Solved

Can't open most of the applications

Posted on 2008-06-13
Last Modified: 2013-11-22
For example, if I try to run msconfig.exe, sfc /scannow, or cmd.exe, I get an "Open With" screen. This is the case with most of the applications. Most probably the PC is infected with something, but I can't start anything to try to find out with what.

Can someone help me with this problem? I know I can reinstall Windows easily, but I would like to work this out without reinstalling, if possible.

Thanks,
Goran
Question by:Priest04
19 Comments
 
LVL 23

Assisted Solution

by:Admin3k
Admin3k earned 100 total points
ID: 21783488
Do you get an error message related to CMD, registry editing, etc. being disabled by restrictions, or do you get another error?

Download and run HijackThis from Trend Micro:

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Post the log here.

 
LVL 23

Expert Comment

by:Admin3k
ID: 21783498
I re-read your message.

I believe the REG file below can solve the "Open With" problem for EXE files:

http://filext.com/WinXP_EXE_Fix.reg
 
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 200 total points
ID: 21783499
Try this and see if you can run exes again:

Start > type in:

command.com

and in the command.com prompt, type/paste:

ftype exefile="%1" %*


This will restore exe files again.
Then run HijackThis and show us the logfile so we can check what infections are present.
HijackThis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Open HijackThis and click "Do a system scan and save a logfile". Please don't fix anything yet.
Please attach the logfile as a "Code Snippet".
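The `ftype exefile="%1" %*` repair above and the REG file Admin3k linked both rewrite the same registry value, the default open command for the exefile ProgID. The PowerShell script below is an added example, not code from this thread or from HijackThis: it reads the two values that make an .exe launch (the ProgID behind `HKCR\.exe` and the exefile open command), compares them with the stock Windows defaults, and restores those defaults only when run with `-Repair`. It assumes Windows PowerShell 3.0 or later running as an administrator; `Get-ExeAssociation` is a name chosen for this example.

```powershell
# Added example (not part of the thread): audit the .exe file association
# that "ftype exefile" repairs, and optionally restore the Windows default.
# Assumption: Windows PowerShell 3.0+ run as administrator; the expected
# values below are the stock defaults on Windows XP and later.
param([switch]$Repair)

$expectedProgId  = 'exefile'
$expectedCommand = '"%1" %*'

# HKEY_CLASSES_ROOT is not mapped as a drive in every host; map it explicitly.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Get-ExeAssociation {
    # The (default) value of HKCR\.exe names the ProgID, normally "exefile".
    $progId = (Get-ItemProperty -Path 'HKCR:\.exe' -ErrorAction SilentlyContinue).'(default)'
    # "ftype exefile=..." writes the (default) value of this key.
    $command = (Get-ItemProperty -Path 'HKCR:\exefile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ ProgId = $progId; OpenCommand = $command }
}

$assoc = Get-ExeAssociation
$problems = @()
if ($assoc.ProgId -ne $expectedProgId) {
    $problems += "HKCR\.exe points at '$($assoc.ProgId)' instead of '$expectedProgId'"
}
if ($assoc.OpenCommand -ne $expectedCommand) {
    # A missing value, or a command that launches some other program first,
    # both produce the "Open With" behaviour described in the question.
    $problems += "exefile open command is '$($assoc.OpenCommand)' instead of '$expectedCommand'"
}

if ($problems.Count -eq 0) {
    Write-Output 'EXE association matches the Windows default.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    if ($Repair) {
        foreach ($key in 'HKCR:\.exe', 'HKCR:\exefile\shell\open\command') {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        }
        Set-ItemProperty -Path 'HKCR:\.exe' -Name '(default)' -Value $expectedProgId
        Set-ItemProperty -Path 'HKCR:\exefile\shell\open\command' -Name '(default)' -Value $expectedCommand
        Write-Output 'Restored the default association (same effect as: ftype exefile="%1" %*).'
    } else {
        Write-Output 'Re-run with -Repair to restore the default, or run: ftype exefile="%1" %*'
    }
}
```

Save it as a .ps1 file and run it once without arguments to see what is currently set; if the association is not the default, the script prints the deviating value, which is worth keeping for the HijackThis or ComboFix discussion, before you run it again with `-Repair`.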
 
LVL 18

Author Comment

by:Priest04
ID: 21783566
I have tried the ftype command, and it restored the exe files.

Hijack log:

*HJT log moved and attached as code snippet,
by rpggamergirl - Zone Advisor*
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:24:40, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
D:\WINDOWS\system32\drivers\CDAC11BA.EXE
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlservr.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Siemens\Step7\S7BIN\s7asysvx.exe
D:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe
D:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe
D:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe
D:\Program Files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlagent.EXE
D:\WINDOWS\system32\devldr32.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\FlashGet\flashget.exe
D:\WINDOWS\system32\ntvdm.exe
C:\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/default
O1 - Hosts: 61.129.115.198 www.xldd.com
O1 - Hosts: 61.129.115.198 www.ojiang.com
O1 - Hosts: 61.129.115.198 www.shuixian.net
O1 - Hosts: 61.129.115.198 www.xlarea.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - D:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] D:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] D:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NSLauncher] D:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [googletalk] D:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [S7UB Start] "D:\Program Files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" -StartDB
O4 - HKLM\..\Run: [WinCC flexible Smart Start] "D:\Program Files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2007\HmiSmartStart.exe" /startup
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "D:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [soundmix] D:\WINDOWS\system32\soundmix.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PcSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] D:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - Global Startup: Service Manager.lnk = D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - D:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - D:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B01423C-E9DF-49AF-8AF3-B01904D63357}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{5862EE4B-0557-4181-9DF3-361C53DDC348}: NameServer = 194.106.162.2,194.106.162.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B01423C-E9DF-49AF-8AF3-B01904D63357}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0B01423C-E9DF-49AF-8AF3-B01904D63357}: NameServer = 192.168.1.1
O23 - Service: Automation License Manager Service (almservice) - SIEMENS AG - D:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - D:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - D:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: S7 Global Services (s7asysvx) - SIEMENS AG - D:\Program Files\Siemens\Step7\S7BIN\s7asysvx.exe
O23 - Service: SIMATIC IEPG Help Service (s7oiehsx) - SIEMENS AG - D:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe
O23 - Service: S7TraceServiceX - SIEMENS AG - D:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 7407 bytes
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21783669
Can you please run ComboFix? We'll clean out your HijackThis log afterwards if the bad entries are still present.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to, and run it from, your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields), as they could easily interfere with ComboFix.
Double click combofix.exe and follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply along with a fresh HJT log.
Re-enable all the programs that were disabled during the running of ComboFix.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


This link tells you How to use Combofix as well as installing RC if you haven't yet.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
LVL 18

Author Comment

by:Priest04
ID: 21784859

ComboFix 08-06-12.2 - Dejan 2008-06-14 12:34:41.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.535 [GMT 2:00]
Running from: D:\Documents and Settings\Dejan\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Dejan\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\WINDOWS\2PQPQpexYafmis
D:\WINDOWS\2PQPQpexYafmis\00000000000000000000.DLL
D:\WINDOWS\4PUPQPPPPPfmis
D:\WINDOWS\4PUPQPPPPPfmis\00000000000000000000.DLL
D:\WINDOWS\4PUPSPPPPPfmis
D:\WINDOWS\4PUPSPPPPPfmis\00000000000000000000.DLL
D:\WINDOWS\system\msvbvm60.dll
D:\WINDOWS\system32\2PQPQpexYafmis
D:\WINDOWS\system32\2PQPQpexYafmis\00000000000000000000.DLL
D:\WINDOWS\system32\4PUPQPPPPPfmis
D:\WINDOWS\system32\4PUPQPPPPPfmis\00000000000000000000.DLL
D:\WINDOWS\system32\4PUPSPPPPPfmis
D:\WINDOWS\system32\4PUPSPPPPPfmis\00000000000000000000.DLL
D:\WINDOWS\system32\MSINET.oca

.
(((((((((((((((((((((((((   Files Created from 2008-05-14 to 2008-06-14  )))))))))))))))))))))))))))))))
.

2008-06-14 12:21 . 2008-06-14 12:21	<DIR>	d--------	D:\WINDOWS\LastGood
2008-06-14 12:21 . 2008-06-14 12:21	<DIR>	d--------	D:\Program Files\Marvell
2008-06-14 02:32 . 2008-06-14 02:37	<DIR>	d--------	D:\WINDOWS\system32\drivers\Avg
2008-06-14 02:32 . 2008-06-14 02:32	<DIR>	d--------	D:\Program Files\AVG
2008-06-14 02:32 . 2008-06-14 02:32	<DIR>	d--------	D:\Documents and Settings\All Users\Application Data\avg8
2008-06-14 02:32 . 2008-06-14 02:32	96,520	--a------	D:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-14 02:32 . 2008-06-14 02:32	75,272	--a------	D:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-14 02:32 . 2008-06-14 02:32	10,520	--a------	D:\WINDOWS\system32\avgrsstx.dll
2008-06-14 00:26 . 2004-08-04 00:56	21,504	--a------	D:\WINDOWS\system32\hidserv.dll
2008-06-14 00:26 . 2004-08-04 00:56	21,504	--a--c---	D:\WINDOWS\system32\dllcache\hidserv.dll
2008-06-14 00:26 . 2004-08-03 22:58	14,848	--a------	D:\WINDOWS\system32\drivers\kbdhid.sys
2008-06-14 00:26 . 2004-08-03 22:58	14,848	--a--c---	D:\WINDOWS\system32\dllcache\kbdhid.sys
2008-06-11 11:02 . 2008-04-14 13:01	272,128	---------	D:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 11:02 . 2008-04-14 13:01	272,128	-----c---	D:\WINDOWS\system32\dllcache\bthport.sys
2008-06-01 13:47 . 2008-06-01 13:47	<DIR>	d--h-c---	D:\$AVG8.VAULT$
2008-05-17 03:00 . 2008-05-17 03:00	<DIR>	d--------	D:\Program Files\MSXML 4.0

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 10:35	---------	d-----w	D:\Program Files\FlashGet
2008-06-14 00:46	---------	d-----w	D:\Program Files\Runtime Software
2008-06-14 00:45	---------	d-----w	D:\Program Files\CDBurnerXP Pro 3
2008-06-14 00:45	---------	d-----w	D:\Program Files\Beads
2008-06-14 00:44	---------	d-----w	D:\Program Files\Winamp
2008-06-14 00:44	---------	d-----w	D:\Program Files\SimpleCenter
2008-06-14 00:39	---------	d-----w	D:\Program Files\Common Files\Teleca Shared
2008-06-14 00:36	---------	d--h--w	D:\Program Files\InstallShield Installation Information
2008-06-14 00:36	---------	d-----w	D:\Program Files\Nokia
2008-06-14 00:35	---------	d-----w	D:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-06-14 00:33	---------	d-----w	D:\Program Files\EA SPORTS
2008-06-14 00:29	---------	d-----w	D:\Program Files\Eset
2008-05-16 02:52	---------	d-----w	D:\Documents and Settings\Dejan\Application Data\uTorrent
2008-05-08 12:28	202,752	----a-w	D:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18	1,287,680	----a-w	D:\WINDOWS\system32\quartz.dll
2008-05-05 14:06	---------	d-----w	D:\Program Files\Cenega
2008-05-04 15:12	---------	d-----w	D:\Documents and Settings\Dejan\Application Data\AdobeAUM
2008-05-04 15:06	---------	d-----w	D:\Documents and Settings\Dejan\Application Data\Teleca
2008-04-28 08:52	---------	d-----w	D:\Program Files\Ubisoft
2008-04-21 07:04	659,456	----a-w	D:\WINDOWS\system32\wininet.dll
2008-04-14 15:42	---------	d-----w	D:\Program Files\PI
2008-03-27 08:12	151,583	----a-w	D:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47	1,845,248	----a-w	D:\WINDOWS\system32\win32k.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{100EB1FD-D03E-47FD-81F3-EE91287F9465}]
			D:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"PcSync"="D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 D:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-11-14 11:21 16270848 D:\WINDOWS\RTHDCPL.EXE]
"JMB36X IDE Setup"="D:\WINDOWS\JM\JMInsIDE.exe" [2006-10-31 06:44 36864]
"36X Raid Configurer"="D:\WINDOWS\system32\JMRaidSetup.exe" [2006-11-17 03:05 1953792]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2007-01-24 03:39 7630848]
"nwiz"="nwiz.exe" [2007-01-24 03:39 1519616 D:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="D:\WINDOWS\system32\NvMcTray.dll" [2007-01-24 03:39 86016]
"googletalk"="D:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 23:22 3739648]
"QuickTime Task"="D:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"WinampAgent"="D:\Program Files\Winamp\winampa.exe" [2007-05-15 00:22 35328]
"S7UB Start"="D:\Program Files\Common Files\Siemens\S7ubtoox\s7ubtstx.exe" [2007-07-27 18:04 102453]
"WinCC flexible Smart Start"="D:\Program Files\Siemens\SIMATIC WinCC flexible\WinCC flexible 2007\HmiSmartStart.exe" [2007-07-20 02:02 159744]
"AVG8_TRAY"="D:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-14 02:32 1177368]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - D:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKLM\~\startupfolder\D:^Documents and Settings^Dejan^Start Menu^Programs^Startup^50 FREE MP3s from eMusic!.lnk]
path=D:\Documents and Settings\Dejan\Start Menu\Programs\Startup\50 FREE MP3s from eMusic!.lnk
backup=D:\WINDOWS\pss\50 FREE MP3s from eMusic!.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\PopCap Games\\Zuma Deluxe\\Zuma.exe"=
"D:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"D:\\Program Files\\uTorrent\\uTorrent.exe"=
"E:\\Install\\eMule0.48a\\emule.exe"=
"D:\\Program Files\\Common Files\\Siemens\\SQLANY\\dbsrv9.exe"=
"D:\\Program Files\\Siemens\\Step7\\S7BIN\\S7tgtopx.exe"=
"D:\\Program Files\\Siemens\\Step7\\S7INF\\S7usiapx.exe"=
"D:\\WINDOWS\\system32\\s7otbxsx.exe"=
"D:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2007\\HmiES.exe"=
"D:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2007\\TraceServer.exe"=
"D:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2007\\Extern\\ExConServer.exe"=
"D:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2007 Runtime\\Miniweb.exe"=
"D:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2007 Runtime\\SmartServer.exe"=
"D:\\Program Files\\Siemens\\SIMATIC WinCC flexible\\WinCC flexible 2007 Runtime\\HmiLoad.exe"=
"D:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"D:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;D:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-14 02:32]
R2 almservice;Automation License Manager Service;"D:\Program Files\Common Files\Siemens\sws\almsrv\almsrvx.exe" [2007-07-26 09:08]
R2 avg8emc;AVG8 E-mail Scanner;D:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-14 02:32]
R2 avg8wd;AVG8 WatchDog;D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-14 02:32]
R2 AvgTdiX;AVG8 Network Redirector;D:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-14 02:32]
R2 Dpmtrcdd;Dpmtrcdd;D:\WINDOWS\system32\DRIVERS\dpmtrcdd.sys [2007-06-25 15:47]
R2 MSSQL$WINCCFLEXIBLE;MSSQL$WINCCFLEXIBLE;"D:\Program Files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlservr.exe" -sWINCCFLEXIBLE []
R2 s7asysvx;S7 Global Services;"D:\Program Files\Siemens\Step7\S7BIN\s7asysvx.exe" [2007-07-27 14:06]
R2 s7oiehsx;SIMATIC IEPG Help Service;D:\Program Files\Common Files\Siemens\S7IEPG\s7oiehsx.exe [2007-11-07 18:42]
R2 s7snsrtx;PROFINET IO RT-Protocol;D:\WINDOWS\system32\DRIVERS\s7snsrtx.sys [2007-07-30 11:06]
R2 S7TraceServiceX;S7TraceServiceX;D:\Program Files\Common Files\Siemens\Automation\TraceEngine\bin\S7TraceServiceX.exe [2007-08-31 10:32]
R2 SNTIE;SIMATIC Industrial Ethernet (ISO);D:\WINDOWS\system32\DRIVERS\sntie.sys [2007-08-10 08:34]
R2 SQLAgent$WINCCFLEXIBLE;SQLAgent$WINCCFLEXIBLE;"D:\Program Files\Microsoft SQL Server\MSSQL$WINCCFLEXIBLE\Binn\sqlagent.EXE" -i WINCCFLEXIBLE []
R3 fwkbdrtm;fwkbdrtm;D:\WINDOWS\system32\drivers\fwkbdrtm.sys [2007-07-19 20:56]
S3 dpmcslv;dpmcslv;D:\WINDOWS\system32\drivers\dpmcslv.sys [2005-07-04 16:04]
S3 gdrv;gdrv;D:\WINDOWS\gdrv.sys [2007-07-09 00:54]
S3 PciCon;PciCon;F:\PciCon.sys []
S3 s7oefs_x;SIMATIC MPI/EFS Driver;D:\WINDOWS\system32\drivers\s7oefs_x.sys [2002-10-18 02:34]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 12:36:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-14 12:36:54
ComboFix-quarantined-files.txt  2008-06-14 10:36:40

Pre-Run: 47,132,852,224 bytes free
Post-Run: 47,745,863,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional Dejan" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional Nikola" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

166	--- E O F ---	2008-06-12 01:02:03
 
LVL 23

Assisted Solution

by:Mohammed Hamada
Mohammed Hamada earned 200 total points
ID: 21786130
If you don't know what these domains are, they should be fixed:

O1 - Hosts: 61.129.115.198 www.xldd.com
O1 - Hosts: 61.129.115.198 www.ojiang.com
O1 - Hosts: 61.129.115.198 www.shuixian.net
O1 - Hosts: 61.129.115.198 www.xlarea.com
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - D:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)


You should fix your registry in order to fix the file associations.
Here are a few of them that you can fix using the scripts/reg keys provided by dougknox:
http://www.dougknox.com/xp/file_assoc.htm

Or you can try a registry fix tool. Here's a free one:

http://www.regiclean.com/

Note:
Before you start fixing the registry, you should use system restore to create a restore point.

Good luck
 
LVL 18

Author Comment

by:Priest04
ID: 21802279
I have already uninstalled ShoppingReport and some other adware software. How can I remove the above hosts?
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 21802332
Run hijackthis, Rescan and fix the above nasties... You have to check each line and then click Fix...
 
LVL 18

Author Comment

by:Priest04
ID: 21802399
OK, one more question: what do the above nasties actually do? :)
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 21802501
It's actually a worm agent, but I believe the hosts entries are there to redirect your web browser, when you surf the internet, to different malware websites: any sites that would infect your PC by downloading spyware/cookies, etc.

As mentioned in this KB article below:

###It modifies the system's HOSTS files to prevent users from accessing certain Web sites.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGENT.XSB

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGENT.XSB&VSect=Sn
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21802599
Yes, fix those O1 hosts entries if they are still present in HijackThis.
They're part of the WORM_AGENT.XSB that stopped most programs from opening, the same worm as the O4 entry in your first HijackThis log:
O4 - HKLM\..\Run: [soundmix] D:\WINDOWS\system32\soundmix.exe


D:\WINDOWS\system32\drivers\fwkbdrtm.sys <-- also can you check the properties of this driver? could belong to Siemens.
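The O1 entries discussed in the last few posts all steer several hostnames to one outside address, which is what a redirect looks like in the HOSTS file (a block entry points at loopback instead). The PowerShell script below is an added example, not code from this thread or from HijackThis: it parses hosts-file lines, treats loopback entries as blocks, and reports every name mapped anywhere else for review. The sample lines at the top are constructed after the thread's O1 entries; the live file is read and never modified, and `Get-HostsEntries` and `Test-SuspiciousEntry` are names chosen for this example.

```powershell
# Added example (not part of the thread): audit a HOSTS file for the kind of
# redirect entries that HijackThis reports as "O1 - Hosts:" lines.
# Assumption: on a typical workstation the only legitimate entries map names
# to loopback (127.0.0.1 / ::1); everything else is reported for review.

function Get-HostsEntries {
    param([string[]]$Lines, [string]$Source = '(inline)')
    foreach ($raw in $Lines) {
        $line = ($raw -split '#', 2)[0].Trim()      # drop comments and whitespace
        if (-not $line) { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { continue }        # an address with no name is not an entry
        $address = $parts[0]
        # One line may list several names for the same address.
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ Source = $Source; Address = $address; HostName = $name }
        }
    }
}

function Test-SuspiciousEntry {
    param($Entry)
    $loopback = @('127.0.0.1', '::1')
    # A name steered to a non-loopback address is a redirect, not a block,
    # and on a workstation that is the usual sign of tampering.
    return ($loopback -notcontains $Entry.Address)
}

# Constructed sample, modelled on the thread's O1 lines (not the real file):
$sample = @(
    '# Copyright (c) 1993-1999 Microsoft Corp.',
    '127.0.0.1       localhost',
    '127.0.0.1       ads.example.invalid   # a block entry: left alone',
    '61.129.115.198  www.xldd.com',
    '61.129.115.198  www.ojiang.com www.shuixian.net'
)
Write-Output '--- constructed sample ---'
Get-HostsEntries -Lines $sample -Source 'sample' |
    Where-Object { Test-SuspiciousEntry $_ } |
    Format-Table -AutoSize

# The live file on this machine, read-only:
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hostsPath) {
    Write-Output "--- $hostsPath ---"
    Get-HostsEntries -Lines (Get-Content $hostsPath) -Source 'live' |
        Where-Object { Test-SuspiciousEntry $_ } |
        Format-Table -AutoSize
}
```

On the constructed sample the report lists the three names behind 61.129.115.198 and nothing else. If the live section prints entries you did not add yourself, that is the same situation the thread handled by fixing the O1 lines in HijackThis; compare the names against the O1 lines in your own log before removing anything.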
 
LVL 18

Author Comment

by:Priest04
ID: 21814307
OK, removed them. fwkbdrtm.sys is a part of the WinCC Siemens software, and is not a threat. Would that be all?

Thanks for all the help so far.
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 21814358
Yes unless you still have any other issues?
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 21820334
Hi Priest04

Please return to the question to finalize it by awarding points to the most helpful answer or splitting points among the experts who participated in solving your problem.

If you are still having problems in regard to the question, then let us know.
 
LVL 18

Author Comment

by:Priest04
ID: 21820457
Hello, moh10ly, why so impatient? All the credits will be assigned. I believe I should test the PC to see if anything else is wrong with it, so it would be kind if you could wait a day or two. I couldn't test the PC last night, since I am not in the office at that hour. The PC has been disconnected from the network until the issue is solved. Now I have connected it and am searching for remaining problems, if there are any.
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 21820561
Sorry for the misunderstanding. I just wanted to know if everything is solved or you are still having a problem. It's not about credits or points; I'm just here to help, regardless of anything else.
 
LVL 18

Author Comment

by:Priest04
ID: 21841291
Last week I tested the PC and didn't find any problems, so I think all is OK. Thanks, guys, for all the help.

Goran
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 21842984
Goran,

Glad to know that the problem is gone.
You can now uninstall ComboFix, please.
Go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Press OK.

Thanks!