Virus/Trojan: something messed me up, need help

NYCSTE2003

Member
Oct 27, 2003
168
0
0
Hi all. Last night I got hit with some kind of virus/worm/spyware thing and my AV picked it up right away, so I went into Safe Mode, cleaned everything up, ran all my cleaning programs, and believe the issue to be gone.

The issue was called:
sysmngt.exe
remacc radmin r_server.exe c:/windows/system32
trojan horse instsvc.exe c:/windows/sysmngt

Edit: just noticed the **** thing also shared the folder that the original problem file was found in, a keygen I think. So the program made that folder shared on my network with full access to those files. I just noticed that and deleted it all.


I rebooted into XP like normal, and for some reason 3 things I've noticed so far have changed or stopped working.

The Start menu doesn't do anything now, whether clicking it or hitting the key on the keyboard. It just blinks when clicked.

I use Quick Launch, and for some reason that little >> thingy for the extra programs that don't fit on the line doesn't work. It doesn't show me my extra programs to use.

And lastly... hmm, I think I forgot lastly. Maybe only 2 issues. Looking for any help.

But I did find this on Lockergnome:

Copy the lines below into a file named 'IEReg.bat' and double-click it to run it. This will re-register some DLLs for IE and the operating system. Restart for effect.

--------------------------------
regsvr32 comcat.dll /s
regsvr32 shdoc401.dll /s
regsvr32 shdoc401.dll /i /s
regsvr32 asctrls.ocx /s
regsvr32 oleaut32.dll /s
regsvr32 shdocvw.dll /I /s
regsvr32 shdocvw.dll /s
regsvr32 browseui.dll /s
regsvr32 browseui.dll /I /s
regsvr32 msrating.dll /s
regsvr32 mlang.dll /s
regsvr32 hlink.dll /s
regsvr32 mshtmled.dll /s
regsvr32 urlmon.dll /s
regsvr32 plugin.ocx /s
regsvr32 sendmail.dll /s
regsvr32 scrobj.dll /s
regsvr32 mmefxe.ocx /s
regsvr32 corpol.dll /s
regsvr32 jscript.dll /s
regsvr32 msxml.dll /s
regsvr32 imgutil.dll /s
regsvr32 thumbvw.dll /s
regsvr32 cryptext.dll /s
regsvr32 rsabase.dll /s
regsvr32 inseng.dll /s
regsvr32 iesetup.dll /i /s
regsvr32 cryptdlg.dll /s
regsvr32 actxprxy.dll /s
regsvr32 dispex.dll /s
regsvr32 occache.dll /s
regsvr32 occache.dll /i /s
regsvr32 iepeers.dll /s
regsvr32 urlmon.dll /i /s
regsvr32 cdfview.dll /s
regsvr32 webcheck.dll /s
regsvr32 mobsync.dll /s
regsvr32 pngfilt.dll /s
regsvr32 licmgr10.dll /s
regsvr32 icmfilter.dll /s
regsvr32 hhctrl.ocx /s
regsvr32 inetcfg.dll /s
regsvr32 tdc.ocx /s
regsvr32 MSR2C.DLL /s
regsvr32 msident.dll /s
regsvr32 msieftp.dll /s
regsvr32 xmsconf.ocx /s
regsvr32 ils.dll /s
regsvr32 msoeacct.dll /s
regsvr32 inetcomm.dll /s
regsvr32 msdxm.ocx /s
regsvr32 dxmasf.dll /s
regsvr32 l3codecx.ax /s
regsvr32 acelpdec.ax /s
regsvr32 mpg4ds32.ax /s
regsvr32 voxmsdec.ax /s
regsvr32 danim.dll /s
regsvr32 Daxctle.ocx /s
regsvr32 lmrt.dll /s
regsvr32 datime.dll /s
regsvr32 dxtrans.dll /s
regsvr32 dxtmsft.dll /s
regsvr32 WEBPOST.DLL /s
regsvr32 WPWIZDLL.DLL /s
regsvr32 POSTWPP.DLL /s
regsvr32 CRSWPP.DLL /s
regsvr32 FTPWPP.DLL /s
regsvr32 FPWPP.DLL /s
regsvr32 wshom.ocx /s
regsvr32 wshext.dll /s
regsvr32 vbscript.dll /s
regsvr32 scrrun.dll /s
rem mstinit.exe /setup is a separate command; it had been run together onto the scrrun.dll line
mstinit.exe /setup
regsvr32 msnsspc.dll /SspcCreateSspiReg /s
regsvr32 msapsspc.dll /SspcCreateSspiReg /s
exit
--------------------------------


--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

- It was no help, didn't solve anything.


Still no one can offer any help. Noticed a third issue.

1. Title bars on all folders are missing the words, aka the ability to actually change stuff; I think it's called the title bar. Here is a pic:
http://img514.imageshack.us/my...ge=viruspicturere0.jpg (viruspicturere0.th.jpg)
There are 4 things circled in red to show what my known problems ARE.

2. The Start button won't do anything. When clicked it changes color and does nothing. Hitting the Windows button on the keyboard does nothing either.

3. That little >> thing at the bottom right of the screen on the taskbar Quick Launch doesn't work either, even though there are programs hidden there.

Looking for some advice, or at least where better to post this question and problem.

- Again, this happened because I was hit with 2 different types of virus/trojan/things, which I believe to be fully removed.

Software -> Security -Schadenfroh
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
1) Give us the precise names of the viruses/trojans/things. Your antivirus logs should say. Paste it in here. If you can pin down the site that the infection might've come from, send me a PM or paste it here in non-clickable form, for example: hXXp://www.mechbgon(DOT)com

2) If you want to go forward with the fight against the malware, follow all the instructions on this page. My advice would also include removing AVG Free Edition and installing a 30-day trial version of Kaspersky AntiVirus 7, then going through all the settings and maxing out everything, including the heuristics, and then updating and doing a full scan, including the rootkit scan.

3) If you want to go backward, then use System Restore to "go back in time" to before the attack.

4) If you want to do what is absolutely guaranteed to work, back up your data safely, then make a DBAN CD-ROM, unplug all drives except your boot drive, DBAN it, then reinstall Windows while taking security precautions (scroll halfway down that page). After finishing, absolutely do not run any infectable filetypes from your old files. DO scan them with a bunch of online virus scanners to try to reduce the chance there's bad things left in them.
 

NYCSTE2003
Originally posted by: mechBgon
1) Give us the precise names of the viruses/trojans/things. Your antivirus logs should say. Paste it in here. If you can pin down the site that the infection might've come from, send me a PM or paste it here in non-clickable form, for example: hXXp://www.mechbgon(DOT)com

2) If you want to go forward with the fight against the malware, follow all the instructions on this page. My advice would also include removing AVG Free Edition and installing a 30-day trial version of Kaspersky AntiVirus 7, then going through all the settings and maxing out everything, including the heuristics, and then updating and doing a full scan, including the rootkit scan.

3) If you want to go backward, then use System Restore to "go back in time" to before the attack.

4) If you want to do what is absolutely guaranteed to work, back up your data safely, then make a DBAN CD-ROM, unplug all drives except your boot drive, DBAN it, then reinstall Windows while taking security precautions (scroll halfway down that page). After finishing, absolutely do not run any infectable filetypes from your old files. DO scan them with a bunch of online virus scanners to try to reduce the chance there's bad things left in them.

Just wanted to say thanks for your reply, I'm reading stuff now. I have actually removed the AV program I was using when I got infected.

Here is a list of all the programs I use whenever I think I have a problem.

AntiVir
AVG
ClamWin
Symantec Corporate AV
Ad-Aware SE (used to use the newest one, but annoying processes made me go back)
RegScrubXP
RogueRemover
Spyware Terminator
Wise Disk Cleaner
Wise Registry Cleaner
a-squared Anti-Dialer
a-squared Free
a-squared HiJackFree
Spybot Search & Destroy
Free Window Registry Repair
Crap Cleaner

OK, that's my list of programs I run weekly. Maybe I'm a clean freak, haha.


In response to you:

1. I'll try and list everything I can find in any log files. Some of them I can't read. As posted at the beginning of this thread, these are the things I know popped up:
sysmngt.exe
remacc radmin r_server.exe c:/windows/system32
trojan horse instsvc.exe c:/windows/sysmngt
msn-something.exe in the system32 folder, I think

2. Interesting advice to remove AVG, run the trial program and scan everything. I'll probably try this, maybe not tonight though. Great idea.
- And reading everything on that site and finding all and more free scanner programs. I know there are a few more I ran that I didn't list, like CWShredder and the avast tool and stuff.

3. System Restore on my computers is always turned off instantly. Is this bad? I don't know, I've never had a problem. I usually reformat if I really run into a problem.

4. A little confused on that DBAN thing, I'll reread it. I have my hard drives partitioned and only 2 sections might be at risk, if at all anymore.

- Due to all my cleaning of the computer with all the above-mentioned programs, nothing shows up as infected or as issues anymore. But I'm still left with my 3 broken things.

Thanks for responding, I'll try and track more stuff down.
 

NYCSTE2003
Finally found something useful going through all my log files on the entire computer.

a-squared Free - Version 3.0
Last update: 6/12/2007 7:47:10 PM

Scan settings:

Objects: Memory, Traces, Cookies, C:\WINDOWS\, C:\Program Files
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 9/5/2007 4:26:16 AM

c:\windows\system32\syscfg32.exe detected: Trace.File.Sbot
Value: HKEY_CLASSES_ROOT\CLSID\{30349568-DAB5-4FA9-B254-4D3BA77C7952}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Radlight
Value: HKEY_CLASSES_ROOT\CLSID\{68D6728A-D715-492A-A57B-8DDA01F4921F}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Radlight
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30349568-DAB5-4FA9-B254-4D3BA77C7952}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Radlight
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68D6728A-D715-492A-A57B-8DDA01F4921F}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Radlight
C:\WINDOWS\sysmngt\admin.exe detected: Trojan.Win32.Agent.awz
C:\WINDOWS\sysmngt\install.exe detected: Trojan.Win32.Agent.awz
C:\WINDOWS\sysmngt\nzm.exe detected: Trojan.Win32.Agent.awz
C:\WINDOWS\sysmngt\preinstall.exe detected: Trojan.Win32.Agent.awz
C:\WINDOWS\sysmngt\sysmngt.exe detected: Riskware.Server-FTP.Win32.Serv-U.6105
C:\WINDOWS\system32\syscfg32.exe detected: Trojan.Win32.Agent.awz
C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL detected: Riskware.AdTool.Win32.MyWebSearch.a

Scanned

Files: 32259
Traces: 135708
Cookies: 1
Processes: 15

Found

Files: 7
Traces: 5
Cookies: 0
Processes: 0
Registry keys: 0

Scan end: 9/5/2007 5:02:27 AM
Scan time: 12:36:11 AM

C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL Quarantined Riskware.AdTool.Win32.MyWebSearch.a
C:\WINDOWS\sysmngt\sysmngt.exe Quarantined Riskware.Server-FTP.Win32.Serv-U.6105
C:\WINDOWS\sysmngt\admin.exe Quarantined Trojan.Win32.Agent.awz
C:\WINDOWS\sysmngt\install.exe Quarantined Trojan.Win32.Agent.awz
C:\WINDOWS\sysmngt\nzm.exe Quarantined Trojan.Win32.Agent.awz
C:\WINDOWS\sysmngt\preinstall.exe Quarantined Trojan.Win32.Agent.awz
C:\WINDOWS\system32\syscfg32.exe Quarantined Trojan.Win32.Agent.awz
Value: HKEY_CLASSES_ROOT\CLSID\{30349568-DAB5-4FA9-B254-4D3BA77C7952}\InprocServer32 --> ThreadingModel Quarantined Trace.Registry.Radlight
Value: HKEY_CLASSES_ROOT\CLSID\{68D6728A-D715-492A-A57B-8DDA01F4921F}\InprocServer32 --> ThreadingModel Quarantined Trace.Registry.Radlight
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30349568-DAB5-4FA9-B254-4D3BA77C7952}\InprocServer32 --> ThreadingModel Quarantined Trace.Registry.Radlight
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{68D6728A-D715-492A-A57B-8DDA01F4921F}\InprocServer32 --> ThreadingModel Quarantined Trace.Registry.Radlight
c:\windows\system32\syscfg32.exe Quarantined Trace.File.Sbot

Quarantined

Files: 7
Traces: 5
Cookies: 0
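Two checks are worth running mechanically on a log like the one above: every "detected" line should have a matching "Quarantined" line (otherwise the file is still on disk), and grouping the file hits by directory shows where the dropped tools were staged (five of the seven files sit in one folder, C:\WINDOWS\sysmngt, next to the Serv-U FTP server). The following Python is an added example, not part of the thread or of a-squared; the line format is taken from the log exactly as pasted, and the embedded excerpt is copied from that log.

```python
import re
from collections import defaultdict

# Excerpt of the a-squared Free log posted above (file and registry findings only;
# the headers and counts are omitted). Embedded so the example runs offline.
A2_LOG = r"""
c:\windows\system32\syscfg32.exe detected: Trace.File.Sbot
Value: HKEY_CLASSES_ROOT\CLSID\{30349568-DAB5-4FA9-B254-4D3BA77C7952}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Radlight
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30349568-DAB5-4FA9-B254-4D3BA77C7952}\InprocServer32 --> ThreadingModel detected: Trace.Registry.Radlight
C:\WINDOWS\sysmngt\admin.exe detected: Trojan.Win32.Agent.awz
C:\WINDOWS\sysmngt\install.exe detected: Trojan.Win32.Agent.awz
C:\WINDOWS\sysmngt\nzm.exe detected: Trojan.Win32.Agent.awz
C:\WINDOWS\sysmngt\preinstall.exe detected: Trojan.Win32.Agent.awz
C:\WINDOWS\sysmngt\sysmngt.exe detected: Riskware.Server-FTP.Win32.Serv-U.6105
C:\WINDOWS\system32\syscfg32.exe detected: Trojan.Win32.Agent.awz
C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL detected: Riskware.AdTool.Win32.MyWebSearch.a
C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL Quarantined Riskware.AdTool.Win32.MyWebSearch.a
C:\WINDOWS\sysmngt\sysmngt.exe Quarantined Riskware.Server-FTP.Win32.Serv-U.6105
C:\WINDOWS\sysmngt\admin.exe Quarantined Trojan.Win32.Agent.awz
C:\WINDOWS\sysmngt\install.exe Quarantined Trojan.Win32.Agent.awz
C:\WINDOWS\sysmngt\nzm.exe Quarantined Trojan.Win32.Agent.awz
C:\WINDOWS\sysmngt\preinstall.exe Quarantined Trojan.Win32.Agent.awz
C:\WINDOWS\system32\syscfg32.exe Quarantined Trojan.Win32.Agent.awz
Value: HKEY_CLASSES_ROOT\CLSID\{30349568-DAB5-4FA9-B254-4D3BA77C7952}\InprocServer32 --> ThreadingModel Quarantined Trace.Registry.Radlight
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30349568-DAB5-4FA9-B254-4D3BA77C7952}\InprocServer32 --> ThreadingModel Quarantined Trace.Registry.Radlight
c:\windows\system32\syscfg32.exe Quarantined Trace.File.Sbot
"""

# One finding per line: "<object> detected: <signature>" or "<object> Quarantined <signature>".
# Registry findings carry a "Value: " prefix.
LINE_RE = re.compile(r"^(?P<reg>Value: )?(?P<obj>.+?) (?P<action>detected:|Quarantined) (?P<sig>\S+)$")


def parse_a2_log(text):
    """Return a list of findings; headers, counts and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        findings.append({
            "kind": "registry" if m.group("reg") else "file",
            "object": m.group("obj"),
            "action": "quarantined" if m.group("action") == "Quarantined" else "detected",
            "signature": m.group("sig"),
        })
    return findings


def _key(f):
    # Windows paths are case-insensitive; the log mixes c:\windows and C:\WINDOWS.
    return (f["object"].lower(), f["signature"])


def unresolved_detections(findings):
    """Detections with no matching Quarantined line, i.e. things still in place."""
    quarantined = {_key(f) for f in findings if f["action"] == "quarantined"}
    detected = {_key(f) for f in findings if f["action"] == "detected"}
    return sorted(detected - quarantined)


def files_by_directory(findings):
    """Group detected files by directory to show where the dropped tools were staged."""
    groups = defaultdict(set)
    for f in findings:
        if f["kind"] != "file" or f["action"] != "detected":
            continue
        directory, _, name = f["object"].lower().rpartition("\\")
        groups[directory].add((name, f["signature"]))
    return dict(groups)


if __name__ == "__main__":
    found = parse_a2_log(A2_LOG)
    print("unresolved:", unresolved_detections(found))
    for directory, items in sorted(files_by_directory(found).items()):
        print(directory)
        for name, sig in sorted(items):
            print("   ", name, "->", sig)
```

On the pasted log every detection was quarantined, so unresolved_detections() comes back empty; the directory grouping is what tells you the C:\WINDOWS\sysmngt folder as a whole is foreign and can go, rather than just the five files the scanner named.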
 

NYCSTE2003
OK, out of the listed programs I use regularly, can anyone point me to the file or log I'm trying to find? I just went through every folder I could find, unless they are system protected. I only found that a-squared log posted above; a-squared actually found most of my issues, I was proud of the free program.

AntiVir
AVG
ClamWin
Symantec Corporate AV
Ad-Aware SE (used to use the newest one, but annoying processes made me go back)
RegScrubXP
RogueRemover
Spyware Terminator
Wise Disk Cleaner
Wise Registry Cleaner
a-squared Anti-Dialer
a-squared Free
a-squared HiJackFree
Spybot Search & Destroy
Free Window Registry Repair
Crap Cleaner

Where could I find the files? I checked everything in Windows, Program Files, all the user files, admin etc., unless they're hidden or something. Lots of them were .dat files or something, no idea how to read those.
 

mechBgon
Generally you'd start the program and then go to its Reports or Logs or whatever, and it would list them. Visual example: [image]

The info you gave there indicates Trojans, which is not very surprising. People might run a Trojan and infect their own computer (infected warez, music files or video files containing exploits, etc), and that's up to them to wise up and stop being gullible idiots.

Exploits can also hit you with Trojans, and they are preventable/containable --> http://www.mechbgon.com/build/security2.html

At this point, you have your options. Fight your way forward, System-Restore your way back, or burn it to the ground and start over. If you are patient and can follow instructions exactly, then the CastleCops.com HijackThis forum has experts who would get you cleaned up, but it can be a lengthy process and requires restraint and self-discipline on your part to NOT go willy-nilly doing stuff they didn't tell you.
 

NYCSTE2003
Originally posted by: mechBgon
Generally you'd start the program and then go to its Reports or Logs or whatever, and it would list them. Visual example: [image]

The info you gave there indicates Trojans, which is not very surprising. People might run a Trojan and infect their own computer (infected warez, music files or video files containing exploits, etc), and that's up to them to wise up and stop being gullible idiots.

Exploits can also hit you with Trojans, and they are preventable/containable --> http://www.mechbgon.com/build/security2.html

At this point, you have your options. Fight your way forward, System-Restore your way back, or burn it to the ground and start over. If you are patient and can follow instructions exactly, then the CastleCops.com HijackThis forum has experts who would get you cleaned up, but it can be a lengthy process and requires restraint and self-discipline on your part to NOT go willy-nilly doing stuff they didn't tell you.

I'm glad you're here, and solving issues like this is really exciting for me. Wow, that sounded corny, but yeah, it's true. Thanks for spending time trying to help; you are helping, and I'm learning about new sites and programs that help.

1. Currently I'm running the online F-Secure test.
2. Downloaded and installing:
-Comodo BOClean Anti-Malware_4.25.exe
-AVG Anti-Spyware 7.5-7.5.1.43.exe
-avast! Virus Cleaner - free virus removal tool v1.0.211, built on 11.5.2007.exe
-SUPERAntiSpyware Version 3.9.1008 .exe
3. Gonna install them all, figure them out and run them.
4. I'm pretty sure I'm cleaned up, but my issues remain, so maybe I'm not fully clean.

Thanks for your help. I'll keep this thread updated, and am interested in the CastleCops site.
 

NYCSTE2003
Originally posted by: mechBgon
Another possible bail-out would be to do a in-place upgrade, Method 2, aka a "repair install" of Windows.

You may find this thread interesting if you've been placing lots of faith in security software alone. Risk avoidance, reducing/eliminating "attack surface" and using the low-rights approach should also be considered.

Thanks dude, I'm reading your thread. I love what you did, I really do.

Perhaps we can be AIM buddies? My name is my name here; send me a message sometime, we can keep each other up to date and I can scan things for ya too, maybe.

Thanks again for your help and interest. This is interesting and exciting, and amazing how, with all those programs added together, they probably didn't find 100 percent of the stuff you were testing.

Truly amazing.
 

mechBgon
Originally posted by: NYCSTE2003
Originally posted by: mechBgon
I don't use an IM, but thanks for the invitation :)

Hey, I'm into bike riding too, just looked at your site. :)

Cool :) As you can see, my security fixation doesn't stop with Windows PCs ;)
 

NYCSTE2003
Hey mechBgon, question for ya: those online virus scanner sites, you gotta download files to start, but once you've done that once, do you still have to download the entire thing each time you use the scan feature?

Also, can I run all like 4 sites at once, or is it not advised? Also, when running scan programs like all those listed above, how many should be run at once? I usually do 1-4 at a time, but I know they get a lot slower doing that; I just like seeing them at once, etc.

Just for reference, I've got 3 GB and a Core 2 Duo E6300 I think, so I should be able to handle whatever scanning programs there are, right?
 

mechBgon
Originally posted by: NYCSTE2003
Hey mechBgon, question for ya: those online virus scanner sites, you gotta download files to start, but once you've done that once, do you still have to download the entire thing each time you use the scan feature?

Typically there's some files it will re-use, and some it will download all over again.

Also, can I run all like 4 sites at once, or is it not advised? Also, when running scan programs like all those listed above, how many should be run at once? I usually do 1-4 at a time, but I know they get a lot slower doing that; I just like seeing them at once, etc.

With a fast system, you should be able to run several at once. It might be better to run them sequentially so they don't have to fight over who gets to delete what at the end, or if one locks up the system then you have to start all of them again.
 

NYCSTE2003
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/07/2007 at 01:59 AM

Application Version : 3.9.1008

Core Rules Database Version : 3301
Trace Rules Database Version: 1307

Scan type : Custom Scan
Total Scan Time : 00:59:18

Memory items scanned : 518
Memory threats detected : 0
Registry items scanned : 5311
Registry threats detected : 25
File items scanned : 31672
File threats detected : 1

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance


I checked out the location of the file

C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS

and it was last modified 8/24, way before I believe any infection happened, which was 1-3 days ago, from a keygen.

According to the program, it says this:

Detected Item Description and Information

Listed below is basic information about the detected application/process. This application may not be safe to have on your system.

Summary : Unclassified.Oreans32.Process

Company : Unknown

Description : Unclassified.Oreans32 may be used for legitimate applications, but also for spyware - if you have this on your system, and you have another spyware infection, this is likely bad.

Threat Level (1-10) : 6

Processes : OREANS32.SYS


So, I don't know if oreans32 is good or bad, but that's all that the scanners found.

Ran 3 new things and only this came up, and the F-Secure online scan found something in my data folder, not sure what it removed; my Firefox was messed up from that scan.
 

NYCSTE2003
Also was infected with c:\windows\system32\msnmsg.exe

This started up after I cleaned out the first stuff. After this nothing else showed up, but I'm running the 3 online scanners; so far F-Secure found nothing, but 3 more to go.
 

NYCSTE2003
Alright, someone told me to install and run Windows Live OneCare. Installed, scanned and nothing really came up.

So at this point I don't see how something is hiding in my system anymore, and if possible it just changed the folder settings and taskbar settings that aren't allowing them to work. I have no idea what they are properly called; any help there would be great.

I'd guess title bar, start bar or button, and not sure what >> is called. Those are the only things not working and wrong.
 

mechBgon
You could try a repair installation of Windows. http://support.microsoft.com/kb/315341/ Method 2. Or use System Restore to go back to before the attack.

So at this point I don't see how something is hiding in my system anymore

It could just be something that none of those scanners recognize, bro. Or that the bad stuff is being successfully hidden from the scanners. I have some malware files that none of your scans would detect. That's what that whole other thread was about, drilling it into peoples' heads that a "clean" scan doesn't mean stuff is necessarily clean.

(yes yes, it's probably just residual damage... see preceding advice)
 

NYCSTE2003
Tried doing a fix/repair thing and never got the options I read in that guide with my custom XP CD; I ended up making a second Windows drive in the same area, so now on boot-up I've got 2 XPs, gah.

How do I remove that second one?

And I gotta find my plain vanilla Windows XP CD and patch SP2 into it, I guess, and see if that CD works. Lately I can't seem to get any discs to work with nLite and stuff, which I'm used to doing.
 

NYCSTE2003
Alright, I've been finding more and more programs which help scan, clean, etc. etc., programs you use after you're infected, and I've run several scans daily for the past couple of days trying to rid my system of whatever bug I have that appears to keep dodging all scan programs.

AVG Anti-Spyware just found
C:\WINDOWS\system32\drivers\etc\wtf15\pnc.exe

It's quarantined, I think. This wtf15 folder has shown up on a few searches over the past couple of days; does anyone know if the folder itself is important? Can I just delete it?

Here is a picture of said folder, looking for advice.

Just ran Ad-Aware SE and it found nothing.

While keeping AVG always running, I tried AntiVir as main AV for a few days and that worked well too, just testing out different programs since I plan on reformatting anyway.

http://img410.imageshack.us/my...newbitmapimage2xf0.jpg (newbitmapimage2xf0.th.jpg)
 

NYCSTE2003
Originally posted by: mechBgon
Try uploading each file from that folder to the analyzer at http://www.virustotal.com and paste the resulting diagnoses for each file here. This should be interesting...

Will do, thank you.

Running 3 programs now:
Spybot Search & Destroy
Spyware Terminator
ComboFix
AboutBuster
Prevx2Agent.1.0.2.86

AVG Anti-Rootkit after reboot
 

NYCSTE2003
For some reason Spybot won't do a full scan, keeps saying stopped by user. Gonna see what happens after reboot.

Also, Internet Explorer tried to take over Firefox again.

Explorer crashed.

Checking all those files in dir wtf15 at virustotal.com:

File 123.bat received on 09.12.2007 07:05:00 (CET)
Result: 0/32 (0%)

File 139.txt received on 09.12.2007 07:05:41 (CET)
Result: 0/32 (0%)

File fixt received on 09.12.2007 07:05:50 (CET)
Result: 0/32 (0%)

File httpget.exe received on 09.12.2007 07:06:08 (CET)
Result: 7/32 (21.88%)
-details
AhnLab-V3 2007.9.11.1 2007.09.11 -
AntiVir 7.6.0.5 2007.09.12 -
Authentium 4.93.8 2007.09.12 Possibly a new variant of W32/CrazyCrunch-based!Maximus
Avast 4.7.1043.0 2007.09.11 -
AVG 7.5.0.485 2007.09.11 -
BitDefender 7.2 2007.09.12 -
CAT-QuickHeal 9.00 2007.09.11 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.09.12 -
DrWeb 4.33 2007.09.11 -
eSafe 7.0.15.0 2007.09.11 suspicious Trojan/Worm
eTrust-Vet 31.1.5127 2007.09.12 -
Ewido 4.0 2007.09.11 -
FileAdvisor 1 2007.09.12 Low threat detected
Fortinet 3.11.0.0 2007.09.12 PossibleThreat
F-Prot 4.3.2.48 2007.09.12 -
F-Secure 6.70.13030.0 2007.09.11 -
Ikarus T3.1.1.12 2007.09.12 -
Kaspersky 4.0.2.24 2007.09.12 -
McAfee 5117 2007.09.11 -
Microsoft 1.2803 2007.09.12 -
NOD32v2 2523 2007.09.12 -
Norman 5.80.02 2007.09.11 -
Panda 9.0.0.4 2007.09.11 Suspicious file
Prevx1 V2 2007.09.12 -
Rising 19.40.20.00 2007.09.12 -
Sophos 4.21.0 2007.09.12 -
Sunbelt 2.2.907.0 2007.09.12 -
Symantec 10 2007.09.12 -
TheHacker 6.1.10.184 2007.09.11 -
VBA32 3.12.2.4 2007.09.12 -
VirusBuster 4.3.26:9 2007.09.11 -
Webwasher-Gateway 6.0.1 2007.09.12 Trojan.Downloader.Win32.Malware.gen (suspicious)
Additional information
File size: 17566 bytes
MD5: 7aa74d465d11a1c4308530eb13b19029
SHA1: 1918cb3e8b8dcc6d92f9b67f0ba784b70c10539f
Bit9 info: http://fileadvisor.bit9.com/se...11a1c4308530eb13b19029
packers: Aspack
 

NYCSTE2003
File ntinstall.ini received on 09.12.2007 07:07:52 (CET)
Result: 0/32 (0%)

File qb.bat received on 09.12.2007 07:07:57 (CET)
Result: 0/32 (0%)

File qbkill.bat received on 09.12.2007 07:08:10 (CET)
Result: 0/32 (0%)

File smnt.scr received on 09.12.2007 07:08:23 (CET)
Result: 0/32 (0%)

File kill.bat received on 09.12.2007 07:07:43 (CET)
Result: 0/32 (0%)

File kill.exe received on 09.12.2007 07:07:48 (CET)
Result: 1/32 (3.13%)
-details
Fortinet 3.11.0.0 2007.09.12 Misc/MSKILL
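The VirusTotal text pasted for httpget.exe in the previous post, and the shorter kill.exe result just above, can be checked mechanically rather than by eye. This is an added Python example, not from the thread or from VirusTotal: it parses the 2007-era plain-text report exactly as pasted, recomputes the detection ratio from the engine lines, separates heuristic/suspicious verdicts from named-signature ones (on httpget.exe all seven hits are heuristic; no engine had a signature for it), and shows when only the flagging engines were copied, so the stated x/32 cannot be reconciled. The embedded report is copied from the post; the word list used to recognise a heuristic verdict is an assumption.

```python
import re
from dataclasses import dataclass, field

# The httpget.exe report from the post above, as pasted (the status widget line omitted).
VT_REPORT = """\
File httpget.exe received on 09.12.2007 07:06:08 (CET)
Result: 7/32 (21.88%)
-details
AhnLab-V3 2007.9.11.1 2007.09.11 -
AntiVir 7.6.0.5 2007.09.12 -
Authentium 4.93.8 2007.09.12 Possibly a new variant of W32/CrazyCrunch-based!Maximus
Avast 4.7.1043.0 2007.09.11 -
AVG 7.5.0.485 2007.09.11 -
BitDefender 7.2 2007.09.12 -
CAT-QuickHeal 9.00 2007.09.11 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.09.12 -
DrWeb 4.33 2007.09.11 -
eSafe 7.0.15.0 2007.09.11 suspicious Trojan/Worm
eTrust-Vet 31.1.5127 2007.09.12 -
Ewido 4.0 2007.09.11 -
FileAdvisor 1 2007.09.12 Low threat detected
Fortinet 3.11.0.0 2007.09.12 PossibleThreat
F-Prot 4.3.2.48 2007.09.12 -
F-Secure 6.70.13030.0 2007.09.11 -
Ikarus T3.1.1.12 2007.09.12 -
Kaspersky 4.0.2.24 2007.09.12 -
McAfee 5117 2007.09.11 -
Microsoft 1.2803 2007.09.12 -
NOD32v2 2523 2007.09.12 -
Norman 5.80.02 2007.09.11 -
Panda 9.0.0.4 2007.09.11 Suspicious file
Prevx1 V2 2007.09.12 -
Rising 19.40.20.00 2007.09.12 -
Sophos 4.21.0 2007.09.12 -
Sunbelt 2.2.907.0 2007.09.12 -
Symantec 10 2007.09.12 -
TheHacker 6.1.10.184 2007.09.11 -
VBA32 3.12.2.4 2007.09.12 -
VirusBuster 4.3.26:9 2007.09.11 -
Webwasher-Gateway 6.0.1 2007.09.12 Trojan.Downloader.Win32.Malware.gen (suspicious)
File size: 17566 bytes
MD5: 7aa74d465d11a1c4308530eb13b19029
SHA1: 1918cb3e8b8dcc6d92f9b67f0ba784b70c10539f
"""

# Engine lines look like "<engine> <version> <yyyy.mm.dd> <verdict>"; "-" means no detection.
ENGINE_RE = re.compile(r"^(?P<engine>\S+) (?P<version>\S+) (?P<date>\d{4}\.\d{2}\.\d{2}) (?P<verdict>.+)$")
# Wording that marks a heuristic/generic verdict rather than a named signature (assumed list).
HEURISTIC_WORDS = ("suspicious", "possibl", "low threat", "generic", "heur", ".gen")


@dataclass
class VtReport:
    filename: str = ""
    stated: tuple = (0, 0)                          # the "Result: x/y" line as pasted
    md5: str = ""
    sha1: str = ""
    verdicts: dict = field(default_factory=dict)    # engine -> verdict text


def parse_vt_report(text):
    rep = VtReport()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^File (\S+) received on ", line):
            rep.filename = m.group(1)
        elif m := re.match(r"^Result: (\d+)/(\d+)", line):
            rep.stated = (int(m.group(1)), int(m.group(2)))
        elif m := re.match(r"^MD5: ([0-9a-fA-F]{32})$", line):
            rep.md5 = m.group(1).lower()
        elif m := re.match(r"^SHA1: ([0-9a-fA-F]{40})$", line):
            rep.sha1 = m.group(1).lower()
        elif m := ENGINE_RE.match(line):
            rep.verdicts[m.group("engine")] = m.group("verdict").strip()
    return rep


def classify(verdict):
    """'clean' for "-", 'heuristic' for suspicious/generic wording, otherwise 'signature'."""
    if verdict == "-":
        return "clean"
    return "heuristic" if any(w in verdict.lower() for w in HEURISTIC_WORDS) else "signature"


def flagged(rep):
    return {e: v for e, v in rep.verdicts.items() if v != "-"}


def detection_ratio(rep):
    """Recomputed from the engine lines; differs from rep.stated when the paste is partial."""
    return (len(flagged(rep)), len(rep.verdicts))


def summary(rep):
    counts = {"clean": 0, "heuristic": 0, "signature": 0}
    for v in rep.verdicts.values():
        counts[classify(v)] += 1
    return counts
```

For the kill.exe post, where only the one flagging engine line was pasted, detection_ratio() returns (1, 1) against a stated 1/32: the file hashes and the named verdict are still usable, but the clean count is not, which is exactly the "a clean scan doesn't mean clean" caveat mechBgon raised earlier in the thread.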