Generic Host Process Win32 Services


  • This topic is locked
30 replies to this topic

#1 MarsPeople, Member (Full Member, 19 posts)

Posted 02 June 2007 - 12:04 AM

Hi all! I have encountered this problem, "Generic Host Process Win32 Services". It only appears 5~15 minutes after I connect to the internet. I used Spybot to scan the computer and found myself infected with a trojan, "CoolWWWSearch.Feat2dll". It has a sub-component, "C:\WINDOWS\winyr32.dll", which I am unable to fix, as the screen tells me that the particular file is in use in memory.

On top of that, my Task Manager doesn't show any user name (System, Administrator, Network, etc.). I'm unable to play any audio-related files either. The screen shows "Bad DirectSound driver. Please install proper drivers or select another device in configuration. Error code: 88780078".
I'm using SingNet Broadband via a Prolink 8000.

Here is my HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 12:40:23 PM, on 6/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.np.edu.sg:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {86D4852C-B1D2-EE87-2B2C-572D82340F98} - (no file)
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [EPSON Stylus C63 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3C2.EXE /P23 "EPSON Stylus C63 Series" /O5 "LPT1:" /M "Stylus C63"
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {86BC8440-8693-4076-A144-6BAF942B40B0} - http://mysearch.8848...ch/MySearch.CAB
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com...te/IESearch.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcaf...581/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = npstd.npnet.np.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = npstd.npnet.np.edu.sg
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mci.ict.np.edu.sg,ict.np.edu.sg,npnet.np.edu.sg,npstd.npnet.np.edu.sg,np.edu.sg
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: draw32 - draw32.dll (file missing)
O20 - Winlogon Notify: iexplore - AO\S\.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#2 SWI Support Robot, Helper robot (SWI Bot, 23,523 posts)

Posted 04 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq, Forum Deity (Global Moderator, 49,091 posts)

Posted 09 June 2007 - 01:40 PM

Hello,

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {86D4852C-B1D2-EE87-2B2C-572D82340F98} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {86BC8440-8693-4076-A144-6BAF942B40B0} - http://mysearch.8848...ch/MySearch.CAB
O16 - DPF: {BC207F7D-3E63-4ACA-99B5-FB5F8428200C} - http://bar.baidu.com...te/IESearch.cab
O20 - Winlogon Notify: draw32 - draw32.dll (file missing)
O20 - Winlogon Notify: iexplore - AO\S\.dll (file missing)


Click on Fix Checked when finished and exit HijackThis.

Restart the computer normally to reset the registry.

Download win32delfkil.exe.
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.
Close all windows, open the win32delfkil folder and double click on fix.bat.
The computer will reboot automatically.
Post the contents of the logfile c:\windelf.txt, along with a new HijackThis log.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
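The triage nasdaq does by eye in the post above (tick the entries that reference missing files, the IE policy restrictions, the trusted IP range, the unknown DPF controls and the path-less Winlogon Notify DLLs) can be written down as a handful of rules over the HijackThis log format. The script below is an added example, not code from this thread or from HijackThis; the rule set, its wording, and the function names are my own assumptions, and the sample log embedded in it is a constructed subset of the log posted in #1.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the HijackThis v1.99.1 log posted in #1 of this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {86D4852C-B1D2-EE87-2B2C-572D82340F98} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {86BC8440-8693-4076-A144-6BAF942B40B0} - http://mysearch.8848...ch/MySearch.CAB
O20 - Winlogon Notify: draw32 - draw32.dll (file missing)
O20 - Winlogon Notify: iexplore - AO\S\.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


@dataclass
class Finding:
    section: str                 # HJT section tag, e.g. "O20"
    line: str                    # the original log line, ready to paste into a fix list
    reasons: list = field(default_factory=list)


# Every HJT entry line starts with a section tag (R0, O2, O20, ...) followed by " - ".
HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
ABS_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_hjt(text):
    """Return (section, body, raw_line) for every entry line; the process list and header are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = HJT_LINE.match(raw)
        if m:
            entries.append((m.group("section"), m.group("body"), raw))
    return entries


def reasons_for(section, body):
    """Heuristics (my assumptions) mirroring what a helper ticks in a log like the one above."""
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("points at a file that no longer exists (orphaned autostart or BHO)")
    if section == "R3" and "is missing" in body:
        reasons.append("default URLSearchHook removed; typical browser-hijacker residue")
    if section == "O6":
        reasons.append("IE policy restriction present; hijackers set these to lock the user out of IE options")
    if section == "O15":
        reasons.append("Trusted Zone / trusted IP entry lowers IE security for that host")
    if section == "O16":
        reasons.append("downloaded ActiveX control (DPF); verify the publisher before keeping it")
    if section == "O20":
        # "Winlogon Notify: <name> - <dll> [(file missing)]": legitimate packages register a full path.
        target = body.split(" - ", 1)[-1].replace("(file missing)", "").strip()
        if not ABS_PATH.match(target):
            reasons.append("Winlogon Notify DLL registered without an absolute path")
    return reasons


def triage(text):
    """All entries that carry at least one reason, in log order."""
    findings = []
    for section, body, raw in parse_hjt(text):
        reasons = reasons_for(section, body)
        if reasons:
            findings.append(Finding(section, raw, reasons))
    return findings


def fix_list(text):
    """The lines a helper would tell the user to place a check against in HijackThis."""
    return [f.line for f in triage(text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run on the sample, the script reproduces nasdaq's fix list for the entries present in it (R3, the orphaned O2, O6, O15, O16 and the two path-less O20 entries) and leaves the SDHelper BHO, the Symantec entries and NavLogon alone. It is a first-pass filter only; an O16 or O15 hit still has to be judged by its host, which the script does not do.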

#4 MarsPeople, Member (Full Member, 19 posts)

Posted 10 June 2007 - 08:34 PM

Hi! I have followed the instructions given. This is the logfile of my "c:\windelf.txt":


WIN32DELFKIL LOGFILE - by Marckie


version 3.127
Mon 06/11/2007 9:22:28.79
running from: "C:\Documents and Settings\Administrator\Desktop"


--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---

--- Services ---

--- Export SharedTaskScheduler key ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"


--- Notify key ---


--- rebooting the computer ---


--- File(s) found in Windows directory ---

--- File(s) found in system32 folder ---

--- Services ---

--- Export SharedTaskSchedulerkey ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"



--- Notify key ---

Finished!


Below is the logfile of the new HJT:


Logfile of HijackThis v1.99.1
Scan saved at 9:30:03 AM, on 6/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\WINDOWS\System32\ctfmon.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [EPSON Stylus C63 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3C2.EXE /P23 "EPSON Stylus C63 Series" /O5 "LPT1:" /M "Stylus C63"
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcaf...581/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = npstd.npnet.np.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = npstd.npnet.np.edu.sg
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mci.ict.np.edu.sg,ict.np.edu.sg,npnet.np.edu.sg,npstd.npnet.np.edu.sg,np.edu.sg
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#5 nasdaq, Forum Deity (Global Moderator, 49,091 posts)

Posted 11 June 2007 - 07:22 AM

Download this file - combofix.exe

and save it to your desktop (Important). Also save the below command in Notepad as a text file so that you can copy/paste in safe mode.

"%userprofile%\desktop\combofix.exe"

Boot into safe mode by tapping the F8 key just before Windows starts to load.

Go to Start --> Run and copy/paste in the following:

"%userprofile%\desktop\combofix.exe"

When finished, it shall produce a log for you. Save it and post that log in your next reply.

Note:

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

In your next post, please include
  • new hijackthis log
  • combofix log


*use separate posts to ensure the logs don't get cut off!


nasdaq


#6 MarsPeople, Member (Full Member, 19 posts)

Posted 11 June 2007 - 11:25 AM

OK, I have performed the necessary instructions already. In my C:\ drive, I found one combofix-quarantine file. I don't know whether I need to post it or not, but I'm posting it just in case.

Here is my new HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 12:21:38 AM, on 6/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\ctfmon.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcaf...581/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = npstd.npnet.np.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = npstd.npnet.np.edu.sg
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mci.ict.np.edu.sg,ict.np.edu.sg,npnet.np.edu.sg,npstd.npnet.np.edu.sg,np.edu.sg
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#7 MarsPeople, Member (Full Member, 19 posts)

Posted 11 June 2007 - 11:26 AM

This is the ComboFix log:

ComboFix 07-06-11.3 - C:\Documents and Settings\Administrator\desktop\combofix.exe
"Administrator" - 2007-06-11 23:53:51 - Service Pack 1 NTFS [SAFE MODE]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\install.log
C:\WINDOWS\rundll32.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((( Files Created from 2007-05-11 to 2007-06-11 )))))))))))))))))))))))))))))))


2007-06-11 23:53 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-11 09:22 90,112 --a------ C:\WINDOWS\system32\regdacl.exe
2007-06-11 09:22 53,248 --a------ C:\WINDOWS\system32\process.exe
2007-06-11 09:22 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2007-06-11 09:22 279,678 --a------ C:\win32delfkil.exe
2007-06-11 09:22 16,384 --a------ C:\WINDOWS\system32\restart.exe
2007-06-11 09:22 <DIR> d-------- C:\WINDOWS\system32\regdacl
2007-06-11 09:22 <DIR> d-------- C:\_backupD
2007-06-04 01:24 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Media Player Classic
2007-06-04 01:19 816,264 --a------ C:\WINDOWS\system32\wmvdmod.dll
2007-06-04 01:19 760,968 --a------ C:\WINDOWS\system32\wmsdmod.dll
2007-06-04 01:19 7,680 --a------ C:\WINDOWS\system32\asferror.dll
2007-06-04 01:19 670,208 --a------ C:\WINDOWS\system32\wmadmoe.dll
2007-06-04 01:19 410,248 --a------ C:\WINDOWS\system32\wmadmod.dll
2007-06-04 01:19 358,912 --a------ C:\WINDOWS\system32\msscp.dll
2007-06-04 01:19 27,136 --a------ C:\WINDOWS\system32\wmdmlog.dll
2007-06-04 01:19 245,760 --a------ C:\WINDOWS\system32\mswmdm.dll
2007-06-04 01:19 241,664 --a------ C:\WINDOWS\system32\qasf.dll
2007-06-04 01:19 241,664 --a------ C:\WINDOWS\system32\mpg4dmod.dll
2007-06-04 01:19 23,552 --a------ C:\WINDOWS\system32\wmdmps.dll
2007-06-04 01:19 201,728 --a------ C:\WINDOWS\system32\mspmsp.dll
2007-06-04 01:19 20,480 --a------ C:\WINDOWS\system32\wmpui.dll
2007-06-04 01:19 20,480 --a------ C:\WINDOWS\system32\wmpcore.dll
2007-06-04 01:19 20,480 --a------ C:\WINDOWS\system32\wmpcd.dll
2007-06-04 01:19 2,940,928 --a------ C:\WINDOWS\system32\wmploc.dll
2007-06-04 01:19 159,232 --a------ C:\WINDOWS\system32\CEWMDM.dll
2007-06-04 01:18 981,504 --a------ C:\WINDOWS\system32\wmnetmgr.dll
2007-06-04 01:18 82,432 --a------ C:\WINDOWS\system32\drmstor.dll
2007-06-04 01:18 81,408 --a------ C:\WINDOWS\system32\logagent.exe
2007-06-04 01:18 678,912 --a------ C:\WINDOWS\system32\drmv2clt.dll
2007-06-04 01:18 6,656 --a------ C:\WINDOWS\system32\laprxy.dll
2007-06-04 01:18 301,712 --a------ C:\WINDOWS\system32\drmclien.dll
2007-06-04 01:18 253,952 --a------ C:\WINDOWS\system32\msnetobj.dll
2007-06-04 01:18 232,960 --a------ C:\WINDOWS\system32\blackbox.dll
2007-06-04 01:06 <DIR> d-------- C:\Program Files\QuickTime Alternative
2007-06-04 00:23 <DIR> d-------- C:\Program Files\3GP Player
2007-06-02 15:12 68,608 --a------ C:\WINDOWS\system32\olecli32.dll
2007-06-02 15:12 275,456 --a------ C:\WINDOWS\system32\rpcss.dll
2007-06-02 15:12 1,190,400 --a------ C:\WINDOWS\system32\ole32.dll
2007-06-02 11:33 <DIR> d-------- C:\Program Files\CCleaner
2007-06-02 09:46 <DIR> d-------- C:\hijackthis
2007-06-02 09:28 <DIR> d-------- C:\Program Files\InterMute
2007-05-30 18:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2007-05-30 17:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-08-08 01:49:16 34,297 ----a-r C:\WINDOWS\system32\drivers\StMp3Rec.sys
2007-06-11 16:11:06 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-02 01:09:35 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\DataLayer
2004-12-14 03:25:01 0 --sha-w C:\WINDOWS\espot.dll
2004-10-26 15:45:31 385,024 --sh--r C:\WINDOWS\system32\??rvices.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3Hotkey"="s3hotkey.exe" [2001-09-13 20:27 C:\WINDOWS\system32\s3hotkey.exe]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 20:38 C:\WINDOWS\system32\TPWRTRAY.EXE]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-12 11:13]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-29 22:40]
"Synchronization Manager"="%SystemRoot%\system32\mobsync.exe" []
"AME_CSA"="amecsa.cpl" [2002-03-12 11:42 C:\WINDOWS\system32\AmeCSA.cpl]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2004-03-12 15:18]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.exe" [2006-04-26 08:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 20:00]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-01-24 11:37]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSN Update"=dllcon.exe
"Microsoft Update Machine"=wininimil.exe
"Microsoft Windows Updater"=service.exe
"Microsoft Java Windows Update"=msssss.exe
"Microsoft Features"=ms32cfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"=1 (0x1)
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"=0 (0x0)
"Btn_Forward"=0 (0x0)
"Btn_Stop"=0 (0x0)
"Btn_Refresh"=0 (0x0)
"Btn_Home"=0 (0x0)
"Btn_Search"=0 (0x0)
"Btn_History"=0 (0x0)
"Btn_Favorites"=0 (0x0)
"Btn_Media"=0 (0x0)
"Btn_Folders"=0 (0x0)
"Btn_Fullscreen"=0 (0x0)
"Btn_Tools"=0 (0x0)
"Btn_MailNews"=0 (0x0)
"Btn_Size"=0 (0x0)
"Btn_Print"=0 (0x0)
"Btn_Edit"=0 (0x0)
"Btn_Discussions"=0 (0x0)
"Btn_Cut"=0 (0x0)
"Btn_Copy"=0 (0x0)
"Btn_Paste"=0 (0x0)
"Btn_Encoding"=0 (0x0)
"Btn_PrintPreview"=0 (0x0)
"NoActiveDesktopChanges"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoSetActiveDesktop"=0 (0x0)
"NoWindowsUpdate"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoLogoff"=0 (0x0)
"NoClose"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoViewContextMenu"=0 (0x0)
"EnforceShellExtensionSecurity"=0 (0x0)
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoPrinterTabs"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACUMon]
"C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia Tray Application]
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
*Newly Created Service* - SHAREDACCESS

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-12 00:09:38
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\VPC32.INI:zywxzy 18944 bytes executable
C:\WINDOWS\winyr32.dll:qsxkrm 18944 bytes executable
**************************************************************************

Completion time: 2007-06-12 0:15:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-12 00:14

--- E O F ---
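In the ComboFix log above, the "Reg Loading Points" section is the part a helper reads first: the Run key of HKEY_USERS\.default holds five values with bare executable names (dllcon.exe, wininimil.exe, service.exe, msssss.exe, ms32cfg.exe) and, unlike the HKLM entries, no resolved file path in square brackets after them. As an added example (not code from this thread or from ComboFix), the script below parses that REGEDIT-style section and flags Run entries on those heuristics; the heuristics, the function names and the trimmed sample embedded in it are my own constructions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the "Reg Loading Points" section of the ComboFix log posted above, trimmed.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3Hotkey"="s3hotkey.exe" [2001-09-13 20:27 C:\WINDOWS\system32\s3hotkey.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44]
"Synchronization Manager"="%SystemRoot%\system32\mobsync.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 20:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSN Update"=dllcon.exe
"Microsoft Update Machine"=wininimil.exe
"Microsoft Windows Updater"=service.exe
"Microsoft Java Windows Update"=msssss.exe
"Microsoft Features"=ms32cfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)
"""

KEY_LINE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')
RESOLVED = re.compile(r"\[(?P<inner>[^\]]*)\]\s*$")   # ComboFix's trailing "[date path]" tag


@dataclass
class RunEntry:
    key: str
    name: str
    command: str
    resolved: Optional[str]   # contents of the [...] tag, or None when ComboFix printed none


def parse_loading_points(text):
    """Collect every value under a key ending in \\Run; other keys (BHOs, policies) are ignored."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_LINE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_LINE.match(line)
        if not (vm and key and key.lower().endswith("\\run")):
            continue
        value = vm.group("value")
        resolved = None
        if value.startswith('"'):
            # quoted command, optionally followed by ComboFix's resolution tag
            end = value.find('"', 1)
            command, rest = value[1:end], value[end + 1:]
            rm = RESOLVED.search(rest)
            if rm:
                resolved = rm.group("inner")
        else:
            command = value          # unquoted, as in the .default hive above
        entries.append(RunEntry(key, vm.group("name"), command, resolved))
    return entries


def is_bare(command):
    """True for a plain "name.exe" with no directory and no environment variable."""
    return "\\" not in command and "/" not in command and "%" not in command


def reasons_for(entry):
    """Heuristics (my assumptions) for what a helper would flag in this section."""
    reasons = []
    in_default = ".default" in entry.key.lower()
    if is_bare(entry.command) and not (entry.resolved and "\\" in entry.resolved):
        reasons.append("bare executable name that ComboFix could not resolve to a file on disk")
    if in_default:
        reasons.append("Run key of the .DEFAULT profile: executes at the logon screen, rarely used legitimately")
    if in_default and re.search(r"microsoft|windows|update", entry.name, re.I):
        reasons.append("value name imitates Windows/Microsoft update components")
    return reasons


def triage_run_keys(text):
    """(entry, reasons) for every Run entry that carries at least one reason."""
    flagged = []
    for entry in parse_loading_points(text):
        reasons = reasons_for(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage_run_keys(SAMPLE_REG):
        print(f"{entry.key}\n  {entry.name} = {entry.command}")
        for r in reasons:
            print("    ->", r)
```

Note the distinction the parser keeps: "S3Hotkey"="s3hotkey.exe" is also a bare name, but ComboFix resolved it to C:\WINDOWS\system32\s3hotkey.exe, so it is not flagged; the .default entries have no such tag, which is exactly what makes them stand out on the page.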

#8 MarsPeople, Member (Full Member, 19 posts)

Posted 11 June 2007 - 11:28 AM

This is the quarantine log file which I am talking about.


2003-06-14 03:22	  722	--a--c---	C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir
2004-01-30 15:14	  0	--a------	C:\Qoobox\Quarantine\C\WINDOWS\Rundll32.exe.vir
2007-06-12 00:02	  352	--a------	C:\Qoobox\Quarantine\Registry_backups\services_nm.reg.cf


Folder PATH listing
Volume serial number is 71FAE346 300E:FC3F
C:\QOOBOX
\---Quarantine
	+---C
	|   +---Program Files
	|   |	   INSTALL.LOG.vir
	|   |	   
	|   \---WINDOWS
	|		   Rundll32.exe.vir
	|		   
	\---Registry_backups
			services_nm.reg.cf
			


#9 nasdaq, Forum Deity (Global Moderator, 49,091 posts)

Posted 11 June 2007 - 03:29 PM

Download Rustbfix from one of these locations:

http://www.uploads.ejvindh.net/rustbfix.exe

http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe

...and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log.


nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#10 MarsPeople

Posted 12 June 2007 - 02:59 AM

I ran the RustbFix.exe tool and found that no infections were found. Only one log was produced, the pelog.txt. Now I have another problem. Whenever I boot Windows, the system shows me this message: "Retrival of "THotkey" failed". It has something to do with my laptop's "function" hotkey. Attached below is my screenshot of the error message.


Posted Image


Here is the log file of "pelog.txt" :


************************* Rustock.b-fix v. 1.01 -- By ejvindh *************************
Tue 06/12/2007 15:40:47.60

No Rustock.b-rootkits found

******************************* End of Logfile ********************************



Here is my new HijackThis log file :


Logfile of HijackThis v1.99.1
Scan saved at 3:42:42 PM, on 6/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\s3hotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.np.edu.sg:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcaf...581/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = npstd.npnet.np.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = npstd.npnet.np.edu.sg
O17 - HKLM\System\CCS\Services\Tcpip\..\{389A9041-4B3F-47AC-B65D-848BC4D921BF}: NameServer = 165.21.100.88 165.21.83.88
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mci.ict.np.edu.sg,ict.np.edu.sg,npnet.np.edu.sg,npstd.npnet.np.edu.sg,np.edu.sg
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#11 nasdaq

Posted 12 June 2007 - 08:18 AM

Search Google for this string: "error code - 0x00031402" (no quotes).
A number of solutions will be available to you.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.
Include a fresh HijackThis log for review.

Let me know what problems persist.
nasdaq


#12 MarsPeople

Posted 12 June 2007 - 02:45 PM

Contents of log for DrWeb.csv :

stress.exe;C:\Documents and Settings\Administrator\Desktop\-=RuBBiSH StUffS=-;Joke.Puncher;Incurable.Moved.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.616;Incurable.Moved.;
VPC32.INI:zywxzy;C:\WINDOWS;Trojan.Feat.2;Deleted.;
winyr32.dll;C:\WINDOWS;Trojan.DownLoader.1334;Deleted.;
process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\WINDOWS\system32;Tool.ShutDown.11;Incurable.Moved.;



New/Fresh HijackThis log :


Logfile of HijackThis v1.99.1
Scan saved at 3:41:35 AM, on 6/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\WINDOWS\System32\s3hotkey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.np.edu.sg:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcaf...581/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = npstd.npnet.np.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = npstd.npnet.np.edu.sg
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mci.ict.np.edu.sg,ict.np.edu.sg,npnet.np.edu.sg,npstd.npnet.np.edu.sg,np.edu.sg
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#13 nasdaq

Posted 13 June 2007 - 06:32 AM

Your log is clean.



What problem remains?
nasdaq


#14 MarsPeople

Posted 13 June 2007 - 08:45 AM

Hi! The initial problem is still there. I still get the error message "Generic Host Process Win32 Services". The message appears 5~15 mins after I connect to the internet. The taskbar changes from the Windows XP style to the classic style for a while, then changes back. I tried to disconnect my internet but was not able to.

#15 nasdaq

Posted 13 June 2007 - 10:48 AM

Search Google for this string "Generic Host Process Win32 Services" (with the quotes); you will find many problems and solutions.

Hope it helps.

Let me see the results of this scan.

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

    Posted Image

    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.
Include a fresh HijackThis log for review.

Let me know what problems persist.


nasdaq


#16 MarsPeople

Posted 14 June 2007 - 08:47 AM

Hi! I've scanned my system again using the Dr.Web CureIt program. No infections of any sort were found. Therefore I was unable to save the report in .csv format.

Here is my log of HijackThis :


Logfile of HijackThis v1.99.1
Scan saved at 9:43:20 PM, on 6/14/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\WINDOWS\System32\s3hotkey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcaf...581/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = npstd.npnet.np.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = npstd.npnet.np.edu.sg
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mci.ict.np.edu.sg,ict.np.edu.sg,npnet.np.edu.sg,npstd.npnet.np.edu.sg,np.edu.sg
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Edited by MarsPeople, 14 June 2007 - 08:48 AM.


#17 MarsPeople

Posted 14 June 2007 - 08:51 AM

I've done another ComboFix.exe scan and here is the report. My initial problem is still there. What shall I do?


ComboFix 07-06-11.3 - C:\Documents and Settings\Administrator\desktop\combofix.exe
"Administrator" - 2007-06-14 21:23:56 - Service Pack 1 NTFS [SAFE MODE]


((((((((((((((((((((((((( Files Created from 2007-05-14 to 2007-06-14 )))))))))))))))))))))))))))))))


2007-06-14 18:17 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-06-14 17:49 53,248 --a------ C:\WINDOWS\system32\process.exe
2007-06-14 17:49 16,384 --a------ C:\WINDOWS\system32\restart.exe
2007-06-14 17:49 <DIR> d-------- C:\_backupD
2007-06-14 11:25 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\True Sword
2007-06-13 22:37 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-13 22:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-13 22:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-12 23:01 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-06-12 14:36 <DIR> d-------- C:\Rustbfix
2007-06-11 23:53 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-11 09:22 90,112 --a------ C:\WINDOWS\system32\regdacl.exe
2007-06-11 09:22 4,096 --a------ C:\WINDOWS\system32\reboot.exe
2007-06-11 09:22 279,678 --a------ C:\win32delfkil.exe
2007-06-11 09:22 <DIR> d-------- C:\WINDOWS\system32\regdacl
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-04 01:24 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Media Player Classic
2007-06-04 01:19 816,264 --a------ C:\WINDOWS\system32\wmvdmod.dll
2007-06-04 01:19 760,968 --a------ C:\WINDOWS\system32\wmsdmod.dll
2007-06-04 01:19 7,680 --a------ C:\WINDOWS\system32\asferror.dll
2007-06-04 01:19 670,208 --a------ C:\WINDOWS\system32\wmadmoe.dll
2007-06-04 01:19 410,248 --a------ C:\WINDOWS\system32\wmadmod.dll
2007-06-04 01:19 358,912 --a------ C:\WINDOWS\system32\msscp.dll
2007-06-04 01:19 27,136 --a------ C:\WINDOWS\system32\wmdmlog.dll
2007-06-04 01:19 245,760 --a------ C:\WINDOWS\system32\mswmdm.dll
2007-06-04 01:19 241,664 --a------ C:\WINDOWS\system32\qasf.dll
2007-06-04 01:19 241,664 --a------ C:\WINDOWS\system32\mpg4dmod.dll
2007-06-04 01:19 23,552 --a------ C:\WINDOWS\system32\wmdmps.dll
2007-06-04 01:19 201,728 --a------ C:\WINDOWS\system32\mspmsp.dll
2007-06-04 01:19 20,480 --a------ C:\WINDOWS\system32\wmpui.dll
2007-06-04 01:19 20,480 --a------ C:\WINDOWS\system32\wmpcore.dll
2007-06-04 01:19 20,480 --a------ C:\WINDOWS\system32\wmpcd.dll
2007-06-04 01:19 2,940,928 --a------ C:\WINDOWS\system32\wmploc.dll
2007-06-04 01:19 159,232 --a------ C:\WINDOWS\system32\CEWMDM.dll
2007-06-04 01:18 981,504 --a------ C:\WINDOWS\system32\wmnetmgr.dll
2007-06-04 01:18 82,432 --a------ C:\WINDOWS\system32\drmstor.dll
2007-06-04 01:18 81,408 --a------ C:\WINDOWS\system32\logagent.exe
2007-06-04 01:18 678,912 --a------ C:\WINDOWS\system32\drmv2clt.dll
2007-06-04 01:18 6,656 --a------ C:\WINDOWS\system32\laprxy.dll
2007-06-04 01:18 301,712 --a------ C:\WINDOWS\system32\drmclien.dll
2007-06-04 01:18 253,952 --a------ C:\WINDOWS\system32\msnetobj.dll
2007-06-04 01:18 232,960 --a------ C:\WINDOWS\system32\blackbox.dll
2007-06-04 01:06 <DIR> d-------- C:\Program Files\QuickTime Alternative
2007-06-02 15:12 68,608 --a------ C:\WINDOWS\system32\olecli32.dll
2007-06-02 15:12 275,456 --a------ C:\WINDOWS\system32\rpcss.dll
2007-06-02 15:12 1,190,400 --a------ C:\WINDOWS\system32\ole32.dll
2007-06-02 11:33 <DIR> d-------- C:\Program Files\CCleaner
2007-06-02 09:46 <DIR> d-------- C:\hijackthis
2007-06-02 09:28 <DIR> d-------- C:\Program Files\InterMute
2007-05-30 18:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Apple Computer
2007-05-30 17:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-08-08 01:49:16 34,297 ----a-r C:\WINDOWS\system32\drivers\StMp3Rec.sys
2007-06-14 13:20:47 -------- d-----w C:\Program Files\Symantec AntiVirus
2007-06-14 12:26:28 -------- d-----w C:\Program Files\mIRC
2007-06-14 11:12:41 -------- d-----w C:\Program Files\Nokia
2007-06-13 15:04:00 -------- d-----w C:\Program Files\SpeedFan
2007-06-13 14:33:29 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-06-12 20:12:58 -------- d-----w C:\Program Files\Messenger
2007-06-02 01:09:35 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\DataLayer
2007-04-13 07:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe
2004-12-14 03:25:01 0 --sha-w C:\WINDOWS\espot.dll
2004-10-26 15:45:31 385,024 --sh--r C:\WINDOWS\system32\??rvices.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~2\VPTray.exe" [2004-03-12 15:18]
"Tpwrtray"="TPWRTRAY.EXE" [2002-03-19 20:38 C:\WINDOWS\system32\TPWRTRAY.EXE]
"TouchED"="C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" [2002-04-12 11:13]
"Synchronization Manager"="%SystemRoot%\system32\mobsync.exe" []
"S3Hotkey"="s3hotkey.exe" [2001-09-13 20:27 C:\WINDOWS\system32\s3hotkey.exe]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.exe" [2006-04-26 08:29]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-29 22:40]
"AME_CSA"="amecsa.cpl" [2002-03-12 11:42 C:\WINDOWS\system32\AmeCSA.cpl]
"000StTHK"="000StTHK.exe" [2001-06-23 20:28 C:\WINDOWS\system32\000StTHK.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-01-24 11:37]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2003-03-31 20:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSN Update"=dllcon.exe
"Microsoft Update Machine"=wininimil.exe
"Microsoft Windows Updater"=service.exe
"Microsoft Java Windows Update"=msssss.exe
"Microsoft Features"=ms32cfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"=1 (0x1)
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"=0 (0x0)
"Btn_Forward"=0 (0x0)
"Btn_Stop"=0 (0x0)
"Btn_Refresh"=0 (0x0)
"Btn_Home"=0 (0x0)
"Btn_Search"=0 (0x0)
"Btn_History"=0 (0x0)
"Btn_Favorites"=0 (0x0)
"Btn_Media"=0 (0x0)
"Btn_Folders"=0 (0x0)
"Btn_Fullscreen"=0 (0x0)
"Btn_Tools"=0 (0x0)
"Btn_MailNews"=0 (0x0)
"Btn_Size"=0 (0x0)
"Btn_Print"=0 (0x0)
"Btn_Edit"=0 (0x0)
"Btn_Discussions"=0 (0x0)
"Btn_Cut"=0 (0x0)
"Btn_Copy"=0 (0x0)
"Btn_Paste"=0 (0x0)
"Btn_Encoding"=0 (0x0)
"Btn_PrintPreview"=0 (0x0)
"NoActiveDesktopChanges"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoSetActiveDesktop"=0 (0x0)
"NoWindowsUpdate"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoLogoff"=0 (0x0)
"NoClose"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoFileMenu"=0 (0x0)
"NoViewContextMenu"=0 (0x0)
"EnforceShellExtensionSecurity"=0 (0x0)
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoPrinterTabs"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACUMon]
"C:\Program Files\Cisco Systems\Aironet Client Monitor\ACUMon.Exe" -a

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-14 21:32:21
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-14 21:33:44
C:\ComboFix-quarantined-files.txt ... 2007-06-14 21:33

--- E O F ---

#18 nasdaq (Forum Deity, Global Moderator, 49,091 posts)

Posted 14 June 2007 - 10:43 AM

Man did I get fooled.

; Purpose: Remove traces in the registry.
;
; Instructions: Copy and paste this text IN BOLD into a text editor such as Notepad.
;
; Save this text as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

REGEDIT4

[-HKEY_USERS\.default\software\microsoft\windows\currentversion\run]



; Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Locate and delete these files in bold if found.

dllcon.exe
wininimil.exe
service.exe
msssss.exe
ms32cfg.exe


They may have been deleted but the run key in the registry was still present.

Submit a fresh HiJackThis log for review. Let me know what problem remains.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
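As an added example (not part of nasdaq's post or of any tool in this thread), a Python script that parses a ComboFix-style registry dump like the one above, flags Run values that name a bare file ComboFix could not find on disk, and writes a REGEDIT4 file removing only those values rather than the whole key. The sample dump is constructed from the key paths and value names in this thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in ComboFix's registry-dump style; key paths and value names
# mirror this thread's log. ComboFix appends "[date path]" only when it finds the file.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AME_CSA"="amecsa.cpl" [2002-03-12 11:42 C:\WINDOWS\system32\AmeCSA.cpl]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MSN Update"=dllcon.exe
"Microsoft Update Machine"=wininimil.exe
"Microsoft Windows Updater"=service.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+?)(?:\s+\[(?P<meta>[^\]]+)\])?$')

def parse_dump(text: str) -> Dict[str, List[Tuple[str, str, bool]]]:
    """Return {key: [(value name, data, file_verified)]} per [KEY] header."""
    sections: Dict[str, List[Tuple[str, str, bool]]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(1)
            sections[current] = []
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            sections[current].append(
                (val["name"], val["data"].strip('"'), val["meta"] is not None))
    return sections

def suspicious_entries(sections) -> List[Tuple[str, str, str]]:
    """Flag Run values that are a bare file name (no path) and that ComboFix could
    not locate: orphaned autoruns. Bare but verified ones (amecsa.cpl) pass."""
    hits = []
    for key, entries in sections.items():
        if key.lower().endswith("\\run"):
            for name, data, verified in entries:
                if "\\" not in data and not verified:
                    hits.append((key, name, data))
    return hits

def reg_remove_values(hits) -> str:
    """REGEDIT4 text deleting only the flagged values ("name"=-), not the key."""
    by_key: Dict[str, List[str]] = {}
    for key, name, _ in hits:
        by_key.setdefault(key, []).append(name)
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines += [f"[{key}]", *(f'"{n}"=-' for n in names), ""]
    return "\n".join(lines)
```

Orphaned entries of this kind are exactly the case nasdaq describes: the files are gone, but the autorun values that pointed at them remain and keep showing up in every log.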

#19 MarsPeople (Member, Full Member, 19 posts)

Posted 14 June 2007 - 12:38 PM

I've followed the instructions and merged the file "Fix.reg" into the registry already. But I can't seem to find any of these on my computer:

dllcon.exe
wininimil.exe
service.exe
msssss.exe
ms32cfg.exe

and hence cannot delete them either. Apparently, the same old problem still exists.


Here is my fresh HijackThis log :


Logfile of HijackThis v1.99.1
Scan saved at 1:15:04 AM, on 6/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\WINDOWS\System32\s3hotkey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcaf...581/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = npstd.npnet.np.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = npstd.npnet.np.edu.sg
O17 - HKLM\System\CCS\Services\Tcpip\..\{389A9041-4B3F-47AC-B65D-848BC4D921BF}: NameServer = 165.21.100.88 165.21.83.88
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = mci.ict.np.edu.sg,ict.np.edu.sg,npnet.np.edu.sg,npstd.npnet.np.edu.sg,np.edu.sg
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#20 MarsPeople (Member, Full Member, 19 posts)

Posted 14 June 2007 - 06:03 PM

Hi! After I posted the last reply, I scanned my system with Dr.Web CureIt again. I found out that there are 2 infections. Report of DrWeb.csv as follows:

process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\WINDOWS\system32;Tool.ShutDown.11;Incurable.Moved.;


These 2 infections were found previously in the 1st scan of Dr.Web CureIt. They had been moved to the quarantine section, but I don't know why they were duplicated again in my "\system32" folder.

#21 nasdaq (Forum Deity, Global Moderator, 49,091 posts)

Posted 15 June 2007 - 05:50 AM

Can you boot to Safe mode with internet connection?

Do you still get the Service Host error?

#22 MarsPeople (Member, Full Member, 19 posts)

Posted 15 June 2007 - 02:30 PM

I chose Safe Mode With Networking at startup. But then I am unable to connect to the internet using my Prolink 8000 dial-up. Hence I am unable to connect to the internet in safe mode.

#23 nasdaq (Forum Deity, Global Moderator, 49,091 posts)

Posted 15 June 2007 - 03:10 PM

I'm starting to believe that your error message is caused by a bad driver at startup.

Download and use this tool to stop programs from loading at startup. Do not disable Windows operating system programs. Look at all the 3rd party programs being started. Hope it helps.

StartUpLite is a lightweight program that can disable or remove all known unnecessary startup entries from your computer and thus quicken the startup procedure of your system.

Simply download StartUpLite from http://www.malwareby...startuplite.php and save it to a convenient location. Double click on StartUpLite.exe. Select all options you would like executed and select continue.

More information on the site.

#24 MarsPeople (Member, Full Member, 19 posts)

Posted 15 June 2007 - 10:02 PM

Hi! There isn't any suspicious 3rd party program or startup entry after I ran the tool, StartUpLite. Could it be caused by my Internet Explorer program itself or the modem drivers?

Edited by MarsPeople, 15 June 2007 - 10:03 PM.


#25 dreamz0708 (Member, Full Member, 21 posts)

Posted 16 June 2007 - 02:47 AM

Hi, I got exactly the same problem as you.

I just downloaded one of the MS patches and I haven't been disconnected for at least 1 hour. Still monitoring. You may try:

http://www.microsoft...;displaylang=en

Hope it works for you. :)

#26 nasdaq (Forum Deity, Global Moderator, 49,091 posts)

Posted 16 June 2007 - 07:24 AM

Use at your own risk.

#27 MarsPeople (Member, Full Member, 19 posts)

Posted 17 June 2007 - 10:38 AM

Hi dreamz0708, I've downloaded the patch and installed it already. So far the problem doesn't occur anymore. Really need to thank you a lot for this. So it's just a patch that could solve this stupid problem all along.

Nasdaq, I also greatly appreciated the help you have given me all along. Thanks for all the pointers and such. With your aid, I managed to clear away lots of unknown and hidden spyware from my system. As such, I also need to thank you for that.

#28 nasdaq (Forum Deity, Global Moderator, 49,091 posts)

Posted 18 June 2007 - 06:52 AM

Glad we could help.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
http://users.telenet...prevention.html

p.s. I have kept a note of this fix.

#29 MarsPeople (Member, Full Member, 19 posts)

Posted 19 June 2007 - 12:00 AM

Noted the website already. I've bookmarked it. Thank you.

#30 nasdaq (Forum Deity, Global Moderator, 49,091 posts)

Posted 19 June 2007 - 07:35 AM

Glad we could help.

#31 nasdaq (Forum Deity, Global Moderator, 49,091 posts)

Posted 30 June 2007 - 07:42 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.