skywatcher Posted February 14, 2009 Report Share Posted February 14, 2009 hi sarah,thanks for your message. just to remind you in case you are looking at this a while later. you helped with a previous problem, and you thought that my computer would always be vulnerable as it runs win2000p. it was clean for a month or more with just the occasional warning bubble, but the last few days they have become more frequent and this evening i got quite an avalanche of them. so here is my hijack this log. thanks in advance,malcolmlog follows.....................Logfile of Trend Micro HijackThis v2.0.2Scan saved at 23:10:09, on 14/02/2009Platform: Windows 2000 SP4 (WinNT 5.00.2195)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Boot mode: NormalRunning processes:C:\WINNT\System32\smss.exeC:\WINNT\system32\winlogon.exeC:\WINNT\system32\services.exeC:\WINNT\system32\lsass.exeC:\WINNT\system32\svchost.exeC:\WINNT\system32\spoolsv.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\Program Files\Alwil Software\Avast4\aswUpdSv.exeC:\Program Files\Alwil Software\Avast4\ashServ.exeC:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exeC:\WINNT\System32\svchost.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINNT\system32\mabidwe.exeC:\WINNT\System32\nvsvc32.exeC:\WINNT\system32\regsvc.exeC:\WINNT\system32\stisvc.exeC:\WINNT\System32\WBEM\WinMgmt.exeC:\WINNT\system32\mspmspsv.exeC:\WINNT\system32\svchost.exeC:\WINNT\Explorer.EXEC:\Program Files\Alwil Software\Avast4\ashWebSv.exeC:\Program Files\Alwil Software\Avast4\ashMaiSv.exeC:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeC:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\iTunes\iTunesHelper.exeC:\WINNT\system32\internat.exeC:\WINNT\system32\RUNDLL32.EXEC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\Sony Ericsson\Mobile\audevicemgr.exeC:\Program Files\WinZip\WZQKPICK.EXEC:\Program Files\LimeWire\LimeWire.exeC:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXEc:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\mRouterRuntime.exeC:\WINNT\system32\rundll32.exeC:\Program Files\Outlook Express\msimn.exeC:\Program Files\Internet Explorer\iexplore.exeC:\WINNT\DOWNLO~1\Manager.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocxO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logonO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exeO4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startupO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKCU\..\Run: [internat.exe] internat.exeO4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInitO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exeO4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXEO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXEO4 - Global Startup: Phone Connection Monitor.lnk = C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exeO4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXEO12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dllO16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1231600798538O16 - DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} (ContactExtractor Class) - http://www.facebook.com/controls/contactx.dllO16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/...tiveXPlugin.cabO23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exeO23 - Service: afisicx Service (afisicx) - Unknown owner - C:\WINNT\system32\afisicx.exeO23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exeO23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exeO23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exeO23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exeO23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exeO23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exeO23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\WINNT\system32\mabidwe.exeO23 - Service: Networks - GlobalSCAPE Texas, LP - C:\WINNT\system32\nets.dllO23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINNT\system32\noytcyr.exe (file missing)O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exeO23 - Service: roytctm Service (roytctm) - Unknown owner - C:\WINNT\system32\roytctm.exe (file missing)O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\WINNT\system32\soxpeca.exe (file missing)O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\WINNT\system32\tdydowkc.exe (file missing)O23 - Service: wsldoekd Service (wsldoekd) - Unknown owner - C:\WINNT\system32\wsldoekd.exe (file missing)--End of file - 8030 bytes Quote Link to post Share on other sites
skywatcher Posted February 19, 2009 Author Report Share Posted February 19, 2009 i forgot to apply email notification so this is just to add that for if or when someone is able to look at my post. thanks.malcolm Quote Link to post Share on other sites
therock247uk Posted February 24, 2009 Report Share Posted February 24, 2009 Please download Malwarebytes' Anti-Malware from Here or HereDouble Click mbam-setup.exe to install the application.Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.If an update is found, it will download and install the latest version.Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly. Quote Link to post Share on other sites
skywatcher Posted February 24, 2009 Author Report Share Posted February 24, 2009 all done! there were losts of nasties in there. here is the log. thanks, malcolmMalwarebytes' Anti-Malware 1.34Database version: 1799Windows 5.0.2195 Service Pack 424/02/2009 22:22:18mbam-log-2009-02-24 (22-22-18).txtScan type: Quick ScanObjects scanned: 71169Time elapsed: 7 minute(s), 39 second(s)Memory Processes Infected: 2Memory Modules Infected: 0Registry Keys Infected: 21Registry Values Infected: 1Registry Data Items Infected: 1Folders Infected: 0Files Infected: 16Memory Processes Infected:C:\WINNT\system32\mabidwe.exe (Trojan.Agent) -> Unloaded process successfully.C:\WINNT\system32\soxpeca.exe (Backdoor.Bot) -> Unloaded process successfully.Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mabidwe (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdydowkc (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wsldoekd (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\noytcyr (Backdoor.Bot) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\roytctm (Backdoor.Bot) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\soxpeca (Backdoor.Bot) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\soxpeca (Backdoor.Bot) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\soxpeca (Backdoor.Bot) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\noytcyr (Backdoor.Bot) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\noytcyr (Backdoor.Bot) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\roytctm (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\roytctm (Trojan.Agent) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer (Backdoor.Bot) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_CLASSES_ROOT\txtfile\shell\open\command\ (Hijack.Notepad) -> Bad: ("C:\WINNT\system32\nxtepad.exe" "%1") Good: (notepad.exe %1) -> Quarantined and deleted successfully.Folders Infected:(No malicious items detected)Files Infected:C:\qn.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\V6J9MIGB\w[1].bin (Trojan.DNSChanger) -> Quarantined and deleted successfully.C:\WINNT\system32\afisicx.exe (Trojan.Agent) -> Delete on reboot.C:\WINNT\system32\mabidwe.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINNT\system32\tdydowkc.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINNT\system32\wsldoekd.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINNT\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINNT\system32\msrstart.exe (Backdoor.Bot) -> Quarantined and deleted successfully.C:\WINNT\system32\nxtepad.exe (Backdoor.Bot) -> Quarantined and deleted successfully.C:\WINNT\system32\o.exe (Backdoor.Bot) -> Quarantined and deleted successfully.C:\WINNT\system32\umtcdtw.sys (Backdoor.Bot) -> Quarantined and deleted successfully.C:\WINNT\system32\soxpeca.exe (Backdoor.Bot) -> Quarantined and deleted successfully.C:\WINNT\system32\noytcyr.exe (Backdoor.Bot) -> Quarantined and deleted successfully.C:\WINNT\system32\udxfytw.sys (Backdoor.Bot) -> Quarantined and deleted successfully.C:\WINNT\system32\tpszxyd.sys (Backdoor.Bot) -> Quarantined and deleted successfully.C:\WINNT\system32\roytctm.exe (Trojan.Agent) -> Quarantined and deleted successfully. Quote Link to post Share on other sites
therock247uk Posted February 24, 2009 Report Share Posted February 24, 2009 Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.Download SDFix and save it to your Desktop.Double click SDFix.exe and it will extract the files to %systemdrive%(Drive that contains the Windows Directory, typically C:\SDFix)Please then reboot your computer in Safe Mode by doing the following :Restart your computerAfter hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;Instead of Windows loading as normal, the Advanced Options Menu should appear;Select the first option, to run Windows in Safe Mode, then press Enter.Choose your usual account. Open the extracted SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. Press any Key and it will restart the PC. When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt(Report.txt will also be copied to Clipboard ready for posting back on the forum). Finally paste the contents of the Report.txt back on the forum. Quote Link to post Share on other sites
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.