Liz, you have proven to be a great helper.
The time you take to solve other people's problems is very meritable.
If only everybody were as concerned a person as yourself, I'm sure we wouldn't be here discussing "time-taking issues" like viruses...
Thanks for the help.
______________________________________________________
Getting down to business:
- Followed your advice.
I already had most of those utilities (the "run now" ones), except for CWShredder; of the other ones I don't have a single one,
and I haven't tried them yet; I'm still waiting for the response on the reports I'm about to send.
I already had previous HijackThis reports from both PCs (my brother's and mine), but the ones I'm posting are the ones that refer to the state of the machines after proceeding with your suggestions.
- CWShredder didn't report anything to fix;
- Ad-Aware Pro didn't show anything, and neither did SpyBot.
But that doesn't mean much, because I run them very often and they are updated almost daily;
My anti-virus is Avast Home Edition 4.6,
updated daily.
Still, after full scans (I usually only perform "smart scans") it reported:
On my brother's PC:
- VBS:Malware [Gen]
On my PC:
- Win32:Rbot-SF [Trj]
______________________________________________________
Here are the reports on my BROTHER's PC:
CWShredder:
______________________________________________________
**** Run Keys ****
RUN: [Synchronization Manager] mobsync.exe /logon
RUN: [LoadQM] loadqm.exe
RUN: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
RUN: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
RUN: [AWMON] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe"
RUN: [WindowsRegKey update] lwzaweoxdd.exe
RUN: [SpeedTouch USB Diagnostics] "C:\Programas\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
RUN: [Start Upping] xdcc.exe
RUN: [FreeRAM XP] "C:\Programas\FreeRAM XP Pro 1.40.exe" -win
RUN: [WindowsRegKey update] lwzaweoxdd.exe
RUN: [LeechGet]
RUN: [STManager] "C:\Programas\SpeedTouch\Dr SpeedTouch\drst.exe" -b
RUN: [Start Upping] xdcc.exe
**** Browser Helper Objects ****
BHO: [] C:\PROGRA~1\SPYBOT~1\SDHelper.dll
**** IE Toolbars ****
TOOLBAR: [&Rádio] C:\WINNT\system32\msdxm.ocx
**** IE Extensions ****
IEExt: [Web Browser Applet Control] C:\WINNT\system32\msjava.dll
**** Hosts File Entries ****
HOSTS: 127.0.0.1 localhost
**** IE Settings ****
Default Page:
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Default Search:
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Local Page: C:\WINNT\system32\blank.htm
Search Page:
http://www.microsoft.com/is&api/redir.dll?prd=iear=iesearch
**** IE Context Menu (Right click) ****
IEContext: [Analisar com LeechGet] file://C:\Programas\LeechGet 2004\\Parser.html
IEContext: [Download usando Assistente LeechGet] file://C:\Programas\LeechGet 2004\\Wizard.html
IEContext: [Download usando LeechGet] file://C:\Programas\LeechGet 2004\\AddUrl.html
IEContext: [E&xportar para o Microsoft Excel] res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
**** Layered Service Providers ****
LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7F8AD29C-AEF2-40B0-8108-5A4D9B4B4624}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7F8AD29C-AEF2-40B0-8108-5A4D9B4B4624}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9532A504-2EA5-45DD-A1F2-49515F02C0AB}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9532A504-2EA5-45DD-A1F2-49515F02C0AB}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C93A4E74-2798-4D17-94D0-7A4A64162615}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C93A4E74-2798-4D17-94D0-7A4A64162615}] DATAGRAM 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DE1EF39C-BBDC-4FA4-9C76-2BEDB4D17E7D}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DE1EF39C-BBDC-4FA4-9C76-2BEDB4D17E7D}] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0B4F7CB3-A58F-4447-BA89-67D54778DDBD}] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0B4F7CB3-A58F-4447-BA89-67D54778DDBD}] DATAGRAM 4
**** Blocked Control Panel Items ****
BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No
**** Downloaded Program Files ****
DirectAnimation Java Classes [file://C:\WINNT\Java\classes\dajava.cab]
Microsoft XML Parser for Java [file://C:\WINNT\Java\classes\xmldso.cab]
{33564D57-0000-0010-8000-00AA00389B71} [
http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB]
**** Windows Services ****
[Alerter] %SystemRoot%\System32\services.exe
[AppMgmt] %SystemRoot%\system32\services.exe
[aswUpdSv] "C:\Programas\Alwil Software\Avast4\aswUpdSv.exe"
[avast! Antivirus] "C:\Programas\Alwil Software\Avast4\ashServ.exe"
[avast! Mail Scanner] "C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service
[avast! Web Scanner] "C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service
[BITS] %SystemRoot%\System32\svchost.exe -k BITSgroup
[Browser] %SystemRoot%\System32\services.exe
[cisvc] C:\WINNT\System32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[Dhcp] %SystemRoot%\System32\services.exe
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\services.exe
[Dnscache] %SystemRoot%\System32\services.exe
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINNT\System32\svchost.exe -k netsvcs
[Fax] %systemroot%\system32\faxsvc.exe
[KPF4] C:\Programas\Kerio\Personal Firewall 4\kpf4ss.exe
[lanmanserver] %SystemRoot%\System32\services.exe
[lanmanworkstation] %SystemRoot%\System32\services.exe
[LmHosts] %SystemRoot%\System32\services.exe
[Messenger] %SystemRoot%\System32\services.exe
[mnmsrvc] C:\WINNT\System32\mnmsrvc.exe
[MSDTC] C:\WINNT\System32\msdtc.exe
[MSIServer] C:\WINNT\System32\MsiExec.exe /V
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\System32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[NtLmSsp] %SystemRoot%\System32\lsass.exe
[NtmsSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[PlugPlay] %SystemRoot%\system32\services.exe
[PolicyAgent] %SystemRoot%\System32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\services.exe
[RasAuto] %SystemRoot%\System32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\System32\svchost.exe -k netsvcs
[RemoteAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[RemoteRegistry] %SystemRoot%\system32\regsvc.exe
[RpcLocator] %SystemRoot%\System32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\System32\rsvp.exe -s
[SamSs] %SystemRoot%\system32\lsass.exe
[SCardDrv] %SystemRoot%\System32\SCardSvr.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\system32\MSTask.exe
[seclogon] %SystemRoot%\system32\services.exe
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[SharedAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[Spooler] %SystemRoot%\system32\spoolsv.exe
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TlntSvr] %SystemRoot%\system32\tlntsvr.exe
[TrkWks] %SystemRoot%\system32\services.exe
[UPS] %SystemRoot%\System32\ups.exe
[UtilMan] %SystemRoot%\System32\UtilMan.exe
[W32Time] %SystemRoot%\System32\services.exe
[WinMgmt] %SystemRoot%\System32\WBEM\WinMgmt.exe
[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs
[Wmi] %SystemRoot%\system32\Services.exe
[wuauserv] %systemroot%\system32\svchost.exe -k wugroup
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs
**** Custom IE Search Items ****
SEARCH: [SearchAssistant]
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
SEARCH: [CustomizeSearch]
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
**** Complete IE Options ****
IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] C:\WINNT\system32\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page]
http://www.sapo.pt/
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Search Page]
http://www.microsoft.com/is&api/redir.dll?prd=iear=iesearch
IEOPT: [ShowedCheckBrowser] Yes
IEOPT: [Check_Associations] No
IEOPT: [FullScreen] no
IEOPT: [Window_Placement] ,
IEOPT: [Q261272] yes
IEOPT: [Disable Script Debugger] yes
IEOPT: [Use FormSuggest] no
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Friendly http errors] no
IEOPT: [Default_Page_URL]
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
IEOPT: [Default_Search_URL]
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IEOPT: [Search Page]
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] %SystemRoot%\system32\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page]
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.00.2800.1106
IEOPT: [FullScreen] no
_____________________________________________________
My BROTHER's HJT report
Logfile of HijackThis v1.99.1
Scan saved at 19:47:05, on 11-03-2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Programas\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Programas\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\Explorer.EXE
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\Kerio\Personal Firewall 4\kpf4gui.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe
C:\Programas\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Programas\FreeRAM XP Pro 1.40.exe
C:\Programas\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.sapo.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [WindowsRegKey update] lwzaweoxdd.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programas\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Start Upping] xdcc.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] lwzaweoxdd.exe
O4 - HKLM\..\RunServices: [Start Upping] xdcc.exe
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINNT\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\ADMINI~1\DEFINI~1\Temp\IXP000.TMP\"
O4 - HKLM\..\RunOnce: [MSPQM] RUNDLL32.exe streamci,StreamingDeviceSetup {DDF4358E-BB2C-11D0-A42F-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196}
O4 - HKLM\..\RunOnce: [MSPCLOCK] RUNDLL32.exe streamci,StreamingDeviceSetup {97ebaacc-95bd-11d0-a3ea-00a0c9223196},{53172480-4791-11D0-A5D6-28DB04C10000},{53172480-4791-11D0-A5D6-28DB04C10000}
O4 - HKLM\..\RunOnce: [MigrateMMDrivers] rundll32.exe mmsys.cpl,mmseRunOnce
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Programas\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [WindowsRegKey update] lwzaweoxdd.exe
O4 - HKCU\..\Run: [STManager] "C:\Programas\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Start Upping] xdcc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Analisar com LeechGet - file://C:\Programas\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Download usando Assistente LeechGet - file://C:\Programas\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Download usando LeechGet - file://C:\Programas\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0\bin\npjpi150.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Serviço administrativo de gestão de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Programas\Kerio\Personal Firewall 4\kpf4ss.exe
_____________________________________________________
Hope you can find something useful in these reports.
One question:
after analysing these, could you check my own PC's reports?
I won't put them in here without asking because it might get confusing for you.
Thanks.
PS: about XDCC.exe
I've searched my PC and there is no file with this name.
Still, it appears in the registry and on startup.
I've tried to eradicate it before, in TuneUp and in Startup, but it always appears again after a refresh.
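The O4 section of a HijackThis log is where the two entries the poster is asking about show up: `lwzaweoxdd.exe` and `xdcc.exe` are listed as bare filenames with no path, and each is registered three times over (HKLM Run, HKLM RunServices and HKCU Run). Because a Run value that names only a filename is resolved through the loader's search path rather than a fixed location, a disk search for the name can come up empty while the registry entry is still present, which is exactly the situation described in the PS. The script below is an added example, not part of the poster's message and not code from HijackThis or CWShredder; it parses O4 lines in the HijackThis 1.99 format and flags the two patterns above. The sample lines are constructed from the log posted above, and the small allow-list of pathless names Windows 2000 itself registers (`mobsync.exe`, `loadqm.exe`) is an assumption for the example, not a vetted baseline.

```python
import re
from collections import defaultdict

# Constructed sample: O4 (autostart) lines in the format HijackThis 1.99.x
# prints, modelled on the brother's log posted above.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [WindowsRegKey update] lwzaweoxdd.exe
O4 - HKLM\..\Run: [Start Upping] xdcc.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] lwzaweoxdd.exe
O4 - HKLM\..\RunServices: [Start Upping] xdcc.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Programas\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [WindowsRegKey update] lwzaweoxdd.exe
O4 - HKCU\..\Run: [Start Upping] xdcc.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
"""

# Matches the registry-backed O4 lines: "O4 - <hive>\..\<key>: [<name>] <command>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunServices|RunOnce|RunOnceEx): '
    r'\[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)

# Assumed allow-list for the example: names Windows 2000 registers without a
# full path, which the loader resolves from the system directories.
KNOWN_PATHLESS = {"mobsync.exe", "loadqm.exe"}


def command_image(cmd: str) -> str:
    """Return the executable portion of a Run-key command line.

    A quoted command keeps everything inside the quotes (paths with spaces);
    an unquoted one is cut at the first whitespace, dropping the arguments.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_o4(text: str) -> list:
    """Parse registry-backed O4 lines into dicts; Global Startup and other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["image"] = command_image(entry["cmd"])
        entry["location"] = entry["hive"] + "\\" + entry["key"]
        entries.append(entry)
    return entries


def triage(entries: list) -> dict:
    """Group entries by executable and flag two persistence patterns.

    - a bare filename with no path (resolved via the loader's search order,
      so a file search by name proves little about where it lives), and
    - the same image re-registered under several autostart keys.
    Returns {basename: [reasons]} for every image with at least one flag.
    """
    by_image = defaultdict(list)
    for e in entries:
        by_image[e["image"].lower()].append(e)

    findings = {}
    for image, group in by_image.items():
        basename = image.rsplit("\\", 1)[-1]
        reasons = []
        pathless = "\\" not in image and ":" not in image
        if pathless and basename not in KNOWN_PATHLESS:
            reasons.append("bare filename, no path: resolved through the search path")
        locations = sorted({e["location"] for e in group})
        if len(locations) > 1:
            reasons.append("registered under %d autostart keys: %s"
                           % (len(locations), ", ".join(locations)))
        if reasons:
            findings[basename] = reasons
    return findings


if __name__ == "__main__":
    for image, reasons in sorted(triage(parse_o4(SAMPLE_O4_LINES)).items()):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample, only `lwzaweoxdd.exe` and `xdcc.exe` are reported, each for both reasons; the avast!, Ad-Watch and FreeRAM entries carry full paths and appear once, and `mobsync.exe` is pathless but on the allow-list. The heuristic is a triage aid for reading a log, not a verdict: a flagged entry still needs the file located (or its absence confirmed on every drive and in the system directories) before anything is removed.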