Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 13 of 13 Posts

·
Registered
Joined
·
7 Posts
Discussion Starter · #1 ·
tis is e result frm HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 1:50:08 PM, on 6/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.uljcevkewkhbj.com/RNjuhfVMgAIozTcM7/1jNbnr4ieUXiKK6xhiF53St8_CokqIloHJ7o0Z3xAB9zdg.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fol.singnet.com.sg:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {F5998C05-A41A-4DA8-1CA5-5ECF0003AF32} - C:\WINNT\system32\inscdm\wdtqvigtgn.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Sygate Personal Port] crss.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [super] super.exe
O4 - HKLM\..\RunServices: [Sygate Personal Port] crss.exe
O4 - HKLM\..\RunServices: [super] super.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Sygate Personal Port] crss.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O15 - Trusted Zone: http://www.anakmelayu.com
O15 - Trusted Zone: http://www.friendster.com
O15 - Trusted Zone: http://www.hotmail.com
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.worldwinner.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: chgre - Unknown owner - \\219.74.233.67\admin$\nvsvc.exe" -service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WIn32S Java DLL (java dllsx) - Unknown owner - C:\WINNT\system32\kavsvx.exe" -service (file missing)
O23 - Service: kjznlom - Unknown owner - \\219.74.232.70\admin$\winjava.exe" -service (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Microsoft TaskManager Dll Starter (Microsoft TaskManager Dll) - Unknown owner - C:\WINNT\system32\mstskmngr32.exe" -service (file missing)
O23 - Service: mxsce - Unknown owner - \\219.74.110.171\admin$\nvsvc.exe" -service (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\system32\libsysmgr.exe (file missing)
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
O23 - Service: winspd32dll (winspd32.exe) - Unknown owner - C:\WINNT\system32\winspd32.exe" -service (file missing)
 

·
Retired Moderator Retired Malware Specialist
Joined
·
56,449 Posts
* Run ActiveScan online virus scan here

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan
 

·
Registered
Joined
·
7 Posts
Discussion Starter · #4 ·
ok tis is e result frm ActiveScan:

ive already deleted everything except for svhost1,svhost4,svhostx (couldnt find e files at e specific directory). & C:\WINNT\system32\inscdm\wdtqvigtgn.dll (everytime i tried to delete, it said cannot access. file maybe in use.

Incident Status Location

Adware:Adware/Novo No disinfected C:\WINNT\system32\inscdm\wdtqvigtgn.dll
Spyware:Spyware/Dyfuca No disinfected Windows Registry
Adware:Adware/DownloadWare No disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\41M7GLI3\1[1].txt
Possible Virus. No disinfected C:\WINNT\svhost1.exe
Possible Virus. No disinfected C:\WINNT\svhost4.exe
Possible Virus. No disinfected C:\WINNT\svhostx.exe
Virus:Trj/Qhost.AA Disinfected C:\WINNT\system32\drivers\etc\hosts
Adware:Adware/Novo No disinfected C:\WINNT\system32\inscdm\wdtqvigtgn.dll
Possible Virus. No disinfected C:\WINNT\system32\svhostx.exe
Virus:W32/Gaobot.FXS.worm Disinfected C:\WINNT\system32\winspd32.exe
Adware:Adware/nCase No disinfected C:\WINNT\Temp\clientax.dll
Spyware:Spyware/SurfSideKick No disinfected C:\WINNT\Temp\i13A.tmp
Adware:Adware/DownloadWare No disinfected C:\WINNT\Temp\nst14A.EXE
Adware:Adware/nCase No disinfected C:\WINNT\Temp\res14B.tmp
Adware:Adware/nCase No disinfected C:\WINNT\Temp\res1E0.tmp
Adware:Adware/Weirdontheweb No disinfected C:\WINNT\weirdontheweb_topc.exe
 

·
Registered
Joined
·
7 Posts
Discussion Starter · #5 ·
and tis is e result frm HijackThis aft i did e ActiveScan:

Logfile of HijackThis v1.99.1
Scan saved at 9:40:05 AM, on 6/14/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.uljcevkewkhbj.com/RNjuhfVMgAIozTcM7/1jNbnr4ieUXiKK6xhiF53St8_CokqIloHJ7o0Z3xAB9zdg.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fol.singnet.com.sg:8080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00EE124B-2950-1C0C-4DA5-E0BD88DBE732} - C:\WINNT\system32\inscdm\wdtqvigtgn.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Sygate Personal Port] crss.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [super] super.exe
O4 - HKLM\..\Run: [winspd32dll] winspd32.exe
O4 - HKLM\..\RunServices: [Sygate Personal Port] crss.exe
O4 - HKLM\..\RunServices: [super] super.exe
O4 - HKLM\..\RunServices: [winspd32dll] winspd32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Sygate Personal Port] crss.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O15 - Trusted Zone: http://www.anakmelayu.com
O15 - Trusted Zone: http://www.friendster.com
O15 - Trusted Zone: http://www.hotmail.com
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.worldwinner.com
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D87E72C-CFD9-438D-8473-622F5947A396}: NameServer = 165.21.83.88 165.21.100.88
O23 - Service: chgre - Unknown owner - \\219.74.233.67\admin$\nvsvc.exe" -service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WIn32S Java DLL (java dllsx) - Unknown owner - C:\WINNT\system32\kavsvx.exe" -service (file missing)
O23 - Service: kjznlom - Unknown owner - \\219.74.232.70\admin$\winjava.exe" -service (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Microsoft TaskManager Dll Starter (Microsoft TaskManager Dll) - Unknown owner - C:\WINNT\system32\mstskmngr32.exe" -service (file missing)
O23 - Service: mxsce - Unknown owner - \\219.74.110.171\admin$\nvsvc.exe" -service (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\system32\libsysmgr.exe (file missing)
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
O23 - Service: winspd32dll (winspd32.exe) - Unknown owner - C:\WINNT\system32\winspd32.exe" -service (file missing)
 

·
Retired Moderator Retired Malware Specialist
Joined
·
56,449 Posts
Download AdAware SE 1.06 from http://www.lavasoft.com and install it if you haven't already got it. If you have it, then make sure it is updated and configured as described later in this post

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.uljcevkewkhbj.com/RNjuhf...0Z3xAB9zdg.html

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00EE124B-2950-1C0C-4DA5-E0BD88DBE732} - C:\WINNT\system32\inscdm\wdtqvigtgn.dll

O4 - HKLM\..\Run: [Sygate Personal Port] crss.exe

O4 - HKLM\..\Run: [super] super.exe
O4 - HKLM\..\Run: [winspd32dll] winspd32.exe
O4 - HKLM\..\RunServices: [Sygate Personal Port] crss.exe
O4 - HKLM\..\RunServices: [super] super.exe
O4 - HKLM\..\RunServices: [winspd32dll] winspd32.exe

O4 - HKCU\..\Run: [Sygate Personal Port] crss.exe

O15 - Trusted Zone: http://www.anakmelayu.com
O15 - Trusted Zone: http://www.friendster.com
O15 - Trusted Zone: http://www.hotmail.com
O15 - Trusted Zone: http://www.myspace.com
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://www.worldwinner.com

O23 - Service: chgre - Unknown owner - \\219.74.233.67\admin$\nvsvc.exe" -service (file missing)

O23 - Service: WIn32S Java DLL (java dllsx) - Unknown owner - C:\WINNT\system32\kavsvx.exe" -service (file missing)
O23 - Service: kjznlom - Unknown owner - \\219.74.232.70\admin$\winjava.exe" -service (file missing)

O23 - Service: Microsoft TaskManager Dll Starter (Microsoft TaskManager Dll) - Unknown owner - C:\WINNT\system32\mstskmngr32.exe" -service (file missing)
O23 - Service: mxsce - Unknown owner - \\219.74.110.171\admin$\nvsvc.exe" -service (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\system32\libsysmgr.exe (file missing)
O23 - Service: winspd32dll (winspd32.exe) - Unknown owner - C:\WINNT\system32\winspd32.exe" -service (file missing)

now Start killbox paste the first file listed below into the full pathname and file to delete box

The file name will appear in the window and if the file exists it will appear in blue under that window then select standard file kill, press the red X button, say yes to the prompt and once the file deleted message comes up then repeat for each file in turn

[Note: Killbox makes backups of all deleted files in a folder called C:\!submit we might ask you to submit those files for further examination a bit later on ]

C:\WINNT\system32\inscdm\wdtqvigtgn.dll
C:\WINNT\svhost1.exe
C:\WINNT\svhost4.exe
C:\WINNT\svhostx.exe
C:\WINNT\system32\inscdm\wdtqvigtgn.dll
C:\WINNT\system32\svhostx.exe
C:\WINNT\Temp\clientax.dll
C:\WINNT\Temp\i13A.tmp
C:\WINNT\Temp\nst14A.EXE
C:\WINNT\Temp\res14B.tmp
C:\WINNT\Temp\res1E0.tmp
C:\WINNT\weirdontheweb_topc.exe
C:\WINNT\system32\winspd32.exe
C:\WINNT\system32\libsysmgr.exe
C:\WINNT\system32\mstskmngr32.exe
C:\WINNT\system32\kavsvx.exe
C:\WINNT\system32\super.exe
C:\WINNT\system32\crss.exe

Then on killbox top bar press tools/delete temp files and follow those prompts and say yes to everything

then as some of the folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

delete these folders

then go to C:\windows\temp and select EVERYTHING and delete it all and then do the same for C:\temp if it exists

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

then

Run ADAWARE

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
the current ref file should read at least SE1R50 13.06.2005 or a higher number/later date

Set up the Configurations as follows:

General Button
Safety:
Check (Green) all three.

Click on "Proceed"

Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

Click on "Scan Now"

Run the scanner using the Full Scan (Perform full system scan) mode.

When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

Reboot &

Download and install the Micro$oft antispyware BETA from http://www.microsoft.com/athome/security/spyware/software/default.mspx and let it fix anything it finds

First press file and check for updates and then run it

Recent tests suggest that a combination of Adaware & M$AS removes approx 80% of spywares/Adwares, much higher than any other combination

Run an online antivirus check from at least one and preferably 2 of the following sites

http://www.kaspersky.com/beta?product=161744315 ( with this one as it's abeta product, they ask for a name & email, just put any email in and any name and company it isn't checked on and they have just used the standard beta page as a doorway to it )
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/
http://www3.ca.com/virusinfo/
http://www.bitdefender.com/scan/licence.php
http://www.commandondemand.com/eval/index.cfm
http://www.freedom.net/viruscenter/onlineviruscheck.html
http://info.ahnlab.com/english/
http://www.pcpitstop.com/pcpitstop/AntiVirusCntr.asp

reboot again and post a fresh log and tell us how it is
 

·
Registered
Joined
·
7 Posts
Discussion Starter · #7 ·
thx derek, ive done e steps u asked me to. but aft i ran HijackThis again, some files are stil ard.

such as e crss.exe, super.exe, etc. even when i tried to delete it thru regedit it keeps coming back.. when i tried to end e process for crss.exe it said this is critical system process. Task manager cannot end this process.

also ther's a system2.exe file on my c drive. should i worry abt tat at all? and wat abt this folder called TryMedia?

anyway heres e log:

Logfile of HijackThis v1.99.1
Scan saved at 9:04:53 AM, on 6/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [super] super.exe
O4 - HKLM\..\Run: [Sygate Personal Port] crss.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\RunServices: [Sygate Personal Port] crss.exe
O4 - HKLM\..\RunServices: [super] super.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Sygate Personal Port] crss.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WIn32S Java DLL (java dllsx) - Unknown owner - C:\WINNT\system32\kavsvx.exe" -service (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Microsoft TaskManager Dll Starter (Microsoft TaskManager Dll) - Unknown owner - C:\WINNT\system32\mstskmngr32.exe" -service (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\system32\libsysmgr.exe (file missing)
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
O23 - Service: winspd32dll (winspd32.exe) - Unknown owner - C:\WINNT\system32\winspd32.exe" -service (file missing)
 

·
Retired Moderator Retired Malware Specialist
Joined
·
56,449 Posts
I have just noticed you have adwatch running and that prevents registry changes

Please disable AdWatch, as it may hinder the removal of some entries.
To disable AdWatch:

right-click the AW icon in the sys tray and select "Unload Ad-Watch" and when you have finished cleaning open adaware and click on the adwatch button

then try the fix in HJT again and when you re enable adwatch make sure it is NOT set to automatic so it wil alert rather than blocking changes, then allow the changes we have just made

BE VERY careful as the system process that task manager won't let you stop is CSRSS I have said to delete CRSS watch the spelling, taht is why I always say use killbox and paste in the entries so there is no possibility of mistakes
 

·
Retired Moderator Retired Malware Specialist
Joined
·
56,449 Posts
I don't know what the super2.exe file is but suspect it's probbaly bad so uplaod it to me so I can check it please

lease go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files
 

·
Registered
Joined
·
7 Posts
Discussion Starter · #10 ·
hi derek,

did wat u told me to. tis time managed to get rid e necessary stuff but 1: C:\WINNT\system32\winspd32.exe" -service (file missing)

heres e log: thx!

Logfile of HijackThis v1.99.1
Scan saved at 3:30:09 PM, on 6/15/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Ares Lite Edition\Ares.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fol.singnet.com.sg:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D87E72C-CFD9-438D-8473-622F5947A396}: NameServer = 165.21.83.88 165.21.100.88
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: WIn32S Java DLL (java dllsx) - Unknown owner - C:\WINNT\system32\kavsvx.exe" -service (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Microsoft TaskManager Dll Starter (Microsoft TaskManager Dll) - Unknown owner - C:\WINNT\system32\mstskmngr32.exe" -service (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINNT\system32\libsysmgr.exe (file missing)
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
O23 - Service: winspd32dll (winspd32.exe) - Unknown owner - C:\WINNT\system32\winspd32.exe" -service (file missing)
 

·
Retired Moderator Retired Malware Specialist
Joined
·
56,449 Posts
You have a few left over services

now go to start/run and type services.msc press OK
when the screen opens scroll down to WIn32S Java DLL right click and select properties and then on that page press stop service and then set the start up type to disabled, press ok

repeat for each of these

Microsoft TaskManager Dll Starter
NT login service (ntlogin32)
winspd32dll

then open HJT & press config/misc tools and select delete an NT service

paste this into the box & press OK
java dllsx

repeat for these
Microsoft TaskManager Dll
ntlogin32
winspd32.exe

Then reboot & post fresh log please
 

·
Retired Moderator Retired Malware Specialist
Joined
·
56,449 Posts
The system2.exe was an empty file, so it either didn't upload properly or has already been disinfected or is a dummy set by the pests to confuse us

can you find it in system32, right click it and see what size it says on your computer please.

if it say 0 bytes then delete it

if it says any other size please try and upload it agin to spykiller
 
1 - 13 of 13 Posts
Status
Not open for further replies.
Top