers\sonypvt3.sys
    S1 sonypvd3;Sony DVD Handycam;C:\WINDOWS\system32\DRIVERS\sonypvd3.sys
    S3 FXDRV;FXDRV;\??\E:\Fxdrv.sys
    S3 MTD80X;Realtek RTL8139D PCI Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\MTD80X.SYS

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6176e3f2-2b84-11dc-ab6a-000fa38f4a3e}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a31297e7-2a55-11dc-ab64-000fa38f4a3e}]
    \Shell\Auto\command - F:\MicrosoftPowerPoint.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d920e750-8119-11dc-acf9-000cf1c75d3a}]
    \Shell\Auto\command - MicrosoftPowerPoint.exe
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-03 10:42:56
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-03 10:44:44 - machine was rebooted
    .
    --- E O F ---

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 10:47:47 AM, on 11/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Huawei\MT882\dslagent.exe
    C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Hijackthis\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: (no name) - {426D7678-410A-41F0-98FA-3685392BCDBc} - C:\WINDOWS\system32\bqdmmrak.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O4 - HKLM\..\Run: [stats1] C:\WINDOWS\System32\stats1.exe
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Huawei\MT882\dslagent.exe
    O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [apap1] C:\WINDOWS\System32\apap1.exe
    O4 - HKCU\..\Run: [sysems] C:\WINDOWS\system32\syslem.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunServices: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunServices: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2F9D5A18-546E-44B9-B347-3CC8E485C407}: NameServer = 218.248.240.208 218.248.240.135
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B7ED60B7-FCD3-4A45-82D2-739C578169A5}: NameServer = 192.168.1.1
    O20 - AppInit_DLLs: C:\WINDOWS\System32\win_l2f.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 6605 bytes

    Let me know how it turns out. Thank you very much sir for you help. The PC is now normal again. Any further doubts and queries I should check for, let me know!
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    It may seem normal but the machine is very infected!


    Please download the OTMoveIt by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\System32\stats1.exe
      C:\WINDOWS\system32\bqdmmrak.dll
      C:\WINDOWS\System32\apap1.exe
      C:\WINDOWS\system32\syslem.exe
      C:\WINDOWS\System32\win_l2f.dll
      C:\WINDOWS\System32\wbem\scrcons32.exe


    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



    Please download (save) SmitfraudFix (by S!Ri) to your desktop. SmitfraudFix runs under W2K, XP only.

    Extract the content (a folder named SmitfraudFix) to your Desktop. Select all of the contents and Extract them
    to a new folder called SmitfraudFix.
    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  7. peterkonyak

    peterkonyak Thread Starter

    Joined:
    Oct 29, 2007
    Messages:
    18
    Ths is the rapport from smithfraudfix

    SmitFraudFix v2.248

    Scan done at 9:45:14.12, Mon 11/05/2007
    Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is FAT32
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Huawei\MT882\dslagent.exe
    C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="C:\\WINDOWS\\System32\\win_l2f.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: WAN (PPP/SLIP) Interface
    DNS Server Search Order: 218.248.240.208
    DNS Server Search Order: 218.248.240.135

    Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
    DNS Server Search Order: 192.168.1.1

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{2F9D5A18-546E-44B9-B347-3CC8E485C407}: NameServer=218.248.240.208 218.248.240.135
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{B7ED60B7-FCD3-4A45-82D2-739C578169A5}: NameServer=192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{2F9D5A18-546E-44B9-B347-3CC8E485C407}: NameServer=218.248.240.208 218.248.240.135
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{B7ED60B7-FCD3-4A45-82D2-739C578169A5}: NameServer=192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{2F9D5A18-546E-44B9-B347-3CC8E485C407}: NameServer=218.248.240.208 218.248.240.135
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{B7ED60B7-FCD3-4A45-82D2-739C578169A5}: NameServer=192.168.1.1
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{B7ED60B7-FCD3-4A45-82D2-739C578169A5}: NameServer=192.168.1.1


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.

    Click Exit on the Main menu to close the program.



    Download and scan with SUPERAntiSpyware Free for Home Users
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
    • Click Close to exit the program.
     
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/645102

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice