

Author Topic: Is this really a virus?  (Read 4029 times)

busted

  • "nothing is impossible" if you search here in espiya.com
  • 2007 Bravehearts
  • Active - Two Stars
  • *
  • Posts: 290
  • Karma -3
  • Gender: Male
  • you can't catch me!! =P
Is this really a virus?
« on: April 10, 2007, 11:47:11 am »
My friend's computer seems to have a virus, and we don't know what to do. Maybe you know something.

These keep showing up:

exiplorer.exe

autorun.inf

Effect: the drives can't be opened, and it has an autorun.....

message on startup:
"Promise!" <----dialogue box title

"I am still waiting for the strawberry coming from my baguio! pls... help!"


Please help.

-=Kurabo=-

  • Patience is a Virtue but Time is Gold
  • 2006 Vanguards
  • Active - Top Level
  • *
  • Posts: 5346
  • Karma 48
  • Gender: Male
  • Kurabo
Re: Is this really a virus?
« Reply #1 on: April 10, 2007, 04:16:00 pm »
Same thing with mine, bro.. it says it can't find eixplorer.exe. And my PC keeps restarting every time I play Gunbound and then go on the internet afterwards.. actually, even when it's not Gunbound.. even Ran..

it ain't over. . .till its over

ian_kuLots

  • Citizen
  • Posts: 2
  • Karma 0
Re: Is this really a virus?
« Reply #2 on: April 10, 2007, 06:16:36 pm »
Do you have DSL? If you do, try booting into safe mode with networking. Then press F8 repeatedly after pressing the power button to get to the Windows Advanced Options.
Then run Windows Live OneCare (onecare.live.com) > safety scanner > protection scan to check whether your PC really has a virus/malware. There is also an option to delete the infections after the scan. AVG Anti-Malware (www.ewido.net) also works.

If you're on dial-up, just run your antivirus in safe mode. Also check Add or Remove Programs for any bad applications. You can also go to the System Configuration Utility (Start > Run > type msconfig > OK > Startup tab), or if there's nothing there, go to the registry and check:

HKEY_current_user>software>microsoft>windows>current version> run (or runonce)
HKEY_local_machine>software>microsoft>windows>current version> run (or runonce)

and check the entries there for any malicious ones. Just google them. Hehe..

bodieph

  • Moderator
  • Active - Top Level
  • *
  • Posts: 7202
  • Karma 332
  • Gender: Male
Re: Is this really a virus?
« Reply #3 on: April 11, 2007, 06:15:40 am »
why not post a hijackthis log first, so we can advise you on what to do next. obviously, there is some infection but as to what kind of infection we cannot tell unless we have some idea about your pc (hence the need for a hijackthis log)

tranta

  • Active - Three Stars
  • ***
  • Posts: 412
  • Karma 28
  • Gender: Male
  • jak pauer
Re: Is this really a virus?
« Reply #4 on: April 28, 2007, 12:47:44 pm »
Mine is the same. I already ran HijackThis on it but it's still there. So what I did was reformat. The problem is, when I saved my documents on my aunts' PC, that one got the virus too. One more thing: I tried checking exiplorer.exe in HijackThis and then hit Fix checked. After that I ran Task Manager, and exiplorer.exe was gone for a moment. Then after a few moments I checked Task Manager again and it was back. As for the welcome screen: when the welcome screen comes up, a window comes up along with it. In the title bar it says "Promise?!?!" and then in the sort of text box is the text, "i am still waiting for my strawberries from baguio to come...blah..blah..", and then there's an OK command button. The welcome screen hangs there until you push the "Ok" button. Please help. Task Manager is also disabled on my aunt's PC, so I still can't get back the documents I saved there. I hope this gets solved soon..

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
btw
what does IMO mean, in my opinion?
IMHO, in my honest opinion?

back to the topic..
AVAST didn't detect it
« Last Edit: April 28, 2007, 02:47:09 pm by tranta »

tik..tik..tik..tik

Darklord Imuthis

  • Active - First Star
  • *
  • Posts: 62
  • Karma 1
Re: Is this really a virus?
« Reply #5 on: April 28, 2007, 06:35:21 pm »
You really should just use an antivirus.

jean paul valerio

  • Active - Two Stars
  • **
  • Posts: 182
  • Karma 0
Re: Is this really a virus?
« Reply #6 on: April 28, 2007, 07:31:55 pm »
Looks like autorun files in the root directory are becoming the trend these days.
Hehe. This looks like the one from that guy from Lipa.


TobleRONe

  • 2006 Vanguards
  • Active - Top Level
  • *
  • Posts: 4863
  • Karma 123
  • Gender: Male
Re: Is this really a virus?
« Reply #7 on: April 28, 2007, 08:02:43 pm »
What Windows is your friend using? XP or 98... etc. Anyway, like the post above says, if it's XP, boot it into safe mode with networking. Then scan your PC with programs for spyware or adware. Then scan it with an antivirus. If you're only using the free version of an antivirus, it's not enough; it can't remove all trojans. If you don't have anti-spyware, just search on download.com. Look for Lavasoft Ad-Aware or Webroot Spy Sweeper.

tranta

  • Active - Three Stars
  • ***
  • Posts: 412
  • Karma 28
  • Gender: Male
  • jak pauer
Re: Is this really a virus?
« Reply #8 on: April 29, 2007, 05:31:38 am »
Dudes, there's a problem! Even in safe mode, it still runs. The "promise" window also shows up even in safe mode. Promise. My OS is Windows XP. I'll run HijackThis on the other CPU later so you can check it too.

tik..tik..tik..tik

dubious

  • Pioneer
  • Active - First Star
  • *
  • Posts: 45
  • Karma 1
Re: Is this really a virus?
« Reply #9 on: April 29, 2007, 05:45:26 am »
Because reinstalling is a hassle, what I do with problems like this is put the hard disk in an enclosure, plug it into a clean PC with AV software, clean the infection, then put the HD back.

When you boot, you'll still see messages about missing files. This is expected because your registry hasn't been changed yet, particularly the autorun entries. So delete those entries. Run the registry editor (Start -> Run -> Regedit).

As ian_kuLots said:

HKEY_current_user>software>microsoft>windows>current version> run (or runonce)
HKEY_local_machine>software>microsoft>windows>current version> run (or runonce)

and check the entries there for any malicious ones.

Now, if "regedit" or "msconfig" won't run because the virus or malware may have disabled them too, create a new user account and run regedit or msconfig from there.

And if things in your life have gotten really tangled up because of the Baguio strawberry, you can always reinstall (hassle!)

TobleRONe

  • 2006 Vanguards
  • Active - Top Level
  • *
  • Posts: 4863
  • Karma 123
  • Gender: Male
Re: Is this really a virus?
« Reply #10 on: April 29, 2007, 05:57:55 am »
Go into safe mode again. Look for autorun.ini and delete all of its contents, or check whether there's an entry that shouldn't be there.

Ibilam_pogi

  • A DEMON on espiya hehe
  • Pioneer
  • Active - Top Level
  • *
  • Posts: 1071
  • Karma 3
  • Gender: Male
Re: Is this really a virus?
« Reply #11 on: April 29, 2007, 08:43:16 am »
I think this is Brontok.

You never close your eyes anymore when I kiss your lips.
And there's no tenderness like before in your fingertips.
You're trying hard not to show it, (baby).
But baby, baby I know it...

tranta

  • Active - Three Stars
  • ***
  • Posts: 412
  • Karma 28
  • Gender: Male
  • jak pauer
Re: Is this really a virus?
« Reply #12 on: April 30, 2007, 09:06:16 am »
Here's the logfile from my aunt's computer, which I infected with this Baguio thing.

taskmanager has been disabled by admin. regedit has been disabled by admin.

Logfile of HijackThis v1.99.1
Scan saved at 8:38:10 PM, on 4/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\irdvxc.exe
C:\WINDOWS\System32\urdvxc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\winamp.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\System32\Realtek.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svcchosst.exe
C:\WINDOWS\System32\gcxsvbflf.exe
C:\WINDOWS\System32\fmduhwgu.exe
C:\WINDOWS\System32\tcpipmon.exe
C:\WINDOWS\System32\messengerr.exe
C:\WINDOWS\system32\srvc.exe
C:\WINDOWS\System32\dwuyflofmg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\tcpipmon.exe
C:\WINDOWS\System32\tfvoseqagm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\aspi305464.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\glen\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Realtek Sound Manager] Realtek.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O5 "LPT1:" /M "Stylus C41"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [msvccc66] svcchosst.exe
O4 - HKLM\..\Run: [Service Live] gcxsvbflf.exe
O4 - HKLM\..\Run: [Windows Service DC] fmduhwgu.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [MSN MESSENGER 9.0] messengerr.exe
O4 - HKLM\..\Run: [prosesor] tfvoseqagm.exe
O4 - HKLM\..\Run: [johnj315] C:\WINDOWS\system32\srvc.exe
O4 - HKLM\..\Run: [Microsoft Visual Service] dwuyflofmg.exe
O4 - HKLM\..\RunServices: [msvccc66] svcchosst.exe
O4 - HKLM\..\RunServices: [Windows Service DC] fmduhwgu.exe
O4 - HKLM\..\RunServices: [MSN MESSENGER 9.0] messengerr.exe
O4 - HKLM\..\RunServices: [Microsoft Visual Service] dwuyflofmg.exe
O4 - HKCU\..\Run: [Realtek Sound Manager] Realtek.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Service Live] gcxsvbflf.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Windows Service DC] fmduhwgu.exe
O4 - HKCU\..\Run: [MSN MESSENGER 9.0] messengerr.exe
O4 - HKCU\..\Run: [prosesor] tfvoseqagm.exe
O4 - HKCU\..\Run: [johnj315] C:\WINDOWS\system32\srvc.exe
O4 - HKCU\..\Run: [Microsoft Visual Service] dwuyflofmg.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177786328564
O17 - HKLM\System\CCS\Services\Tcpip\..\{93EF9642-D5AD-4CE1-AB32-EE8AB47C6451}: NameServer = 194.54.90.226
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\System32\aspi305464.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Winamp Service - Unknown owner - C:\WINDOWS\winamp.exe

And this one is from safe mode:

Logfile of HijackThis v1.99.1
Scan saved at 20:23:48, on 14/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\exiplorer.exe
C:\WINDOWS\system32\exiplorer.exe
E:\My Documents\installers\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [WindowNT] c:\WINDOWS\system32\exiplorer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

tik..tik..tik..tik

tranta

  • Active - Three Stars
  • ***
  • Posts: 412
  • Karma 28
  • Gender: Male
  • jak pauer
Re: Is this really a virus?
« Reply #13 on: April 30, 2007, 09:08:57 am »
Mods, sorry, it wouldn't fit in one post.

So, as I said, this PC of mine got infected, so I reformatted it. After that I installed everything I had installers for: printer, Messenger (downloaded again from the internet), RealPlayer, Intel Application Accelerator, Intel Active Monitor, NVIDIA (the video adapter, I think), Nero, MS Office, the sound software, AutoCAD, the software for our digicam, and Acrobat Reader. That's all of them, since they're all on CD, except Messenger. They're all original, I think, except MS Office. Then I also updated RealPlayer. All my other installers, like DivX, HijackThis, anti-virus, blah blah.., are still on my aunt's PC. Since that one is still infected, I decided not to get them yet. Then I tried to update my system to SP2. It wouldn't update. Then what showed up next to the clock, according to the auto-update, was "infected with spyware". Then it downloaded the registry cleaner. And when it had finished scanning, it asked to verify. My Windows XP installer is a fake, so it didn't work. What I kept trying to get it to download was SP2, but it wouldn't. Then I opened Task Manager. Because I open Task Manager and look at the processes so often, I'm fairly acquainted with them, and there were a lot of newcomers.

aspi302344.exe - SYSTEM
cmd.exe - SYSTEM
dwuyflofmg.exe - user
fmhduhwgu.exe - user.
gcxsvbflf.exe - user
irdvxc.exe - SYSTEM
nvsvc32.exe - SYSTEM
Realtek.exe - user
srvc.exe - user
svcchosst.exe - user
tcpipmon.exe - user (its entry appears two times)
tfvoseqagm.exe - user
urdvxc.exe - SYSTEM
winamp.exe - SYSTEM (does Windows come with Winamp? actually bundled? because I didn't install it)

Here's my logfile:

Logfile of HijackThis v1.99.1
Scan saved at 8:38:10 PM, on 4/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\irdvxc.exe
C:\WINDOWS\System32\urdvxc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\winamp.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\System32\Realtek.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svcchosst.exe
C:\WINDOWS\System32\gcxsvbflf.exe
C:\WINDOWS\System32\fmduhwgu.exe
C:\WINDOWS\System32\tcpipmon.exe
C:\WINDOWS\System32\messengerr.exe
C:\WINDOWS\system32\srvc.exe
C:\WINDOWS\System32\dwuyflofmg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\tcpipmon.exe
C:\WINDOWS\System32\tfvoseqagm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\aspi305464.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\glen\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Realtek Sound Manager] Realtek.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O5 "LPT1:" /M "Stylus C41"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [msvccc66] svcchosst.exe
O4 - HKLM\..\Run: [Service Live] gcxsvbflf.exe
O4 - HKLM\..\Run: [Windows Service DC] fmduhwgu.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [MSN MESSENGER 9.0] messengerr.exe
O4 - HKLM\..\Run: [prosesor] tfvoseqagm.exe
O4 - HKLM\..\Run: [johnj315] C:\WINDOWS\system32\srvc.exe
O4 - HKLM\..\Run: [Microsoft Visual Service] dwuyflofmg.exe
O4 - HKLM\..\RunServices: [msvccc66] svcchosst.exe
O4 - HKLM\..\RunServices: [Windows Service DC] fmduhwgu.exe
O4 - HKLM\..\RunServices: [MSN MESSENGER 9.0] messengerr.exe
O4 - HKLM\..\RunServices: [Microsoft Visual Service] dwuyflofmg.exe
O4 - HKCU\..\Run: [Realtek Sound Manager] Realtek.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Service Live] gcxsvbflf.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Windows Service DC] fmduhwgu.exe
O4 - HKCU\..\Run: [MSN MESSENGER 9.0] messengerr.exe
O4 - HKCU\..\Run: [prosesor] tfvoseqagm.exe
O4 - HKCU\..\Run: [johnj315] C:\WINDOWS\system32\srvc.exe
O4 - HKCU\..\Run: [Microsoft Visual Service] dwuyflofmg.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177786328564
O17 - HKLM\System\CCS\Services\Tcpip\..\{93EF9642-D5AD-4CE1-AB32-EE8AB47C6451}: NameServer = 194.54.90.226
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\System32\aspi305464.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Winamp Service - Unknown owner - C:\WINDOWS\winamp.exe

And my logfile while in safe mode:

Logfile of HijackThis v1.99.1
Scan saved at 8:42:48 PM, on 4/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\glen\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Realtek Sound Manager] Realtek.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O5 "LPT1:" /M "Stylus C41"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [msvccc66] svcchosst.exe
O4 - HKLM\..\Run: [Service Live] gcxsvbflf.exe
O4 - HKLM\..\Run: [Windows Service DC] fmduhwgu.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [MSN MESSENGER 9.0] messengerr.exe
O4 - HKLM\..\Run: [prosesor] tfvoseqagm.exe
O4 - HKLM\..\Run: [johnj315] C:\WINDOWS\system32\srvc.exe
O4 - HKLM\..\Run: [Microsoft Visual Service] dwuyflofmg.exe
O4 - HKLM\..\RunServices: [msvccc66] svcchosst.exe
O4 - HKLM\..\RunServices: [Windows Service DC] fmduhwgu.exe
O4 - HKLM\..\RunServices: [MSN MESSENGER 9.0] messengerr.exe
O4 - HKLM\..\RunServices: [Microsoft Visual Service] dwuyflofmg.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177786328564
O17 - HKLM\System\CCS\Services\Tcpip\..\{93EF9642-D5AD-4CE1-AB32-EE8AB47C6451}: NameServer = 194.54.90.226
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\System32\aspi305464.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Winamp Service - Unknown owner - C:\WINDOWS\winamp.exe

Thanks for the quick resolution of my problem!

tik..tik..tik..tik

bodieph

  • Moderator
  • Active - Top Level
  • *
  • Posts: 7202
  • Karma 332
  • Gender: Male
Re: Is this really a virus?
« Reply #14 on: April 30, 2007, 09:31:58 am »
Your first log, that is indeed Brontok.

As for the second, there are entries that are most likely malware.

Check the running processes in safe mode. The ones that aren't there are not Windows defaults. So the ones you saw marked "user" are not Windows defaults. So most likely they are malware (especially those that are in the system folder), since you did not install them yourself.

dwuyflofmg.exe - user
fmhduhwgu.exe - user.
gcxsvbflf.exe - user
srvc.exe - user
svcchosst.exe - user
tcpipmon.exe - user (its entry appears two times)
tfvoseqagm.exe - user

delete the 04 entries in hijackthis and then delete the exe files manually while in safe mode. reboot, get another hijackthis log and let's see if they come back

also try doing a scan using updated anti spyware software
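
An added example, not part of the original posts: the comparison described in Reply #14 (processes that run in normal mode but are absent in safe mode, matched against the O4 autostart entries that launch them), applied to an abridged excerpt of the HijackThis logs posted in this thread. The function names and the System32-only filter are choices made for this example.

```python
import ntpath
import re

# Abridged excerpts of the normal-mode and safe-mode logs posted in the thread.
NORMAL_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Realtek.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\svcchosst.exe
C:\WINDOWS\System32\tcpipmon.exe
C:\WINDOWS\system32\srvc.exe
C:\WINDOWS\System32\tcpipmon.exe

O4 - HKLM\..\Run: [Realtek Sound Manager] Realtek.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [msvccc66] svcchosst.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [johnj315] C:\WINDOWS\system32\srvc.exe
O4 - HKLM\..\RunServices: [msvccc66] svcchosst.exe
O4 - HKCU\..\Run: [johnj315] C:\WINDOWS\system32\srvc.exe
O23 - Service: Winamp Service - Unknown owner - C:\WINDOWS\winamp.exe
"""

SAFE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
"""

SYSTEM_DIR = "c:\\windows\\system32\\"
SECTION_RE = re.compile(r"^[A-Z]\d+ - ")            # R0, O4, O23 ... result lines
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")
EXE_RE = re.compile(r'"?(.+?\.exe)', re.IGNORECASE)  # executable part of a command


def parse_log(text):
    """Return (running process paths, registry autoruns) from a HijackThis log.

    Each autorun is (hive, key, value name, lower-cased executable file name).
    O4 'Global Startup' shortcuts are not registry values and are skipped.
    """
    procs, autoruns, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif SECTION_RE.match(line):
            in_procs = False
            m = O4_RE.match(line)
            exe = EXE_RE.match(m.group(4)) if m else None
            if exe:
                name = ntpath.basename(exe.group(1)).lower()
                autoruns.append((m.group(1), m.group(2), m.group(3), name))
        elif in_procs and line:
            procs.append(line)
    return procs, autoruns


def triage(normal_log, safe_log):
    """Map executable name -> autostart entries for processes that run in
    normal mode from System32, are absent in safe mode, and are started by
    an O4 Run/RunServices value."""
    normal_procs, autoruns = parse_log(normal_log)
    safe_procs, _ = parse_log(safe_log)
    baseline = {p.lower() for p in safe_procs}  # Windows paths: ignore case

    started_by = {}
    for hive, key, name, exe in autoruns:
        started_by.setdefault(exe, []).append(f"{hive}\\{key} [{name}]")

    findings = {}
    for path in normal_procs:
        low = path.lower()
        if low in baseline or not low.startswith(SYSTEM_DIR):
            continue
        exe = ntpath.basename(low)
        if exe in started_by:
            findings[exe] = sorted(set(started_by[exe]))
    return findings


if __name__ == "__main__":
    # Hits are review candidates, not verdicts: vendor tools installed into
    # System32 appear in the list too and still need to be checked one by one.
    for exe, entries in sorted(triage(NORMAL_LOG, SAFE_LOG).items()):
        print(exe, "<-", "; ".join(entries))
```
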

tranta

  • Active - Three Stars
  • ***
  • Posts: 412
  • Karma 28
  • Gender: Male
  • jak pauer
Re: Is this really a virus?
« Reply #15 on: April 30, 2007, 09:37:11 am »
This just in. Boss bodieph, I haven't done what you said yet. My mom is using the PC. She's on Y!Mail. Could it spread to her address book? And the new problem I noticed: every time I search on Yahoo and then try to open a link, I get taken to upspiral.com, which has nothing at all to do with what I was looking for. I'll try doing what you said after this. How do you fix Brontok? Are there threads about it here already? If there are, no need to reply. And my system? How do I upgrade it to SP2? Ty!

tik..tik..tik..tik

tranta

  • Active - Three Stars
  • ***
  • Posts: 412
  • Karma 28
  • Gender: Male
  • jak pauer
Re: Is it really a virus?
« Reply #16 on: May 01, 2007, 02:24:20 am »
here's the logfile after cleaning with avg anti-virus and avg anti-spyware. I couldn't find ewido anymore; it says it has been replaced by this avg anti-spyware. the av found more than 500 problems. all of them were deleted. the spyware scan found about 50++. then I think it was in safe mode that I looked one by one for the exe files that were in taskmgr. I couldn't find them anymore. but after I restarted into normal mode, aspi1785.exe was in task manager again. so I ran hijack again and checked the files in question. I also checked the file-missing, unknown-owner entries because I couldn't find their individual files either. another problem: every time I use a search engine, neteu.com is always first in the list. my plan now is to just reformat my system again, because avg keeps popping up saying a threat was detected, so I heal it right away. what I'm thinking is that whatever this is just keeps coming back. it's annoying because I had just reformatted and the only site I went to was here at ps to download ewido, avg, dr.alex, and cwshredder. what I now use for reformatting is seagate's discwizard. but that might be infected too, so I'll look for a new one. maybe acronis discwizard instead, because seagate says acronis is better. but my problem when reformatting is that the installer might act up again. last time the installation stalled because one file couldn't be copied from the cd, so there. I ended up doing all sorts of things. besides, my installer is a fake, it's scratched, and it's only SP1. hayyyyzzz! I'll post my aunts' one another day. the one with brontok! there's a lot to do at school. I'm taking summer classes. psrulez::

p.s. I think the O12 entry, the one with .spop, is the reason that happens every time I use a search engine. anyway, I checked it and fixed it but it came back.

Logfile of HijackThis v1.99.1
Scan saved at 2:14:18 PM, on 5/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\winamp.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\zel\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O5 "LPT1:" /M "Stylus C41"
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Realtek Sound Manager] Realtek.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177786328564
O17 - HKLM\System\CCS\Services\Tcpip\..\{93EF9642-D5AD-4CE1-AB32-EE8AB47C6451}: NameServer = 194.54.90.226
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll (file missing)
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\System32\aspi1785.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: Network Windows Service (MSWindows) - Unknown owner - C:\WINDOWS\System32\urdvxc.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Winamp Service - Unknown owner - C:\WINDOWS\winamp.exe

« Last Edit: May 01, 2007, 02:27:47 am by tranta »

tik..tik..tik..tik

bodieph

  • Moderator
  • Active - Top Level
  • *
  • Posts: 7202
  • Karma 332
  • Gender: Male
Re: Is it really a virus?
« Reply #17 on: May 02, 2007, 08:29:50 pm »
well first off, replace your IE. try firefox so you're more secure. I'm sure your problems will lessen once you're on firefox

secondly, what are the infections your anti virus is finding? your log is clean now. the files you mentioned before are gone

tranta

  • Active - Three Stars
  • ***
  • Posts: 412
  • Karma 28
  • Gender: Male
  • jak pauer
Re: Is it really a virus?
« Reply #18 on: May 02, 2007, 11:04:08 pm »
there! boss bodieph. the problem with my pc is that I couldn't log in to ps yesterday. it was always cannot find server. and every time I use a search engine, neteu.com is still first in the list. it always has maybe 4 or more entries. then I went to erotica to see whether ps was down. it wasn't. then I saw the chatbox there and joined the chat. I asked them to open espiya.net. they said they could open it. then when I was going to update to sp2, a "do wish to debug" prompt kept coming up here in IE, and it said error. I searched for the error and it said my NOD32 was outdated, that there's a newer one. but I had just reformatted then. even though I had installed it before, I uninstalled it too because I didn't like it. what else? the firefox thing. I had thought of that too. so I went to a search engine again. I found the site. when I tried to download it, it wouldn't download. the pc I'm using now is my aunt's, the one infected with brontok. please help with how to remove it, including the thing at startup, promise im still waiting ..... it would be embarrassing to return it broken. and one more thing, I still can't get task manager to work here. it says disabled by admin. regedit too. here's the logfile.

Logfile of HijackThis v1.99.1
Scan saved at 11:25:23, on 03/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\caniedo_family\Desktop\avg75free_467a1008.exe
C:\DOCUME~1\CANIED~1\LOCALS~1\Temp\RarSFX0\avgsetup.exe
E:\My Documents\installers\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


tik..tik..tik..tik

tranta

  • Active - Three Stars
  • ***
  • Posts: 412
  • Karma 28
  • Gender: Male
  • jak pauer
Re: Is it really a virus?
« Reply #19 on: May 08, 2007, 11:04:46 am »
hi! hello! I'm finally back!
after so many formats and disc wipes, I figured out how to deal with this pc. (I've actually done it already) so the other day, freshly reformatted, the second I turned on my modem, the virus, malware, etc ... got in right away. I was monitoring in taskmgr. wow! what it did was intense. it created a program named after the entries in taskmgr! there was an explorer, a services, an internet explorer. those three. the explorer one, I killed it, but I killed the wrong one. I killed the original. so I ran explorer again. but what ran when I typed it was the fake one! so I had to restart so the real explorer would load again. so I looked for the one with lower mem usage because that's the one that isn't real. the iexplore one was easy. the original is in capital letters so I killed the one in small letters. but the services one I couldn't kill. it said it's critical something-or-other so I couldn't do anything. so I downloaded the defenses. the problem is, avg antivir is so big that it takes me about 5-7 minutes to download it. and the bad part is, when it's nearly done, about 1 minute left, the pc suddenly declares that it needs to shut down and you can't stop it. it's as if you ran "shutdown -s -f -t 60", because that's what its window looks like. and I think it's npc that comes up. something like nt authority system blah blah that I don't understand. because the antisp is smaller I was able to download it. but it wouldn't install. it always said 64-bit edition of windows is not supported, so nothing there either. then I said I'd do it in safe mode. still the same. even worse. my internet was extremely slow and it would take me almost 1 hour to download the antivir. so, off. on. then I said, fine, I won't keep killing these running things anymore. I'm going to reformat anyway so it's ok even if it gets infected. and would you believe it worked! I downloaded all of them. I also included the antirootkit. so, reformat. but first I wrote what I downloaded to a cd. and first terminated all the programs to be safe so they wouldn't get included on the cd.
so, ok. reformat. reinstalled everything from before. and then finally, I installed everything I was going to install, including the antivir and antispy. so, go. I still hadn't turned on the modem. I'm on dsl, and I don't know why, but once the modem is on I'm automatically connected to the internet, even though I didn't enter anything in the setup. that's just how it is. I ran them while the modem was still off, and I hadn't turned it on since my latest reformat. avg antisp found one adware, so I deleted it. I finally had a sense of accomplishment. then that was it. internet on. updated right away. internet off. scanned again. then ok. then one more got in. it was making my date 2004, so everything went haywire. automatic update even downloaded the genuine blah blah, so I'm still on sp1 until now. anyway, about the one changing the date: antirootkit was what found it. then things were fine again. and finally! it's done! my problem now is the other pc with brontok! wahhhh! ty to everyone who helped me, especially sir bodieph! psrulez::

tik..tik..tik..tik

bodieph

  • Moderator
  • Active - Top Level
  • *
  • Posts: 7202
  • Karma 332
  • Gender: Male
Re: Is it really a virus?
« Reply #20 on: May 08, 2007, 09:24:05 pm »
the rpc with shutdown thingy is the msblast worm. that can be fixed by installing SP2

as for brontok, there's a fix for that too. but first we need to know what strain of brontok it is (there are many) so we would know what file/s it infected

slash2_ph

  • Active - First Star
  • *
  • Posts: 32
  • Karma 2
Re: Is it really a virus?
« Reply #21 on: May 09, 2007, 02:25:31 am »
May 9, 2007

good day!
just for SUGGESTION:
for your pc to remain in good shape:
1.) updated windows xp sp2
2.) install and update an antivirus (i.e. kaspersky,nod32 etc.)
3.) install and update an  antispyware(i.e.Superantispyware-freeware-http://www.superantispyware.com/)
4.) install and update a firewall (i.e. comodo-freeware-http://www.personalfirewall.comodo.com/)
5.) use alternative to internet explorer (i.e. Mozilla Firefox)
6.) if you suspect any suspicious file in your pc try to send it to these websites to check online   before installing and/or accessing the said files.( no need to zip the files )
a.) http://virusscan.jotti.org/
b.) http://www.virustotal.com/en/indexx.html
c.) http://scanner.virus.org/

these are all just tips and recommendations.

hope this helps.

tranta

  • Active - Three Stars
  • ***
  • Posts: 412
  • Karma 28
  • Gender: Male
  • jak pauer
Re: Is it really a virus?
« Reply #22 on: May 21, 2007, 01:53:47 pm »
I got infected again. but I don't want to reformat anymore. I'm so sick of reformatting. my computer even said DMA Error. FATAL ERROR. what is that?

anyway, I've stopped the worm's process. my only remaining problem is that something comes up on my startup screen, promise??? blahblahbla. then I found something on the net on how to fix that. I did it in regedit. so I've deleted the thing at startup. but my problem now is that when I click C:, it says cannot find exiplorer.exe. so I searched regedit for exiplorer.exe and found it in hkey_current_user>software>microsoft>windows>current version>explorer>Mountpoints2

then I deleted them all. but they come back. what do I do so it doesn't come back? I even set to zero everything I could set there. but after a restart, it's back to 1.

the problem is that the fix I found on the net works when all of the virus is still there. but I've already removed it with hijack and smitfraudfix.

tik..tik..tik..tik

bodieph

  • Moderator
  • Active - Top Level
  • *
  • Posts: 7202
  • Karma 332
  • Gender: Male
Re: Is it really a virus?
« Reply #23 on: May 21, 2007, 08:46:50 pm »
have you run smitfraudfix already?

it keeps coming back because you didn't remove everything. something was left behind

I suggest you look up its fix and then try to find all the files mentioned in the fix. remove them manually

tranta

  • Active - Three Stars
  • ***
  • Posts: 412
  • Karma 28
  • Gender: Male
  • jak pauer
Re: Is it really a virus?
« Reply #24 on: May 24, 2007, 11:28:22 am »
I've already run smitfraudfix. at first, the problems were: taskmgr: disabled; regedit: disabled; drive c: won't open via double click; a window appears at the start, even before the word welcome. so I ran hijack and removed the taskmgr disabled entry. I saw exiplorer.exe and checked fix on it too. but it comes back. I ran smitfraudfix, and regedit came back. but the thing before the welcome screen still appears, and double click still doesn't work. I got lazy. I stopped. then after a few days, I came back to it. then I searched the net for exiplorer.exe. I found it on a blog. my only problems at that time were the thing that appears at the start and the double click. it sent me to regedit and had me delete something: a legal notice whose value is promise and i'm still waiting for my blahblah. so that's gone. the only problem left was opening via double click. hard disk only. documents are ok. so I went to regedit and searched for exiplorer.exe. I also searched the local disk for exiplorer.exe. then I also searched for the name that came up in avg antivirus when it was detected before I ran hijack and smitfraud. its name is vb.bhv. as well as its name on the blog, which is worm_xpbaguio.a. the only thing that turned up was exiplorer.exe in regedit and on the local disk. the one on the local disk, what it found was the saved hijack logfile, so that doesn't matter, but I deleted it anyway. and the one in regedit was attached, sort of, to rundll, then there's a comma, then there's also the word shell32. in the end I deleted that entry too but still, it won't work. and then I forgot what I searched for, but it took me to

hkey_current_user>software>microsoft>windows>current version>explorer>Mountpoints2

then I saw there were 4 folders enclosed in {} and also folders a, c, d, e, f
so 10 of them in all including cpc. I tried deleting the four enclosed in {} and voila! I could open c: via double click. so I restarted right away to test whether it was ok. but it wasn't yet. because it turns out this cpc has under it four folders again with the same names as the four I deleted. and the ones I deleted came back, by the way. I looked at one. its contents are (default), data, and generation. I thought this generation was what regenerates them. so I tried to set it to 0. unfortunately, I didn't know how. so the first thing I did was modify binary data, and all the 1s I set to zero. restart. it went back to 1. then I tried just modify. set 0. restart. it's there again. I don't know how to trace the entry that auto-regenerates it. that's all I can do, since, as I said, it's my aunt's pc that got infected. you see the problem is
1. it's in another place and it's a hassle because of that. besides, they're using it too. and that's the only problem left anyway. I'm 70% certain that's the only problem left.
2. they're not on dsl. so online scans aren't possible, or the antivir autoupdates, because their dial-up is super slow.
3. it can't be reformatted. actually I really did plan to reformat it. but there are so many documents. their hd is 80gb. ours is only 40. and its other programs and hardware, I don't know which are which. and she only gave me a few cds. so if it's reformatted, it might become even less usable because some of the hardware can't be installed. also I don't know whether their os is genuine. and if it is genuine, that's even worse, because my xp installer is a fake. I suspect it's genuine because their other pc is genuine and nice. lcd monitor, 3-in-1 fax, copier, printer, wireless keyboard, 3.2Ghz processor, 256Mb vidcard. blahblahblah. so please help. hehehehe! psrulez::

ps
what's the fix, boss bodieph?

tik..tik..tik..tik
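The MountPoints2 entries described in the post above, as an added Python example that is not part of the thread: Explorer caches each volume's autorun.inf shell verbs under that key, so a cached command can keep pointing at exiplorer.exe after the file itself is gone. The script lists those cached commands from the text of a `reg export` of the key; the export text, GUIDs and the setup.exe entry below are constructed for illustration.

```python
import re

# Constructed sample in the text format written by `reg export`.
# GUIDs are placeholders; the RunDLL32 command follows the post's description.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-000000000001}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL exiplorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-000000000001}\Shell\open\command]
@="exiplorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-000000000002}\Shell\AutoRun\command]
@="D:\\setup.exe"
'''

MP2 = "\\explorer\\mountpoints2\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
# A string value line: @="..." or "name"="...", with \\ and \" escapes.
STR_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')
# <volume>\Shell\<verb>\command, relative to MountPoints2.
VERB_RE = re.compile(r"^([^\\]+)\\Shell\\([^\\]+)\\command$", re.IGNORECASE)


def unescape(value):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", value)


def cached_autorun_commands(export_text):
    """Return (volume, verb, command) for every cached shell verb."""
    results = []
    key = None
    for raw in export_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = STR_RE.match(line)
        if not (m and key and m.group(1) == "@"):
            continue  # only the key's default value holds the command
        idx = key.lower().find(MP2)
        if idx < 0:
            continue
        verb = VERB_RE.match(key[idx + len(MP2):])
        if verb:
            results.append((verb.group(1), verb.group(2), unescape(m.group(2))))
    return results


def volumes_referencing(export_text, exe_name):
    """Volumes whose cached commands mention exe_name (case-insensitive)."""
    return sorted({vol for vol, _verb, cmd in cached_autorun_commands(export_text)
                   if exe_name.lower() in cmd.lower()})


if __name__ == "__main__":
    for vol, verb, cmd in cached_autorun_commands(SAMPLE_EXPORT):
        print(f"{vol}  {verb:8}  {cmd}")
    print("references exiplorer.exe:",
          volumes_referencing(SAMPLE_EXPORT, "exiplorer.exe"))
```

Because the cache is rebuilt from the autorun.inf in the root of each drive, the same listing taken before and after a reboot shows whether a source file is still present somewhere.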