MarsPeople

Generic Host Process Win32 Services

31 posts in this topic

Hi all! I encountered this problem, "Generic Host Process Win32 Services". This problem only appears 5~15 mins after I connect to the internet. I used Spybot to scan through the computer and found myself infected with a trojan, "CoolWWWSearch.Feat2dll". It has a sub-component, "C:\WINDOWS\winyr32.dll", which I am unable to fix as the screen tells me that the particular file is in use in memory.

 

On top of that, my task manager doesn't show any username (System, Administrator, Network etc.). I'm unable to play any audio-related files either. The screen shows "Bad Directsound driver. Please install proper drivers or select another device in configuration. Error code : 88780078".

I'm using SingNet Broadband via a Prolink 8000.

 

Here is the logfile of my HJT:

 

Logfile of HijackThis v1.99.1

Scan saved at 12:40:23 PM, on 6/2/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\s3hotkey.exe

C:\WINDOWS\System32\00THotkey.exe

C:\WINDOWS\System32\TPWRTRAY.EXE

C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~2\VPTray.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\NotifyPhoneBook.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.np.edu.sg:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {86D4852C-B1D2-EE87-2B2C-572D82340F98} - (no file)

O4 - HKLM\..\Run: [s3Hotkey] s3hotkey.exe

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [EPSON Stylus C63 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3C2.EXE /P23 "EPSON Stylus C63 Series" /O5 "LPT1:" /M "Stylus C63"

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE -startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted IP range: 206.161.125.149

O16 - DPF: {86BC8440-8693-4076-A144-6BAF942B40B0} - http://mysearch.8848.com/mysearch/MySearch.CAB

O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...581/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = npstd.npnet.np.edu.sg

O17 - HKLM\Software\..\Telephony: DomainName = npstd.npnet.np.edu.sg

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mci.ict.np.edu.sg,ict.np.edu.sg,npnet.np.edu.sg,npstd.npnet.np.edu.sg,np.edu.sg

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: draw32 - draw32.dll (file missing)

O20 - Winlogon Notify: iexplore - AO\S\.dll (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hello,

 

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

 

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {86D4852C-B1D2-EE87-2B2C-572D82340F98} - (no file)

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O15 - Trusted IP range: 206.161.125.149

O16 - DPF: {86BC8440-8693-4076-A144-6BAF942B40B0} - http://mysearch.8848.com/mysearch/MySearch.CAB

O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com/update/IESearch.cab

O20 - Winlogon Notify: draw32 - draw32.dll (file missing)

O20 - Winlogon Notify: iexplore - AO\S\.dll (file missing)

 

Click on Fix Checked when finished and exit HijackThis.

 

Restart the computer normally to reset the registry.

 

Download win32delfkil.exe.

Save it on your desktop.

Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.

Close all windows, open the win32delfkil folder and double click on fix.bat.

The computer will reboot automatically.

Post the contents of the logfile c\windelf.txt, along with a new HijackThis log.

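The helper's list above is a manual triage of the poster's HijackThis log. As an added example (not code from the thread, from HijackThis or from any tool the helpers used), the Python script below parses the `Rn - ...` / `On - ...` entry lines of such a log and flags the same classes of entries: a missing default URLSearchHook (R3), BHOs with no backing file (O2), IE policy restrictions (O6), Trusted IP range entries (O15), O16 ActiveX downloads from hosts outside an allowlist, and Winlogon Notify handlers whose DLL is missing (O20). The allowlist containing only `download.mcafee.com` is an assumption taken from the one O16 entry the helper left alone; the sample log is constructed from lines in the poster's first log.

```python
"""Triage helper for HijackThis v1.99 logs.

Added example for this thread; it is not part of HijackThis or of any
tool the helpers used. It parses the 'Rn - ...' / 'On - ...' entry lines
of a log and flags the kinds of entries the helper told the poster to
fix: a missing default URLSearchHook (R3), BHOs with no backing file
(O2), IE policy restrictions (O6), Trusted IP range entries (O15),
ActiveX downloads (O16) from hosts outside an allowlist, and Winlogon
Notify handlers whose DLL is missing (O20).
"""
import re
from urllib.parse import urlparse

# Assumption: the only O16 host the helper left alone was download.mcafee.com,
# so that is the whole allowlist here. Extend it for your own environment.
TRUSTED_DPF_HOSTS = {"download.mcafee.com"}

# Constructed sample: entry lines copied from the poster's first log,
# with benign lines kept so the filter has something to leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {86D4852C-B1D2-EE87-2B2C-572D82340F98} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {86BC8440-8693-4076-A144-6BAF942B40B0} - http://mysearch.8848.com/mysearch/MySearch.CAB
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...581/mcfscan.cab
O20 - Winlogon Notify: draw32 - draw32.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""

# One HijackThis entry: a section tag (R0, O2, O16, ...), ' - ', then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


def parse_entries(log_text):
    """Yield (section, body) for every HijackThis entry line; other lines
    (header, 'Running processes:', process paths, blanks) are skipped."""
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            yield match.group("section"), match.group("body")


def flag_entry(section, body, trusted_hosts=TRUSTED_DPF_HOSTS):
    """Return a one-line reason if the entry deserves review, else None."""
    if section == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook removed; typical of search hijackers"
    if section == "O2" and body.endswith("(no file)"):
        return "BHO registered but its DLL is gone; orphaned loading point"
    if section == "O6":
        return "IE policy restriction present; locks the user out of IE settings"
    if section == "O15":
        return "address placed in the Trusted sites zone; lowers IE security for it"
    if section == "O16":
        # Body looks like 'DPF: {CLSID} - http://host/path.cab'; take the URL part.
        url = body.rsplit(" - ", 1)[-1]
        host = (urlparse(url).hostname or "").lower()
        if host not in trusted_hosts:
            return f"ActiveX package downloaded from non-allowlisted host {host!r}"
    if section == "O20" and "(file missing)" in body:
        return "Winlogon Notify handler whose DLL is missing; leftover logon-time loading point"
    return None


def triage(log_text):
    """Return [(section, body, reason), ...] for every entry that needs
    review, in log order."""
    findings = []
    for section, body in parse_entries(log_text):
        reason = flag_entry(section, body)
        if reason is not None:
            findings.append((section, body, reason))
    return findings


if __name__ == "__main__":
    for section, body, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {body}\n       -> {reason}")
```

Run against the sample, the script flags exactly the six entries the helper told the poster to fix and leaves the Spybot BHO, the McAfee scanner and the Symantec NavLogon handler alone.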

Hi! I have followed the instructions given. This is the logfile of my "c\windelf.txt":

 

 

WIN32DELFKIL LOGFILE - by Marckie

 

 

version 3.127

Mon 06/11/2007 9:22:28.79

running from: "C:\Documents and Settings\Administrator\Desktop"

 

 

--- File(s) found in Windows directory ---

 

--- File(s) found in system32 folder ---

 

--- Services ---

 

--- Export SharedTaskScheduler key ---

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

 

 

--- Notify key ---

 

 

--- rebooting the computer ---

 

 

--- File(s) found in Windows directory ---

 

--- File(s) found in system32 folder ---

 

--- Services ---

 

--- Export SharedTaskSchedulerkey ---

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

 

 

 

--- Notify key ---

 

Finished!

 

 

Below is the logfile of the new HJT:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 9:30:03 AM, on 6/11/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\s3hotkey.exe

C:\WINDOWS\System32\00THotkey.exe

C:\WINDOWS\System32\TPWRTRAY.EXE

C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~2\VPTray.exe

C:\WINDOWS\System32\NotifyPhoneBook.exe

C:\WINDOWS\System32\ctfmon.exe

C:\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [s3Hotkey] s3hotkey.exe

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [EPSON Stylus C63 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3C2.EXE /P23 "EPSON Stylus C63 Series" /O5 "LPT1:" /M "Stylus C63"

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE -startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...581/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = npstd.npnet.np.edu.sg

O17 - HKLM\Software\..\Telephony: DomainName = npstd.npnet.np.edu.sg

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mci.ict.np.edu.sg,ict.np.edu.sg,npnet.np.edu.sg,npstd.npnet.np.edu.sg,np.edu.sg

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Download this file - combofix.exe

 

and save it to your desktop (Important). Also save the below command in Notepad as a text file so that you can copy/paste in safe mode.

 

"%userprofile%\desktop\combofix.exe"

 

Boot into safe mode by tapping the F8 key just before Windows starts to load.

 

Go to Start --> Run and copy/paste in the following:

 

"%userprofile%\desktop\combofix.exe"

 

When finished, it shall produce a log for you. Save it and post that log in your next reply.

 

Note:

 

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

 

In your next post, please include

  • new hijackthis log
  • combofix log

 

*use separate posts to ensure the logs don't get cut off!

 


OK, I have performed the necessary instructions already. In my C:\ drive, I found one ComboFix quarantine file. I don't know whether I need to post it or not, but I am posting it just in case.

 

Here is my new HijackThis log file:

 

Logfile of HijackThis v1.99.1

Scan saved at 12:21:38 AM, on 6/12/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\s3hotkey.exe

C:\WINDOWS\System32\TPWRTRAY.EXE

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\NotifyPhoneBook.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~2\VPTray.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\WINDOWS\System32\ctfmon.exe

C:\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [s3Hotkey] s3hotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE -startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...581/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = npstd.npnet.np.edu.sg

O17 - HKLM\Software\..\Telephony: DomainName = npstd.npnet.np.edu.sg

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mci.ict.np.edu.sg,ict.np.edu.sg,npnet.np.edu.sg,npstd.npnet.np.edu.sg,np.edu.sg

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


This is the log of ComboFix:

 

ComboFix 07-06-11.3 - C:\Documents and Settings\Administrator\desktop\combofix.exe

"Administrator" - 2007-06-11 23:53:51 - Service Pack 1 NTFS [sAFE MODE]

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\Program Files\install.log

C:\WINDOWS\rundll32.exe

 

 

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\nm

 

 

((((((((((((((((((((((((( Files Created from 2007-05-11 to 2007-06-11 )))))))))))))))))))))))))))))))

 

 

2007-06-11 23:53 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-11 09:22 90,112 --a------ C:\WINDOWS\system32\regdacl.exe

2007-06-11 09:22 53,248 --a------ C:\WINDOWS\system32\process.exe

2007-06-11 09:22 4,096 --a------ C:\WINDOWS\system32\reboot.exe

2007-06-11 09:22 279,678 --a------ C:\win32delfkil.exe

2007-06-11 09:22 16,384 --a------ C:\WINDOWS\system32\restart.exe

2007-06-11 09:22 <DIR> d-------- C:\WINDOWS\system32\regdacl

2007-06-11 09:22 <DIR> d-------- C:\_backupD

2007-06-04 01:24 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Media Player Classic

2007-06-04 01:19 816,264 --a------ C:\WINDOWS\system32\wmvdmod.dll

2007-06-04 01:19 760,968 --a------ C:\WINDOWS\system32\wmsdmod.dll

2007-06-04 01:19 7,680 --a------ C:\WINDOWS\system32\asferror.dll

2007-06-04 01:19 670,208 --a------ C:\WINDOWS\system32\wmadmoe.dll

2007-06-04 01:19 410,248 --a------ C:\WINDOWS\system32\wmadmod.dll

2007-06-04 01:19 358,912 --a------ C:\WINDOWS\system32\msscp.dll

2007-06-04 01:19 27,136 --a------ C:\WINDOWS\system32\wmdmlog.dll

2007-06-04 01:19 245,760 --a------ C:\WINDOWS\system32\mswmdm.dll

2007-06-04 01:19 241,664 --a------ C:\WINDOWS\system32\qasf.dll

2007-06-04 01:19 241,664 --a------ C:\WINDOWS\system32\mpg4dmod.dll

2007-06-04 01:19 23,552 --a------ C:\WINDOWS\system32\wmdmps.dll

2007-06-04 01:19 201,728 --a------ C:\WINDOWS\system32\mspmsp.dll

2007-06-04 01:19 20,480 --a------ C:\WINDOWS\system32\wmpui.dll

2007-06-04 01:19 20,480 --a------ C:\WINDOWS\system32\wmpcore.dll

2007-06-04 01:19 20,480 --a------ C:\WINDOWS\system32\wmpcd.dll

2007-06-04 01:19 2,940,928 --a------ C:\WINDOWS\system32\wmploc.dll

2007-06-04 01:19 159,232 --a------ C:\WINDOWS\system32\CEWMDM.dll

2007-06-04 01:18 981,504 --a------ C:\WINDOWS\system32\wmnetmgr.dll

2007-06-04 01:18 82,432 --a------ C:\WINDOWS\system32\drmstor.dll

2007-06-04 01:18 81,408 --a------ C:\WINDOWS\system32\logagent.exe

2007-06-04 01:18 678,912 --a------ C:\WINDOWS\system32\drmv2clt.dll

2007-06-04 01:18 6,656 --a------ C:\WINDOWS\system32\laprxy.dll

2007-06-04 01:18 301,712 --a------ C:\WINDOWS\system32\drmclien.dll

2007-06-04 01:18 253,952 --a------ C:\WINDOWS\system32\msnetobj.dll

2007-06-04 01:18 232,960 --a------ C:\WINDOWS\system32\blackbox.dll

2007-06-04 01:06 <DIR> d-------- C:\Program Files\QuickTime Alternative

2007-06-04 00:23 <DIR> d-------- C:\Program Files\3GP Player

2007-06-02 15:12 68,608 --a------ C:\WINDOWS\system32\olecli32.dll

2007-06-02 15:12 275,456 --a------ C:\WINDOWS\system32\rpcss.dll

2007-06-02 15:12 1,190,400 --a------ C:\WINDOWS\system32\ole32.dll

2007-06-02 11:33 <DIR> d-------- C:\Program Files\CCleaner

2007-06-02 09:46 <DIR> d-------- C:\hijackthis

2007-06-02 09:28 <DIR> d-------- C:\Program Files\InterMute

2007-05-30 18:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer

2007-05-30 17:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2008-08-08 01:49:16 34,297 ----a-r C:\WINDOWS\system32\drivers\StMp3Rec.sys

2007-06-11 16:11:06 -------- d-----w C:\Program Files\Symantec AntiVirus

2007-06-02 01:09:35 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\DataLayer

2004-12-14 03:25:01 0 --sha-w C:\WINDOWS\espot.dll

2004-10-26 15:45:31 385,024 --sh--r C:\WINDOWS\system32\??rvices.exe

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"S3Hotkey"="s3hotkey.exe" [2001-09-13 20:27 C:\WINDOWS\system32\s3hotkey.exe]

"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]

"Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 20:38 C:\WINDOWS\system32\TPWRTRAY.EXE]

"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-12 11:13]

"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-29 22:40]

"Synchronization Manager"="%SystemRoot%\system32\mobsync.exe" []

"AME_CSA"="amecsa.cpl" [2002-03-12 11:42 C:\WINDOWS\system32\AmeCSA.cpl]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44]

"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2004-03-12 15:18]

"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.exe" [2006-04-26 08:29]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 20:00]

"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-01-24 11:37]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"MSN Update"=dllcon.exe

"Microsoft Update Machine"=wininimil.exe

"Microsoft Windows Updater"=service.exe

"Microsoft Java Windows Update"=msssss.exe

"Microsoft Features"=ms32cfg.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoMSAppLogo5ChannelNotify"=1 (0x1)

"NoToolbarCustomize"=0 (0x0)

"NoBandCustomize"=0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"Btn_Back"=0 (0x0)

"Btn_Forward"=0 (0x0)

"Btn_Stop"=0 (0x0)

"Btn_Refresh"=0 (0x0)

"Btn_Home"=0 (0x0)

"Btn_Search"=0 (0x0)

"Btn_History"=0 (0x0)

"Btn_Favorites"=0 (0x0)

"Btn_Media"=0 (0x0)

"Btn_Folders"=0 (0x0)

"Btn_Fullscreen"=0 (0x0)

"Btn_Tools"=0 (0x0)

"Btn_MailNews"=0 (0x0)

"Btn_Size"=0 (0x0)

"Btn_Print"=0 (0x0)

"Btn_Edit"=0 (0x0)

"Btn_Discussions"=0 (0x0)

"Btn_Cut"=0 (0x0)

"Btn_Copy"=0 (0x0)

"Btn_Paste"=0 (0x0)

"Btn_Encoding"=0 (0x0)

"Btn_PrintPreview"=0 (0x0)

"NoActiveDesktopChanges"=0 (0x0)

"NoFavoritesMenu"=0 (0x0)

"NoSetActiveDesktop"=0 (0x0)

"NoWindowsUpdate"=0 (0x0)

"NoChangeStartMenu"=0 (0x0)

"NoRecentDocsMenu"=0 (0x0)

"NoRecentDocsHistory"=0 (0x0)

"ClearRecentDocsOnExit"=0 (0x0)

"NoLogoff"=0 (0x0)

"NoClose"=0 (0x0)

"NoSetFolders"=0 (0x0)

"NoSetTaskbar"=0 (0x0)

"NoTrayContextMenu"=0 (0x0)

"NoFileMenu"=0 (0x0)

"NoViewContextMenu"=0 (0x0)

"EnforceShellExtensionSecurity"=0 (0x0)

"LinkResolveIgnoreLinkInfo"=0 (0x0)

"NoNetConnectDisconnect"=0 (0x0)

"NoDeletePrinter"=0 (0x0)

"NoAddPrinter"=0 (0x0)

"NoPrinterTabs"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACUMon]

"C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia Tray Application]

C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

*Newly Created Service* - ALG

*Newly Created Service* - IPNAT

*Newly Created Service* - SHAREDACCESS

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-12 00:09:38

Windows 5.1.2600 Service Pack 1 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

C:\WINDOWS\VPC32.INI:zywxzy 18944 bytes executable

C:\WINDOWS\winyr32.dll:qsxkrm 18944 bytes executable

**************************************************************************

 

Completion time: 2007-06-12 0:15:14 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-06-12 00:14

 

--- E O F ---


This is the quarantine log file which I am talking about.

 

 

2003-06-14 03:22	  722	--a--c---	C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir
2004-01-30 15:14	  0	--a------	C:\Qoobox\Quarantine\C\WINDOWS\Rundll32.exe.vir
2007-06-12 00:02	  352	--a------	C:\Qoobox\Quarantine\Registry_backups\services_nm.reg.cf


Folder PATH listing
Volume serial number is 71FAE346 300E:FC3F
C:\QOOBOX
\---Quarantine
+---C
|   +---Program Files
|   |	   INSTALL.LOG.vir
|   |	   
|   \---WINDOWS
|		   Rundll32.exe.vir
|		   
\---Registry_backups
		services_nm.reg.cf


Download Rustbfix from one of these locations:

 

http://www.uploads.ejvindh.net/rustbfix.exe

 

http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe

 

...and save it to your desktop.

 

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.

 


I ran the RustbFix.exe tool and found out that there were no infections found. There is only 1 log produced, the pelog.txt. Now, I've got another problem. Whenever I boot Windows, the system shows me this message: "Retrival of "THotkey" failed". It has got something to do with my laptop's "function" hotkey. Attached below is my screenshot of the error message.

 

 

touchederrorld0.png

 

 

Here is the log file of "pelog.txt" :

 

 

************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************

Tue 06/12/2007 15:40:47.60

 

No Rustock.b-rootkits found

 

******************************* End of Logfile ********************************

 

 

 

Here is my new HijackThis log file :

 

 

Logfile of HijackThis v1.99.1

Scan saved at 3:42:42 PM, on 6/12/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\s3hotkey.exe

C:\WINDOWS\System32\TPWRTRAY.EXE

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\NotifyPhoneBook.exe

C:\PROGRA~1\SYMANT~2\VPTray.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.np.edu.sg:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [s3Hotkey] s3hotkey.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE -startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...581/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = npstd.npnet.np.edu.sg

O17 - HKLM\Software\..\Telephony: DomainName = npstd.npnet.np.edu.sg

O17 - HKLM\System\CCS\Services\Tcpip\..\{389A9041-4B3F-47AC-B65D-848BC4D921BF}: NameServer = 165.21.100.88 165.21.83.88

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mci.ict.np.edu.sg,ict.np.edu.sg,npnet.np.edu.sg,npstd.npnet.np.edu.sg,np.edu.sg

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Search Google for this string: "error code - 0x00031402" (without the quotes).

A number of solutions will be available to you.

 

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found: check.gif
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:
    move.gif
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.

Include a fresh HijackThis log for review.

 

Let me know what problem persists.


Contents of log for DrWeb.csv :

 

stress.exe;C:\Documents and Settings\Administrator\Desktop\-=RuBBiSH StUffS=-;Joke.Puncher;Incurable.Moved.;

mirc.exe;C:\Program Files\mIRC;Program.mIRC.616;Incurable.Moved.;

VPC32.INI:zywxzy;C:\WINDOWS;Trojan.Feat.2;Deleted.;

winyr32.dll;C:\WINDOWS;Trojan.DownLoader.1334;Deleted.;

process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;

restart.exe;C:\WINDOWS\system32;Tool.ShutDown.11;Incurable.Moved.;

 

 

 

New/Fresh HijackThis log :

 

 

Logfile of HijackThis v1.99.1

Scan saved at 3:41:35 AM, on 6/13/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\SYMANT~2\VPTray.exe

C:\WINDOWS\System32\TPWRTRAY.EXE

C:\WINDOWS\System32\s3hotkey.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\NotifyPhoneBook.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.np.edu.sg:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [s3Hotkey] s3hotkey.exe

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE -startup

O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...581/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = npstd.npnet.np.edu.sg

O17 - HKLM\Software\..\Telephony: DomainName = npstd.npnet.np.edu.sg

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mci.ict.np.edu.sg,ict.np.edu.sg,npnet.np.edu.sg,npstd.npnet.np.edu.sg,np.edu.sg

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Your log is clean.

 

 

 

What problem remains?


Hi! The initial problem is still there. I still get the error message "Generic Host Process Win32 Services". The message appears 5~15 mins after I connect to the internet. The taskbar changes from the Windows XP style to the classic style for a while, then changes back. I tried to disconnect my internet but was not able to.


 

Search Google for this string: "Generic Host Process Win32 Services" (with the quotes). You will find many problems and solutions.

 

Hope it helps.

 

 

 

Let me see the results of this scan.

 

 

 

Download Dr.Web CureIt to the desktop:

 

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found: check.gif
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:
    move.gif
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.

Include a fresh HijackThis log for review.

 

Let me know what problem persists.

 


Hi! I've scanned my system again using the Dr.Web CureIt program. There were no infections of any sort found. Therefore I was unable to save the report in .csv format.

 

Here is my log of HijackThis :

 

 

Logfile of HijackThis v1.99.1

Scan saved at 9:43:20 PM, on 6/14/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\SYMANT~2\VPTray.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\System32\TPWRTRAY.EXE

C:\WINDOWS\System32\s3hotkey.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\WINDOWS\System32\NotifyPhoneBook.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [s3Hotkey] s3hotkey.exe

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE -startup

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...581/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = npstd.npnet.np.edu.sg

O17 - HKLM\Software\..\Telephony: DomainName = npstd.npnet.np.edu.sg

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mci.ict.np.edu.sg,ict.np.edu.sg,npnet.np.edu.sg,npstd.npnet.np.edu.sg,np.edu.sg

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


I've done another ComboFix.exe scan and here is the report. My initial problem is still there. What shall I do?

 

 

ComboFix 07-06-11.3 - C:\Documents and Settings\Administrator\desktop\combofix.exe

"Administrator" - 2007-06-14 21:23:56 - Service Pack 1 NTFS [sAFE MODE]

 

 

((((((((((((((((((((((((( Files Created from 2007-05-14 to 2007-06-14 )))))))))))))))))))))))))))))))

 

 

2007-06-14 18:17 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6

2007-06-14 17:49 53,248 --a------ C:\WINDOWS\system32\process.exe

2007-06-14 17:49 16,384 --a------ C:\WINDOWS\system32\restart.exe

2007-06-14 17:49 <DIR> d-------- C:\_backupD

2007-06-14 11:25 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\True Sword

2007-06-13 22:37 <DIR> d-------- C:\Program Files\Lavasoft

2007-06-13 22:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft

2007-06-13 22:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-06-12 23:01 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb

2007-06-12 14:36 <DIR> d-------- C:\Rustbfix

2007-06-11 23:53 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-11 09:22 90,112 --a------ C:\WINDOWS\system32\regdacl.exe

2007-06-11 09:22 4,096 --a------ C:\WINDOWS\system32\reboot.exe

2007-06-11 09:22 279,678 --a------ C:\win32delfkil.exe

2007-06-11 09:22 <DIR> d-------- C:\WINDOWS\system32\regdacl

2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys

2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys

2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys

2007-06-04 01:24 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Media Player Classic

2007-06-04 01:19 816,264 --a------ C:\WINDOWS\system32\wmvdmod.dll

2007-06-04 01:19 760,968 --a------ C:\WINDOWS\system32\wmsdmod.dll

2007-06-04 01:19 7,680 --a------ C:\WINDOWS\system32\asferror.dll

2007-06-04 01:19 670,208 --a------ C:\WINDOWS\system32\wmadmoe.dll

2007-06-04 01:19 410,248 --a------ C:\WINDOWS\system32\wmadmod.dll

2007-06-04 01:19 358,912 --a------ C:\WINDOWS\system32\msscp.dll

2007-06-04 01:19 27,136 --a------ C:\WINDOWS\system32\wmdmlog.dll

2007-06-04 01:19 245,760 --a------ C:\WINDOWS\system32\mswmdm.dll

2007-06-04 01:19 241,664 --a------ C:\WINDOWS\system32\qasf.dll

2007-06-04 01:19 241,664 --a------ C:\WINDOWS\system32\mpg4dmod.dll

2007-06-04 01:19 23,552 --a------ C:\WINDOWS\system32\wmdmps.dll

2007-06-04 01:19 201,728 --a------ C:\WINDOWS\system32\mspmsp.dll

2007-06-04 01:19 20,480 --a------ C:\WINDOWS\system32\wmpui.dll

2007-06-04 01:19 20,480 --a------ C:\WINDOWS\system32\wmpcore.dll

2007-06-04 01:19 20,480 --a------ C:\WINDOWS\system32\wmpcd.dll

2007-06-04 01:19 2,940,928 --a------ C:\WINDOWS\system32\wmploc.dll

2007-06-04 01:19 159,232 --a------ C:\WINDOWS\system32\CEWMDM.dll

2007-06-04 01:18 981,504 --a------ C:\WINDOWS\system32\wmnetmgr.dll

2007-06-04 01:18 82,432 --a------ C:\WINDOWS\system32\drmstor.dll

2007-06-04 01:18 81,408 --a------ C:\WINDOWS\system32\logagent.exe

2007-06-04 01:18 678,912 --a------ C:\WINDOWS\system32\drmv2clt.dll

2007-06-04 01:18 6,656 --a------ C:\WINDOWS\system32\laprxy.dll

2007-06-04 01:18 301,712 --a------ C:\WINDOWS\system32\drmclien.dll

2007-06-04 01:18 253,952 --a------ C:\WINDOWS\system32\msnetobj.dll

2007-06-04 01:18 232,960 --a------ C:\WINDOWS\system32\blackbox.dll

2007-06-04 01:06 <DIR> d-------- C:\Program Files\QuickTime Alternative

2007-06-02 15:12 68,608 --a------ C:\WINDOWS\system32\olecli32.dll

2007-06-02 15:12 275,456 --a------ C:\WINDOWS\system32\rpcss.dll

2007-06-02 15:12 1,190,400 --a------ C:\WINDOWS\system32\ole32.dll

2007-06-02 11:33 <DIR> d-------- C:\Program Files\CCleaner

2007-06-02 09:46 <DIR> d-------- C:\hijackthis

2007-06-02 09:28 <DIR> d-------- C:\Program Files\InterMute

2007-05-30 18:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer

2007-05-30 17:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2008-08-08 01:49:16 34,297 ----a-r C:\WINDOWS\system32\drivers\StMp3Rec.sys

2007-06-14 13:20:47 -------- d-----w C:\Program Files\Symantec AntiVirus

2007-06-14 12:26:28 -------- d-----w C:\Program Files\mIRC

2007-06-14 11:12:41 -------- d-----w C:\Program Files\Nokia

2007-06-13 15:04:00 -------- d-----w C:\Program Files\SpeedFan

2007-06-13 14:33:29 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft

2007-06-12 20:12:58 -------- d-----w C:\Program Files\Messenger

2007-06-02 01:09:35 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\DataLayer

2007-04-13 07:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe

2004-12-14 03:25:01 0 --sha-w C:\WINDOWS\espot.dll

2004-10-26 15:45:31 385,024 --sh--r C:\WINDOWS\system32\??rvices.exe

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2004-03-12 15:18]

"Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 20:38 C:\WINDOWS\system32\TPWRTRAY.EXE]

"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-12 11:13]

"Synchronization Manager"="%SystemRoot%\system32\mobsync.exe" []

"S3Hotkey"="s3hotkey.exe" [2001-09-13 20:27 C:\WINDOWS\system32\s3hotkey.exe]

"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.exe" [2006-04-26 08:29]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44]

"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-29 22:40]

"AME_CSA"="amecsa.cpl" [2002-03-12 11:42 C:\WINDOWS\system32\AmeCSA.cpl]

"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-01-24 11:37]

"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 20:00]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"MSN Update"=dllcon.exe

"Microsoft Update Machine"=wininimil.exe

"Microsoft Windows Updater"=service.exe

"Microsoft Java Windows Update"=msssss.exe

"Microsoft Features"=ms32cfg.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableCAD"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoMSAppLogo5ChannelNotify"=1 (0x1)

"NoToolbarCustomize"=0 (0x0)

"NoBandCustomize"=0 (0x0)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"Btn_Back"=0 (0x0)

"Btn_Forward"=0 (0x0)

"Btn_Stop"=0 (0x0)

"Btn_Refresh"=0 (0x0)

"Btn_Home"=0 (0x0)

"Btn_Search"=0 (0x0)

"Btn_History"=0 (0x0)

"Btn_Favorites"=0 (0x0)

"Btn_Media"=0 (0x0)

"Btn_Folders"=0 (0x0)

"Btn_Fullscreen"=0 (0x0)

"Btn_Tools"=0 (0x0)

"Btn_MailNews"=0 (0x0)

"Btn_Size"=0 (0x0)

"Btn_Print"=0 (0x0)

"Btn_Edit"=0 (0x0)

"Btn_Discussions"=0 (0x0)

"Btn_Cut"=0 (0x0)

"Btn_Copy"=0 (0x0)

"Btn_Paste"=0 (0x0)

"Btn_Encoding"=0 (0x0)

"Btn_PrintPreview"=0 (0x0)

"NoActiveDesktopChanges"=0 (0x0)

"NoFavoritesMenu"=0 (0x0)

"NoSetActiveDesktop"=0 (0x0)

"NoWindowsUpdate"=0 (0x0)

"NoChangeStartMenu"=0 (0x0)

"NoRecentDocsMenu"=0 (0x0)

"NoRecentDocsHistory"=0 (0x0)

"ClearRecentDocsOnExit"=0 (0x0)

"NoLogoff"=0 (0x0)

"NoClose"=0 (0x0)

"NoSetFolders"=0 (0x0)

"NoSetTaskbar"=0 (0x0)

"NoTrayContextMenu"=0 (0x0)

"NoFileMenu"=0 (0x0)

"NoViewContextMenu"=0 (0x0)

"EnforceShellExtensionSecurity"=0 (0x0)

"LinkResolveIgnoreLinkInfo"=0 (0x0)

"NoNetConnectDisconnect"=0 (0x0)

"NoDeletePrinter"=0 (0x0)

"NoAddPrinter"=0 (0x0)

"NoPrinterTabs"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACUMon]

"C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-14 21:32:21

Windows 5.1.2600 Service Pack 1 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

**************************************************************************

 

Completion time: 2007-06-14 21:33:44

C:\ComboFix-quarantined-files.txt ... 2007-06-14 21:33

 

--- E O F ---


Man did I get fooled.

 

; Purpose: Remove traces in the registry.

;

; Instructions: Copy and paste this text IN BOLD into a text editor such as Notepad.

;

; Save this text as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

 

REGEDIT4

 

[-HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

 

 

; Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.

 

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Locate and delete these files in bold if found.

 

dllcon.exe

wininimil.exe

service.exe

msssss.exe

ms32cfg.exe

 

They may have been deleted but the run key in the registry was still present.

 

Submit a fresh HiJackThis log for review. Let me know what problem remains.

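As an added example that is not part of the helper's post or the thread, here is a read-only PowerShell audit of the autostart locations the Fix.reg above targets, plus a presence check for the listed file names. It assumes PowerShell 3 or later on the affected machine; it reports and never deletes.

```powershell
# Added example, not from this thread: read-only audit of the Run keys the
# Fix.reg above targets, plus a presence check for the file names the helper listed.
$suspectNames = @('dllcon.exe', 'wininimil.exe', 'service.exe', 'msssss.exe', 'ms32cfg.exe')

$runKeys = @(
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) {
        # The .reg above deletes the HKU\.DEFAULT key outright, so "absent" is expected there afterwards
        Write-Output "[absent ] $key"
        continue
    }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider's own metadata properties, keep the real Run values
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $cmd = [string]$p.Value
        # Compare only the executable's leaf name, so the legitimate services.exe never matches service.exe
        $leafs = [regex]::Matches($cmd, '[^\\\s"]+\.exe', 'IgnoreCase') |
                 ForEach-Object { $_.Value.ToLowerInvariant() }
        $hit = $leafs | Where-Object { $suspectNames -contains $_ }
        $tag = if ($hit) { 'SUSPECT' } else { 'ok     ' }
        Write-Output "[$tag] $key : $($p.Name) = $cmd"
    }
}

# Presence check. -Force lists hidden and system files, which is what the
# "Show hidden files and folders" steps above achieve in Explorer.
foreach ($dir in @("$env:SystemRoot\system32", $env:SystemRoot)) {
    foreach ($name in $suspectNames) {
        $found = Get-ChildItem -LiteralPath $dir -Filter $name -Force -File -ErrorAction SilentlyContinue
        if ($found) { Write-Output "[present] $($found.FullName)" }
    }
}
```

A Run value that resolves to a bare file name rather than a full path is worth a second look even when it is not flagged, since it is located by path search at logon.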

I've followed the instructions and merged the file "Fix.reg" into the registry already. But I can't seem to find any of these on my computer:

 

dllcon.exe

wininimil.exe

service.exe

msssss.exe

ms32cfg.exe

 

and hence cannot delete them either. Apparently, the same old problem still exists.

 

 

Here is my fresh HijackThis log :

 

 

Logfile of HijackThis v1.99.1

Scan saved at 1:15:04 AM, on 6/15/2007

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\PROGRA~1\SYMANT~2\VPTray.exe

C:\WINDOWS\System32\TPWRTRAY.EXE

C:\WINDOWS\System32\s3hotkey.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\NotifyPhoneBook.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

O4 - HKLM\..\Run: [s3Hotkey] s3hotkey.exe

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE -startup

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...581/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = npstd.npnet.np.edu.sg

O17 - HKLM\Software\..\Telephony: DomainName = npstd.npnet.np.edu.sg

O17 - HKLM\System\CCS\Services\Tcpip\..\{389A9041-4B3F-47AC-B65D-848BC4D921BF}: NameServer = 165.21.100.88 165.21.83.88

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mci.ict.np.edu.sg,ict.np.edu.sg,npnet.np.edu.sg,npstd.npnet.np.edu.sg,np.edu.sg

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Hi! After I posted the last reply, I went to scan my system with Dr.Web CureIt again. I found out that there are 2 infections. The report from DrWeb.csv is as follows:

 

process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;

restart.exe;C:\WINDOWS\system32;Tool.ShutDown.11;Incurable.Moved.;

 

 

These 2 infections were found previously in the 1st scan of Dr.Web CureIt. They had been moved to the quarantine section, but I don't know why they were duplicated again in my "\system32" folder.


Can you boot to Safe mode with internet connection?

 

Do you still get the Service Host error?


I chose Safe Mode With Networking at startup. But then I am unable to connect to the internet using my Prolink 8000 dial-up. Hence I am unable to connect to the internet in safe mode.


I'm starting to believe that your error message is caused by a bad driver at startup.

 

Download and use this tool to stop programs from loading at startup. Do not disable Windows operating system entries. Look at all the 3rd party programs being started. Hope it helps.

 

StartUpLite is a lightweight program that can disable or remove all known unnecessary startup entries from your computer and thus quicken the startup procedure of your system.

 

Simply download StartUpLite from http://www.malwarebytes.org/startuplite.php and save it to a convenient location. Double click on StartUpLite.exe. Select all options you would like executed and select continue.

 

More information on the site.


Hi! There isn't any suspicious 3rd party program or startup entry after I ran the tool, StartUpLite. Could it be caused by my Internet Explorer program itself or the modem drivers?


Use at your own risk.


Hi dreamz0708, I've downloaded the patch and installed it already. So far the problem doesn't occur anymore. Really need to thank you a lot for this. So it's just a patch that can solve this stupid problem all along.

 

Nasdaq, I also greatly appreciated the help you had given me all along. Thanks for all the pointers and such. With your aid, I managed to clear away lots of unknown and hidden spyware from my system. As such, I also need to thank you for that.


Glad we could help.


Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
