E:\WINDOWS\system32\winsys16_061230.dll

  #1 (permalink)  
01-11-2007, 08:51 AM
nawtyboy (D-A-L Newbie, Join Date: Nov 2007, Posts: 3)
E:\WINDOWS\system32\winsys16_061230.dll

ComboFix 07-11-01.1 - Administrator 2007-11-01 12:46:40.1 - FAT32x86

Running from: E:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\WINDOWS\mywinsys.ini
E:\WINDOWS\system32\AlxRes061230.exe
E:\WINDOWS\system32\scrsys061230.scr
E:\WINDOWS\system32\scrsys16_061230.scr
E:\WINDOWS\system32\xydzyh.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\Indexingbox


((((((((((((((((((((((((( Files Created from 2007-10-01 to 2007-11-01 )))))))))))))))))))))))))))))))
.

2007-11-01 11:22 <DIR> d-------- E:\Program Files\Spyware Doctor
2007-11-01 11:22 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\TEMP
2007-11-01 11:22 <DIR> d-------- E:\Documents and Settings\Administrator\Application Data\PC Tools
2007-11-01 11:22 626,688 --a------ E:\WINDOWS\system32\msvcr80.dll
2007-11-01 11:22 499,712 --a------ E:\WINDOWS\system32\msvcp71.dll
2007-11-01 11:22 348,160 --a------ E:\WINDOWS\system32\msvcr71.dll
2007-11-01 11:22 79,688 --a------ E:\WINDOWS\system32\drivers\iksyssec.sys
2007-11-01 11:22 62,280 --a------ E:\WINDOWS\system32\drivers\iksysflt.sys
2007-11-01 11:22 41,288 --a------ E:\WINDOWS\system32\drivers\ikfilesec.sys
2007-11-01 11:22 29,000 --a------ E:\WINDOWS\system32\drivers\kcom.sys
2007-11-01 11:03 51,200 --a------ E:\WINDOWS\NirCmd.exe
2007-11-01 10:41 <DIR> d-------- E:\Documents and Settings\Administrator\Application Data\Talkback
2007-11-01 10:41 0 --a------ E:\WINDOWS\nsreg.dat
2007-11-01 10:37 512,096 --a------ E:\WINDOWS\system32\drivers\amon.sys
2007-11-01 10:37 299,392 --a------ E:\WINDOWS\system32\imon.dll
2007-11-01 10:37 15,424 --a------ E:\WINDOWS\system32\drivers\nod32drv.sys
2007-11-01 10:17 <DIR> d-------- E:\Documents and Settings\Administrator\Application Data\Hewlett-Packard
2007-11-01 10:17 82,380 --a------ E:\WINDOWS\system32\drivers\AFS2K.SYS
2007-11-01 10:15 <DIR> d-------- E:\Program Files\Common Files\Hewlett-Packard
2007-11-01 10:15 31,616 --a------ E:\WINDOWS\system32\drivers\usbccgp.sys
2007-11-01 10:15 31,616 --a------ E:\WINDOWS\system32\dllcache\usbccgp.sys
2007-11-01 10:15 15,104 --a------ E:\WINDOWS\system32\drivers\usbscan.sys
2007-11-01 10:15 15,104 --a------ E:\WINDOWS\system32\dllcache\usbscan.sys
2007-11-01 10:14 <DIR> d-------- E:\Program Files\Hewlett-Packard
2007-11-01 10:13 20,724 --a------ E:\WINDOWS\hpoins01.dat
2007-11-01 10:13 16,618 --------- E:\WINDOWS\hpomdl01.dat
2007-11-01 01:41 22,016 --a------ E:\WINDOWS\system32\dllcache\agt0408.dll
2007-11-01 01:41 19,968 --a------ E:\WINDOWS\system32\dllcache\agt040e.dll
2007-11-01 01:41 19,456 --a------ E:\WINDOWS\system32\dllcache\agt041f.dll
2007-11-01 01:41 19,456 --a------ E:\WINDOWS\system32\dllcache\agt0419.dll
2007-11-01 01:41 19,456 --a------ E:\WINDOWS\system32\dllcache\agt0415.dll
2007-11-01 01:41 19,456 --a------ E:\WINDOWS\system32\dllcache\agt0405.dll
2007-11-01 01:41 8,704 --a------ E:\WINDOWS\system32\dllcache\batt.dll
2007-10-31 21:23 17,920 --a------ E:\WINDOWS\system32\mdimon.dll
2007-10-31 21:22 <DIR> d-------- E:\WINDOWS\SHELLNEW
2007-10-31 21:22 <DIR> d-------- E:\Program Files\Symbian OS Tools
2007-10-31 21:22 <DIR> d-------- E:\Program Files\SignSIS-GUI
2007-10-31 21:22 <DIR> d-------- E:\Program Files\Microsoft.NET
2007-10-31 21:22 <DIR> d-------- E:\Program Files\Microsoft ActiveSync
2007-10-31 21:22 <DIR> d-------- E:\Program Files\Common Files\Symbian
2007-10-31 21:19 <DIR> d-------- E:\Program Files\Yahoo!
2007-10-31 21:19 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-31 21:11 <DIR> d-------- E:\Program Files\Java
2007-10-31 21:11 <DIR> d-------- E:\Program Files\Common Files\Java
2007-10-31 21:09 <DIR> d-------- E:\Program Files\Codec Pack - All In 1
2007-10-31 21:09 737,280 --a------ E:\WINDOWS\iun6002.exe
2007-10-31 21:06 <DIR> d-------- E:\Program Files\TATA Indicom Web Accelerator
2007-10-31 21:06 86,016 --a------ E:\WINDOWS\system32\sliprt.dll
2007-10-31 21:02 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\WinZip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-31 15:35 502,272 ----a-w E:\WINDOWS\system32\winlogon.exe
2007-10-31 15:29 --------- d-----w E:\Program Files\D-Link
2007-10-31 15:27 --------- d-----w E:\Program Files\Netropa
2007-10-31 15:27 --------- d-----w E:\Program Files\iBall
2007-10-31 15:22 --------- d-----w E:\Program Files\Analog Devices
2007-10-31 15:20 --------- d--h--w E:\Program Files\InstallShield Installation Information
2007-10-31 15:20 --------- d-----w E:\Program Files\Intel
2007-10-31 15:20 --------- d-----w E:\Program Files\Common Files\InstallShield
2007-10-31 15:02 --------- d-----w E:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="E:\Program Files\Analog Devices\SoundMAX\Smtray.exe" [2002-06-26 17:36]
"IgfxTray"="E:\WINDOWS\system32\igfxtray.exe" [2002-09-09 00:18]
"HotKeysCmds"="E:\WINDOWS\system32\hkcmd.exe" [2002-09-09 00:05]
"IMONTRAY"="C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe" [2002-09-19 17:33]
"LWBMOUSE"="E:\Program Files\iBall\2.2\LWBWHEEL.exe" [2002-09-05 10:47]
"MULTIMEDIA KEYBOARD"="E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2001-11-08 23:10]
"SlipStream"="E:\Program Files\TATA Indicom Web Accelerator\TATA_Indicom_Accelerator.exe" [2006-04-06 04:53]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"CoolSwitch"="E:\WINDOWS\system32\taskswitch.exe" [2002-03-19 17:30]
"nod32kui"="E:\Program Files\Eset\nod32kui.exe" [2007-11-01 10:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hpoddt01.exe.lnk - E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2002-12-02 2010]
hp psc 1000 series.lnk - E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 21:08:34]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
DcomLaunch DcomLaunch

.
Contents of the 'Scheduled Tasks' folder
"2007-11-01 04:47:54 E:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1193892449.job"
- E:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 12:49:13
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-01 12:49:44 - machine was rebooted
.
--- E O F ---


My virus is deleted?

I dunno, but Spyware Doctor is still saying there is some adware in my PC, and it removes it, but when I scan again it still shows.
  #2 (permalink)  
01-11-2007, 08:58 AM
nawtyboy (D-A-L Newbie, Join Date: Nov 2007, Posts: 3)
Re: E:\WINDOWS\system32\winsys16_061230.dll

And one more thing.....

I cannot create a restore point.....

Why is that so?
  #3 (permalink)  
01-11-2007, 09:56 PM
Neal (Senior Member, Join Date: Sep 2005, Posts: 5,524)
Re: E:\WINDOWS\system32\winsys16_061230.dll

In my signature is a link to HijackThis. Click it, and when the new page comes up, scroll down to HijackThis, follow the instructions there, and copy/paste a copy of the HijackThis log back here. Thanks.
__________________
Stalking and killing Spyware

Have we helped you? Please consider a donation to help keep D-A-L free. Click on donate below



MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis Log __V2.0.2 _|




ASAP: promoting a high standard and quality of security support no matter where you seek help.

  #4 (permalink)  
02-11-2007, 09:35 AM
nawtyboy (D-A-L Newbie, Join Date: Nov 2007, Posts: 3)
Re: E:\WINDOWS\system32\winsys16_061230.dll

Thanks for the reply, mate....


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:06:36 PM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
E:\Program Files\Analog Devices\SoundMAX\Smtray.exe
E:\WINDOWS\system32\igfxtray.exe
E:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
E:\Program Files\iBall\2.2\LWBWHEEL.exe
E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
E:\Program Files\TATA Indicom Web Accelerator\TATA_Indicom_Accelerator.exe
E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
E:\WINDOWS\system32\taskswitch.exe
E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
E:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
E:\Program Files\Netropa\Onscreen Display\OSD.exe
E:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
E:\Program Files\TATA Indicom Web Accelerator\TIWAgui.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\system32\taskmgr.exe
E:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - E:\Program Files\TATA Indicom Web Accelerator\PBHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: TATA Indicom Web Accelerator - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - E:\Program Files\TATA Indicom Web Accelerator\Toolband.dll
O4 - HKLM\..\Run: [Smapp] E:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IgfxTray] E:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [LWBMOUSE] E:\Program Files\iBall\2.2\LWBWHEEL.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] E:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [SlipStream] "E:\Program Files\TATA Indicom Web Accelerator\TATA_Indicom_Accelerator.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [CoolSwitch] E:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: Add to Anti-Banner - E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Show All Original Images - res://E:\Program Files\TATA Indicom Web Accelerator\gui_resource.dll/327
O8 - Extra context menu item: Show Original Image - res://E:\Program Files\TATA Indicom Web Accelerator\gui_resource.dll/328
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - AppInit_DLLs: E:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - E:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: OESH (Office Source Engine Help) - Unknown owner - E:\Program.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - E:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - E:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5330 bytes
  #5 (permalink)  
02-11-2007, 06:51 PM
Neal (Senior Member, Join Date: Sep 2005, Posts: 5,524)
Re: E:\WINDOWS\system32\winsys16_061230.dll

Thanks for that,


Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All.
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services, then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads, the Fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
  • Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
All times are GMT +1.