1. netmillennium2001

    netmillennium2001 Private E-2

    Hey
    My PC is infected by a trojan horse. These are the log files I get after I do the Read & Run Me First.
     

    Attached Files:

  2. netmillennium2001

    netmillennium2001 Private E-2

    ......
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi Netmillenium,
    Welcome back to the Malware Forum!

    One of the things we ask you is not to run your computer in selective or diagnostic startup mode as this leads to problems. Please put your computer into normal startup mode and then run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.

    Thanks.
    abri
     
  4. netmillennium2001

    netmillennium2001 Private E-2

    Hey
    OK. This is the log file. Thanks ;)
     

    Attached Files:

  5. abri

    abri MajorGeek

    Hi netmillenium,

    1) Do you have a two-way firewall installed?

    2) Go to add/remove programs and uninstall the below:

    - Java(TM) 6 Update 3

    3) Reboot after uninstalling the above.

    4) Install the current version of Sun Java from: Sun Java Runtime Environment

    5) Next we need to delete an NTService and then fix some entries with HijackThis.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Windows api Security Center
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT (it will now be called analyse.exe and you will find it inside the MGTools folder of your root drive), but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste ntapisvc into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Now run HJT/analyse.exe (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O23 - Service: Windows api Security Center (ntapisvc) - Unknown owner - C:\WINDOWS\system32\apisvc.exe (file missing)

    After clicking Fix, exit HJT.

    6) Please run CCleaner and then run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.

    How is your computer running now?

    abri
     
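    The service removal in step 5 above is done by hand through services.msc and HijackThis. The script below is an added example for readers who want to audit the same condition from an administrative PowerShell prompt; it is not part of abri's instructions or of the HijackThis tool. It lists every installed service whose executable is no longer on disk (what HijackThis reports as "(file missing)" on an O23 line) and, only when the assumed -Remove switch is given, stops, disables and deletes the service named on the command line. The default name ntapisvc is the one from this thread; run it without -Remove first so it only reports.

```powershell
# Added example, not from the thread: audit services whose binary is missing,
# then optionally stop/disable/delete one named service.
# Run from an elevated PowerShell prompt. -Remove and -ServiceName are
# parameters of this script, not of any Windows tool.
param(
    [string]$ServiceName = 'ntapisvc',   # service named in the thread
    [switch]$Remove                      # without this the script only reports
)

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # ImagePath may be quoted, carry arguments, use %SystemRoot% or be
    # relative to the Windows directory: normalise it to one absolute file path.
    $p = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] } else { $p = ($p -split '\s+')[0] }
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 1) Report every service whose image file does not exist (HijackThis "(file missing)").
$orphaned = Get-CimInstance Win32_Service | Where-Object {
    $_.PathName -and -not (Test-Path -LiteralPath (Get-ServiceBinaryPath $_.PathName))
}
Write-Host "Services whose executable is missing from disk:"
$orphaned | Select-Object Name, DisplayName, StartMode, State, PathName | Format-Table -AutoSize

# 2) Only when explicitly asked: stop, disable, then delete the named service,
#    mirroring the manual services.msc / HijackThis "Delete an NT Service" steps.
if ($Remove) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { Write-Warning "Service '$ServiceName' not found"; return }
    if ($svc.State -eq 'Running') {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    }
    Set-Service -Name $ServiceName -StartupType Disabled
    # sc.exe delete works on every Windows version; Remove-Service needs PowerShell 6+.
    & sc.exe delete $ServiceName
    Write-Host "Service '$ServiceName' disabled and marked for deletion; reboot to complete."
}
```

    A service entry with a missing binary is not proof of malware on its own (uninstalled software often leaves one behind), so compare the reported names against the HijackThis log before deleting anything, and take the registry backup recommended later in this thread first.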
  6. netmillennium2001

    netmillennium2001 Private E-2

    Hey
    In your solution No. 5, I cannot find the line 'O23 - Service: Windows api Security Center (ntapisvc) - Unknown owner - C:\WINDOWS\system32\apisvc.exe (file missing)'. I already saved the log file with the name hijackthis.log. Thanks
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi netmillenium,

    1) Do you have a two-way firewall installed? This would be different than the Windows Firewall.

    2) I can't read some of your files. What are the following? You may have to compare them to the newfiles.txt log which you can find in the MGTools folder and just open by double clicking on it or by right-clicking on it and selecting open. If you scroll all the way to the bottom of the newfiles log, you'll find the uninstalls list and at the bottom of the list you posted to me, you will find the following two entries. Do you know what they are?

    In add/remove programs:

    ǧǧ¾²Ìý 5.0.1
    ѸÀ×5

    The other entries below are the same problem and can also be found in the newfiles.txt log under the headings which I have put here for you in bold print:

    On your desktop under All Users here
    C:\Documents and Settings\All Users\Desktop\

    Ãâ·Ñ¸ßÇåµçÓ°.url
    ѸÀ×5.lnk
    HP ¿ØÖÆÆ÷.lnk

    in your Start Menu here
    C:\Documents and Settings\All Users\Start Menu\

    HP ¿ØÖÆÆ÷.lnk

    on the desktop of Leow C:\Documents and Settings\Leow\Desktop\


    ppsÍø~1.lnk Feb 16 2008 746 "PPSÍøÂçµçÊÓ.lnk
    ǧǧ¾²Ìý.lnk Jan 10 2008 1602 "ǧǧ¾²Ìý.lnk"
    ǧǧÒô~1.url Jan 10 2008 111 "ǧǧÒôÀÖÔÚÏß.url"
    ¹§Ï²¹§~1.mp3 Jan 30 2008 3142398 "¹§Ï²¹§Ï²-ÖйúÍÞÍÞ.mp3"
    ²ÆÉñµ½~1.wma Jan 25 2008 1429105 "²ÆÉñµ½ - ³Âäø³Ç_»ÆÎÄÓÀ_ÁõÇ«Òæ.Wma"
    ºØÐÂÄê~1.wma Jan 25 2008 4641644 "ºØÐÂÄê_¹§Ï²·¢²Æ_ÐÂÄê¸è¶ù´ó¼Ò³ª_´óµØ»Ø´º-ºØÄêר¼*.wma"
    ³ÂÈÊ·á~1 Feb 23 2008 "³ÂÈÊ·á ÒôÀÖ¹ÊÊÂ


    3) Please find the following file in Windows Explorer and delete it:

    C:\WINDOWS\system32\cid_store.dat

    4) Let me know what all those files might be or if you don't know, let me know that.

    Thanks.
    abri
     
  8. abri

    abri MajorGeek

    Hi netmillenium,
    I want to add the following to my post number 7.

    1) Download and install Erunt. Use it to create a backup of your registry.

    2) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    abri
     
  9. netmillennium2001

    netmillennium2001 Private E-2

    Hey,
    1) First of all, what is a two-way firewall?

    2) I can't read the text you've posted, but according to the 'Newfiles' there are similar files which are '千千静听 5.0.1' and '迅雷5'. The first one is multimedia software which can show the lyrics while playing the songs. The second one is downloading software. Both programs use the Chinese language. Is there any problem with these two programs?
    For the second part (C:\Documents and Settings\All Users\Desktop\), Ãâ·Ñ¸ßÇåµçÓ°.url, which is shown in your post, is the online TV software. ѸÀ×5.lnk is the '迅雷5' software. HP ¿ØÖÆÆ÷.lnk is the HP controller; I think it is the driver for the printer.
    on the desktop of Leow C:\Documents and Settings\Leow\Desktop\,
    ppsÍø~1.lnk Feb 16 2008 746 "PPSÍøÂçµçÊÓ.lnk is the online TV software.
    ǧǧ¾²Ìý.lnk Jan 10 2008 1602 "ǧǧ¾²Ìý.lnk" and ǧǧÒô~1.url Jan 10 2008 111 "ǧǧÒôÀÖÔÚÏß.url" are '千千静听 5.0.1', and the last 4 files, ¹§Ï²¹§~1.mp3 Jan 30 2008 3142398 "¹§Ï²¹§Ï²-ÖйúÍÞÍÞ.mp3, ²ÆÉñµ½~1.wma Jan 25 2008 1429105 "²ÆÉñµ½ - ³Âäø³Ç_»ÆÎÄÓÀ_ÁõÇ«Òæ.Wma", ºØÐÂÄê~1.wma Jan 25 2008 4641644 "ºØÐÂÄê_¹§Ï²·¢²Æ_ÐÂÄê¸è¶ù´ó¼Ò³ª_´óµØ»Ø´º-ºØÄêר¼*.wma" and ³ÂÈÊ·á~1 Feb 23 2008 "³ÂÈÊ·á ÒôÀÖ¹ÊÊ are Chinese songs.

    All the files you can't read are in the Chinese language.
    Thanks
     
  10. abri

    abri MajorGeek

    Thanks netmillenium,

    A two-way firewall like Zone Alarm and Comodo are firewalls which look at both incoming and outgoing traffic with regard to the internet. The Windows firewall only looks at what is trying to come into your computer. It's important to see what is trying to get out of your computer, as things like to call home, including bad things.

    As for the other files, I figured they were in a foreign language, I just couldn't see what they belong to. None of those things are a problem.

    How is your computer running now?

    abri
     
  11. netmillennium2001

    netmillennium2001 Private E-2

    Hey
    Why do I need to create a backup of my registry?

    Now my PC is doing quite well. The antivirus software also didn't indicate that there is any virus. Thanks for your help ;)
     
  12. abri

    abri MajorGeek

    Hi netmillenium,

    I always ask people to make a backup of the registry before doing a registry patch.

    Please follow the final cleanup instructions in the box below:
    abri
     
