
Hell virus Help

Discussion in 'Malware and Virus Removal Archive' started by z4u, 2007/03/07.

  1. 2007/03/11
    Blender

    Hi,

    Sorry for the late reply. I was working.
    A few more files to remove yet, and a bit of registry work.

    Question:
    Is new114.com.cn your intended home page?
    I ask because I can't read it and often malware will change home page to unwanted sites.

    Can you have this file:

    C:\WINNT\System32\drivers\pshook11.sys

    Scanned at either of these 2 sites please and let me know the results.

    http://virusscan.jotti.org/

    http://www.virustotal.com/

    ----------------------

    Start HijackThis.
    Run a system scan and check:

    O4 - HKLM\..\Run: [cmdbcs] C:\WINNT\cmdbcs.exe

    Once checked, close all open windows and click "fix checked". Then OK.

    Exit HijackThis and boot to safe mode.

    Once in safe mode...

    Right-click fix1.reg and choose Merge.
    You will be asked if you want to add the contents of fix1.reg to the registry.
    Answer yes.
    You should get a success message.

    Find and delete the following:


    C:\WINNT\cmdbcs.exe
    C:\WINNT\System32\cmdbcs.dll
    C:\WINNT\System32\7AD2F75E.DLL
    C:\WINNT\System32\7AD2F75ET.EXE

    Empty recycle bin.

    Reboot back to normal mode and post a log file from this program please:

    http://www.kztechs.com/sreng/sreng2.zip

    Download the program
    Unzip it to its own folder. It needs to be unzipped to work.
    Double-click swreng2.exe to run it.
    Click "smart scan".
    Wait until the scan finishes.
    Once done, the log will open.

    Do not fix anything yet. Most of what you see is safe or essential to the system!

    Post the contents of the log here or upload it here please:

    http://www.bleepingcomputer.com/submit-malware.php?channel=19

    Let me know how the computer is running.

    Thanks

    Tammy
     
  2. 2007/03/11
    z4u

    Okay Blender, yesterday I was off, so I just got back today, meaning Monday; in the evening I'm going to submit the report and post it, and see what the status of the computer is now ;)
     
    z4u,
    #22


  4. 2007/03/12
    z4u

    Okay Blender, I've already uploaded the file to http://www.bleepingcomputer.com/subm...php?channel=19; the file name is blender(z4u).zip. The virus results plus the swreng2.exe output are attached in it.
    Here is an external link to download it:
    http://maxupload.com/CEA4D8B3
    I can't find this entry when I run the HijackThis log:
    O4 - HKLM\..\Run: [cmdbcs] C:\WINNT\cmdbcs.exe
    and
    C:\WINNT\cmdbcs.exe was not found.
    C:\WINNT\System32\cmdbcs.dll I've deleted.
    C:\WINNT\System32\7AD2F75E.DLL I've deleted.
    C:\WINNT\System32\7AD2F75ET.EXE I've deleted.
    Now I'll wait for you to tell me what the system's condition is. Thanks bro.
     
    z4u,
    #23
  5. 2007/03/12
    Blender

    Hi

    Is new114.com.cn your real home page?
    I ask because if it is not we need to fix it. I can't read Chinese so I can't read what is there.

    What were the Jotti/VirusTotal results for this file:

    C:\WINNT\System32\drivers\pshook11.sys

    Let me know those 2 things and I can begin another fix.
    There are still nasties to be dealt with.

    Thanks :)
     
  6. 2007/03/12
    z4u

    Is new114.com.cn your real home page?
    Nope, after deleting the files it's not coming up; I fixed it using HijackThis, so it no longer appears.
    Both virus scan results for this file were okay, meaning nothing found, all status okay:
    C:\WINNT\System32\drivers\pshook11.sys
    I've sent you blender(z4u).zip via http://www.bleepingcomputer.com/subm...php?channel=19
    Here is an external link to download it:
    http://maxupload.com/CEA4D8B3
    So please have a look and see.
     
    z4u,
    #25
  7. 2007/03/13
    Blender

  8. 2007/03/13
    z4u

    Okay Blender, I have already sent the file pshook11.sys
    to windowsbleep; please check it. And here is the HijackThis log. Thanks


    Logfile of HijackThis v1.97.7
    Scan saved at 7:19:55 PM, on 3/13/2007
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\WINNT\System32\CafeAgent.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wwSecure.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
    C:\HijackThis.exe

    O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\RunServices: [CafeAgent] "C:\WINNT\System32\CafeAgent.exe" /normal
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C9CDCC56-2E53-4682-9148-35B0714EA563}: NameServer = 192.168.0.1
     
    z4u,
    #27
  9. 2007/03/13
    Blender

    Hi

    That file you sent is from TrekBlue software. Did you at one time or another have SpywareNuker or PcOrian installed?
    If it was installed since SpywareNuker 2004, it is alright.
    If it is no longer installed we'll remove it just to clean up.

    That HijackThis log is from an old version.

    Please delete C:\Hijackthis.exe and use the one you have in your HijackThis folder on your desktop from now on.

    Download Brute Force Uninstaller
    http://www.merijn.org/files/bfu.zip

    Create a folder for BFU on the C: drive called C:\BFU. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it BFU. Extract the files from the zip archive into that folder.

    Next, attached is a file called "fixit.zip".
    Save this file and unzip it to c:\BFU

    You should have C:\BFU\Fixit.bfu when done.

    Close running programs because you will likely reboot shortly.

    Copy these instructions to Notepad or print them out, because the fix you will be running will close Explorer and IE, so you won't see this page.

    Open the BFU folder and double-click BFU.exe.
    In the top bar where it says "script file to execute" type this:

    c:\BFU\Fixit.bfu

    Press the "execute" button.

    Explorer will close, so the desktop will disappear (this is normal).
    If any IE windows are open they will close also.

    You should see a progress bar while the program is working.

    What it will do is stop Explorer and Internet Explorer so it can:
    delete/repair the offending registry entries and set up the offending file to be deleted at reboot.

    Your computer should reboot when it is done.

    Once restarted, please run a new scan (smart scan) with SREng.exe and send me the log.
    Also post a new HijackThis log here.

    Let me know how computer is running.

    Thanks :)

    <<edited for content>>
     
    Last edited: 2007/03/13
  10. 2007/03/14
    z4u

    Yeah, last time I installed SpywareNuker, then I uninstalled it; now I'm using Webroot Spy Sweeper. Here is the download link for sreng.exe; please download the file:
    http://maxupload.com/84F009D7

    And here is the HijackThis log:
    Logfile of HijackThis v1.99.1
    Scan saved at 7:43:37 PM, on 3/14/2007
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINNT\System32\CafeAgent.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wwSecure.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis.exe

    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\RunServices: [CafeAgent] "C:\WINNT\System32\CafeAgent.exe" /normal
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C9CDCC56-2E53-4682-9148-35B0714EA563}: NameServer = 192.168.0.1
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: CafeAgent of CafeSuite (CafeAgent) - CafeSuite - C:\WINNT\System32\CafeAgent.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINNT\System32\wwSecure.exe
     
    z4u,
    #29
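The fix Blender describes above is a comparison by eye: read the HijackThis log, spot an autorun that should not be there, fix it, delete the file, then ask for a fresh log to confirm it is gone. The script below, added here as an example and not code from HijackThis or from either poster, does that comparison mechanically. It parses the O-lines out of two logs, reports what disappeared and what is new, flags O4 autoruns whose executable sits directly in the Windows directory (as C:\WINNT\cmdbcs.exe did) and O2/O3 registrations that point at "(no file)", and writes out the .reg text that would delete the flagged Run values, which is the same "=-" syntax a fix1.reg or z4u.reg relies on. The two sample logs are constructed from lines posted in this thread, with the cmdbcs entry put back into the earlier copy; the heuristics are this example's own and do not come from HijackThis.

```python
r"""Parse HijackThis logs, diff a before/after pair and flag removal candidates.

Added example for this thread, not code from HijackThis or from the posters.
BEFORE and AFTER are constructed from lines posted in the thread; the O4 cmdbcs
entry Blender asked to have fixed is put back into BEFORE.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section body")

# A HijackThis finding line, e.g. "O4 - HKLM\..\Run: [cmdbcs] C:\WINNT\cmdbcs.exe"
LINE_RE = re.compile(r"^(O\d{1,2}|R\d|F\d|N\d)\s+-\s+(.*)$")
# Body of an O4 registry autorun: hive, Run/RunServices key, value name, command line
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+):\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$")
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}

BEFORE = r"""Logfile of HijackThis v1.97.7
Platform: Windows 2000 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\cmdbcs.exe

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cmdbcs] C:\WINNT\cmdbcs.exe
O4 - HKLM\..\RunServices: [CafeAgent] "C:\WINNT\System32\CafeAgent.exe" /normal
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9CDCC56-2E53-4682-9148-35B0714EA563}: NameServer = 192.168.0.1
"""

AFTER = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunServices: [CafeAgent] "C:\WINNT\System32\CafeAgent.exe" /normal
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9CDCC56-2E53-4682-9148-35B0714EA563}: NameServer = 192.168.0.1
"""


def parse_log(text):
    """Finding lines of a log as Entry objects; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def diff_logs(before, after):
    """(removed, added): findings a fix took away, and findings new since the earlier log."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return sorted(b - a), sorted(a - b)


def exe_path(cmd):
    """First token of a command line, honouring quotes: the program that actually runs."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def flag(entry):
    """Reason the entry is a removal candidate, or None. Heuristics are this example's own."""
    if entry.section == "O4":
        m = O4_RE.match(entry.body)
        if m:
            parent = exe_path(m.group("cmd")).rsplit("\\", 1)[0].lower()
            # Legitimate autoruns live under System32 or Program Files; a bare EXE
            # directly in the Windows directory (C:\WINNT\cmdbcs.exe) is a classic tell.
            if parent in ("c:\\winnt", "c:\\windows"):
                return "autorun executable sits directly in the Windows directory"
    elif entry.section in ("O2", "O3") and entry.body.endswith("(no file)"):
        return "BHO/toolbar registration whose DLL is gone"
    return None


def reg_removal(entries):
    """Regedit 5.00 text deleting the Run values of the flagged O4 entries.

    Merging it is what the fix1.reg/z4u.reg steps in the thread do; "=-" deletes a value.
    Regedit exports this format as UTF-16 LE; plain ANSI text merges as well.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for e in entries:
        m = O4_RE.match(e.body) if e.section == "O4" and flag(e) else None
        if m:
            lines.append("[%s\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\%s]"
                         % (HIVES[m.group("hive")], m.group("key")))
            lines.append('"%s"=-' % m.group("name"))
            lines.append("")
    return "\r\n".join(lines)


def triage(before, after):
    """One pass: what the fix removed, what is new, and what in the new log still looks bad."""
    removed, added = diff_logs(before, after)
    flagged = [(e, flag(e)) for e in parse_log(after) if flag(e)]
    return {"removed": removed, "added": added, "flagged": flagged}


if __name__ == "__main__":
    result = triage(BEFORE, AFTER)
    for key in ("removed", "added"):
        print(key.upper())
        for e in result[key]:
            print("  %s - %s" % e)
    print("STILL FLAGGED IN AFTER")
    for e, why in result["flagged"]:
        print("  %s - %s  <- %s" % (e.section, e.body, why))
    print()
    print(reg_removal(parse_log(BEFORE)))
```

Run on the two samples it reports the cmdbcs autorun as removed, the orphaned "(no file)" toolbar as new and still flagged, and prints a .reg that deletes HKLM\...\Run\cmdbcs. The heuristics are deliberately narrow: an O4 pointing at rundll32 or a bare "mobsync.exe" is not flagged, because those are normal on this machine, and the point of the diff is to let a helper see at a glance whether a fix did what it was meant to rather than re-reading a whole log.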
  11. 2007/03/15
    Blender

    Hi,

    Doesn't look like that fixed any of the registry entries I wanted it to.

    Did you get any errors with BFU?

    Please disable SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.
    To disable SpySweeper:

    1.) Open it, click Options over to the left, then Program Options, and uncheck "load at Windows startup".
    2.) Over to the left click "shields" and uncheck all there.
    3.) Uncheck "home page shield".
    4.) Uncheck "automatically restore default without notification".
    5.) Exit the program.

    Then please re-run BFU using the same procedure as in my last post.
    You don't need to download it again; use the same one you already have.

    Please send me a new SREng log and post a fresh HijackThis log here.

    Also send or post a log from this:

    Download Gmer from here:

    http://www.gmer.net/gmer.zip

    Unzip it.
    Disconnect from the internet and shut down your antivirus to prevent conflicts.
    Also shut down any other unneeded apps, including any open browser windows.
    The less we have running, the less chance of false positives in the log.
    Double-click gmer.exe to run it.
    Allow the driver to install if asked (gmer.sys).
    You may get a warning at program start that there is possible rootkit activity, asking if you want to run a scan.

    Say OK to run the scan.
    If there is no warning, just press "scan".
    Let the scan finish.
    Once done, press "copy".
    Open Notepad and press "ctrl+v" to paste the log.
    Save the log.

    Re-enable your antivirus, re-connect to the internet and post that log here.

    Thanks :)
     
  12. 2007/03/15
    z4u

    Log files: http://maxupload.com/6FDB25DC

    Okay, I have unchecked the Webroot Spy Sweeper options and did the same procedure, and I didn't receive any error when I ran BFU. When I execute BFU everything clears and it asks for a restart; when I click Restart the computer does not restart, because it says that BFU can't close Windows. Then I re-execute it again and it again asks for a restart, and then the computer goes for a restart. Last time it was also like that: I executed it 2 times to restart the computer. On the 1st attempt a "BFU can't close" message window appears and Windows can't restart; the 2nd time when I execute it, it goes for a restart. Thanks

    Posting the logs here, please download them from here:
    hijackthis.log, gmer.log, srenglog
    http://maxupload.com/6FDB25DC
     
    z4u,
    #31
  13. 2007/03/15
    Blender

    Hi,

    Ok. Lets try something different.

    Save these instructions to Notepad or print them out.
    You need to be in safe mode to do the fix, and you won't see this page there.

    The following file is intended for z4u only! Anyone else running this may harm their computer!

    Download and save the attached file called z4u.zip.
    Unzip it but don't run it yet.
    You should have z4u.reg when done.

    Boot to safe mode like this:

    1.) Restart your computer.
    2.) After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    3.) Instead of Windows loading as normal, the Advanced Options Menu should appear;
    4.) Select the first option, to run Windows in Safe Mode, then press Enter.
    5.) Choose your usual account.

    Next:

    Reveal Hidden Files


    1.) Click Start.
    2.) Open My Computer.
    3.) Select the Tools menu.
    4.) Click Folder Options.
    5.) Select the View tab.
    6.) Select "Show hidden files and folders" in the Hidden files and folders section.
    7.) Uncheck the "Hide protected operating system files (recommended)" option.
    8.) Uncheck the "Hide file extensions for known file types" option.
    9.) Click Yes.
    10.) Click OK.


    Find and delete this file:

    C:\Program files\Internet Explorer\PLUGINS\SystemKb.sys

    Delete it from the Recycle Bin.

    Locate z4u.reg.
    Right-click it and choose Merge.
    You should be asked "Do you want to add the contents of z4u.reg to your registry?"

    Click "yes".

    You should get "The contents of z4u.reg was added to the registry".

    Click OK.

    Reboot to normal windows.

    Please send me a new SREng log.

    Let me know if you had troubles with above.

    Thanks :)
     
  14. 2007/03/15
    z4u

    Okay, I followed your instructions; I unticked hidden files and "hide protected..."
    I was in safe mode, but now, hehehe :rolleyes: C:\Program files\Internet Explorer\PLUGINS\SystemKb.sys
    This file is not inside the plugins folder, and even when I searched through the whole drive I don't have that file, so I didn't merge the file either. Do I still merge the file? Please tell me what's next?.. :cool:
     
    z4u,
    #33
  15. 2007/03/16
    z4u

    Hello Blender?.. :rolleyes:
     
    z4u,
    #34
  16. 2007/03/16
    Blender

    Hi z4u,

    Odd you can't find that file...

    I attached a file called "delete.zip".
    Download it, save it and unzip it.
    You should have delete.bat when done.
    Do nothing with it yet.

    Boot to safe mode.
    Locate z4u.reg.
    Right-click it and select Merge.
    Answer yes to merge the contents of z4u.reg with the registry.
    OK the success message.

    Locate delete.bat and double click it.

    A "DOS" window will flash up really quickly and disappear. This is normal.

    While still in safe mode...

    Open Internet Options in your Control Panel.
    Click "delete files" and check to delete offline content. Then OK.
    Wait until it is done.

    Next:

    Click Start > Run, type cleanmgr and hit Enter.

    Cleaning drive C:...

    When it has finished scanning have ONLY the following checked:

    Temporary Internet files
    Temporary files
    Recycle bin

    Hit OK to clean up.

    Wait until it is done.

    Reboot back to normal Windows, run a new SREng (smart scan) scan and send me the log.

    Thanks :)
     
  17. 2007/03/17
    z4u

    Thanks Blender, I've done all the procedures; here is my latest SREng log:
    Code:
    
    2007-03-17,20:18:44
    
    System Repair Engineer 2.4.12.806
    Smallfrogs (http://www.KZTechs.com)
    
    Windows 2000 Professional  (Build 2195) - Administrative User - Completed Functions Allowed
    
    Follow item(s) have been choosed:
        All Boot Items (Including Registry, Startup Folders, Services and so on)
        Browser Add-ons
        Runing Processes (Including process model information)
        File Associations
        Winsock Provider
        Autorun.Inf
        HOSTS File
    
    
    Boot Items
    Registry
    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
        <load><>  [N/A]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
        <NvCplDaemon>< "RUNDLL32.EXE" C:\WINNT\System32\NvCpl.dll,NvStartup>  [(Verified)Microsoft Windows 2000 Publisher]
        <Synchronization Manager><mobsync.exe /logon>  [(Verified)Microsoft Windows 2000 Publisher]
        <avgnt>< "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min>  [Avira GmbH]
        <CafeAgent>< "C:\WINNT\System32\cafeagent.exe" /normal>  [CafeSuite]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
        <CafeAgent>< "C:\WINNT\System32\cafeagent.exe" /normal>  [CafeSuite]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
        <shell><Explorer.exe>  [(Verified)Microsoft Windows 2000 Publisher]
        <Userinit><C:\WINNT\system32\userinit.exe,>  [(Verified)Microsoft Windows 2000 Publisher]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
        <AppInit_DLLs><>  [N/A]
    
    ==================================
    Startup Folders
    [Brightness Controller]
      <C:\Documents and Settings\ZR31\Start Menu\Programs\Startup\Brightness Controller.lnk --> C:\PROGRA~1\NEC-MI~1\BRIGHT~1\BRIGHT~1.EXE [NEC-Mitsubishi Display Electronics America Inc.]><N>
    
    ==================================
    Services
    [AntiVir PersonalEdition Classic Scheduler / AntiVirScheduler][Running/Auto Start]
      <C:\Program Files\AntiVir PersonalEdition Classic\sched.exe><Avira GmbH>
    [AntiVir PersonalEdition Classic Guard / AntiVirService][Running/Auto Start]
      <C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe><AVIRA GmbH>
    [CafeAgent of CafeSuite / CafeAgent][Running/Auto Start]
      <C:\WINNT\System32\CafeAgent.exe /service><CafeSuite>
    [Logical Disk Manager Administrative Service / dmadmin][Stopped/Manual Start]
      <C:\WINNT\System32\dmadmin.exe /com><VERITAS Software Corp.>
    [NVIDIA Display Driver Service / NVSvc][Running/Auto Start]
      <C:\WINNT\System32\nvsvc32.exe><NVIDIA Corporation>
    [Webroot Spy Sweeper Engine / WebrootSpySweeperService][Running/Auto Start]
      < "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe "><Webroot Software, Inc.>
    [Portable Media Serial Number Service / WmdmPmSN][Stopped/Manual Start]
      <C:\WINNT\System32\svchost.exe -k netsvcs-->C:\WINNT\System32\mspmsnsv.dll><Microsoft Corporation>
    [Washer Security Access / wwSecSvc][Running/Auto Start]
      <C:\WINNT\System32\wwSecure.exe><Webroot Software, Inc.>
    
    ==================================
    Drivers
    [CafeSuite File Protector / AFPAnsi][Running/Boot Start]
      <\SystemRoot\System32\AFPAnsi.sys><Alfa Corporation>
    [avgntdd / avgntdd][Running/System Start]
      <SYSTEM32\DRIVERS\avgntdd.sys><AVIRA GmbH>
    [avgntmgr / avgntmgr][Running/Boot Start]
      <\SystemRoot\SYSTEM32\drivers\avgntmgr.sys><AVIRA GmbH>
    [D-Link DFE-538TX 10/100 Adapter NT Driver / DLKRTS][Running/Manual Start]
      <System32\DRIVERS\DLKRTS.SYS><D-Link Corporation>
    [dmboot / dmboot][Stopped/Disabled]
      <System32\drivers\dmboot.sys><VERITAS Software Corp.>
    [Logical Disk Manager Driver / dmio][Running/Boot Start]
      <\SystemRoot\System32\drivers\dmio.sys><VERITAS Software Corp.>
    [dmload / dmload][Running/Boot Start]
      <\SystemRoot\System32\drivers\dmload.sys><VERITAS Software Corp.>
    [gmer / gmer][Stopped/Manual Start]
      <System32\DRIVERS\gmer.sys><GMER>
    [nv / nv][Running/Manual Start]
      <System32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>
    [Creative WebCam Vista / P1100BVD][Stopped/Manual Start]
      <System32\DRIVERS\P1100bVd.sys><Creative Technology Ltd.>
    [Creative PD1100B HAL Service / P1100B_CT_CDI][Running/Auto Start]
      <System32\DRIVERS\P1100bCd.sys><Creative Technology Ltd.>
    [Direct Parallel Link Driver / Ptilink][Running/Manual Start]
      <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
    [PxHelp20 / PxHelp20][Running/Boot Start]
      <\SystemRoot\System32\Drivers\PxHelp20.sys><Sonic Solutions>
    [Service for AC'97 Sample Driver (WDM) / SiS7012][Running/Manual Start]
      <system32\drivers\sis7012.sys><Silicon Integrated Systems Corporation>
    [Spy Sweeper File System Filer Driver: 0509 / SSFS0509][Running/Boot Start]
      <\SystemRoot\SYSTEM32\Drivers\SSFS0509.SYS><Webroot Software Inc (www.webroot.com)>
    [Spy Sweeper Hookrack MiniDriver / SSHRMD][Running/Boot Start]
      <\SystemRoot\SYSTEM32\Drivers\SSHRMD.SYS><Webroot Software Inc (www.webroot.com)>
    [Spy Sweeper Interdiction Driver / SSIDRV][Running/Boot Start]
      <\SystemRoot\SYSTEM32\Drivers\SSIDRV.SYS><Webroot Software Inc (www.webroot.com)>
    [Webroot Spy Sweeper Keylogger Shield Keyboard Filter / SSKBFD][Running/Manual Start]
      <System32\Drivers\sskbfd.sys><Webroot Software Inc (www.webroot.com)>
    [World Standard Teletext Codec / WSTCODEC][Stopped/Manual Start]
      <System32\DRIVERS\WSTCODEC.SYS><Microsoft Corporation>
    
    ==================================
    Browser Add-ons
    [Megaupload Toolbar]
      {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} <C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL, MegaUpload>
    [ST]
      {9394EDE7-C8B5-483E-8773-474BF36AF6E4} <C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll, Microsoft Corporation>
    [MSNToolBandBHO]
      {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} <C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll, Microsoft Corporation>
    [MSN]
      {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} <C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll, Microsoft Corporation>
    [Megaupload Toolbar]
      {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} <C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL, MegaUpload>
    [BDSCANONLINE Control]
      {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} <C:\WINNT\DOWNLO~1\CONFLICT.1\oscan8.ocx, SOFTWIN>
    [HouseCall Control]
      {74D05D43-3236-11D4-BDCD-00C04F9A3B61} <C:\WINNT\DOWNLO~1\xscan53.ocx, N/A>
    [Java Plug-in 1.5.0_03]
      {8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll, Sun Microsystems, Inc.>
    [ActiveScan Installer Class]
      {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} <C:\WINNT\Downloaded Program Files\asinst.dll, N/A>
    [a-squared Scanner]
      {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} <C:\WINNT\DOWNLO~1\asquared.ocx, N/A>
    [Java Plug-in 1.5.0_03]
      {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll, Sun Microsystems, Inc.>
    [Shockwave Flash Object]
      {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINNT\System32\Macromed\Flash\Flash9b.ocx, Adobe Systems, Inc.>
    
    ==================================
    Running Processes
    [PID: 136][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.00.2170.1]
    [PID: 160][\??\C:\WINNT\system32\csrss.exe]  [Microsoft Corporation, 5.00.2137.1]
    [PID: 180][\??\C:\WINNT\system32\winlogon.exe]  [Microsoft Corporation, 5.00.2182.1]
        [C:\WINNT\system32\wdmaud.drv]  [Microsoft Corporation, 5.00.2147.1]
        [C:\WINNT\system32\msacm32.drv]  [Microsoft Corporation, 5.00.2134.1]
    [PID: 208][C:\WINNT\system32\services.exe]  [Microsoft Corporation, 5.00.2134.1]
        [C:\WINNT\system32\dmserver.dll]  [VERITAS Software Corp., 2191.1.296.2]
    [PID: 796][C:\WINNT\Explorer.exe]  [Microsoft Corporation, 5.00.2920.0000]
        [C:\WINNT\System32\wdmaud.drv]  [Microsoft Corporation, 5.00.2147.1]
        [C:\WINNT\System32\msacm32.drv]  [Microsoft Corporation, 5.00.2134.1]
        [C:\Program Files\WinRAR\rarext.dll]  [N/A, ]
        [C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll]  [H+BEDV Datentechnik GmbH, 7.00.00.04]
        [C:\Program Files\AntiVir PersonalEdition Classic\MFC71U.DLL]  [Microsoft Corporation, 7.10.3077.0]
        [C:\Program Files\AntiVir PersonalEdition Classic\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
        [C:\Program Files\AntiVir PersonalEdition Classic\MSVCP71.dll]  [Microsoft Corporation, 7.10.3077.0]
        [C:\WINNT\System32\nvshell.dll]  [NVIDIA Corporation, 6.14.10.10525]
        [C:\WINNT\System32\msadp32.acm]  [Microsoft Corporation, 5.00.2134.1]
    [PID: 1076][C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe]  [Avira GmbH, 7.00.02.01]
        [C:\Program Files\AntiVir PersonalEdition Classic\MFC71U.DLL]  [Microsoft Corporation, 7.10.3077.0]
        [C:\Program Files\AntiVir PersonalEdition Classic\MSVCR71.dll]  [Microsoft Corporation, 7.10.3052.4]
        [C:\Program Files\AntiVir PersonalEdition Classic\avgcmxp.dll]  [Avira GmbH, 7.00.02.00]
        [C:\Program Files\AntiVir PersonalEdition Classic\AVWINLL.DLL]  [Avira GmbH, 1.00.00.06]
    [PID: 1096][C:\Program Files\NEC-Mitsubishi\Brightness Controller\BrightnessController.exe]  [NEC-Mitsubishi Display Electronics America Inc., 1, 0, 0, 0]
    [PID: 800][C:\Program Files\Internet Explorer\iexplore.exe]  [Microsoft Corporation, 6.00.2800.1106]
        [C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll]  [Microsoft Corporation, 01.02.5000.1021]
        [C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\mtbres.dll]  [Microsoft Corporation, 01.02.5000.1021]
        [C:\WINNT\System32\msxml3.dll]  [Microsoft Corporation, 8.30.9926.0]
        [C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL]  [MegaUpload, 5.0.25]
        [C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll]  [Microsoft Corporation, 01.02.3000.1001]
        [C:\Program Files\Microsoft Office\Office10\msohev.dll]  [Microsoft Corporation, 10.0.2609]
        [C:\WINNT\System32\wdmaud.drv]  [Microsoft Corporation, 5.00.2147.1]
        [C:\WINNT\System32\msacm32.drv]  [Microsoft Corporation, 5.00.2134.1]
        [C:\WINNT\System32\msadp32.acm]  [Microsoft Corporation, 5.00.2134.1]
    [PID: 696][C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe]  [Microsoft Corporation, 01.02.3000.1001]
        [C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\au_util.dll]  [Microsoft Corporation, 01.02.3000.1001]
        [C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\TBDwnMgr.dll]  [Microsoft Corporation, 01.02.3000.1001]
        [C:\WINNT\System32\msxml3.dll]  [Microsoft Corporation, 8.30.9926.0]
    [PID: 272][C:\sys\sreng2\SREng.EXE]  [Smallfrogs Studio, 2.4.12.806]
    
    ==================================
    File Associations
    .TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
    .EXE  OK. [ "%1" %*]
    .COM  OK. [ "%1" %*]
    .PIF  OK. [ "%1" %*]
    .REG  OK. [regedit.exe  "%1"]
    .BAT  OK. [ "%1" %*]
    .SCR  OK. [ "%1" /S]
    .CHM  OK. [ "C:\WINNT\hh.exe" %1]
    .HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]
    .INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
    .INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
    .VBS  OK. [%SystemRoot%\System32\WScript.exe  "%1" %*]
    .JS   OK. [%SystemRoot%\System32\WScript.exe  "%1" %*]
    .LNK  OK. [{00021401-0000-0000-C000-000000000046}]
    
    ==================================
    Winsock Provider
    N/A
    
    ==================================
    Autorun.Inf
    N/A
    
    ==================================
    HOSTS File
    127.0.0.1       localhost
    
    ==================================
    API HOOK
    N/A
    
    ==================================
    Hidden Process
    N/A
    
    ==================================
    
    
    
     
    z4u,
    #36
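The "File Associations" section of the SREng log above shows OK against every extension because each shell open command still equals the Windows default. The check matters because malware that rewrites exefile\shell\open\command to something like "C:\path\to\itself" "%1" %* is launched every time the user runs any program, which is also why such a hijack survives deleting the autorun entries. The following Python, added here as an example and not SREng's code or anything posted in the thread, parses those lines, compares every command with the defaults SREng reported as OK on this Windows 2000 machine, and explains a mismatch. The hijacked .EXE line in the sample is constructed for illustration and C:\WINNT\hijack.exe is a made-up name.

```python
r"""Audit the shell open commands SREng lists under "File Associations".

Added example, not SREng's code or anything posted in the thread. EXPECTED holds
the commands SREng reported as OK on the Windows 2000 box above; the hijacked
.EXE line in SAMPLE is constructed and C:\WINNT\hijack.exe is a made-up name.
"""
import re

# Default open commands per extension (%1 = the file opened, %* = its arguments).
EXPECTED = {
    ".txt": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
    ".exe": r'"%1" %*',
    ".com": r'"%1" %*',
    ".pif": r'"%1" %*',
    ".bat": r'"%1" %*',
    ".reg": r'regedit.exe "%1"',
    ".scr": r'"%1" /S',
    ".chm": r'"C:\WINNT\hh.exe" %1',      # %SystemRoot% is C:\WINNT on this machine
    ".hlp": r"%SystemRoot%\System32\winhlp32.exe %1",
    ".ini": r"%SystemRoot%\System32\NOTEPAD.EXE %1",
    ".inf": r"%SystemRoot%\System32\NOTEPAD.EXE %1",
    ".vbs": r'%SystemRoot%\System32\WScript.exe "%1" %*',
    ".js":  r'%SystemRoot%\System32\WScript.exe "%1" %*',
    ".lnk": "{00021401-0000-0000-C000-000000000046}",   # shortcut handler CLSID, not a command
}
# Types where a foreign program placed in front of %1 intercepts every launch.
LAUNCH_TYPES = {".exe", ".com", ".pif", ".bat", ".scr"}

# '.EXE  OK. [ "%1" %*]'  ->  ('.EXE', ' "%1" %*')
SRENG_LINE = re.compile(r"^\s*(\.\w+)\s+\S+\s+\[(.*)\]\s*$")

# Constructed sample: the OK lines from the thread's log plus one hijacked .EXE line.
SAMPLE = r"""
File Associations
.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE  OK. [ "C:\WINNT\hijack.exe" "%1" %*]
.COM  OK. [ "%1" %*]
.REG  OK. [regedit.exe  "%1"]
.SCR  OK. [ "%1" /S]
.CHM  OK. [ "C:\WINNT\hh.exe" %1]
.VBS  OK. [%SystemRoot%\System32\WScript.exe  "%1" %*]
.LNK  OK. [{00021401-0000-0000-C000-000000000046}]
"""


def normalise(cmd):
    """Collapse whitespace and case so cosmetic differences do not raise alarms."""
    return " ".join(cmd.split()).lower()


def check_association(ext, command):
    """None when the command is the default for ext, otherwise a reason string."""
    ext = ext.lower()
    expected = EXPECTED.get(ext)
    if expected is None:
        return "no known default for %s" % ext
    got = normalise(command)
    if got == normalise(expected):
        return None
    # Something other than "%1" at the front of a launch type runs before the real program.
    if ext in LAUNCH_TYPES and "%1" in got and not got.startswith('"%1"'):
        wrapper = got.split('"%1"')[0].strip() or got
        return "hijacked: %s is run before the real program (expected %s)" % (wrapper, expected)
    return "unexpected command %r (expected %r)" % (command.strip(), expected)


def parse_sreng_associations(text):
    """(extension, command) pairs from an SREng File Associations block."""
    pairs = []
    for line in text.splitlines():
        m = SRENG_LINE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def audit(text):
    """Extensions whose open command deviates from the default, keyed to the reason."""
    findings = {}
    for ext, cmd in parse_sreng_associations(text):
        reason = check_association(ext, cmd)
        if reason:
            findings[ext] = reason
    return findings


if __name__ == "__main__":
    for ext, reason in audit(SAMPLE).items():
        print("%s: %s" % (ext, reason))
```

On the constructed sample only .EXE is reported, with the wrapper program named, while the cosmetic differences in the real log (double spaces, the leading space inside the brackets, mixed case) are ignored. Repairing a hijacked association is a registry edit of the same kind as the .reg merges in this thread, but it belongs under HKEY_CLASSES_ROOT\exefile\shell\open\command rather than under the Run key.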
  18. 2007/03/17
    Blender

    Hi,

    Excellent :)

    SREng log is clean. Is the system still running well?

    Please post one more HijackThis log.

    Thanks

    Tammy
     
  19. 2007/03/18
    z4u

    z4u Inactive Thread Starter

    Joined:
    2003/07/08
    Messages:
    350
    Likes Received:
    0
    Thanks a lot Blender for giving your time and help to clean the Hell virus :D
    Here is my latest HijackThis log
    Logfile of HijackThis v1.99.1
    Scan saved at 8:38:01 AM, on 3/19/2007
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINNT\System32\CafeAgent.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wwSecure.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\NEC-Mitsubishi\Brightness Controller\BrightnessController.exe
    C:\HijackThis.exe

    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [CafeAgent] "C:\WINNT\System32\cafeagent.exe" /normal
    O4 - HKLM\..\RunServices: [CafeAgent] "C:\WINNT\System32\cafeagent.exe" /normal
    O4 - Startup: Brightness Controller.lnk = C:\Program Files\NEC-Mitsubishi\Brightness Controller\BrightnessController.exe
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C9CDCC56-2E53-4682-9148-35B0714EA563}: NameServer = 192.168.0.1
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: CafeAgent of CafeSuite (CafeAgent) - CafeSuite - C:\WINNT\System32\CafeAgent.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINNT\System32\wwSecure.exe
     
    z4u,
    #38
  20. 2007/03/19
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi,

    Start Hijackthis
    Run system scan only and check:

    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)

    Close all open windows and click "Fix checked", then OK.

    Exit Hijackthis

    Now...

    Get yourself a firewall installed.

    There are a few good free ones out there, and one will go a long way toward protecting you.

    Choose only one of the following and install it.

    Comodo:
    http://www.personalfirewall.comodo.com/

    Zone Alarm:
    http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

    Outpost:
    http://www.agnitum.com/products/outpostfree/download.php

    Sunbelt kerio:
    http://www.sunbelt-software.com/Kerio.cfm

    Understanding and using firewalls:

    http://www.bleepingcomputer.com/tutorials/tutorial60.html

    Once firewall is installed.....

    Head over to Windows Update and get Service Pack 4 installed!
    Without the service packs and updates you leave yourself wide open for future exploits/attacks.

    There will be an update or two before you get SP4 and there will be several after.
    It will take several visits/reboots to get them all.
    Keep at it till they say there are no more.

    http://v4.windowsupdate.microsoft.com/en/default.asp

    I suggest installing this program as well:

    SpywareBlaster <-- this program blocks known bad ActiveX controls and many tracking cookies, and puts many sites in the Restricted zone.
    Install > update > enable all protection.
    Updates are about once a month and are free.

    Install an alternative browser for day-to-day surfing.
    These two are free and have a lot fewer security issues than IE:

    Opera Browser

    FireFox Browser

    Once you have done the above, post me a fresh hijackthis log please.

    Let me know how things are running.
    I'll have some additional suggestions, but let's stick with that for now.

    :)
     
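An added triage helper, not from the thread or from HijackThis itself: this Python script parses lines in the HijackThis log format posted above and flags the same kind of leftover Blender asks to fix, an O3 entry ending in "(no file)", plus autorun entries whose binary sits directly in the Windows directory and O17 DNS settings for manual confirmation. The sample log and its "[example]" O4 entry are constructed for illustration.

```python
import re

# Constructed sample of HijackThis v1.99.1 lines, modelled on the log in this thread.
# The "[example]" O4 entry is a constructed placeholder, not a file from the thread.
SAMPLE_LOG = r"""
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O4 - HKLM\..\Run: [example] C:\WINNT\example_unknown.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9CDCC56-2E53-4682-9148-35B0714EA563}: NameServer = 192.168.0.1
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")          # "O3 - ..." prefix of every entry
EXE_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)  # first drive-letter .exe path
NS_RE = re.compile(r"NameServer = ([\d.,]+)")

# Directories where a legitimate autorun binary rarely lives on its own.
SUSPECT_DIRS = {"c:", "c:\\winnt", "c:\\windows"}

def parent_dir(path):
    """Lower-cased directory part of a Windows path."""
    return path.rsplit("\\", 1)[0].lower()

def triage(log_text):
    """Return (code, severity, reason, line) for each entry worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.groups()
        if body.endswith("(no file)"):
            # Registry still references a toolbar/BHO whose DLL is gone:
            # the leftover removed in this thread with "Fix checked".
            findings.append((code, "warn", "orphaned entry, file missing", line))
        elif code == "O4":
            p = EXE_RE.search(body)
            if p and parent_dir(p.group(1)) in SUSPECT_DIRS:
                findings.append((code, "warn", "autorun binary directly in Windows dir or drive root", line))
        elif code == "O17":
            ns = NS_RE.search(body)
            if ns:
                servers = ns.group(1).split(",")
                findings.append((code, "info", "DNS servers %s: confirm they belong to your router/ISP" % servers, line))
    return findings

if __name__ == "__main__":
    for code, sev, reason, line in triage(SAMPLE_LOG):
        print("[%s] %s: %s\n    %s" % (sev, code, reason, line))
```

Entries that only reference RUNDLL32 or another bare program name without a drive letter are not path-checked; the script is a first pass, not a replacement for reading the log.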