
Solved: Windows 2000-Cannot get a couple of things out of HJT Log-keeps coming back

Discussion in 'Virus & Other Malware Removal' started by xfile47, Nov 11, 2007.

Thread Status:
Not open for further replies.
  1. xfile47

    xfile47 Thread Starter

    Joined:
    Jun 21, 2004
    Messages:
    2,142
    WINDOWS 2000 PRO
    Norton AntiVirus
    Had the things I talk about below in the log.
    Used Spybot -- clean
    SpySweeper -- clean
    Ad-Aware -- clean
    CWShredder -- clean
    Deleted all temps, cookies, and history.
    Ran a full Norton scan; it came up with nothing.
    I looked in the Event Viewer under Applications and saw that a bunch of errors were there. I clicked on the events and it said Norton had found a bunch of trojans and viruses but did not delete or quarantine them, just left them.

    I disabled Norton AntiVirus and installed AVG Antivirus and AVG Anti-Spyware.
    Ran a full scan (after updating the programs) and AVG caught 15 viruses and trojans, and AVG Anti-Spyware caught the QHOST.mg trojan and cleaned it. To make sure, I ran the Qhost fix from Norton and it was clean.
    The viruses and trojans that were caught were:
    Virus--Rejoice45.exe--Win32\PEMASK.A
    Trojan Horse--atmQQ.exe--PSW.Generic5.RWU
    Trojan Horse--1.exe--Generic8.MUH
    Trojan Horse--Down(0).exe--Generic8.MUH
    Virus--1.EXE--Win32\PEPatch
    Virus--sasa.exe--Win32\PEPatch
    Trojan Horse--wnlftftf.dll--PSW.Generic5.TZT
    Trojan Horse--BackdoorDELF.aag--3800hk.dll
    Trojan Horse--3Svchs0t.exe--PSW.Generic5.RWT
    Virus--Down(1).exe--W32\PEMASK.A
    Trojan Horse--Rpcs.dll--PSW.Generic5.PHM
    Trojan Horse--1.exe--Generic8.OAQ
    Trojan Horse--Who.exe--Generic8.0AQ
    Virus--rejoice45.exe--Win32\PEMASK.A
    QHOST.mg

    Someone else tried to clean the 0svchs0t.exe and did part of it but not all. When I searched for the 0svchs0t.exe and found it, I deleted it, and then found the h2.dll and h3.dll and h5.dll. Then I searched for the autorun.inf file and it brought up two of them; one was spelled with small and big letters. I looked in it through notebook and it had what Trend Micro said it would:
    open=sos.exe
    shell\open=(some weird stuff)
    shell\open\command=sos.exe
    shell\open\Default=1
    shell\explore=(a bunch more weird stuff)
    shell\explore\Command=sos.exe
    Trend Micro said to delete it, so I did.

    Ran autoruns.exe and found four that I didn't think were right, so I took the check out of the box. They were:
    3800hk,
    RemDcomsvc, and it had a bunch of weird stuff next to it, symbols etc.
    tersvc, and weird stuff with it too
    tmsscv1 had weird stuff where it says what it is, so I unchecked those four.

    I searched for every one of the trojan and virus file names in safe mode after I deleted them all, and none were found.
    After I unchecked the tersvc (I think it was that one), that is when the Svchost box that was popping up every time I started the computer quit popping up. The computer seems to be running well now, but I am bugged by not being able to get those two I speak about out of the HJT log. Both say file missing, but when I try to fix them in normal or safe mode they always come back. Can someone help me with that or anything else I might have missed?? CWShredder also came up clean.
    I put on IE-SPYAD,
    Script Defender,
    and stopped Windows Messenger.





    Can someone take a quick look at this log and maybe tell me why some things keep coming back? The
    O23 - Service: Windows Accounts Driver (WindowsRemote2) - Unknown owner - C:\WINNT\system32\0svchs0t.exe (file missing)
    I found the file and deleted it, and did what Trend Micro said to do: deleted the DLLs they said, and found the autorun.inf file they described and deleted that, etc. I cannot get this out of the log, and the only other thing wrong is that every time I start the computer a box comes up. It is a Svchost box and says 2007-11-10 is not a valid date. I can't get rid of that, which I think is
    O23 - Service: Network Provisioning Services (Windowsclients) - Unknown owner - C:\WINDOWS\system32\config\SVCHOST.EXE (file missing)

    I just need to get those out. I found 15 different trojans and viruses that Norton was missing and AVG caught. I believe the computer is clean now except for getting this log clean. Will someone take a look and let me know if those two have to come out, and if so how to get them to stay out. Thanks




    Logfile of HijackThis v1.99.1
    Scan saved at 9:40:15 PM, on 11/10/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\program files\internet explorer\IEXPLORE.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\WinMagic\SecureDoc-NT\SDPin.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\eRoom 7\ERClient7.exe
    C:\Documents and Settings\user\Desktop\SpyWareTools\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netins.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [StartSecurDoc] "C:\Program Files\WinMagic\SecureDoc-NT\SDPin.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {123FE8C9-0BDC-4946-A854-DDBA7398CF64} - https://www.fts.newyorklife.com/ftWebUpdate/installs/ftwebupdate.cab
    O16 - DPF: {5EF90065-A2C4-4C6D-993E-40EE010EBA3D} (FTWebUtils.Redirecter) - https://www.fts.newyorklife.com/formslibrary/Package/FTWebUtils.CAB
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Events Log (Event) - Unknown owner - C:\WINNT\system32\drivers\csrss.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Transaction Coordinator - Unknown owner - C:\WINNT\system32\dllhosts.exe
    O23 - Service: Network Provisioning Services (Windowsclients) - Unknown owner - C:\WINDOWS\system32\config\SVCHOST.EXE (file missing)
    O23 - Service: Windows Accounts Driver (WindowsRemote2) - Unknown owner - C:\WINNT\system32\0svchs0t.exe (file missing)
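Two checks a responder would script for the post above, as an added example that is not code from the thread or from any of the tools named in it. The first parses HijackThis O23 lines and flags services with no vendor string, a missing binary or a path under system32\config, and prints the registry key that keeps the entry alive: a "(file missing)" service is a key under HKLM\SYSTEM\CurrentControlSet\Services whose ImagePath points at a binary that is already gone, so deleting the file again changes nothing and the key itself has to be removed (`sc delete <name>`, or regedit; on Windows 2000 sc.exe comes from the Resource Kit). The second parses an autorun.inf and returns the keys that launch a program. SAMPLE_HJT is copied from the posted log; SAMPLE_AUTORUN is reconstructed from the keys the poster listed, with placeholder menu text where the post only said "weird stuff".

```python
"""Why a "(file missing)" O23 service keeps coming back, and what an
autorun.inf actually launches. Added example, not code from the thread."""
import re

# One O23 line: "O23 - Service: <display> (<short name>) - <owner> - <path> [(file missing)]".
# The short name in parentheses is absent when it equals the display name.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# [autorun] keys whose value runs when the volume is opened or double-clicked.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def triage_services(hjt_log):
    """Return O23 entries that deserve a second look, with the key to remove.

    The short name in parentheses (WindowsRemote2, Windowsclients) is the name
    of the service key. If the line reappears after a HijackThis fix, that key
    is still present; remove the key, not the (already deleted) file.
    """
    findings = []
    for line in hjt_log.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name") or m.group("display")
        reasons = []
        if m.group("owner") == "Unknown owner":
            reasons.append("no vendor string")
        if m.group("missing"):
            reasons.append("binary missing")
        if "\\config\\" in m.group("path"):
            # system32\config holds the registry hives; no service binary belongs there.
            reasons.append("odd path")
        if reasons:
            findings.append({
                "name": name,
                "path": m.group("path"),
                "reasons": reasons,
                "registry_key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\" + name,
                "remove_with": 'sc delete "%s"' % name,  # or delete the key in regedit
            })
    return findings


def check_autorun(inf_text):
    """Return {key: value} for the [autorun] keys that run a program."""
    hits, in_autorun = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"   # section names are case-insensitive
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            key = key.strip().lower()
            if key in EXEC_KEYS and value.strip():
                hits[key] = value.strip()
    return hits


# Lines copied from the HijackThis log posted above.
SAMPLE_HJT = r"""
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Transaction Coordinator - Unknown owner - C:\WINNT\system32\dllhosts.exe
O23 - Service: Network Provisioning Services (Windowsclients) - Unknown owner - C:\WINDOWS\system32\config\SVCHOST.EXE (file missing)
O23 - Service: Windows Accounts Driver (WindowsRemote2) - Unknown owner - C:\WINNT\system32\0svchs0t.exe (file missing)
"""

# Reconstructed from the keys the poster listed; "Open"/"Explore" are placeholder menu text.
SAMPLE_AUTORUN = r"""
[AutoRun]
open=sos.exe
shell\open=Open
shell\open\command=sos.exe
shell\open\Default=1
shell\explore=Explore
shell\explore\Command=sos.exe
"""

if __name__ == "__main__":
    for f in triage_services(SAMPLE_HJT):
        print(f["name"], f["reasons"], "->", f["remove_with"])
    print(check_autorun(SAMPLE_AUTORUN))
```

On the posted log this flags dllhosts.exe (no vendor string, and still present on disk), Windowsclients (missing binary under a path where no service belongs) and WindowsRemote2 (missing binary); the autorun.inf check shows all three launch keys pointing at sos.exe, which is what makes double-clicking the drive re-run the dropper.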
     
  2. xfile47

    xfile47 Thread Starter

    Joined:
    Jun 21, 2004
    Messages:
    2,142
    I got the popup Svchost box to stop by stopping it with Autoruns, and I did a search and deleted the 0svchs0t.exe, deleted the h2 dll and h3 dll and h5 dll, and looked in the autorun.inf file. There was an extra one and it had what Trend Micro said it would for the 0svchs0t.exe, so I deleted it like it said. I believe everything is fixed; however, I still cannot get the

    O23 - Service: Network Provisioning Services (Windowsclients) - Unknown owner - C:\WINDOWS\system32\config\SVCHOST.EXE (file missing)
    O23 - Service: Windows Accounts Driver (WindowsRemote2) - Unknown owner - C:\WINNT\system32\0svchs0t.exe (file missing)

    OUT OF THE HJT LOG. Can't anyone tell me why it won't stay out once I fix it to stay out? IF ANYONE KNOWS PLEASE TELL ME, IT'S ALL THAT IS LEFT TO DO.
     
  3. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Welcome to TSG :)

    Download Combofix and save it to your desktop.

    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    --------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  4. xfile47

    xfile47 Thread Starter

    Joined:
    Jun 21, 2004
    Messages:
    2,142
    OK, I will run it now and get back to you ASAP. Thanks
     
  5. xfile47

    xfile47 Thread Starter

    Joined:
    Jun 21, 2004
    Messages:
    2,142
    Here is the ComboFix log, and below it is the new HJT log.

    ComboFix 07-11-08.3 - user 11/11/2007 17:54:41.1 - NTFSx86
    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.201 [GMT -6:00]
    Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\a.bat
    C:\Autorun.inf
    C:\Documents and Settings\user\err.log

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_FOPF


    ((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
    .

    2007-11-11 18:01 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_4c4.dat
    2007-11-11 17:54 51,200 --a------ C:\WINNT\NirCmd.exe
    2007-11-11 15:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Avg7
    2007-11-11 14:49 21,312 --a------ C:\WINNT\choice.exe
    2007-11-11 14:46 <DIR> d-------- C:\ie-spyad
    2007-11-11 14:45 <DIR> d-------- C:\Program Files\AnalogX
    2007-11-11 13:57 <DIR> d-------- C:\Documents and Settings\user\.housecall6.6
    2007-11-10 17:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-10 12:14 602,128 --a--c--- C:\WINNT\system32\dllcache\winacpci.sys
    2007-11-10 12:14 107,792 --a--c--- C:\WINNT\system32\dllcache\xlog.exe
    2007-11-10 12:14 41,552 --a--c--- C:\WINNT\system32\dllcache\weitekp9.dll
    2007-11-10 12:14 35,088 --a--c--- C:\WINNT\system32\dllcache\wlandrv2.sys
    2007-11-10 12:14 30,960 --a--c--- C:\WINNT\system32\dllcache\weitekp9.sys
    2007-11-10 12:14 24,848 --a--c--- C:\WINNT\system32\dllcache\wvlan48.sys
    2007-11-10 12:14 17,168 --a--c--- C:\WINNT\system32\dllcache\xem336n5.sys
    2007-11-10 12:14 8,016 --a--c--- C:\WINNT\system32\dllcache\wmiacpi.sys
    2007-11-09 02:00 0 --a------ C:\WINNT\system32\SBRC.dat
    2007-11-09 02:00 0 --a------ C:\WINNT\system32\SBFC.dat
    2007-11-02 09:22 94,208 --a------ C:\WINNT\system32\vispe64.dll
    2007-11-02 09:22 70 --a------ C:\WINNT\system32\visAddst32.dat
    2007-11-01 15:58 14,848 --a------ C:\WINNT\system32\drivers\sskbfd.sys
    2007-11-01 15:00 1,684 --a------ C:\WINNT\system32\tmp.reg
    2007-11-01 14:08 <DIR> d-------- C:\WINNT\pss
    2007-11-01 14:06 144,896 --a------ C:\WINNT\system32\msconfig.exe
    2007-11-01 14:03 <DIR> d-------- C:\Tec
    2007-11-01 13:49 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
    2007-11-01 13:49 51,200 --a------ C:\WINNT\system32\dumphive.exe
    2007-11-01 13:32 630,784 --a------ C:\Documents and Settings\Administrator\GoToAssist_chat2way__317_en.exe
    2007-10-31 16:51 0 --a------ C:\Documents and Settings\Administrator\GoToAssistDownloadHelper.exe
    2007-10-31 16:06 <DIR> d-------- C:\Program Files\Security Task Manager
    2007-10-31 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
    2007-10-31 15:57 175,616 --a------ C:\WINNT\system32\strings.exe
    2007-10-31 15:57 126,976 --a------ C:\WINNT\system32\zip.exe
    2007-10-31 15:57 90,112 --a------ C:\WINNT\system32\RegDACL.exe
    2007-10-31 15:57 53,248 --a------ C:\WINNT\system32\Process.exe
    2007-10-31 15:57 39,184 --a------ C:\WINNT\system32\Ntrights.exe
    2007-10-31 15:57 24,576 --a------ C:\WINNT\system32\Reboot.exe
    2007-10-31 15:57 11,254 --a------ C:\WINNT\system32\locate.com
    2007-10-31 06:41 1,047 --a------ C:\WINNT\run.vbs
    2007-10-30 10:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-10-30 10:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-28 14:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\New York Life
    2007-10-28 14:18 17 --a------ C:\WINNT\system32\drivers\nwlnkcr.sys
    2007-10-24 11:42 1,044 --a------ C:\WINNT\home.vbs
    2007-10-24 00:14 37 --a------ C:\bat.bat
    2007-10-15 22:48 302,080 --------- C:\WINNT\system32\dllhosts.exe
    2007-10-15 22:48 302,080 -r-h----- C:\dllhosts.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-11 23:56 --------- d-----w C:\Program Files\Symantec AntiVirus
    2007-11-11 21:21 --------- d-----w C:\Documents and Settings\user\Application Data\wsInspector
    2007-11-11 21:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-10 23:38 --------- d-----w C:\Program Files\Yahoo!
    2007-11-01 22:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-01 22:47 --------- d-----w C:\Program Files\Antenna
    2007-10-30 16:41 --------- d-----w C:\Program Files\Lavasoft
    2007-10-30 16:41 --------- d-----w C:\Documents and Settings\user\Application Data\Lavasoft
    2007-10-07 03:17 28,672 ----a-w C:\MSD0S.com
    2007-09-25 18:05 --------- d-----w C:\Documents and Settings\user\Application Data\eRoom
    2007-09-20 16:21 --------- d-----w C:\Program Files\Google
    2007-09-17 21:06 8,478 ----a-w C:\Program Files\hlpsrv.exe
    2007-09-17 16:01 --------- d-----w C:\Program Files\INAC
    2007-08-29 23:35 61,480 ----a-w C:\Documents and Settings\user\GoToAssistDownloadHelper.exe
    2007-03-12 19:04 630,784 ----a-w C:\Documents and Settings\user\GoToAssist_chat2way__317_en.exe
    2006-08-11 15:06 0 ----a-w C:\Documents and Settings\user\loaded.exe
    2006-03-31 18:53 60,864 ----a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
    2006-03-17 00:50 271 ---h--w C:\Program Files\desktop.ini
    2006-03-17 00:50 21,952 ---h--w C:\Program Files\folder.htt
    2000-07-26 17:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06-03-24 19:14 ]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [06-06-15 03:40 ]
    "StartSecurDoc"="C:\Program Files\WinMagic\SecureDoc-NT\SDPin.exe" [06-06-01 11:55 ]
    "Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="ctfmon.exe" [01-02-20 15:09 C:\WINNT\system32\CTFMON.EXE]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"=ctfmon.exe

    C:\Documents and Settings\user\Start Menu\Programs\Startup\
    Monitor My eRooms (V7).lnk - C:\Program Files\eRoom 7\ERClient7.exe [2007-01-02 16:47:14]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 03:01:04]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetFolders"=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "StartMenuLogOff"=1 (0x1)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"= shdocvw.dll [ ]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll


    R3 ati2mtaa;ati2mtaa;C:\WINNT\system32\DRIVERS\ati2mtaa.sys

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    tersvc tersvc
    RemDcomSvc RemDcomSvc
    tmsscvl tmsscvl

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    3800hk

    *Newly Created Service* - IPNAT
    *Newly Created Service* - RASAUTO
    *Newly Created Service* - SHAREDACCESS
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-11 18:01:49
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-11 18:03:38 - machine was rebooted
    .
    --- E O F ---





    Logfile of HijackThis v1.99.1
    Scan saved at 6:11:22 PM, on 11/11/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\program files\internet explorer\IEXPLORE.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\WinMagic\SecureDoc-NT\SDPin.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\eRoom 7\ERClient7.exe
    C:\Documents and Settings\user\Desktop\SpyWareTools\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netins.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [StartSecurDoc] "C:\Program Files\WinMagic\SecureDoc-NT\SDPin.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O16 - DPF: {123FE8C9-0BDC-4946-A854-DDBA7398CF64} - https://www.fts.newyorklife.com/ftWebUpdate/installs/ftwebupdate.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {5EF90065-A2C4-4C6D-993E-40EE010EBA3D} (FTWebUtils.Redirecter) - https://www.fts.newyorklife.com/formslibrary/Package/FTWebUtils.CAB
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Events Log (Event) - Unknown owner - C:\WINNT\system32\drivers\csrss.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Transaction Coordinator - Unknown owner - C:\WINNT\system32\dllhosts.exe
    O23 - Service: Network Provisioning Services (Windowsclients) - Unknown owner - C:\WINDOWS\system32\config\SVCHOST.EXE (file missing)
    O23 - Service: Windows Accounts Driver (WindowsRemote2) - Unknown owner - C:\WINNT\system32\0svchs0t.exe (file missing)
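The ComboFix report above has three things a responder would pull out before anything else: the extra DLL on the SecurityProviders list, the self-named svchost groups plus the 3800hk addition to netsvcs, and the new files that are hidden, sit at the drive root or are twins of each other. This added example (not code from the thread or from ComboFix) parses those sections from a subset of the posted lines. BASELINE_SECURITY_PROVIDERS is assumed here to be the four Microsoft DLLs a stock Windows 2000/XP install lists; verify it against a known-clean machine of the same build before acting on the difference.

```python
"""Triage the "Reg Loading Points" and "Files Created" sections of a ComboFix
report. Added example, not code from the thread."""
import re
from collections import defaultdict

# Assumed stock list; Windows loads every DLL named here into processes that use
# the security support provider interface, which is why malware appends itself.
BASELINE_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

# "Files Created" line: date time size-or-<DIR> nine-character attribute field path.
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d) (?:<DIR>|(?P<size>[\d,]+)) "
    r"(?P<attrs>[-\w]{9}) (?P<path>.+)$"
)
SVCHOST_KEY = r"[hkey_local_machine\software\microsoft\windows nt\currentversion\svchost]"
NETSVCS_HEADER = "svchost - netsvcs"
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".vbs", ".scr", ".dll")


def extra_security_providers(report):
    """DLLs on the SecurityProviders line that are not in the baseline."""
    for line in report.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "securityproviders":
            names = [n.strip().lower() for n in parts[1].split(",")]
            return [n for n in names if n and n not in BASELINE_SECURITY_PROVIDERS]
    return []


def svchost_groups(report):
    """Non-default svchost groups ComboFix listed, plus additions to netsvcs.

    A group named after its only service ("tersvc tersvc") gives one DLL its
    own svchost.exe host; a netsvcs addition rides inside the shared system host.
    """
    groups, mode = defaultdict(list), None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            mode = None                      # a blank line ends the section
            continue
        low = line.lower()
        if low == SVCHOST_KEY:
            mode = "groups"
        elif low.endswith(NETSVCS_HEADER):
            mode = "netsvcs"
        elif mode == "groups" and len(line.split()) >= 2:
            group, services = line.split()[0], line.split()[1:]
            groups[group].extend(services)
        elif mode == "netsvcs":
            groups["netsvcs"].append(line)
    return dict(groups)


def suspicious_new_files(report):
    """(path, reasons) for new files that are hidden, are executables at the
    drive root, or share size and timestamp with another new file (very often
    one payload dropped twice)."""
    entries = []
    for raw in report.splitlines():
        m = FILE_RE.match(raw.strip())
        if m and m.group("size") is not None:   # skip <DIR> lines
            entries.append(m.groupdict())
    twins = defaultdict(list)
    for e in entries:
        twins[(e["size"], e["date"], e["time"])].append(e["path"])
    findings = []
    for e in entries:
        low, reasons = e["path"].lower(), []
        if "h" in e["attrs"]:
            reasons.append("hidden attribute")
        if re.match(r"^[a-z]:\\[^\\]+$", low) and low.endswith(EXEC_EXTS):
            reasons.append("executable at drive root")
        others = [p for p in twins[(e["size"], e["date"], e["time"])] if p != e["path"]]
        if others:
            reasons.append("same size and timestamp as " + ", ".join(others))
        if reasons:
            findings.append((e["path"], reasons))
    return findings


# Subset of lines copied from the ComboFix report posted above.
SAMPLE_REPORT = r"""
2007-11-11 15:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-11 14:49 21,312 --a------ C:\WINNT\choice.exe
2007-10-31 06:41 1,047 --a------ C:\WINNT\run.vbs
2007-10-24 00:14 37 --a------ C:\bat.bat
2007-10-15 22:48 302,080 --------- C:\WINNT\system32\dllhosts.exe
2007-10-15 22:48 302,080 -r-h----- C:\dllhosts.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
tersvc tersvc
RemDcomSvc RemDcomSvc
tmsscvl tmsscvl

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
3800hk
"""

if __name__ == "__main__":
    print("extra SecurityProviders:", extra_security_providers(SAMPLE_REPORT))
    print("svchost groups:", svchost_groups(SAMPLE_REPORT))
    for path, reasons in suspicious_new_files(SAMPLE_REPORT):
        print(path, "->", "; ".join(reasons))
```

The three self-named groups are the "tersvc", "RemDcomsvc" and "tmsscv1" entries the poster unchecked in Autoruns (the registry group keys are still there even though the services are disabled), and the file twins are the two 302,080-byte dllhosts.exe copies that the helper then sent to VirusTotal.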
     
  6. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Please do a scan on these files with VirusTotal here:
    C:\WINNT\system32\dllhosts.exe
    C:\WINNT\choice.exe
    C:\dllhosts.exe


    Copy and paste each result into Notepad and post the logs from VirusTotal. Thanks.

    Note: You may need to unhide hidden files and folders.
    Configure Windows XP to show hidden files:
    Click Start. Open My Computer.
    Select the Tools menu and click Folder Options. Select the View Tab.

    Under the Hidden files and folders heading select "Show hidden files and folders".
    Uncheck the "Hide protected operating system files (recommended)" option.
    Uncheck the "Hide file extensions for known file types" option.
    Click Yes to confirm. Click OK.
     
  7. xfile47

    xfile47 Thread Starter

    Joined:
    Jun 21, 2004
    Messages:
    2,142
    First file -- C:\WINNT\System32\dllhosts.exe

    File dllhosts.exe received on 11.12.2007 01:37:34 (CET)


    Result: 17/32 (53.13%)


    Antivirus Version Last Update Result
    AhnLab-V3 2007.11.10.0 2007.11.09 -
    AntiVir 7.6.0.34 2007.11.11 TR/Delphi.Downloader.Gen
    Authentium 4.93.8 2007.11.10 -
    Avast 4.7.1074.0 2007.11.11 Win32:Virtualizer
    AVG 7.5.0.503 2007.11.11 -
    BitDefender 7.2 2007.11.12 -
    CAT-QuickHeal 9.00 2007.11.10 -
    ClamAV 0.91.2 2007.11.11 Trojan.Crypted-3
    DrWeb 4.44.0.09170 2007.11.11 DLOADER.Trojan
    eSafe 7.0.15.0 2007.11.08 suspicious Trojan/Worm
    eTrust-Vet 31.2.5284 2007.11.09 -
    Ewido 4.0 2007.11.11 -
    FileAdvisor 1 2007.11.12 -
    Fortinet 3.11.0.0 2007.10.19 -
    F-Prot 4.4.2.54 2007.11.10 W32/Hupigon.C.gen!Eldorado
    F-Secure 6.70.13030.0 2007.11.11 Packed.Win32.Klone.af
    Ikarus T3.1.1.12 2007.11.11 Backdoor.Win32.Agent.ahj
    Kaspersky 7.0.0.125 2007.11.12 Packed.Win32.Klone.af
    McAfee 5160 2007.11.09 New Malware.em
    Microsoft 1.3007 2007.11.12 VirTool:Win32/Obfuscator.A
    NOD32v2 2652 2007.11.11 probably a variant of Win32/Genetik
    Norman 5.80.02 2007.11.09 Hupigon.gen162
    Panda 9.0.0.4 2007.11.11 Suspicious file
    Prevx1 V2 2007.11.12 -
    Rising 20.17.62.00 2007.11.11 -
    Sophos 4.23.0 2007.11.11 Mal/EncPk-AE
    Sunbelt 2.2.907.0 2007.11.09 -
    Symantec 10 2007.11.12 -
    TheHacker 6.2.9.123 2007.11.10 -
    VBA32 3.12.2.4 2007.11.11 suspected of Trojan-Spy.xBank.10
    VirusBuster 4.3.26:9 2007.11.11 -
    Webwasher-Gateway 6.0.1 2007.11.12 Trojan.Delphi.Downloader.Gen
    Additional information
    File size: 302080 bytes
    MD5: 1417a16342a716f34acee7aa5ea2bb7a
    SHA1: e7a6c4a4ca60015296dd7dbe2afd7436db9c88d0
    packers: Klone.AF


    ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.






    File choice.exe received on 11.12.2007 01:47:16 (CET)


    Result: 1/32 (3.13%)


    Antivirus Version Last Update Result
    AhnLab-V3 2007.11.10.0 2007.11.09 -
    AntiVir 7.6.0.34 2007.11.11 -
    Authentium 4.93.8 2007.11.10 -
    Avast 4.7.1074.0 2007.11.11 -
    AVG 7.5.0.503 2007.11.11 -
    BitDefender 7.2 2007.11.12 -
    CAT-QuickHeal 9.00 2007.11.10 -
    ClamAV 0.91.2 2007.11.11 -
    DrWeb 4.44.0.09170 2007.11.11 -
    eSafe 7.0.15.0 2007.11.08 suspicious Trojan/Worm
    eTrust-Vet 31.2.5284 2007.11.09 -
    Ewido 4.0 2007.11.11 -
    FileAdvisor 1 2007.11.12 -
    Fortinet 3.11.0.0 2007.10.19 -
    F-Prot 4.4.2.54 2007.11.10 -
    F-Secure 6.70.13030.0 2007.11.11 -
    Ikarus T3.1.1.12 2007.11.12 -
    Kaspersky 7.0.0.125 2007.11.12 -
    McAfee 5160 2007.11.09 -
    Microsoft 1.3007 2007.11.12 -
    NOD32v2 2652 2007.11.11 -
    Norman 5.80.02 2007.11.09 -
    Panda 9.0.0.4 2007.11.11 -
    Prevx1 V2 2007.11.12 -
    Rising 20.17.62.00 2007.11.11 -
    Sophos 4.23.0 2007.11.11 -
    Sunbelt 2.2.907.0 2007.11.09 -
    Symantec 10 2007.11.12 -
    TheHacker 6.2.9.123 2007.11.10 -
    VBA32 3.12.2.4 2007.11.11 -
    VirusBuster 4.3.26:9 2007.11.11 -
    Webwasher-Gateway 6.0.1 2007.11.12 -
    Additional information
    File size: 21312 bytes
    MD5: 2e5832d56dcc6dc7ecb1cbe9ea350b9b
    SHA1: 0dfad92a2f9305ed8d46e374bf0bf36a554a9900
    packers: UPX




    File dllhosts.exe received on 11.12.2007 01:52:49 (CET)


    Result: 18/32 (56.25%)


    Antivirus Version Last Update Result
    AhnLab-V3 2007.11.10.0 2007.11.09 -
    AntiVir 7.6.0.34 2007.11.11 TR/Delphi.Downloader.Gen
    Authentium 4.93.8 2007.11.10 -
    Avast 4.7.1074.0 2007.11.11 Win32:Virtualizer
    AVG 7.5.0.503 2007.11.11 -
    BitDefender 7.2 2007.11.12 -
    CAT-QuickHeal 9.00 2007.11.10 -
    ClamAV 0.91.2 2007.11.11 Trojan.Crypted-3
    DrWeb 4.44.0.09170 2007.11.11 DLOADER.Trojan
    eSafe 7.0.15.0 2007.11.08 suspicious Trojan/Worm
    eTrust-Vet 31.2.5284 2007.11.09 -
    Ewido 4.0 2007.11.11 -
    FileAdvisor 1 2007.11.12 -
    Fortinet 3.11.0.0 2007.10.19 -
    F-Prot 4.4.2.54 2007.11.10 W32/Hupigon.C.gen!Eldorado
    F-Secure 6.70.13030.0 2007.11.11 Packed.Win32.Klone.af
    Ikarus T3.1.1.12 2007.11.12 Backdoor.Win32.Agent.ahj
    Kaspersky 7.0.0.125 2007.11.12 Packed.Win32.Klone.af
    McAfee 5160 2007.11.09 New Malware.em
    Microsoft 1.3007 2007.11.12 VirTool:Win32/Obfuscator.A
    NOD32v2 2652 2007.11.11 probably a variant of Win32/Genetik
    Norman 5.80.02 2007.11.09 Hupigon.gen162
    Panda 9.0.0.4 2007.11.11 Suspicious file
    Prevx1 V2 2007.11.12 TROJAN.KLONE.AF
    Rising 20.17.62.00 2007.11.11 -
    Sophos 4.23.0 2007.11.11 Mal/EncPk-AE
    Sunbelt 2.2.907.0 2007.11.09 -
    Symantec 10 2007.11.12 -
    TheHacker 6.2.9.123 2007.11.10 -
    VBA32 3.12.2.4 2007.11.11 suspected of Trojan-Spy.xBank.10
    VirusBuster 4.3.26:9 2007.11.11 -
    Webwasher-Gateway 6.0.1 2007.11.12 Trojan.Delphi.Downloader.Gen
    Additional information
    File size: 302080 bytes
    MD5: 1417a16342a716f34acee7aa5ea2bb7a
    SHA1: e7a6c4a4ca60015296dd7dbe2afd7436db9c88d0
    packers: Klone.AF
    Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=163EA4740096F5C89C4204E6D1245D0049848F64
     
  8. xfile47

    xfile47 Thread Starter

    Joined:
    Jun 21, 2004
    Messages:
    2,142
    SjPritch25
    Doesn't look good, does it? I don't know anything about it, but it sure showed a lot of viruses and trojans. Are you still going to help me with it?
     
  9. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Download the attached file CFScript.txt to your Desktop


    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at "C:\ComboFix.txt"

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



    Note: Please do not use this script on another computer, you may damage the system. The script is made especially for this computer only!!!!


    ==================================

    Double-Click on Hijackthis.exe, Click on Scan your system only and Check the following items.
    O23 - Service: Events Log (Event) - Unknown owner - C:\WINNT\system32\drivers\csrss.exe (file missing)
    O23 - Service: Transaction Coordinator - Unknown owner - C:\WINNT\system32\dllhosts.exe
    O23 - Service: Network Provisioning Services (Windowsclients) - Unknown owner - C:\WINDOWS\system32\config\SVCHOST.EXE (file missing)
    O23 - Service: Windows Accounts Driver (WindowsRemote2) - Unknown owner - C:\WINNT\system32\0svchs0t.exe (file missing)


    ===============================


    Download and scan with Sysclean Package.
    1. Create a new folder on drive "C:\" ("C:\New Folder") and rename it Sysclean.
    2. Place the sysclean.com inside that folder.
    3. Then download the latest Virus Pattern Files (lptXXX.zip).
    4. Extract the lptXXX.zip pattern file into the same folder you created for sysclean.com.
    5. Close all open applications and DISABLE your current anti-virus software. Some anti-virus programs such as Avast will alert you to a virus attack when running sysclean so it's best to disable them first. DO NOT perform a scan yet.
    6. Reboot your computer in "SAFE MODE" using the F8 key. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
    7. Open the Sysclean folder and double-click on sysclean.com to run.
    8. It will take some time to complete. Be patient and let it clean whatever it finds.
    9. Exit when done, reboot normally and re-enable your anti-virus program.

    Note: This tool generates a log file (sysclean.log) in the same folder where the scan is completed. When using Sysclean it's best to use the Administrator's account or an account with Administrative rights, otherwise you will not have the rights to scan some locations, resulting in "Access is denied" log entries.
     

    Attached Files:

  10. xfile47

    xfile47 Thread Starter

    Joined:
    Jun 21, 2004
    Messages:
    2,142
    Here is the ComboFix log with the CFScript in it, and then the Sysclean log. I will wait for your instructions. Those files in the HJT log that I checked and fixed before doing this were still there when I looked before doing this.

    ComboFix 07-11-08.3 - user 11/11/2007 17:54:41.1 - NTFSx86
    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.201 [GMT -6:00]
    Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\a.bat
    C:\Autorun.inf
    C:\Documents and Settings\user\err.log

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_FOPF


    ((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
    .

    2007-11-11 18:01 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_4c4.dat
    2007-11-11 17:54 51,200 --a------ C:\WINNT\NirCmd.exe
    2007-11-11 15:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\Avg7
    2007-11-11 14:49 21,312 --a------ C:\WINNT\choice.exe
    2007-11-11 14:46 <DIR> d-------- C:\ie-spyad
    2007-11-11 14:45 <DIR> d-------- C:\Program Files\AnalogX
    2007-11-11 13:57 <DIR> d-------- C:\Documents and Settings\user\.housecall6.6
    2007-11-10 17:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-11-10 12:14 602,128 --a--c--- C:\WINNT\system32\dllcache\winacpci.sys
    2007-11-10 12:14 107,792 --a--c--- C:\WINNT\system32\dllcache\xlog.exe
    2007-11-10 12:14 41,552 --a--c--- C:\WINNT\system32\dllcache\weitekp9.dll
    2007-11-10 12:14 35,088 --a--c--- C:\WINNT\system32\dllcache\wlandrv2.sys
    2007-11-10 12:14 30,960 --a--c--- C:\WINNT\system32\dllcache\weitekp9.sys
    2007-11-10 12:14 24,848 --a--c--- C:\WINNT\system32\dllcache\wvlan48.sys
    2007-11-10 12:14 17,168 --a--c--- C:\WINNT\system32\dllcache\xem336n5.sys
    2007-11-10 12:14 8,016 --a--c--- C:\WINNT\system32\dllcache\wmiacpi.sys
    2007-11-09 02:00 0 --a------ C:\WINNT\system32\SBRC.dat
    2007-11-09 02:00 0 --a------ C:\WINNT\system32\SBFC.dat
    2007-11-02 09:22 94,208 --a------ C:\WINNT\system32\vispe64.dll
    2007-11-02 09:22 70 --a------ C:\WINNT\system32\visAddst32.dat
    2007-11-01 15:58 14,848 --a------ C:\WINNT\system32\drivers\sskbfd.sys
    2007-11-01 15:00 1,684 --a------ C:\WINNT\system32\tmp.reg
    2007-11-01 14:08 <DIR> d-------- C:\WINNT\pss
    2007-11-01 14:06 144,896 --a------ C:\WINNT\system32\msconfig.exe
    2007-11-01 14:03 <DIR> d-------- C:\Tec
    2007-11-01 13:49 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
    2007-11-01 13:49 51,200 --a------ C:\WINNT\system32\dumphive.exe
    2007-11-01 13:32 630,784 --a------ C:\Documents and Settings\Administrator\GoToAssist_chat2way__317_en.exe
    2007-10-31 16:51 0 --a------ C:\Documents and Settings\Administrator\GoToAssistDownloadHelper.exe
    2007-10-31 16:06 <DIR> d-------- C:\Program Files\Security Task Manager
    2007-10-31 16:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
    2007-10-31 15:57 175,616 --a------ C:\WINNT\system32\strings.exe
    2007-10-31 15:57 126,976 --a------ C:\WINNT\system32\zip.exe
    2007-10-31 15:57 90,112 --a------ C:\WINNT\system32\RegDACL.exe
    2007-10-31 15:57 53,248 --a------ C:\WINNT\system32\Process.exe
    2007-10-31 15:57 39,184 --a------ C:\WINNT\system32\Ntrights.exe
    2007-10-31 15:57 24,576 --a------ C:\WINNT\system32\Reboot.exe
    2007-10-31 15:57 11,254 --a------ C:\WINNT\system32\locate.com
    2007-10-31 06:41 1,047 --a------ C:\WINNT\run.vbs
    2007-10-30 10:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-10-30 10:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-28 14:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\New York Life
    2007-10-28 14:18 17 --a------ C:\WINNT\system32\drivers\nwlnkcr.sys
    2007-10-24 11:42 1,044 --a------ C:\WINNT\home.vbs
    2007-10-24 00:14 37 --a------ C:\bat.bat
    2007-10-15 22:48 302,080 --------- C:\WINNT\system32\dllhosts.exe
    2007-10-15 22:48 302,080 -r-h----- C:\dllhosts.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-11 23:56 --------- d-----w C:\Program Files\Symantec AntiVirus
    2007-11-11 21:21 --------- d-----w C:\Documents and Settings\user\Application Data\wsInspector
    2007-11-11 21:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-10 23:38 --------- d-----w C:\Program Files\Yahoo!
    2007-11-01 22:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-01 22:47 --------- d-----w C:\Program Files\Antenna
    2007-10-30 16:41 --------- d-----w C:\Program Files\Lavasoft
    2007-10-30 16:41 --------- d-----w C:\Documents and Settings\user\Application Data\Lavasoft
    2007-10-07 03:17 28,672 ----a-w C:\MSD0S.com
    2007-09-25 18:05 --------- d-----w C:\Documents and Settings\user\Application Data\eRoom
    2007-09-20 16:21 --------- d-----w C:\Program Files\Google
    2007-09-17 21:06 8,478 ----a-w C:\Program Files\hlpsrv.exe
    2007-09-17 16:01 --------- d-----w C:\Program Files\INAC
    2007-08-29 23:35 61,480 ----a-w C:\Documents and Settings\user\GoToAssistDownloadHelper.exe
    2007-03-12 19:04 630,784 ----a-w C:\Documents and Settings\user\GoToAssist_chat2way__317_en.exe
    2006-08-11 15:06 0 ----a-w C:\Documents and Settings\user\loaded.exe
    2006-03-31 18:53 60,864 ----a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
    2006-03-17 00:50 271 ---h--w C:\Program Files\desktop.ini
    2006-03-17 00:50 21,952 ---h--w C:\Program Files\folder.htt
    2000-07-26 17:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06-03-24 19:14 ]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [06-06-15 03:40 ]
    "StartSecurDoc"="C:\Program Files\WinMagic\SecureDoc-NT\SDPin.exe" [06-06-01 11:55 ]
    "Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="ctfmon.exe" [01-02-20 15:09 C:\WINNT\system32\CTFMON.EXE]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"=ctfmon.exe

    C:\Documents and Settings\user\Start Menu\Programs\Startup\
    Monitor My eRooms (V7).lnk - C:\Program Files\eRoom 7\ERClient7.exe [2007-01-02 16:47:14]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 03:01:04]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetFolders"=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "StartMenuLogOff"=1 (0x1)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"= shdocvw.dll [ ]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll


    R3 ati2mtaa;ati2mtaa;C:\WINNT\system32\DRIVERS\ati2mtaa.sys

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    tersvc tersvc
    RemDcomSvc RemDcomSvc
    tmsscvl tmsscvl

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    3800hk

    *Newly Created Service* - IPNAT
    *Newly Created Service* - RASAUTO
    *Newly Created Service* - SHAREDACCESS
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-11 18:01:49
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-11 18:03:38 - machine was rebooted
    .
    --- E O F ---






    /--------------------------------------------------------------\
    | Trend Micro System Cleaner |
    | Copyright 2006, Trend Micro, Inc. |
    | http://www.antivirus.com |
    \--------------------------------------------------------------/


    2007-11-11, 22:27:43, Auto-clean mode specified.
    2007-11-11, 22:27:43, Running scanner "C:\Sysclean\TSC.BIN"...
    2007-11-11, 22:28:07, Scanner "C:\Sysclean\TSC.BIN" has finished running.
    2007-11-11, 22:28:07, TSC Log:

    2007-11-11, 22:28:58, An error was detected on "C:\System Volume Information\*.*": Access is denied.
    2007-11-11, 23:07:55, Files Detected:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 11/11/2007 22:29:11
    VSAPI Engine Version : 8.000-1001
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 822 (257759 Patterns) (2007/11/11) (482202)
    Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

    C:\Program Files\Common Files\Microsoft Shared\MSInfo\_dllhosts.exe [BKDR_HUPIGON.EVG]
    C:\qoobox\Quarantine\C\dllhosts.exe.vir [BKDR_HUPIGON.EVG]
    C:\qoobox\Quarantine\C\WINNT\system32\dllhosts.exe.vir [BKDR_HUPIGON.EVG]
    C:\WINNT\system32\eventrep.dll [TROJ_AGENT.YCY]
    35167 files have been read.
    35167 files have been checked.
    32072 files have been scanned.
    117172 files have been scanned. (including files in archived)
    4 files containing viruses.
    Found 4 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 11/11/2007 23:07:55
    ---------*---------*---------*---------*---------*---------*---------*---------*
    2007-11-11, 23:07:55, Files Clean:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 11/11/2007 22:29:11
    VSAPI Engine Version : 8.000-1001
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 822 (257759 Patterns) (2007/11/11) (482202)
    Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

    Success Clean [BKDR_HUPIGON.EVG]( 1) from C:\Program Files\Common Files\Microsoft Shared\MSInfo\_dllhosts.exe
    Success Clean [BKDR_HUPIGON.EVG]( 1) from C:\qoobox\Quarantine\C\dllhosts.exe.vir
    Success Clean [BKDR_HUPIGON.EVG]( 1) from C:\qoobox\Quarantine\C\WINNT\system32\dllhosts.exe.vir
    35167 files have been read.
    35167 files have been checked.
    32072 files have been scanned.
    117172 files have been scanned. (including files in archived)
    4 files containing viruses.
    Found 4 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 11/11/2007 23:07:55 38 minutes 35 seconds (2314.52 seconds) has elapsed.

    ---------*---------*---------*---------*---------*---------*---------*---------*
    2007-11-11, 23:07:55, Clean Fail:
    Copyright (c) 1990 - 2004 Trend Micro Inc.
    Report Date : 11/11/2007 22:29:11
    VSAPI Engine Version : 8.000-1001
    VSCANTM Version : 1.1-1001
    Virus Pattern Version : 822 (257759 Patterns) (2007/11/11) (482202)
    Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

    35167 files have been read.
    35167 files have been checked.
    32072 files have been scanned.
    117172 files have been scanned. (including files in archived)
    4 files containing viruses.
    Found 4 viruses totally.
    Maybe 0 viruses totally.
    Stop At : 11/11/2007 23:07:55 38 minutes 35 seconds (2314.52 seconds) has elapsed.

    ---------*---------*---------*---------*---------*---------*---------*---------*
    2007-11-11, 23:07:55, Scanner "C:\Sysclean\VSCANTM.BIN" has finished running.
     
  11. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Please post a fresh Hijackthis log. Thanks
     
  12. xfile47

    xfile47 Thread Starter

    Joined:
    Jun 21, 2004
    Messages:
    2,142
    Here is the fresh log

    Logfile of HijackThis v1.99.1
    Scan saved at 7:37:44 AM, on 11/12/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\WinMagic\SecureDoc-NT\SDPin.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\eRoom 7\ERClient7.exe
    C:\Documents and Settings\user\Desktop\SpyWareTools\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netins.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [StartSecurDoc] "C:\Program Files\WinMagic\SecureDoc-NT\SDPin.exe"
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O16 - DPF: {123FE8C9-0BDC-4946-A854-DDBA7398CF64} - https://www.fts.newyorklife.com/ftWebUpdate/installs/ftwebupdate.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {5EF90065-A2C4-4C6D-993E-40EE010EBA3D} (FTWebUtils.Redirecter) - https://www.fts.newyorklife.com/formslibrary/Package/FTWebUtils.CAB
    O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Events Log (Event) - Unknown owner - C:\WINNT\system32\drivers\csrss.exe (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Network Provisioning Services (Windowsclients) - Unknown owner - C:\WINDOWS\system32\config\SVCHOST.EXE (file missing)
    O23 - Service: Windows Accounts Driver (WindowsRemote2) - Unknown owner - C:\WINNT\system32\0svchs0t.exe (file missing)
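The O23 lines sjpritch25 asked to have checked in HijackThis are still present in this fresh log. As an added example (not from the thread, HijackThis or ComboFix), the Python below runs a triage pass over those O23 lines, flagging the two markers the helper pointed at ("Unknown owner" and "(file missing)") plus two checks that are assumptions of this example: a core Windows binary name registered outside C:\WINNT\system32, and a file name one edit away from a core binary (dllhosts.exe, 0svchs0t.exe). The CORE_BINARIES set and SYSTEM_ROOT constant are assumptions for this example, and SAMPLE_LOG is copied from the O23 lines on this page.

```python
"""Triage HijackThis O23 (service) lines for the markers pointed at in the thread."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Core Windows binaries that belong directly in <systemroot>\system32
# (assumption made for this example; the list is not from HijackThis).
CORE_BINARIES = {"csrss", "svchost", "smss", "winlogon", "services", "lsass", "dllhost"}
SYSTEM_ROOT = r"C:\WINNT"  # Windows 2000 system root, as seen in the logs above

# O23 lines copied from this thread: the four the helper listed plus three
# legitimate ones from the fresh HijackThis log.
SAMPLE_LOG = r"""
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Events Log (Event) - Unknown owner - C:\WINNT\system32\drivers\csrss.exe (file missing)
O23 - Service: Transaction Coordinator - Unknown owner - C:\WINNT\system32\dllhosts.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Network Provisioning Services (Windowsclients) - Unknown owner - C:\WINDOWS\system32\config\SVCHOST.EXE (file missing)
O23 - Service: Windows Accounts Driver (WindowsRemote2) - Unknown owner - C:\WINNT\system32\0svchs0t.exe (file missing)
"""


@dataclass
class ServiceEntry:
    display: str
    short: Optional[str]
    owner: str
    path: str
    missing: bool
    reasons: List[str] = field(default_factory=list)


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one O23 line; any other HijackThis line yields None."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    # Exactly three fields: name, owner, path (the path itself may contain ' - ').
    parts = line[len(prefix):].split(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = parts
    missing = path.endswith("(file missing)")
    if missing:
        path = path[: -len("(file missing)")].rstrip()
    # Display name with an optional "(short name)" suffix, e.g. "Events Log (Event)".
    m = re.match(r"^(?P<display>.*?)(?: \((?P<short>[^()]+)\))?$", name)
    return ServiceEntry(m["display"], m["short"], owner, path, missing)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; the file stems compared here are only a few characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach a reason for every marker that should make a responder look twice."""
    if entry.owner == "Unknown owner":
        entry.reasons.append("no company name in the image's version info")
    if entry.missing:
        entry.reasons.append("dangling registration: the service binary is gone")
    directory, _, filename = entry.path.lower().rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    letters = re.sub(r"\d", "", stem)  # digit-for-letter swaps: 0svchs0t -> svchst
    for core in sorted(CORE_BINARIES):
        if stem == core and directory != SYSTEM_ROOT.lower() + r"\system32":
            entry.reasons.append(f"{core}.exe registered outside {SYSTEM_ROOT}\\system32")
        elif stem != core and _edit_distance(letters, core) <= 1:
            entry.reasons.append(f"file name mimics {core}.exe")
    return entry


def suspicious_services(log: str) -> List[ServiceEntry]:
    """Return the O23 entries of a HijackThis log that carry at least one reason."""
    flagged = []
    for line in log.splitlines():
        entry = parse_o23(line.strip())
        if entry is not None and triage(entry).reasons:
            flagged.append(entry)
    return flagged
```

Running suspicious_services(SAMPLE_LOG) flags exactly the four services the helper listed, each with its reasons, and leaves the Lavasoft, VERITAS and Symantec entries alone.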
     
  13. xfile47

    xfile47 Thread Starter

    Joined:
    Jun 21, 2004
    Messages:
    2,142
    Can anyone pick up where SjPritch25 left off?
     
  14. xfile47

    xfile47 Thread Starter

    Joined:
    Jun 21, 2004
    Messages:
    2,142
    No, it's running great. I have ie-spyad now and script defender and spywareblaster, and adware working on windows defender. Thank you much, I will close this thread and thanks again. You have no idea how good I feel about getting this done.
     
  15. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Did you check these items in Hijackthis???

    O23 - Service: Events Log (Event) - Unknown owner - C:\WINNT\system32\drivers\csrss.exe (file missing)
    O23 - Service: Network Provisioning Services (Windowsclients) - Unknown owner - C:\WINDOWS\system32\config\SVCHOST.EXE (file missing)
    O23 - Service: Windows Accounts Driver (WindowsRemote2) - Unknown owner - C:\WINNT\system32\0svchs0t.exe (file missing)
     
Short URL to this thread: https://techguy.org/650574
