Problem with my internet connection

Post by Alexm200 » May 19th, 2008, 8:02 pm

Hello,
For a few days now my internet connection shortcut on my desktop doesn't work. I browsed my internet connections and I saw it was somehow gone and now I can't create it again. At the same time this happened I think my antivirus found a virus. Here is my log; if you could look at it and tell me if something is wrong I would be grateful. Thanks in advance.
------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:18 μμ, on 19/5/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.otenet.gr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.otenet.gr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OTEnet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Γραμμή Συντομεύσεων του Microsoft Office.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.otenet.gr/
O17 - HKLM\System\CCS\Services\Tcpip\..\{98BA8F23-8F21-4319-9112-0C7780467233}: NameServer = 195.170.0.2
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avg7Alrt - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\1\svchost.exe
O23 - Service: Avg7UpdSvc - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: ClipSrv - Unknown owner - C:\WINDOWS\system32\clipsrv.exe (file missing)
O23 - Service: ImapiService - Unknown owner - C:\WINDOWS\System32\imapi.exe (file missing)
O23 - Service: mnmsrvc - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe (file missing)
O23 - Service: Συντονισμός κατανεμημένων συναλλαγών (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe
O23 - Service: NetDDE - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: NetDDEdsdm - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RasMan - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\1\svchost.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE

--
End of file - 4860 bytes
Alexm200
Regular Member
 
Posts: 19
Joined: May 19th, 2008, 7:46 pm

Re: Problem with my internet connection

Post by Carolyn » May 24th, 2008, 3:04 pm

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please reply to this thread, do not start another.
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.

As I am still in training, everything that I post to you must be checked by one of the teachers. Thus, there may be a bit of a delay between posts, but it shouldn't be too long.

If you follow these instructions, everything should go smoothly.

We are currently looking at your log and will be back as soon as possible with your instructions.
While you are waiting, one other thing that can be of good use is an uninstall list, so please do the following:

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
Carolyn
MRU Emeritus
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Problem with my internet connection

Post by Carolyn » May 24th, 2008, 7:11 pm

Hello,

  1. Please download this tool from Microsoft.
  2. Double click on MGADiag.exe to run it.
  3. Click Continue.
  4. The program will run. It takes a while to finish the diagnosis, please be patient.
  5. Once done, click on Copy.
  6. Open Notepad and paste the contents in. Save this file and post it in your next reply along with a fresh HijackThis log.
Carolyn
MRU Emeritus
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Problem with my internet connection

Post by Alexm200 » May 26th, 2008, 8:21 am

Here is the uninstall list:

Ad-Aware 2007
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
AVG 7.5
AVI Codec Pack
CCleaner (remove only)
Concord WinFax Plugin v3.0
Conexant ACF External PnP v92 Data Fax Voice Modem
HijackThis 2.0.2
HP Software Update
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Microsoft Office 97 Professional
Mozilla Firefox (1.5)
Nero 7 Essentials
NetWaiting
Photosmart 140,240,7200,7600,7700,7900 Series
PowerDVD
Spybot - Search & Destroy 1.4
Syberia
Symantec pcAnywhere
Symantec WinFax PRO
Video CD HP
Windows Live Messenger
Windows Media Format Runtime
Αυτόματος Μεταφραστής SYSTRAN Personal 4 της MLS

You may not understand the last program because it's in my language (Greek). It means "Automatic translator SYSTRAN Personal 4 of MLS".
________________________________________________________________________________________________________________________________________________________
Here are the results from Microsoft Genuine Advantage Diagnostics tool:


Diagnostic Report (1.7.0095.0):
-----------------------------------------
WGA Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-X46VX-FY3H3-GQXXT
Windows Product Key Hash: odfcJtzg0MoE7hVJ0rlKtbnAIC8=
Windows Product ID: 55916-OEM-2215371-96506
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010100.0.0.pro
CSVLK Server: N/A
CSVLK PID: N/A
ID: {E3CD9DE8-2D52-4EE1-87FB-9445CBEECD44}(3)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1_63BB5E84-896-80004005_E2AD56EA-101-8009_E2AD56EA-102-2ee7_BB5C1257-54-80004005_BB5C1257-59-80040203_78155E4D-290-80040203
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\PROGRA~1\MOZILL~1\FIREFOX.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control:
Active scripting:
Script ActiveX controls marked as safe for scripting:

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{E3CD9DE8-2D52-4EE1-87FB-9445CBEECD44}</UGUID><Version>1.7.0095.0</Version><OS>5.1.2600.2.00010100.0.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-GQXXT</PKey><PID>55916-OEM-2215371-96506</PID><PIDType>3</PIDType><SID>S-1-5-21-527237240-1383384898-725345543</SID><SYSTEM><Manufacturer>GBT___</Manufacturer><Model>AWRDACPI</Model></SYSTEM><BIOS><Manufacturer>Award Software International, Inc.</Manufacturer><Version>6.00 PG</Version><SMBIOSVersion major="2" minor="3"/><Date>20020916******.******+***</Date></BIOS><HWID>8F32348F0184A063</HWID><UserLCID>0408</UserLCID><SystemLCID>0408</SystemLCID><TimeZone>Χειμερινή ώρα GTB(GMT+02:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><BRT/></MachineData>
<Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
___________________________________________________________________________________________________________________________________________________________
When I pressed "Continue" I received the following message from AVG:

Threat Detected!
While opening file: C:\DOCUME~1\user\LOCALS~1\Temp\1\svchost.exe
Trojan horse Generic10.KED

I pressed the "Heal" button from the options AVG gave beneath and I received a message that the object was healed successfully. I closed the MGADiag tool, then I reran it without receiving the same message and saved the results.
___________________________________________________________________________________________________________________________________________________________
Here is the fresh Hijackthis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:30 μμ, on 26/5/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.otenet.gr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.otenet.gr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OTEnet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Γραμμή Συντομεύσεων του Microsoft Office.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.otenet.gr/
O17 - HKLM\System\CCS\Services\Tcpip\..\{98BA8F23-8F21-4319-9112-0C7780467233}: NameServer = 195.170.0.2
O23 - Service: aawservice - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\1\svchost.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ClipSrv - Unknown owner - C:\WINDOWS\system32\clipsrv.exe (file missing)
O23 - Service: ImapiService - Unknown owner - C:\WINDOWS\System32\imapi.exe (file missing)
O23 - Service: mnmsrvc - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe (file missing)
O23 - Service: Συντονισμός κατανεμημένων συναλλαγών (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe
O23 - Service: NetDDE - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: NetDDEdsdm - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RasMan - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\1\svchost.exe (file missing)
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE

--
End of file - 4885 bytes
___________________________________________________________________________________________________________________________________________________________
When hijackthis was doing the scan I received another similar message from AVG:

Threat detected!
While opening file: C:\WINDOWS\system32\msdtc.exe
Trojan horse Generic10.KED

I didn't press anything (e.g. Heal or Ignore) as the message disappeared by the time I wrote it down.

Finally I want to mention that before doing all the above I tried to install AVG 8.0, so I uninstalled AVG 7.5, but when I ran the setup file of AVG 8.0 I got a message that the install could not be made because the system requirements could not be met or something like that (I don't remember exactly). So I installed AVG 7.5 again.
Also I use a memory stick to copy files to this computer I am now on in order to send them, because the infected computer cannot connect to the internet (it only has a 56k modem, but it has this problem that I mentioned in the first post). That's why AVG and the other programs are not up to date right now. But if any update is required (which I think will be) I can find the update file and put it on using the memory stick.
Thanks for the time you spend for this! Your help is really appreciated!
Alexm200
Regular Member
 
Posts: 19
Joined: May 19th, 2008, 7:46 pm
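The two HijackThis logs in this thread (the first post and the fresh log above) tell the story in their O23 lines: on 19 May the RasMan and Avg7Alrt services point at a svchost.exe under the user's Temp folder, and after AVG's "Heal" the Avg7Alrt entry is back on the real AVG binary while aawservice and RasMan still point at the now-deleted file. RasMan is the Remote Access Connection Manager, the service that dial-up connections depend on, which fits the missing connection shortcut. The script below is an added example written for this page, not code from MalwareRemoval.com or from either poster: it parses O23 lines, flags services whose image path looks hijacked, and diffs the two scans. The sample lines are excerpts copied from the logs above; the hijack heuristics (a service binary under a user profile or Temp directory, or an svchost.exe outside System32) are my own assumptions, and a System32 path reported as "file missing" on its own is deliberately not treated as a hijack, because HijackThis 2.0.2 reports several stock XP services that way.

```python
"""Triage HijackThis O23 (service) entries and diff two scans.

Added example for this thread, not code from the original posts. The
sample lines are excerpts copied from the two logs posted above; the
"looks hijacked" heuristics are my own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# O23 - Service: <display name> [(<short name>)] - <owner> - <image path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
SYSTEM32 = "c:\\windows\\system32"


@dataclass(frozen=True)
class Service:
    name: str      # short service name if HijackThis shows one, else the display name
    owner: str     # company from the file's version info, or "Unknown owner"
    path: str      # ImagePath as reported by HijackThis
    missing: bool  # HijackThis could not find the file on disk


def parse_o23(log: str) -> dict[str, Service]:
    """Return the O23 entries of a HijackThis log keyed by service name."""
    services: dict[str, Service] = {}
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            name = m.group("short") or m.group("display")
            services[name] = Service(name, m.group("owner"), m.group("path"),
                                     m.group("missing") is not None)
    return services


def hijack_reasons(svc: Service) -> list[str]:
    """Why an entry looks hijacked; an empty list means nothing suspicious."""
    p = svc.path.lower()
    folder, _, exe = p.rpartition("\\")
    reasons: list[str] = []
    if "\\temp\\" in p or p.startswith(("c:\\docume~1\\", "c:\\documents and settings\\")):
        reasons.append("image path under a user profile or Temp directory")
    if exe == "svchost.exe" and folder != SYSTEM32:
        reasons.append("svchost.exe outside System32")
    # Only meaningful next to a path finding: many stock XP services show
    # "Unknown owner" or "file missing" in HijackThis 2.0.2 and are fine.
    if reasons and svc.owner == "Unknown owner":
        reasons.append("no publisher in the file's version info")
    if reasons and svc.missing:
        reasons.append("file missing (dead entry, service cannot start)")
    return reasons


def triage(log: str) -> dict[str, list[str]]:
    """Map each suspicious service name to the reasons it was flagged."""
    result: dict[str, list[str]] = {}
    for name, svc in parse_o23(log).items():
        reasons = hijack_reasons(svc)
        if reasons:
            result[name] = reasons
    return result


def describe(svc: Service | None) -> str | None:
    return None if svc is None else svc.path + (" (file missing)" if svc.missing else "")


def diff_services(before: dict[str, Service],
                  after: dict[str, Service]) -> dict[str, tuple[str | None, str | None]]:
    """Services whose image path or on-disk presence changed between two scans."""
    changes: dict[str, tuple[str | None, str | None]] = {}
    for name in sorted(set(before) | set(after), key=str.lower):
        b, a = describe(before.get(name)), describe(after.get(name))
        if b != a:
            changes[name] = (b, a)
    return changes


# Constructed excerpts of the 19 May and 26 May logs posted in this thread.
LOG_MAY19 = r"""
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avg7Alrt - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\1\svchost.exe
O23 - Service: Avg7UpdSvc - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: ClipSrv - Unknown owner - C:\WINDOWS\system32\clipsrv.exe (file missing)
O23 - Service: RasMan - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\1\svchost.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
"""
LOG_MAY26 = r"""
O23 - Service: aawservice - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\1\svchost.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ClipSrv - Unknown owner - C:\WINDOWS\system32\clipsrv.exe (file missing)
O23 - Service: RasMan - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\1\svchost.exe (file missing)
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
"""

if __name__ == "__main__":
    for name, reasons in triage(LOG_MAY19).items():
        print(f"19 May  {name}: {'; '.join(reasons)}")
    for name, (b, a) in diff_services(parse_o23(LOG_MAY19), parse_o23(LOG_MAY26)).items():
        print(f"changed {name}: {b} -> {a}")
```

Run with no arguments to print the flagged services of the first log and what changed between the two scans. A flagged entry is only a lead: on the live machine the next step is to read the service's ImagePath under HKLM\SYSTEM\CurrentControlSet\Services\<name> and compare it with the path Windows ships for that service, then repair or delete the service rather than just deleting the file, since a "file missing" entry for RasMan leaves dial-up broken.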

Re: Problem with my internet connection

Post by Carolyn » May 27th, 2008, 7:14 am

Have you recently re-installed Windows XP? I see that there are no Service Packs installed and Windows XP has not been validated.

As long as you are not connected to the internet, you need not worry about your malware protection being outdated. When you are able to re-establish your connection to the internet, make certain that Windows Firewall is turned on and your Anti-virus software is enabled.
At that point you should update your virus definitions.


I will instruct you how and when to install Service Packs. Please do not try to do so before then.


Let's begin to clean this computer:

Please download Malwarebytes' Anti-Malware and save it to a convenient location.
  1. Double click on mbam-setup.exe to install it.
  2. Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
      Update Malwarebytes' Anti-Malware
      Launch Malwarebytes' Anti-Malware
  3. Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
  4. Select the Scanner tab. Click on Perform full scan, then click on Scan.
  5. Leave the default options as they are and click on Start Scan.
  6. When done, you will be prompted. Click OK, then click on Show Results.
  7. Check (tick) all items and click on Remove Selected.
  8. After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.


Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.


Please post the Malwarebytes' Anti-Malware log along with the contents of main.txt and extra.txt.
Carolyn
MRU Emeritus
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Problem with my internet connection

Post by Alexm200 » May 28th, 2008, 8:51 am

The Windows installation is a bit old; it was made around 2002-3 and none of the service packs were installed. I have the Windows CD and it doesn't include any service pack. Also Windows has not been updated since then, as it doesn't have a decent connection to the internet. As for the validation, I don't know exactly why it wasn't done.

Here is the malwarebytes' anti-malware log:

Malwarebytes' Anti-Malware 1.12
Database version: 722

Scan type: Full Scan (C:\|)
Objects scanned: 65652
Time elapsed: 18 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\System32\divxrs.dll (Rootkit.Agent) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\virtualdns.virtualdnsobj (Adware.WebDir) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{86c510e9-97ef-4749-914f-0280247be3a6} (Adware.WebDir) -> No action taken.
HKEY_CLASSES_ROOT\virtualdns.virtualdnsobj.1 (Adware.WebDir) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{1f63b171-e2f3-4362-a484-8563144d62e6} (Adware.WebDir) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{143414d1-c324-4d6f-9756-5075d9a4a485} (Adware.WebDir) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\divxrs (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dprot (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\dprot (Rootkit.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dprot (Rootkit.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\VirtualDNS.dll (Adware.WebDir) -> No action taken.
C:\WINDOWS\System32\divxrs.dll (Rootkit.Agent) -> No action taken.
C:\WINDOWS\System32\dprot.sys (Rootkit.Agent) -> No action taken.
_______________________________________________________________________________________________________
I could not update Malwarebytes' Anti-Malware since the computer has no internet and I couldn't find any update file in order to patch it, so I ran it without updating.

Also I received the following message from AVG during the scan:

Threat detected!
While opening file: C:\System Volume Information\-restore{..-a lot of letters-..}\RP260\A0037336.exe
Trojan horse Generic10.KED

and also the same message while opening C:\WINDOWS\system32\msdtc.exe
_______________________________________________________________________________________________________

Here are the two logs from Deckard's system scanner:

main.txt:

Deckard's System Scanner v20071014.68
Run by user on 2008-05-28 15:04:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
35: 2008-05-28 12:04:05 UTC - RP282 - Deckard's System Scanner Restore Point
34: 2008-05-26 10:33:29 UTC - RP281 - Installed AVG 7.5
33: 2008-05-21 09:08:25 UTC - RP280 - Σημείο ελέγχου συστήματος
32: 2008-05-20 08:54:59 UTC - RP279 - Installed AVG 7.5
31: 2008-05-20 08:53:47 UTC - RP278 - Removed AVG 7.5


-- First Restore Point --
1: 2008-02-28 07:13:20 UTC - RP248 - Σημείο ελέγχου συστήματος


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:04:32 μμ, on 28/5/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\user\Επιφάνεια εργασίας\dss.exe
C:\HIJACK~1\user.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.otenet.gr/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.otenet.gr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OTEnet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Γραμμή Συντομεύσεων του Microsoft Office.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.otenet.gr/
O17 - HKLM\System\CCS\Services\Tcpip\..\{98BA8F23-8F21-4319-9112-0C7780467233}: NameServer = 195.170.0.2
O23 - Service: aawservice - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\1\svchost.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ClipSrv - Unknown owner - C:\WINDOWS\system32\clipsrv.exe (file missing)
O23 - Service: ImapiService - Unknown owner - C:\WINDOWS\System32\imapi.exe (file missing)
O23 - Service: mnmsrvc - Unknown owner - C:\WINDOWS\System32\mnmsrvc.exe (file missing)
O23 - Service: Συντονισμός κατανεμημένων συναλλαγών (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe
O23 - Service: NetDDE - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: NetDDEdsdm - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RasMan - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\1\svchost.exe (file missing)
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE

--
End of file - 4932 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 AFS2K - c:\windows\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>
R1 prodrv04 (HDEA S0220 @@@@ @@@@@@@@@@ @@@@@@ @@) - c:\windows\system32\drivers\prodrv04.sys <Not Verified; Protection Technology Co.; Star Force copy protection>
R2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys <Not Verified; Conexant; Diagnostic Interface>

S3 acfva - c:\windows\system32\drivers\acfva.sys <Not Verified; CONEXANT; Windows 2K/XP ACF Value-added driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 wfxsvc (WinFax PRO) - c:\windows\system32\wfxsvc.exe <Not Verified; Symantec Corporation; Symantec WinFax PRO>

S2 aawservice - c:\docume~1\user\locals~1\temp\1\svchost.exe (file missing)
S3 ClipSrv - c:\windows\system32\clipsrv.exe (file missing)
S3 ImapiService - c:\windows\system32\imapi.exe (file missing)
S3 mnmsrvc - c:\windows\system32\mnmsrvc.exe (file missing)
S3 NetDDE - c:\windows\system32\netdde.exe (file missing)
S3 NetDDEdsdm - c:\windows\system32\netdde.exe (file missing)
S3 RasMan - c:\docume~1\user\locals~1\temp\1\svchost.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-28 and 2008-05-28 -----------------------------

2008-05-28 14:35:09 0 d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-05-28 14:35:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-28 14:35:03 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-26 13:39:43 0 dr-h----- C:\$VAULT$.AVG
2008-05-26 13:37:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-05-26 13:36:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-05-26 13:34:07 0 d-------- C:\Documents and Settings\user\Application Data\AVG7
2008-05-26 13:34:01 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-05-26 13:33:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-22 14:07:42 0 d-------- C:\Program Files\Lavasoft
2008-05-22 13:56:19 0 dr-h----- C:\Documents and Settings\user\Recent
2008-05-20 11:54:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-19 12:08:45 0 d-------- C:\hijackthis
2008-05-19 12:03:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-14 11:02:22 0 d-------- C:\otenetmp
2008-04-30 15:58:00 0 d-------- C:\Program Files\NetWaiting
2008-04-30 15:56:23 12074 -ra------ C:\WINDOWS\System32\hsfinst.dll <Not Verified; Conexant Systems; SoftK56>
2008-04-30 15:56:15 81920 --a------ C:\WINDOWS\System32\mdmxsdk.dll <Not Verified; Conexant; Diagnostic Interface>
2008-04-30 15:56:15 11683 --a------ C:\WINDOWS\System32\drivers\mdmxsdk.sys <Not Verified; Conexant; Diagnostic Interface>
2008-04-30 15:56:15 51168 --a------ C:\WINDOWS\System32\drivers\acfva.sys <Not Verified; CONEXANT; Windows 2K/XP ACF Value-added driver>
2008-04-30 15:56:14 495616 --a------ C:\WINDOWS\System32\drivers\UIUSetup.exe <Not Verified; Conexant Systems, Inc.; Conexant Universal Device Install/Uninstall Application>
2008-04-30 15:55:45 0 d-------- C:\WINDOWS\UnModem
2008-04-30 15:45:11 0 d-------- C:\WINDOWS\IIS Temporary Compressed Files
2008-04-30 15:43:08 0 d---s---- C:\WINDOWS\System32\Microsoft
2008-04-30 15:43:07 0 d-------- C:\WINDOWS\System32\Cache
2008-04-30 15:42:35 0 d-------- C:\Inetpub
2008-04-30 15:42:20 0 d-------- C:\WINDOWS\System32\Logfiles


-- Find3M Report ---------------------------------------------------------------

2008-05-28 14:58:32 0 --a------ C:\WINDOWS\System32\k86.bin
2008-05-19 12:02:30 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-14 11:38:21 456302 --a------ C:\WINDOWS\System32\perfh008.dat
2008-05-14 11:38:21 80050 --a------ C:\WINDOWS\System32\perfc008.dat
2008-04-30 16:12:13 0 d-------- C:\Program Files\CCleaner
2008-04-30 15:58:00 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-30 15:56:52 0 d-------- C:\Program Files\RS232 Modem
2008-04-15 11:18:32 7 --a------ C:\WINDOWS\System32\ngxt.bin
2008-04-11 13:23:50 14336 --a------ C:\WINDOWS\System32\msdtc.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [21/03/2002 05:23 §£ C:\WINDOWS\SOUNDMAN.EXE]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [26/07/2003 12:14 §£]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [21/08/2003 07:23 §£]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [25/06/2003 11:24 §£]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [21/08/2003 07:15 §£]
"WFXSwtch"="C:\PROGRA~1\WinFax\WFXSWTCH.exe" [12/12/2002 03:45 ££]
"WinFaxAppPortStarter"="wfxsnt40.exe" [12/12/2002 03:45 ££ C:\WINDOWS\system32\WFXSNT40.EXE]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [12/01/2006 05:40 ££]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [02/11/2004 09:24 ££]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [26/05/2008 01:33 ££]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [27/11/2001 03:00 ££]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [01/06/2006 02:32 ££]

C:\Documents and Settings\user\Start Menu\¨¦š¨α££˜«˜\„΅΅ε¤ž©ž\
‚¨˜££γ ‘¬¤«¦£œη©œΰ¤ «¦¬ Microsoft Office.Lnk [28/7/2006 4:31:38 ££]

C:\Documents and Settings\All Users\Start Menu\¨¦š¨α££˜«˜\„΅΅ε¤ž©ž\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [19/10/2006 1:15:40 ££]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Program Files\WinFax\WfxSeh32.Dll [27/07/1998 04:54 §£ 38400]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dprot.sys]
@="Driver"




-- End of Deckard's System Scanner: finished at 2008-05-28 15:05:52 ------------

_______________________________________________________________________________________________________

extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600)
Architecture: X86; Language: Other (0408) - see http://preview.tinyurl.com/mhhp6

CPU 0: Intel(R) Pentium(R) 4 CPU 2.40GHz
Percentage of Memory in Use: 32%
Physical Memory (total/avail): 767.49 MiB / 517.09 MiB
Pagefile Memory (total/avail): 1878.63 MiB / 1664.62 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1941.78 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.26 GiB total, 15.94 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Removable (No Media)
G: is Removable (FAT32)

\\.\PHYSICALDRIVE0 - WDC WD400JB-00ENA0 - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Σύστημα αρχείων προς εγκατάσταση - 37.26 GiB - C:

\\.\PHYSICALDRIVE1 - HP photosmart 7700 USB Device

\\.\PHYSICALDRIVE2 - Sony Storage Media USB Device - 494.19 MiB - 1 partition
\PARTITION0 - FAT των 16 bit - 500 MiB



-- Security Center -------------------------------------------------------------

AUState says computer is in an unknown state.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\user\Application Data
CLIENTNAME=Console
CNVPATH=C:\Program Files\Systran_En\4_0\PersonalWOI\Dicts
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=GRAMMATIA
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\user
LOGONSERVER=\\GRAMMATIA
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Symantec\pcAnywhere\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\user\LOCALS~1\Temp
TMP=C:\DOCUME~1\user\LOCALS~1\Temp
USERDOMAIN=GRAMMATIA
USERNAME=user
USERPROFILE=C:\Documents and Settings\user
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

user (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Αυτόματος Μεταφραστής SYSTRAN Personal 4 της MLS --> C:\WINDOWS\unvise32.exe C:\Program Files\Systran_En\4_0\PersonalWOI\uninstal.log
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVI Codec Pack --> C:\Program Files\AVI Codec Pack\uninstall.exe
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Concord WinFax Plugin v3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1008475-75B2-4475-B98C-51FAE8B62960}\setup.exe"
Conexant ACF External PnP v92 Data Fax Voice Modem --> C:\Program Files\InstallShield Installation Information\{207DD102-9883-416E-8F9B-4A4197AE9B09}\setup.exe deinst -removeonly
HijackThis 2.0.2 --> "C:\hijackthis\HijackThis.exe" /uninstall
HP Software Update --> MsiExec.exe /X{D43BB532-3537-4CE9-9CBB-92533BD29F0C}
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 1.80 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office 97 Professional --> C:\Program Files\Microsoft Office\Office\Setup\Acme.exe /w Off97Pro.STF
Mozilla Firefox (1.5) --> C:\Program Files\Mozilla Firefox\uninstall\uninstall.exe /ua "1.5 (el)"
Nero 7 Essentials --> MsiExec.exe /I{11EED87A-E30F-4B09-890B-586E58A51032}
NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x8 ControlPanelAnyText
Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Syberia --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\Syberia\Uninstall\setup.exe" -l0x9
Symantec pcAnywhere --> MsiExec.exe /I{C05E8183-866A-11D3-97DF-0000F8D8F2E9}
Symantec WinFax PRO --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\WinFax\WFXUNIST.ISU" -c"C:\Program Files\WinFax\UNINSTUB.DLL"
Video CD HP --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
Windows Live Messenger --> MsiExec.exe /I{39CD7D93-BF66-4B8F-9A9C-560A1F939A0E}


-- Application Event Log -------------------------------------------------------

Event Record #/Type3638 / Error
Event Submitted/Written: 05/26/2008 01:39:37 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Κρεμασμένη εφαρμογή MGADiag.exe, έκδοση 1.7.95.0, στοιχείο ελέγχου κρεμάσματος hungapp, έκδοση 0.0.0.0, διεύθυνση κρεμάσματος 0x00000000.

Event Record #/Type3637 / Error
Event Submitted/Written: 05/26/2008 01:37:45 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Κρεμασμένη εφαρμογή MGADiag.exe, έκδοση 1.7.95.0, στοιχείο ελέγχου κρεμάσματος hungapp, έκδοση 0.0.0.0, διεύθυνση κρεμάσματος 0x00000000.

Event Record #/Type3635 / Error
Event Submitted/Written: 05/26/2008 01:01:48 PM
Event ID/Source: 1000 / Windows Live Messenger
Event Description:
msnmsgr.exe8.1.178.045b12d6antdll.dll5.1.2600.03c02cf8300000254c

Event Record #/Type3634 / Error
Event Submitted/Written: 05/26/2008 00:59:17 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Κρεμασμένη εφαρμογή msnmsgr.exe, έκδοση 8.1.178.0, στοιχείο ελέγχου κρεμάσματος hungapp, έκδοση 0.0.0.0, διεύθυνση κρεμάσματος 0x00000000.

Event Record #/Type3571 / Error
Event Submitted/Written: 04/30/2008 03:43:30 PM
Event ID/Source: 4691 / COM+
Event Description:
Δεν ήταν δυνατό να προετοιμαστεί το περιβάλλον χρόνου εκτέλεσης για συναλλαγές που απαιτούνται για την υποστήριξη στοιχείων συναλλαγής. Βεβαιωθείτε ότι η υπηρεσία MS-DTC εκτελείται.(DtcGetTransactionManagerEx(): hr = 0x8004d01b)



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3488 / Error
Event Submitted/Written: 05/28/2008 03:04:35 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
Δεν ήταν δυνατή η εκκίνηση της υπηρεσίας RasMan εξαιτίας του ακόλουθου σφάλματος:
%%3

Event Record #/Type3487 / Error
Event Submitted/Written: 05/28/2008 03:01:29 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
Δεν ήταν δυνατή η εκκίνηση της υπηρεσίας RasMan εξαιτίας του ακόλουθου σφάλματος:
%%2

Event Record #/Type3486 / Error
Event Submitted/Written: 05/28/2008 03:01:29 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
Δεν ήταν δυνατή η εκκίνηση της υπηρεσίας RasMan εξαιτίας του ακόλουθου σφάλματος:
%%2

Event Record #/Type3485 / Error
Event Submitted/Written: 05/28/2008 03:01:04 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
Δεν ήταν δυνατή η εκκίνηση της υπηρεσίας RasMan εξαιτίας του ακόλουθου σφάλματος:
%%2

Event Record #/Type3471 / Error
Event Submitted/Written: 05/28/2008 03:00:38 PM
Event ID/Source: 29 / W32Time
Event Description:
Η υπηρεσία παροχής χρόνου NtpClient έχει ρυθμιστεί να λαμβάνει ώρα από μία ή
περισσότερες προελεύσεις χρόνου, ωστόσο αυτή τη στιγμή δεν είναι προσπελάσιμη
καμία από αυτές.
Δεν θα γίνει καμία προσπάθεια επικοινωνίας με κάποια προέλευση χρόνου
για 14 λεπτά.
Ο NtpClient δεν έχει προέλευση ακριβούς ώρας.



-- End of Deckard's System Scanner: finished at 2008-05-28 15:05:52 ------------
Alexm200
Regular Member
 
Posts: 19
Joined: May 19th, 2008, 7:46 pm
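Added example, written here for this thread and not part of HijackThis, Deckard's System Scanner or the forum's tools: a Python triage of the service lines in the log above. It parses both the HijackThis O23 format and the DSS R/S service format and flags the entries a responder would check first, such as the RasMan and aawservice services whose image is an svchost.exe under the user's Temp folder that no longer exists. RasMan is the Remote Access Connection Manager, so the Event ID 7000 start failures in the System Event Log above are consistent with a connection that has stopped working.

```python
"""Triage of the service entries in a HijackThis / Deckard's System Scanner log.

Added example, not part of the thread or of either tool. It parses the two
service-line formats in the log above ("O23 - Service:" from HijackThis and
"R2/S2/S3 name - path" from DSS) and flags what a responder checks first: an
image under a Temp directory, an svchost.exe that is not the one in System32,
a missing image file, and an entry with no publisher.
"""
import ntpath
import re
from dataclasses import dataclass, field

# SystemRoot as reported in the log's environment variables (C:\WINDOWS).
SYSTEM_ROOT = r"c:\windows"

# HijackThis: O23 - Service: <display> - <owner> - <path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# DSS: <R|S><0-4> <name>[ (<display>)] - <path>[ <sig>][ (file missing)]
DSS_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>\S+)(?: \((?P<display>[^)]*)\))?"
    r" - (?P<path>.+?)(?: <(?P<sig>[^>]*)>)?(?P<missing> \(file missing\))?$"
)
TEMP_DIR_RE = re.compile(r"\\te?mp\\", re.I)  # "\Temp\" or "\tmp\" in the image path


@dataclass
class ServiceEntry:
    name: str
    path: str
    owner: str = ""
    missing: bool = False
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        """True only when a HIGH finding (a hijack indicator) is present."""
        return any(f.startswith("HIGH") for f in self.findings)


def parse_service_line(line: str):
    """Return a ServiceEntry for an O23 or DSS service line, else None."""
    line = line.strip()
    m = O23_RE.match(line)
    if m:
        return ServiceEntry(m["name"], m["path"], m["owner"], bool(m["missing"]))
    m = DSS_RE.match(line)
    if m:
        # DSS writes "<Not Verified; Publisher; Description>"; field 2 is the publisher.
        fields = [f.strip() for f in (m["sig"] or "").split(";")]
        owner = fields[1] if len(fields) > 1 else ""
        return ServiceEntry(m["name"], m["path"], owner, bool(m["missing"]))
    return None


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach findings to an entry; HIGH ones are the hijack indicators."""
    low = entry.path.lower()
    image, folder = ntpath.basename(low), ntpath.dirname(low)
    if TEMP_DIR_RE.search(low):
        entry.findings.append("HIGH: service image lives under a Temp directory")
    if image == "svchost.exe" and folder != SYSTEM_ROOT + r"\system32":
        entry.findings.append("HIGH: svchost.exe outside System32")
    if entry.missing:
        entry.findings.append("LOW: image file missing")
    if entry.owner.lower() == "unknown owner":
        entry.findings.append("LOW: no publisher information")
    return entry


def triage_log(text: str) -> list:
    """Parse every service line in a log and return the triaged entries."""
    entries = (parse_service_line(line) for line in text.splitlines())
    return [triage(e) for e in entries if e is not None]


# Constructed sample: the service lines from the log posted above, plus one
# ordinary "(file missing)" system service (ClipSrv) for contrast.
SAMPLE_LOG = r"""
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RasMan - Unknown owner - C:\DOCUME~1\user\LOCALS~1\Temp\1\svchost.exe (file missing)
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
R2 wfxsvc (WinFax PRO) - c:\windows\system32\wfxsvc.exe <Not Verified; Symantec Corporation; Symantec WinFax PRO>
S2 aawservice - c:\docume~1\user\locals~1\temp\1\svchost.exe (file missing)
S3 ClipSrv - c:\windows\system32\clipsrv.exe (file missing)
S3 RasMan - c:\docume~1\user\locals~1\temp\1\svchost.exe (file missing)
"""

if __name__ == "__main__":
    for e in filter(lambda e: e.findings, triage_log(SAMPLE_LOG)):
        print(e.name, e.path, *e.findings, sep="\n    ")
```

A "(file missing)" flag on its own is only LOW because several stock XP services appear that way in DSS output; the combination of a Temp-folder path and a misplaced svchost.exe is what separates the RasMan and aawservice entries from the rest.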

Re: Problem with my internet connection

Unread postby Carolyn » May 28th, 2008, 1:55 pm

Hello,

Your computer has multiple infections, including a rootkit. A rootkit is a set of software tools intended for concealing running processes, files or system data from the operating system.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

DO NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its rootkit functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

What are rootkits from Wikipedia
Why are rootkits dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups


Please let me know what you decide to do.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Problem with my internet connection

Unread postby Alexm200 » May 31st, 2008, 6:56 am

I have decided to reformat the hard drive and reinstall Windows as it is recommended. I will also try to install the service packs. Any other suggestions how to keep the computer safe would be really appreciated. And could you not close the topic please in case I need to ask something else? It won't take me long.

Question: Do you know if I can download the service packs or do I need to buy them?
Alexm200
Regular Member
 
Posts: 19
Joined: May 19th, 2008, 7:46 pm

Re: Problem with my internet connection

Unread postby Carolyn » June 2nd, 2008, 7:25 am

Hello,

I will keep this thread open and do my best to answer your questions. However, if I do not hear from you for 5 days, I will close the thread.

Service Packs can be downloaded from the Microsoft Website or you can order them on CD for a very nominal fee ($3.99 US for example).
If you are going to download the Service Pack(s), you should do so from a clean computer before you begin to format/reinstall. That way you can install them before you connect to the internet.

You should begin by installing Service Pack 2, which can be downloaded or ordered from HERE.

Microsoft recently released Service Pack 3 which includes everything from the earlier Service Packs and Updates.
Microsoft recommends that you have Service Pack 2 installed before installing SP3 and SP1 is required as a minimum for the installation of SP3 - in other words, you should start by installing SP2.

Important Notes:
  • Do not install Service Pack 3 if you have an HP or Compaq computer that is equipped with an AMD processor.
  • SP3 has to be installed before Symantec programs are installed or you risk serious problems. Uninstall any Symantec products before installing SP3.
  • SP3 has to be installed before upgrading to Internet Explorer 7. Make sure you're running IE 6 before installing SP3.
Service Pack 3 can be downloaded or ordered from HERE.

If you do not have an HP or Compaq computer with an AMD processor, then we strongly recommend that you install SP3.

Another suggestion: Formatting and reinstalling Windows is fairly involved. If you feel at all uncomfortable with the process you might do well to post requesting assistance from this bleepingcomputer.com forum Windows XP Home and Professional. They are more experienced than I am when it comes to dealing with general computer issues. They really know their stuff. :)


Here is a link with information that will be helpful: Reformatting Windows by wng_z3r0

Here are some important points to keep in mind before you begin this process:

Some Re-installation Notes (taken from When should I re-format? How should I reinstall?)

* Be sure to back up all data before re-formatting the computer's hard drive. This includes address books, documents, music, settings, saved games, and anything else not obsolete.

The re-format process will wipe the computer's hard drive clean, destroying all data and programs.

* PCs are made so they can be reformatted. But sometimes, especially with major brand-name computers, there are special procedures that require reading the manual, visiting the manufacturer's website, or, if the manufacturer has gone out of business, searching on http://www.google.com.

Some computers have the BIOS or re-installation software in small partitions on the hard drive.

- Do not re-partition the hard drive without carefully consulting the maker's manual and website.
- Check on the use of any partition, other than C:, before re-formatting it.

* Some computers require special drivers which are downloadable from the computer manufacturer's or vendor's website or device manufacturer's website. Use an uninfected computer to download these files to diskettes or a CD, and print out the installation instructions, in advance.

* Gather together the CDs, diskettes, and Internet addresses required to re-install the software.

* Since you should avoid searching the web until your computer is fully secured, it is a good idea to download any programs you will need to secure your computer prior to re-formatting. Use an uninfected computer to do this.

* Physically unplug the computer from the Internet before re-formatting.

* Leave the computer physically disconnected (unplugged) from the Internet until it is protected by a firewall (ICF, a NAT router, or other hardware or software firewall).

If the computer has a wireless card, remove or shield the card so that the computer cannot connect to any access points.

* An unpatched computer without proper firewall protection can be infected within seconds of being connected to the Internet.

The computer must be protected by a hardware firewall, NAT router, or a software firewall before plugging it back in to the internet or you can be infected in a few seconds.

* When installing from a Windows XP SP2 CD, the installation will default to having the Windows XP SP2 Firewall activated, so the hazard is greatly reduced. With earlier service packs of Windows XP and earlier versions of Windows, you must manually turn on a firewall.




After your computer is back up and running with all of the Service Packs and Updates installed, here are some steps that can help you to keep your computer safe from malware:
  • Turn System Restore on
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Uncheck *Turn off System Restore*.
    • Click Apply, and then click OK.
    Note: only do this once, and not on a regular basis


  • Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under Hidden files and folders if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check Display content of system folders
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK


  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

  • Install and use a firewall with outbound protection
    The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.

  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.

  • Make Internet Explorer More Secure
    Upgrade to Internet Explorer 7, then please read and follow the recommendations at this SITE


Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.

  • SpywareBlaster
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.

  • Malwarebytes' Anti-Malware
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start. You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.

  • Hosts File
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.

    Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
    If this isn't done first, the next reboot may take a VERY LONG TIME.
    This is how to do it. First be sure you are signed in as a user with administrative privileges:
    Stop and Disable the DNS Client Service
    Go to Start, Run and type Services.msc and click OK.
    Under the Extended Tab, Scroll down and find this service.
    DNS Client
    Right-Click on the DNS Client Service. Choose Properties
    Select the General tab. Click on the Stop button.
    Click the Arrow-down tab on the right-hand side at the Start-up Type box.
    From the drop-down menu, click on Manual
    Click the Apply tab, then click OK



  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
    Firefox
    Opera


Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Problem with my internet connection

Unread postby Carolyn » June 6th, 2008, 11:24 am

It's been several days. Are you still in need of assistance?
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Problem with my internet connection

Unread postby Alexm200 » June 8th, 2008, 1:50 pm

No I am ok. I will make the reformat tomorrow morning! I think I won't have any problem. Sorry that I kept you waiting. Thank you very much for your help! :) You are great!
Alexm200
Regular Member
 
Posts: 19
Joined: May 19th, 2008, 7:46 pm

Re: Problem with my internet connection

Unread postby Carolyn » June 9th, 2008, 9:47 am

Okay. Good luck with the reformat. :)
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Problem with my internet connection

Unread postby Elrond » June 15th, 2008, 9:09 am

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem