
Solved F2:ntos.exe Infection

Discussion in 'Malware and Virus Removal Archive' started by z4u, 2007/09/21.

  1. 2007/09/21
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    [Resolved] F2:ntos.exe Infection

    I just used HijackThis and found this suspicious entry in my system. I guess it's a virus. Can you please check my HijackThis log and tell me how I can fix it? Even when I use HijackThis to fix it, it comes back. How do I get rid of it?
    F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,C:\WINNT\system32\ntos.exe,


    Logfile of HijackThis v1.97.7
    Scan saved at 5:22:06 PM, on 9/21/2007
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Canon\VDC\AuVdc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\HijackThis.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe

    F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,C:\WINNT\system32\ntos.exe,
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [CafeAgent] C:\WINNT\system32\cafeagent.exe /normal
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\RunServices: [CafeAgent] C:\WINNT\system32\cafeagent.exe /normal
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3FFF95A9-4A82-4879-8C66-E244F359FDCB}: NameServer = 192.168.0.1
     
    z4u,
    #1
  2. 2007/09/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi z4u :)

    There are usually other malware files about with that infection, so we'll run a tool to check for them.

    Download ComboFix by sUBs from Here or Here, saving the file to your Desktop.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     


  4. 2007/09/21
    z4u

    z4u Inactive Thread Starter

    Okay noahdfear, here is the ComboFix log, and the HijackThis log as well below. My system is taking longer to load compared to before.
    ComboFix 07-09-21.2 - "PC4" 09/22/2007 9:35:01.2 - FAT32x86
    Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.43 [GMT 8:00]
    .

    ((((((((((((((((((((((((( Files Created from 2007-08-22 to 2007-09-22 )))))))))))))))))))))))))))))))
    .

    2007-09-22 09:34 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_310.dat
    2007-09-21 18:14 <DIR> d-------- C:\sys
    2007-09-21 17:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
    2007-09-21 17:52 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-09-21 17:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-09-21 17:49 51,200 --a------ C:\WINNT\NirCmd.exe
    2007-09-18 15:24 59,904 --a------ C:\WINNT\qn0oka2b.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    12/06/99 08:00p 32528 --a------ C:\WINNT\inf\wbfirdma.sys
    10/10/06 05:52p 271 ---h----- C:\Program Files\desktop.ini
    10/10/06 05:52p 21952 ---h----- C:\Program Files\folder.htt
    2007-03-05 01:11:28 0 --sha-r C:\WINNT\system32\nhatquanglan9.exe
    2007-03-05 04:50:18 0 --sha-r C:\WINNT\system32\SVICHOSSST.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3BF77FF3-E054-4728-ADD0-B21EF95EECE1} REG_SZ COM+ Service]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CafeAgent "= "C:\WINNT\system32\cafeagent.exe" [10/27/06 06:05p]
    "NvCplDaemon "= "C:\WINNT\system32\NvCpl.dll" [06/15/05 05:20p]
    "Synchronization Manager "= "mobsync.exe" [06/19/03 12:05p C:\WINNT\system32\mobsync.exe]
    "nwiz "= "nwiz.exe" [06/15/05 05:20p C:\WINNT\system32\nwiz.exe]
    "avgnt "= "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [09/11/07 02:25p]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager "= "C:\Program Files\Yahoo!\Messenger\ypager.exe" [08/19/05 07:34p]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "CafeAgent "=C:\WINNT\system32\cafeagent.exe /normal
    "Canon NetSpot Suite Service "=;©w

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop "=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Yahoo Messengger "=C:\WINNT\system32\RVHOST.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "NoSecCPL "=0 (0x0)
    "NoConfigPage "=0 (0x0)
    "NoFileSysPage "=0 (0x0)
    "NoDevMgrPage "=0 (0x0)
    "NoVirtMemPage "=0 (0x0)
    "DisableChangePassword "=0 (0x0)
    "DisableLockWorkstation "=0 (0x0)
    "NoDispBackgroundPage "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoSecCPL "=0 (0x0)
    "NoConfigPage "=0 (0x0)
    "NoFileSysPage "=0 (0x0)
    "NoDevMgrPage "=0 (0x0)
    "NoVirtMemPage "=0 (0x0)
    "DisableChangePassword "=1 (0x1)
    "DisableLockWorkstation "=0 (0x0)
    "NoDispBackgroundPage "=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword "=0 (0x0)
    "NoSecCPL "=0 (0x0)
    "NoConfigPage "=0 (0x0)
    "NoFileSysPage "=0 (0x0)
    "NoDevMgrPage "=0 (0x0)
    "NoVirtMemPage "=0 (0x0)
    "NoDispCPL "=0 (0x0)
    "NoDispAppearancePage "=0 (0x0)
    "NoDispBackgroundPage "=0 (0x0)
    "NoDispScrSavPage "=0 (0x0)
    "NoDispSettingsPage "=0 (0x0)
    "DisableLockWorkstation "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoAddPrinter "=0 (0x0)
    "NoDeletePrinter "=0 (0x0)
    "NoRecentDocsNetHood "=0 (0x0)
    "NoRecentDocsHistory "=0 (0x0)
    "NoSharedDocuments "=0 (0x0)
    "NoViewOnDrive "=0 (0x0)
    "NoSetActiveDesktop "=0 (0x0)
    "NoTrayContextMenu "=0 (0x0)
    "NoWindowsUpdate "=0 (0x0)
    "DisableLocalMachineRun "=0 (0x0)
    "DisableLocalMachineRunOnce "=0 (0x0)
    "DisableCurrentUserRun "=0 (0x0)
    "DisableCurrentUserRunOnce "=0 (0x0)
    "NoWinKeys "=0 (0x0)
    "NoStartMenuSubFolders "=0 (0x0)
    "NoCommonGroups "=0 (0x0)
    "NoSetFolders "=0 (0x0)
    "NoSetTaskbar "=0 (0x0)
    "NoFavoritesMenu "=1 (0x1)
    "NoRecentDocsMenu "=0 (0x0)
    "NoLogOff "=0 (0x0)
    "NoChangeStartMenu "=0 (0x0)
    "NoSMMyPictures "=0 (0x0)
    "NoStartMenuMyMusic "=0 (0x0)
    "NoSMHelp "=0 (0x0)
    "NoSMMyDocs "=0 (0x0)
    "NoStartMenuNetworkPlaces "=0 (0x0)
    "NoNetworkConnections "=0 (0x0)
    "NoSecurityTab "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoAddPrinter "=0 (0x0)
    "NoDeletePrinter "=0 (0x0)
    "NoRecentDocsNetHood "=1 (0x1)
    "NoRecentDocsHistory "=0 (0x0)
    "NoSharedDocuments "=0 (0x0)
    "NoViewOnDrive "=0 (0x0)
    "NoSetActiveDesktop "=0 (0x0)
    "NoTrayContextMenu "=0 (0x0)
    "DisableLocalMachineRun "=0 (0x0)
    "DisableLocalMachineRunOnce "=0 (0x0)
    "DisableCurrentUserRun "=0 (0x0)
    "DisableCurrentUserRunOnce "=0 (0x0)
    "NoWinKeys "=0 (0x0)
    "NoSecurityTab "=0 (0x0)
    "NoStartMenuSubFolders "=0 (0x0)
    "NoCommonGroups "=0 (0x0)
    "NoSetFolders "=0 (0x0)
    "NoSetTaskbar "=0 (0x0)
    "NoFavoritesMenu "=1 (0x1)
    "NoRecentDocsMenu "=0 (0x0)
    "NoLogOff "=0 (0x0)
    "NoChangeStartMenu "=0 (0x0)
    "NoSMMyPictures "=0 (0x0)
    "NoStartMenuMyMusic "=0 (0x0)
    "NoSMHelp "=0 (0x0)
    "NoSMMyDocs "=0 (0x0)
    "NoStartMenuNetworkPlaces "=0 (0x0)
    "NoNetworkConnections "=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoViewOnDrive "=0 (0x0)
    "NoRecentDocsNetHood "=0 (0x0)
    "NoRecentDocsHistory "=0 (0x0)
    "NoSharedDocuments "=0 (0x0)
    "NoAddPrinter "=0 (0x0)
    "NoDeletePrinter "=0 (0x0)
    "NoActiveDesktopChanges "=0 (0x0)
    "NoSetActiveDesktop "=0 (0x0)
    "NoViewContextMenu "=0 (0x0)
    "NoTrayContextMenu "=0 (0x0)
    "NoWindowsUpdate "=0 (0x0)
    "NoClose "=0 (0x0)
    "DisableLocalMachineRun "=0 (0x0)
    "DisableLocalMachineRunOnce "=0 (0x0)
    "DisableCurrentUserRun "=0 (0x0)
    "DisableCurrentUserRunOnce "=0 (0x0)
    "NoWinKeys "=0 (0x0)
    "NoSecurityTab "=0 (0x0)
    "NoStartMenuSubFolders "=0 (0x0)
    "NoCommonGroups "=0 (0x0)
    "NoSetFolders "=0 (0x0)
    "NoSetTaskbar "=0 (0x0)
    "NoRun "=0 (0x0)
    "NoFind "=0 (0x0)
    "NoFavoritesMenu "=1 (0x1)
    "NoRecentDocsMenu "=0 (0x0)
    "NoLogOff "=0 (0x0)
    "StartMenuLogoff "=0 (0x0)
    "NoChangeStartMenu "=0 (0x0)
    "NoSMMyPictures "=0 (0x0)
    "NoStartMenuMyMusic "=0 (0x0)
    "NoSMHelp "=0 (0x0)
    "NoSMMyDocs "=0 (0x0)
    "NoStartMenuNetworkPlaces "=0 (0x0)
    "NoNetworkConnections "=0 (0x0)
    "NofolderOptions "=1 (0x1)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/06 01:55p 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/07 01:41p 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    R0 AFPAnsi;CafeSuite File Protector;C:\WINNT\system32\AFPAnsi.sys
    R0 avgntmgr;avgntmgr;C:\WINNT\system32\drivers\avgntmgr.sys
    R1 avgntdd;avgntdd;C:\WINNT\system32\DRIVERS\avgntdd.sys
    R2 Canon NetSpot Suite Service;Canon NetSpot Suite Service;C:\Program Files\Canon\VDC\AuVdc.exe
    R2 P1100B_CT_CDI;Creative PD1100B HAL Service;C:\WINNT\system32\DRIVERS\P1100bCd.sys
    R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter NT Driver;C:\WINNT\system32\DRIVERS\DLKRTS.SYS
    R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINNT\system32\drivers\sis7012.sys
    S2 CafeAgent;CafeAgent of CafeSuite;C:\WINNT\system32\cafeagent.exe /service
    S3 P1100BVD;Creative WebCam Vista;C:\WINNT\system32\DRIVERS\P1100bVd.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-14 01:00:02 C:\WINNT\Tasks\At1.job "
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-22 09:36:22
    Windows 5.0.2195 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    Canon NetSpot Suite Service = ;??w????????????0W??t????p???????????{?w|????G@??????y?wHn?w?????????I?w?G@??>@??{?w?W??????????0W??H?T??????{?w?W???????$???????????J?w????}rI??$????????????@?????????????8?I???????@?8????????????V????????????I?????????????`???????h???W?I?_?P?R?I?N?T?E?R?_?O?B?J?E?C?T?0?????(???????????????????????X5??P5??????????????????T*?w????C:\DOCUME~1\ZR12~1\LOCALS~1\Temp?????;??????xq?? ????}?wxq???X???2???????s??????,{??xq???;??????x????{?w?????z??????xq??D???????`<??1???xq???????????????2???p???3?????w?3???6?w(???`??w?2??l????????????2??????F??w(=?w?????3???????????????????????????????X???????????;??????xq???????}?wxq???X???2???????s??????,{??xq???;??????\????{?w?????z??????xq???X???{?w`<??4??wxq?????????w?????2???p???3?????w?3???6?w(???`??w?2??l????????????2??????F??w(=?w?????3???????????????????????????????X??????????H??????????w?3??????????????`??w0W???X??l????G@?xq???????????\?w?s??3??????????????F?2??t??????w?v??8??????????w?X??8????????????p???G@??????p???q??P???R??w?2???dA?p???r??wlI?w?;???;?????w?q???{?w?W?????w0q???2??Q??w

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 09/22/2007 9:37:32
    .
    --- E O F ---
    Logfile of HijackThis v1.97.7
    Scan saved at 9:40:45 AM, on 9/22/2007
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Canon\VDC\AuVdc.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINNT\explorer.exe
    C:\WINNT\system32\notepad.exe
    C:\sys\HijackThis.exe

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [CafeAgent] C:\WINNT\system32\cafeagent.exe /normal
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\RunServices: [CafeAgent] C:\WINNT\system32\cafeagent.exe /normal
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3FFF95A9-4A82-4879-8C66-E244F359FDCB}: NameServer = x.x.x.x
     
    z4u,
    #3
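A small triage helper, added here as an example (it is not part of this thread, nor code from HijackThis or ComboFix), that checks the two things the helper later acts on: programs chained onto Winlogon's UserInit value (the F2 line in the first post) and non-zero policy restrictions in the "Reg Loading Points" section of the ComboFix log. The sample log lines are constructed from entries quoted in this thread.

```python
"""Triage helper for the two log formats in this thread (added example)."""
import re

# Constructed sample lines, copied from the HijackThis log quoted in post #1.
HJT_SAMPLE = [
    r"F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,C:\WINNT\system32\ntos.exe,",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min',
]

# Constructed sample from ComboFix's "Reg Loading Points" section in post #3
# (one value name keeps the stray space that the forum rendering added).
COMBOFIX_SAMPLE = [
    r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]",
    '"NoSecCPL"=0 (0x0)',
    '"DisableChangePassword"=1 (0x1)',
    "",
    r"[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]",
    '"NoFavoritesMenu"=1 (0x1)',
    '"NofolderOptions "=1 (0x1)',
]

F2_RE = re.compile(r"F2 - REG:system\.ini: UserInit=(.*)$")
POLICY_RE = re.compile(r'"([^"]+)"\s*=\s*(\d+)')


def userinit_extras(hjt_lines):
    """Return every program chained onto the UserInit value other than the
    real userinit.exe in system32. Winlogon runs each comma-separated entry
    at logon, so anything extra here starts before the user's shell does."""
    extras = []
    for line in hjt_lines:
        m = F2_RE.match(line.strip())
        if not m:
            continue
        for entry in m.group(1).split(","):
            entry = entry.strip()
            if entry and not entry.lower().endswith(r"\system32\userinit.exe"):
                extras.append(entry)
    return extras


def nonzero_policies(combofix_lines):
    """Return (registry_key, value_name, value) for every non-zero entry under
    a ...\\policies\\... key. A non-zero value is a restriction switched on;
    compare the list with what is expected on the machine, since management
    software can set some of these legitimately."""
    hits = []
    key = None
    for line in combofix_lines:
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = POLICY_RE.match(line)
        if m and key and "\\policies\\" in key.lower():
            # strip() drops the trailing space the forum rendering inserted
            name, value = m.group(1).strip(), int(m.group(2))
            if value != 0:
                hits.append((key, name, value))
    return hits


if __name__ == "__main__":
    for exe in userinit_extras(HJT_SAMPLE):
        print("UserInit chains an extra program:", exe)
    for key, name, value in nonzero_policies(COMBOFIX_SAMPLE):
        print("restriction on: %s\\%s = %d" % (key, name, value))
```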
  5. 2007/09/21
    noahdfear

    noahdfear Inactive

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINNT\SVICHOSSST.exe
    C:\WINNT\qn0oka2b.exe
    C:\WINNT\system32\ntos.exe
    C:\WINNT\system32\nhatquanglan9.exe
    C:\WINNT\system32\SVICHOSSST.exe
    C:\WINNT\system32\winload.dll
    C:\WINNT\system32\autorun.ini
    C:\WINNT\system32\setting.ini
    C:\WINNT\Tasks\At1.job
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3BF77FF3-E054-4728-ADD0-B21EF95EECE1} REG_SZ COM+ Service]
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Yahoo Messengger"=-
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NofolderOptions"=dword:00000000
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword"=dword:00000000
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
     
  6. 2007/09/22
    z4u

    z4u Inactive Thread Starter

    Okay, I followed your instructions and put CFScript into ComboFix. After that ComboFix ran and a message appeared:
    sed: can't read profiles.folder.dat: no such file
    and then a window appeared with "1 to continue", so I continued. It just backed up the registry files and then ComboFix exited. That's all; the computer did not restart and no log appeared.
     
    z4u,
    #5
  7. 2007/09/22
    noahdfear

    noahdfear Inactive

    Please try creating CFScript again. Make sure you copy only what I put inside of the code box above and paste into notepad.

    Highlight the contents by dragging your cursor across the text while holding the left mouse button, then release and press Ctrl+C to copy the contents to the clipboard. Open a blank notepad and press Ctrl+V to paste the contents of the clipboard. Save the file to your desktop, making sure to name it CFScript.txt

    Now drag-n-drop CFScript.txt onto Combofix.exe
     
  8. 2007/09/23
    z4u

    z4u Inactive Thread Starter

    Okay, I ran the script again and followed your instructions as you mentioned above, but it didn't work, so I ran ComboFix again and here is the new ComboFix log.
    ComboFix 07-09-21.2 - "PC4" 2007-09-24 8:43:52.3 - FAT32x86
    Microsoft Windows 2000 Professional 5.0.2195.0.1252.1.1033.18.26 [GMT 8:00]
    .

    ((((((((((((((((((((((((( Files Created from 2007-08-24 to 2007-09-24 )))))))))))))))))))))))))))))))
    .

    2007-09-24 08:50 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_300.dat
    2007-09-22 17:55 51,200 --a------ C:\WINNT\NirCmd.exe
    2007-09-22 09:49 <DIR> d-------- C:\Program Files\ArcaOnline
    2007-09-22 09:44 14,965 --a------ C:\WINNT\progq.exe
    2007-09-21 18:14 <DIR> d-------- C:\sys
    2007-09-21 17:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
    2007-09-21 17:52 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-09-21 17:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-09-18 15:24 59,904 --a------ C:\WINNT\qn0oka2b.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    99-12-06 20:00 32528 --a------ C:\WINNT\inf\wbfirdma.sys
    07-07-20 12:01 767280 --a------ C:\WINNT\system32\ArcaMicroScanUpdater.exe
    07-07-20 10:34 847872 --a------ C:\WINNT\system32\ArcaOnline.dll
    06-10-10 17:52 271 ---h----- C:\Program Files\desktop.ini
    06-10-10 17:52 21952 ---h----- C:\Program Files\folder.htt
    .

    ((((((((((((((((((((((((((((( snapshot_Sat 09-22-2007_ 93627.01 )))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 139,264 2005-03-04 06:01:24 C:\WINNT\system32\ArcaOnlineUninstall.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CafeAgent "= "C:\WINNT\system32\cafeagent.exe" [06-10-27 18:05 ]
    "NvCplDaemon "= "C:\WINNT\system32\NvCpl.dll" [05-06-15 17:20 ]
    "Synchronization Manager "= "mobsync.exe" [03-06-19 12:05 C:\WINNT\system32\mobsync.exe]
    "nwiz "= "nwiz.exe" [05-06-15 17:20 C:\WINNT\system32\nwiz.exe]
    "avgnt "= "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [07-09-11 14:25 ]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager "= "C:\Program Files\Yahoo!\Messenger\ypager.exe" [05-08-19 19:34 ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "CafeAgent "=C:\WINNT\system32\cafeagent.exe /normal
    "Canon NetSpot Suite Service "=;©w

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop "=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "NoSecCPL "=0 (0x0)
    "NoConfigPage "=0 (0x0)
    "NoFileSysPage "=0 (0x0)
    "NoDevMgrPage "=0 (0x0)
    "NoVirtMemPage "=0 (0x0)
    "DisableChangePassword "=1 (0x1)
    "DisableLockWorkstation "=0 (0x0)
    "NoDispBackgroundPage "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoSecCPL "=0 (0x0)
    "NoConfigPage "=0 (0x0)
    "NoFileSysPage "=0 (0x0)
    "NoDevMgrPage "=0 (0x0)
    "NoVirtMemPage "=0 (0x0)
    "DisableChangePassword "=1 (0x1)
    "DisableLockWorkstation "=0 (0x0)
    "NoDispBackgroundPage "=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword "=1 (0x1)
    "NoSecCPL "=0 (0x0)
    "NoConfigPage "=0 (0x0)
    "NoFileSysPage "=0 (0x0)
    "NoDevMgrPage "=0 (0x0)
    "NoVirtMemPage "=0 (0x0)
    "NoDispCPL "=0 (0x0)
    "NoDispAppearancePage "=0 (0x0)
    "NoDispBackgroundPage "=0 (0x0)
    "NoDispScrSavPage "=0 (0x0)
    "NoDispSettingsPage "=0 (0x0)
    "DisableLockWorkstation "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoAddPrinter "=0 (0x0)
    "NoDeletePrinter "=0 (0x0)
    "NoRecentDocsNetHood "=1 (0x1)
    "NoRecentDocsHistory "=0 (0x0)
    "NoSharedDocuments "=0 (0x0)
    "NoViewOnDrive "=0 (0x0)
    "NoSetActiveDesktop "=0 (0x0)
    "NoTrayContextMenu "=0 (0x0)
    "NoWindowsUpdate "=0 (0x0)
    "DisableLocalMachineRun "=0 (0x0)
    "DisableLocalMachineRunOnce "=0 (0x0)
    "DisableCurrentUserRun "=0 (0x0)
    "DisableCurrentUserRunOnce "=0 (0x0)
    "NoWinKeys "=0 (0x0)
    "NoStartMenuSubFolders "=0 (0x0)
    "NoCommonGroups "=0 (0x0)
    "NoSetFolders "=0 (0x0)
    "NoSetTaskbar "=0 (0x0)
    "NoFavoritesMenu "=1 (0x1)
    "NoRecentDocsMenu "=0 (0x0)
    "NoLogOff "=0 (0x0)
    "NoChangeStartMenu "=0 (0x0)
    "NoSMMyPictures "=0 (0x0)
    "NoStartMenuMyMusic "=0 (0x0)
    "NoSMHelp "=0 (0x0)
    "NoSMMyDocs "=0 (0x0)
    "NoStartMenuNetworkPlaces "=0 (0x0)
    "NoNetworkConnections "=0 (0x0)
    "NoSecurityTab "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoAddPrinter "=0 (0x0)
    "NoDeletePrinter "=0 (0x0)
    "NoRecentDocsNetHood "=1 (0x1)
    "NoRecentDocsHistory "=0 (0x0)
    "NoSharedDocuments "=0 (0x0)
    "NoViewOnDrive "=0 (0x0)
    "NoSetActiveDesktop "=0 (0x0)
    "NoTrayContextMenu "=0 (0x0)
    "DisableLocalMachineRun "=0 (0x0)
    "DisableLocalMachineRunOnce "=0 (0x0)
    "DisableCurrentUserRun "=0 (0x0)
    "DisableCurrentUserRunOnce "=0 (0x0)
    "NoWinKeys "=0 (0x0)
    "NoSecurityTab "=0 (0x0)
    "NoStartMenuSubFolders "=0 (0x0)
    "NoCommonGroups "=0 (0x0)
    "NoSetFolders "=0 (0x0)
    "NoSetTaskbar "=0 (0x0)
    "NoFavoritesMenu "=1 (0x1)
    "NoRecentDocsMenu "=0 (0x0)
    "NoLogOff "=0 (0x0)
    "NoChangeStartMenu "=0 (0x0)
    "NoSMMyPictures "=0 (0x0)
    "NoStartMenuMyMusic "=0 (0x0)
    "NoSMHelp "=0 (0x0)
    "NoSMMyDocs "=0 (0x0)
    "NoStartMenuNetworkPlaces "=0 (0x0)
    "NoNetworkConnections "=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoViewOnDrive "=0 (0x0)
    "NoRecentDocsNetHood "=1 (0x1)
    "NoRecentDocsHistory "=0 (0x0)
    "NoSharedDocuments "=0 (0x0)
    "NoAddPrinter "=0 (0x0)
    "NoDeletePrinter "=0 (0x0)
    "NoActiveDesktopChanges "=0 (0x0)
    "NoSetActiveDesktop "=0 (0x0)
    "NoViewContextMenu "=0 (0x0)
    "NoTrayContextMenu "=0 (0x0)
    "NoWindowsUpdate "=0 (0x0)
    "NoClose "=0 (0x0)
    "DisableLocalMachineRun "=0 (0x0)
    "DisableLocalMachineRunOnce "=0 (0x0)
    "DisableCurrentUserRun "=0 (0x0)
    "DisableCurrentUserRunOnce "=0 (0x0)
    "NoWinKeys "=0 (0x0)
    "NoSecurityTab "=0 (0x0)
    "NoStartMenuSubFolders "=0 (0x0)
    "NoCommonGroups "=0 (0x0)
    "NoSetFolders "=0 (0x0)
    "NoSetTaskbar "=0 (0x0)
    "NoRun "=0 (0x0)
    "NoFind "=0 (0x0)
    "NoFavoritesMenu "=1 (0x1)
    "NoRecentDocsMenu "=0 (0x0)
    "NoLogOff "=0 (0x0)
    "StartMenuLogoff "=0 (0x0)
    "NoChangeStartMenu "=0 (0x0)
    "NoSMMyPictures "=0 (0x0)
    "NoStartMenuMyMusic "=0 (0x0)
    "NoSMHelp "=0 (0x0)
    "NoSMMyDocs "=0 (0x0)
    "NoStartMenuNetworkPlaces "=0 (0x0)
    "NoNetworkConnections "=0 (0x0)
    "NofolderOptions "=1 (0x1)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [06-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 07-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    R0 AFPAnsi;CafeSuite File Protector;C:\WINNT\system32\AFPAnsi.sys
    R0 avgntmgr;avgntmgr;C:\WINNT\system32\drivers\avgntmgr.sys
    R1 avgntdd;avgntdd;C:\WINNT\system32\DRIVERS\avgntdd.sys
    R2 CafeAgent;CafeAgent of CafeSuite;C:\WINNT\system32\cafeagent.exe /service
    R2 Canon NetSpot Suite Service;Canon NetSpot Suite Service;C:\Program Files\Canon\VDC\AuVdc.exe
    R2 P1100B_CT_CDI;Creative PD1100B HAL Service;C:\WINNT\system32\DRIVERS\P1100bCd.sys
    R3 DLKRTS;D-Link DFE-538TX 10/100 Adapter NT Driver;C:\WINNT\system32\DRIVERS\DLKRTS.SYS
    R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINNT\system32\drivers\sis7012.sys
    S3 P1100BVD;Creative WebCam Vista;C:\WINNT\system32\DRIVERS\P1100bVd.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-09-14 01:00:02 C:\WINNT\Tasks\At1.job "
    .
    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-09-24 08:50:53
    Windows 5.0.2195 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    Canon NetSpot Suite Service = ;??w????????????0W??t????p???????????{?w|????G@??????y?wHn?w?????????I?w?G@??>@??{?w?W??????????0W??H?T??????{?w?W???????$???????????J?w????}rI??$????????????@?????????????8?I???????@?8????????????V????????????I?????????????`???????h???W?I?_?P?R?I?N?T?E?R?_?O?B?J?E?C?T?0?????(???????????????????????X5??P5??????????????????T*?w????C:\DOCUME~1\ZR12~1\LOCALS~1\Temp?????;??????xq?? ????}?wxq???X???2???????s??????,{??xq???;??????x????{?w?????z??????xq??D???????`<??1???xq???????????????2???p???3?????w?3???6?w(???`??w?2??l????????????2??????F??w(=?w?????3???????????????????????????????X???????????;??????xq???????}?wxq???X???2???????s??????,{??xq???;??????\????{?w?????z??????xq???X???{?w`<??4??wxq?????????w?????2???p???3?????w?3???6?w(???`??w?2??l????????????2??????F??w(=?w?????3???????????????????????????????X??????????H??????????w?3??????????????`??w0W???X??l????G@?xq???????????\?w?s??3??????????????F?2??t??????w?v??8??????????w?X??8????????????p???G@??????p???q??P???R??w?2???dA?p???r??wlI?w?;???;?????w?q???{?w?W?????w0q???2??Q??w

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-09-24 8:52:17 - machine was rebooted
    C:\ComboFix2.txt ... 07-09-22 09:37
    C:\ComboFix-quarantined-files.txt ... 07-09-24 08:52
    .
    --- E O F ---
     
    z4u,
    #7
  9. 2007/09/24
    noahdfear

    noahdfear Inactive

    Highlight and copy the contents of the code box below to a blank notepad. Save it to the desktop as:

    Filename: fix.bat
    Save as type: All Files (*.*)

    Code:
    @echo off
    cls
    IF EXIST C:\WINNT\progq.exe del /q C:\WINNT\progq.exe
    IF EXIST C:\WINNT\qn0oka2b.exe del /q C:\WINNT\qn0oka2b.exe
    IF EXIST C:\WINNT\system32\winload.dll del /q C:\WINNT\system32\winload.dll
    IF EXIST C:\WINNT\system32\autorun.ini del /q C:\WINNT\system32\autorun.ini
    IF EXIST C:\WINNT\system32\setting.ini del /q C:\WINNT\system32\setting.ini
    IF EXIST C:\WINNT\Tasks\At1.job del /q C:\WINNT\Tasks\At1.job
    cls
    echo REGEDIT4>>fix.reg
    echo.>>fix.reg
    echo [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]>>fix.reg
    echo "NofolderOptions"=dword:00000000>>fix.reg
    echo.>>fix.reg
    echo [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]>>fix.reg
    echo "DisableChangePassword"=dword:00000000>>fix.reg
    echo.>>fix.reg
    regedit.exe /s fix.reg
    cls
    @echo off
    cls
    echo batch has run>>log.log
    echo.>>log.log
    IF EXIST C:\WINNT\progq.exe echo C:\WINNT\progq.exe present >>log.log
    IF EXIST C:\WINNT\qn0oka2b.exe echo C:\WINNT\qn0oka2b.exe present >>log.log
    IF EXIST C:\WINNT\system32\winload.dll echo C:\WINNT\system32\winload.dll present >>log.log
    IF EXIST C:\WINNT\system32\autorun.ini echo C:\WINNT\system32\autorun.ini present >>log.log
    IF EXIST C:\WINNT\system32\setting.ini echo C:\WINNT\system32\setting.ini present >>log.log
    IF EXIST C:\WINNT\Tasks\At1.job echo C:\WINNT\Tasks\At1.job present >>log.log
    IF NOT EXIST C:\WINNT\progq.exe echo C:\WINNT\progq.exe deleted >>log.log
    IF NOT EXIST C:\WINNT\qn0oka2b.exe echo C:\WINNT\qn0oka2b.exe deleted >>log.log
    IF NOT EXIST C:\WINNT\Tasks\At1.job echo C:\WINNT\Tasks\At1.job deleted >>log.log
    del /q fix.reg
    cls
    exit
    
    Boot to safe mode.
    Double click fix.bat to run it. It will place a file named log.log on the desktop when it completes. Please post the contents of log.log (it will open with notepad) when back in normal mode. Post a fresh HijackThis log as well.
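A quarantine-style variant of the fix.bat cleanup above, added here as an example and not part of the original post. It mirrors the batch file's check, remove and log sequence, but instead of deleting each artifact it moves the file into a quarantine folder under a non-executable name and records its SHA-256, so the sample survives for later analysis. ARTIFACTS is the file list fix.bat targets; the Windows directory and the quarantine folder are parameters so the function can be exercised on a scratch tree built by build_sample_windir(), which is constructed test data. The registry policy reset that fix.bat performs through fix.reg is not reproduced here.

```python
"""Quarantine variant of the fix.bat cleanup (added example, not the thread's code)."""
import hashlib
import os
import shutil
import tempfile

# Files fix.bat checks, relative to the Windows directory (C:\WINNT on this box).
ARTIFACTS = [
    "progq.exe",
    "qn0oka2b.exe",
    os.path.join("system32", "winload.dll"),
    os.path.join("system32", "autorun.ini"),
    os.path.join("system32", "setting.ini"),
    os.path.join("Tasks", "At1.job"),
]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine_artifacts(windir, quarantine_dir, artifacts=ARTIFACTS):
    """Move each listed artifact out of windir; return log lines like log.log.

    Each moved file is renamed <relative path with separators replaced>.bin
    so it cannot be launched by accident from the quarantine folder, and a
    manifest.txt with "<sha256>  <relative path>" per file is written there.
    """
    os.makedirs(quarantine_dir, exist_ok=True)
    log = ["batch has run"]
    manifest = []
    for rel in artifacts:
        src = os.path.join(windir, rel)
        if not os.path.lexists(src):
            log.append(f"{src} not present")
            continue
        digest = sha256_of(src)
        dst = os.path.join(quarantine_dir, rel.replace(os.sep, "__") + ".bin")
        shutil.move(src, dst)
        log.append(f"{src} quarantined sha256={digest}")
        manifest.append(f"{digest}  {rel}")
    with open(os.path.join(quarantine_dir, "manifest.txt"), "w") as f:
        f.write("".join(line + "\n" for line in manifest))
    # Same post-check fix.bat does: anything still on disk is reported loudly.
    for rel in artifacts:
        src = os.path.join(windir, rel)
        if os.path.lexists(src):
            log.append(f"{src} STILL PRESENT")
    return log


def read_manifest(quarantine_dir):
    with open(os.path.join(quarantine_dir, "manifest.txt")) as f:
        return [line.rstrip("\n") for line in f if line.strip()]


def build_sample_windir():
    """Constructed scratch tree: two of the six artifacts present, four absent."""
    root = tempfile.mkdtemp(prefix="fixbat-demo-")
    windir = os.path.join(root, "WINNT")
    os.makedirs(os.path.join(windir, "system32"))
    os.makedirs(os.path.join(windir, "Tasks"))
    with open(os.path.join(windir, "progq.exe"), "wb") as f:
        f.write(b"MZ placeholder, constructed sample, not real malware")
    with open(os.path.join(windir, "Tasks", "At1.job"), "wb") as f:
        f.write(b"constructed scheduled task placeholder")
    return windir, os.path.join(root, "quarantine")


if __name__ == "__main__":
    win, quar = build_sample_windir()
    for line in quarantine_artifacts(win, quar):
        print(line)
    print("manifest:", read_manifest(quar))
```

Run it as-is to see the log against the scratch tree; on a real machine you would pass the actual Windows directory and a folder the malware cannot reach, and keep the manifest with the case notes so the hashes can be checked against vendor detections later.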
     
  10. 2007/09/24
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    Here is the fix.bat log result:
    batch has run

    C:\WINNT\progq.exe deleted
    C:\WINNT\qn0oka2b.exe deleted
    C:\WINNT\Tasks\At1.job deleted
    and here is a fresh HijackThis log:
    Logfile of HijackThis v1.97.7
    Scan saved at 9:38:53 AM, on 9/25/2007
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Canon\VDC\AuVdc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\sys\HijackThis.exe

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [CafeAgent] C:\WINNT\system32\cafeagent.exe /normal
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [CafeAgent] C:\WINNT\system32\cafeagent.exe /normal
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3FFF95A9-4A82-4879-8C66-E244F359FDCB}: NameServer = xx.xx.xx.xx
     
    z4u,
    #9
  11. 2007/09/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Great!

    Now, let's take another closer look at things.

    Note: You must be logged onto an account with administrator privileges to complete the following.

    Download Deckard's System Scanner (dss.exe) to your desktop.
    • Close all applications and windows.
    • Double click on dss.exe to run it and follow the prompts.
    • When the scan is complete, two text files will open; main.txt, which will be maximized and extra.txt, which will be minimized.
    Post the contents of main.txt only for now.
     
  12. 2007/09/25
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    Main.txt log
    Deckard's System Scanner v20070905.67
    Run by PC4 on 2007-09-26 08:10:37
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 128 MiB (256 MiB recommended).


    -- HijackThis (run as PC4.exe) -------------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:11:47 AM, on 9/26/2007
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Canon\VDC\AuVdc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Documents and Settings\ZR 12\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\PC4.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [CafeAgent] C:\WINNT\system32\cafeagent.exe /normal
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [CafeAgent] C:\WINNT\system32\cafeagent.exe /normal
    O4 - HKLM\..\RunServices: [Canon NetSpot Suite Service] ;©w
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINNT\bdoscandel.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3FFF95A9-4A82-4879-8C66-E244F359FDCB}: NameServer = 192.168.0.1
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: CafeAgent of CafeSuite (CafeAgent) - CafeSuite - C:\WINNT\system32\cafeagent.exe
    O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

    --
    End of file - 3761 bytes

    -- File Associations -----------------------------------------------------------

    .cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 AFPAnsi (CafeSuite File Protector) - c:\winnt\system32\afpansi.sys <Not Verified; Alfa Corporation; AlfaFP (TM) 9.08 Ansi Build for Windows NT/2K>
    R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
    R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
    R3 DLKRTS (D-Link DFE-538TX 10/100 Adapter NT Driver) - c:\winnt\system32\drivers\dlkrts.sys <Not Verified; D-Link Corporation; D-Link DFE-538TX 10/100 Adapter>

    S3 catchme - c:\docume~1\zr12~1\locals~1\temp\catchme.sys (file missing)
    S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - c:\program files\antivir personaledition classic\sched.exe <Not Verified; Avira GmbH; Scheduler>
    R2 Canon NetSpot Suite Service - c:\program files\canon\vdc\auvdc.exe <Not Verified; CANON INC.; NetSpot Suite>

    S2 CafeAgent (CafeAgent of CafeSuite) - c:\winnt\system32\cafeagent.exe /service <Not Verified; CafeSuite; CafeAgent of CafeSuite>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Files created between 2007-08-26 and 2007-09-26 -----------------------------

    2007-09-26 08:11:38 0 d-------- C:\Program Files\Trend Micro
    2007-09-22 09:49:07 0 d-------- C:\Program Files\ArcaOnline
    2007-09-21 18:14:59 0 d-------- C:\sys
    2007-09-21 17:59:56 0 d-------- C:\Documents and Settings\ZR 12\Local Settingsocal Settings
    2007-09-21 17:53:10 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-09-21 17:52:40 0 d-------- C:\Program Files\SUPERAntiSpyware
    2007-09-21 17:52:40 0 d-------- C:\Documents and Settings\ZR 12\Application Data\SUPERAntiSpyware.com
    2007-09-21 17:52:16 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-09-07 10:11:39 0 d-------- C:\WINNT\Sun
    2007-09-07 10:11:38 0 d-------- C:\Documents and Settings\ZR 12\Application Data\Sun


    -- Find3M Report ---------------------------------------------------------------

    2007-07-30 15:53:02 203 --a------ C:\WINNT\system32\lsprst7.dll
    2007-07-20 10:34:38 847872 --a------ C:\WINNT\system32\ArcaOnline.dll <Not Verified; ArcaBit; ArcaBit Online Scanner>


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CafeAgent"="C:\WINNT\system32\cafeagent.exe" [10/27/06 06:05p]
    "NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [06/15/05 05:20p]
    "Synchronization Manager"="mobsync.exe" [06/19/03 12:05p C:\WINNT\system32\mobsync.exe]
    "nwiz"="nwiz.exe" [06/15/05 05:20p C:\WINNT\system32\nwiz.exe]
    "avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [09/11/07 02:25p]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/10/06 07:51p]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [08/19/05 07:34p]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "CafeAgent"=C:\WINNT\system32\cafeagent.exe /normal
    "Canon NetSpot Suite Service"=;©w

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "NoSecCPL"=0 (0x0)
    "NoConfigPage"=0 (0x0)
    "NoFileSysPage"=0 (0x0)
    "NoDevMgrPage"=0 (0x0)
    "NoVirtMemPage"=0 (0x0)
    "DisableChangePassword"=0 (0x0)
    "DisableLockWorkstation"=0 (0x0)
    "NoDispBackgroundPage"=0 (0x0)
    "NoDispCPL"=0 (0x0)
    "NoDispAppearancePage"=0 (0x0)
    "NoDispScrSavPage"=0 (0x0)
    "NoDispSettingsPage"=0 (0x0)
    "DisableTaskMgr"=0 (0x0)
    "DisableRegistryTools"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "NoSecCPL"=0 (0x0)
    "NoConfigPage"=0 (0x0)
    "NoFileSysPage"=0 (0x0)
    "NoDevMgrPage"=0 (0x0)
    "NoVirtMemPage"=0 (0x0)
    "DisableChangePassword"=1 (0x1)
    "DisableLockWorkstation"=0 (0x0)
    "NoDispBackgroundPage"=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableChangePassword"=0 (0x0)
    "NoSecCPL"=0 (0x0)
    "NoConfigPage"=0 (0x0)
    "NoFileSysPage"=0 (0x0)
    "NoDevMgrPage"=0 (0x0)
    "NoVirtMemPage"=0 (0x0)
    "NoDispCPL"=0 (0x0)
    "NoDispAppearancePage"=0 (0x0)
    "NoDispBackgroundPage"=0 (0x0)
    "NoDispScrSavPage"=0 (0x0)
    "NoDispSettingsPage"=0 (0x0)
    "DisableLockWorkstation"=0 (0x0)
    "DisableTaskMgr"=0 (0x0)
    "DisableRegistryTools"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoAddPrinter"=0 (0x0)
    "NoDeletePrinter"=0 (0x0)
    "NoRecentDocsNetHood"=0 (0x0)
    "ClearRecentDocsOnExit"=0 (0x0)
    "NoRecentDocsHistory"=0 (0x0)
    "NoSharedDocuments"=0 (0x0)
    "NoViewOnDrive"=0 (0x0)
    "NoSetActiveDesktop"=0 (0x0)
    "NoTrayContextMenu"=0 (0x0)
    "NoInternetIcon"=0 (0x0)
    "NoWindowsUpdate"=0 (0x0)
    "DisableLocalMachineRun"=0 (0x0)
    "DisableLocalMachineRunOnce"=0 (0x0)
    "DisableCurrentUserRun"=0 (0x0)
    "DisableCurrentUserRunOnce"=0 (0x0)
    "NoWinKeys"=0 (0x0)
    "NoStartMenuSubFolders"=0 (0x0)
    "NoCommonGroups"=0 (0x0)
    "NoSetFolders"=0 (0x0)
    "NoSetTaskbar"=0 (0x0)
    "NoFavoritesMenu"=1 (0x1)
    "NoRecentDocsMenu"=0 (0x0)
    "NoLogOff"=0 (0x0)
    "NoChangeStartMenu"=0 (0x0)
    "NoSMMyPictures"=0 (0x0)
    "NoStartMenuMyMusic"=0 (0x0)
    "NoSMHelp"=0 (0x0)
    "NoSMMyDocs"=0 (0x0)
    "NoStartMenuNetworkPlaces"=0 (0x0)
    "NoNetworkConnections"=0 (0x0)
    "NoSecurityTab"=0 (0x0)
    "NoActiveDesktopChanges"=0 (0x0)
    "NoActiveDesktop"=1 (0x1)
    "ForceActiveDesktopOn"=0 (0x0)
    "NoViewContextMenu"=0 (0x0)
    "NoSaveSettings"=0 (0x0)
    "NoDesktop"=0 (0x0)
    "NoClose"=0 (0x0)
    "NoRun"=0 (0x0)
    "NoFind"=0 (0x0)
    "StartMenuLogoff"=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Software\CafeSuite\CafeAgent]
    "LTC"=33765 (0x83e5)
    "LTCID"=13359652 (0xcbda24)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoAddPrinter"=0 (0x0)
    "NoDeletePrinter"=0 (0x0)
    "NoRecentDocsNetHood"=1 (0x1)
    "ClearRecentDocsOnExit"=1 (0x1)
    "NoRecentDocsHistory"=0 (0x0)
    "NoSharedDocuments"=0 (0x0)
    "NoViewOnDrive"=0 (0x0)
    "NoSetActiveDesktop"=0 (0x0)
    "NoTrayContextMenu"=0 (0x0)
    "DisableLocalMachineRun"=0 (0x0)
    "DisableLocalMachineRunOnce"=0 (0x0)
    "DisableCurrentUserRun"=0 (0x0)
    "DisableCurrentUserRunOnce"=0 (0x0)
    "NoWinKeys"=0 (0x0)
    "NoSecurityTab"=0 (0x0)
    "NoStartMenuSubFolders"=0 (0x0)
    "NoCommonGroups"=0 (0x0)
    "NoSetFolders"=0 (0x0)
    "NoSetTaskbar"=0 (0x0)
    "NoFavoritesMenu"=1 (0x1)
    "NoRecentDocsMenu"=0 (0x0)
    "NoLogOff"=0 (0x0)
    "NoChangeStartMenu"=0 (0x0)
    "NoSMMyPictures"=0 (0x0)
    "NoStartMenuMyMusic"=0 (0x0)
    "NoSMHelp"=0 (0x0)
    "NoSMMyDocs"=0 (0x0)
    "NoStartMenuNetworkPlaces"=0 (0x0)
    "NoNetworkConnections"=0 (0x0)

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoViewOnDrive"=0 (0x0)
    "NoRecentDocsNetHood"=0 (0x0)
    "ClearRecentDocsOnExit"=0 (0x0)
    "NoRecentDocsHistory"=0 (0x0)
    "NoSharedDocuments"=0 (0x0)
    "NoAddPrinter"=0 (0x0)
    "NoDeletePrinter"=0 (0x0)
    "NoActiveDesktopChanges"=0 (0x0)
    "NoSetActiveDesktop"=0 (0x0)
    "NoViewContextMenu"=0 (0x0)
    "NoTrayContextMenu"=0 (0x0)
    "NoSaveSettings"=0 (0x0)
    "NoInternetIcon"=0 (0x0)
    "NoWindowsUpdate"=0 (0x0)
    "NoClose"=0 (0x0)
    "DisableLocalMachineRun"=0 (0x0)
    "DisableLocalMachineRunOnce"=0 (0x0)
    "DisableCurrentUserRun"=0 (0x0)
    "DisableCurrentUserRunOnce"=0 (0x0)
    "NoWinKeys"=0 (0x0)
    "NoSecurityTab"=0 (0x0)
    "NoStartMenuSubFolders"=0 (0x0)
    "NoCommonGroups"=0 (0x0)
    "NoSetFolders"=0 (0x0)
    "NoSetTaskbar"=0 (0x0)
    "NoRun"=0 (0x0)
    "NoFind"=0 (0x0)
    "NoFavoritesMenu"=1 (0x1)
    "NoRecentDocsMenu"=0 (0x0)
    "NoLogOff"=0 (0x0)
    "StartMenuLogoff"=0 (0x0)
    "NoChangeStartMenu"=0 (0x0)
    "NoSMMyPictures"=0 (0x0)
    "NoStartMenuMyMusic"=0 (0x0)
    "NoSMHelp"=0 (0x0)
    "NoSMMyDocs"=0 (0x0)
    "NoStartMenuNetworkPlaces"=0 (0x0)
    "NoNetworkConnections"=0 (0x0)
    "NofolderOptions"=0 (0x0)
    "NoActiveDesktop"=1 (0x1)
    "ForceActiveDesktopOn"=0 (0x0)
    "NoDesktop"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/06 01:55p 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/07 01:41p 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot




    -- End of Deckard's System Scanner: finished at 2007-09-26 08:12:12 ------------
     
    z4u,
    #11
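The registry dump in the post above lists every policy value DSS found, and the ones that matter are the few set to 1: DisableChangePassword under HKCU, NoFavoritesMenu and NoActiveDesktop under HKLM and .default. Malware commonly flips values such as DisableTaskMgr or NoFolderOptions so the user cannot see or undo what it did, which is exactly why fix.bat earlier in the thread resets two of them. The following script, added here as an example and not part of the original thread, scans a DSS-style dump for nonzero DWORDs under policies keys, marks the ones on a lockout watchlist, and emits REGEDIT4 text in the same shape as the fix.reg that fix.bat generates. SAMPLE_DUMP is a constructed excerpt in the DSS format, and the LOCKOUT set is this example's own watchlist, not something DSS or the thread defines.

```python
"""Flag restrictive policy DWORDs in a DSS registry dump (added example)."""
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")
# "Name"=1 (0x1); tolerates the stray space before the closing quote that the
# forum software inserted into the dump as posted.
VALUE_RE = re.compile(r'^"([^"]*?)\s*"\s*=\s*\d+ \(0x([0-9a-fA-F]+)\)$')

# Policies that take control away from the user; malware sets these to hide.
# This watchlist is the example's own choice, not a DSS definition.
LOCKOUT = {
    "disablechangepassword", "disabletaskmgr", "disableregistrytools",
    "nofolderoptions", "norun", "nofind", "nocontrolpanel", "nodesktop",
    "disablelockworkstation", "nowindowsupdate",
}

# Constructed excerpt in the DSS "Registry Dump" format.
SAMPLE_DUMP = """\
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\policies\\system]
"NoSecCPL"=0 (0x0)
"DisableChangePassword"=1 (0x1)
"DisableTaskMgr"=0 (0x0)

[HKEY_USERS\\.default\\software\\microsoft\\windows\\currentversion\\policies\\explorer]
"NofolderOptions "=0 (0x0)
"NoFavoritesMenu"=1 (0x1)
"NoActiveDesktop"=1 (0x1)

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"avgnt"="C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe" [09/11/07 02:25p]
"""


def find_set_policies(dump_text):
    """Return [(key, name, value)] for every nonzero DWORD under a policies key."""
    hits = []
    key = None
    for raw in dump_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key and "\\policies\\" in key.lower():
            name, value = m.group(1), int(m.group(2), 16)
            if value != 0:
                hits.append((key, name, value))
    return hits


def lockout_hits(hits):
    """Subset of hits whose value name is on the LOCKOUT watchlist."""
    return [h for h in hits if h[1].lower() in LOCKOUT]


def reset_reg_text(hits):
    """REGEDIT4 text that sets each hit back to 0, grouped by key."""
    by_key = {}
    for key, name, _ in hits:
        by_key.setdefault(key, []).append(name)
    out = ["REGEDIT4", ""]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        out.extend(f'"{name}"=dword:00000000' for name in names)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    found = find_set_policies(SAMPLE_DUMP)
    for key, name, val in found:
        tag = "LOCKOUT" if name.lower() in LOCKOUT else "info"
        print(f"{tag:7} {name}={val} under {key}")
    print(reset_reg_text(lockout_hits(found)))
```

Only the watchlist hits go into the .reg text: the NoFavoritesMenu and NoActiveDesktop values are reported but left alone, because on a machine running a cafe kiosk agent like the CafeSuite one in this log such policies may well be set deliberately, and a cleanup script should not undo the owner's configuration without asking.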
  13. 2007/09/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Only problem I see is a broken control panel file association. The following will fix it.

    ** dss.exe must be on the desktop as instructed above for the following command to work. **

    Highlight and copy the bolded command below.

    "%userprofile%\desktop\dss.exe" /daft
    • Click Start>Run and paste the command in, then hit enter.
    • An interface of Deckard's file association fix will open.
    • Click Scan.
    • cpl should come up in the list.
    • Check the box next to it, then click Fix.
    • Exit when complete.


    Is there a reason why this computer is so far behind on Windows Updates?

    Probably should do an online scan just to be sure we haven't missed something.

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log.
     
  14. 2007/09/26
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    Thanks, okay, the cpl file association is fixed, and here is the virus scan log:
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Thursday, September 27, 2007 8:50:43 AM
    Operating System: Microsoft Windows 2000 Professional, (Build 2195)
    Kaspersky Online Scanner version: 5.0.93.1
    Kaspersky Anti-Virus database last update: 27/09/2007
    Kaspersky Anti-Virus database records: 423811
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 46020
    Number of viruses found: 2
    Number of infected objects: 4
    Number of suspicious objects: 0
    Duration of the scan process: 00:46:16

    Infected Object Name / Virus Name / Last Action
    C:\WINNT\system32\config\software.LOG Object is locked skipped
    C:\WINNT\system32\config\default.LOG Object is locked skipped
    C:\WINNT\system32\config\SECURITY Object is locked skipped
    C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
    C:\WINNT\system32\config\SAM Object is locked skipped
    C:\WINNT\system32\config\SAM.LOG Object is locked skipped
    C:\WINNT\system32\config\SYSTEM Object is locked skipped
    C:\WINNT\system32\config\SOFTWARE Object is locked skipped
    C:\WINNT\system32\config\DEFAULT Object is locked skipped
    C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINNT\system32\CatRoot\SYSMAST.cbd Object is locked skipped
    C:\WINNT\system32\CatRoot\SYSMAST.cbk Object is locked skipped
    C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATMAST.cbd Object is locked skipped
    C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATMAST.cbk Object is locked skipped
    C:\WINNT\security\logs\scepol.log Object is locked skipped
    C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
    C:\WINNT\SETUPLOG.HTM Infected: Trojan-Downloader.HTML.Agent.el skipped
    C:\WINNT\SETUPLOGMSE.HTM Infected: Trojan-Downloader.HTML.Agent.el skipped
    C:\WINNT\SETUPLOGMSEMSD.HTM Infected: Trojan-Downloader.HTML.Agent.el skipped
    C:\WINNT\SchedLgU.Txt Object is locked skipped
    C:\WINNT\CSC\00000001 Object is locked skipped
    C:\WINNT\Sti_Trace.log Object is locked skipped
    C:\Documents and Settings\ZR 12\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\ZR 12\Local Settings\History\History.IE5\MSHist012007092720070928\index.dat Object is locked skipped
    C:\Documents and Settings\ZR 12\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\ZR 12\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\ZR 12\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\ZR 12\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\ZR 12\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\ZR 12\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped

    Scan process completed.
    Is there a reason why this computer is so far behind on Windows Updates?
    No, there is no particular reason. A few months ago I updated to SP4 but faced a problem in MS Word: when I saved a file it did not respond, so I uninstalled it again. After that I did not feel like updating it because of that problem. Your suggestion?
     
    z4u,
    #13
  15. 2007/09/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'm not sure what these setup logs are from, but Kaspersky says they're infected.

    C:\WINNT\SETUPLOG.HTM
    C:\WINNT\SETUPLOGMSE.HTM
    C:\WINNT\SETUPLOGMSEMSD.HTM

    I recommend you remove them.

    Otherwise, your computer is clean. :) Is it performing as it should?

    I recommend you get fully updated with Windows Update. Issues such as the one you had with Word can usually be resolved easily.
     
  16. 2007/09/27
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    Thanks a lot. I am going to delete all these setup files, and later I will update Windows with SP4. I hope the system is clean now. Do you recommend any best antivirus that can monitor this hellish kind of virus? Thank you.
     
    z4u,
    #15
  17. 2007/09/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Happy I could help z4u :)

    AntiVir has a good enough reputation, and without personal experience I can't say that it is inadequate. I think you would do well to install a firewall though. ;)
     