12-06-2007, 08:55 PM   #1
scort
Registered User
 
Join Date: Dec 2007
Posts: 14
OS: XP SP1


PC which infected tena_79's PC

Hello, I was recommended by tena_79 to refer to this site for virus infection advice. She said that my PC was infecting her PC. She has already done some disinfection on my PC using Panda ActiveScan, DSS and ComboFix, which she learned from your site. But I guess there are still viruses on my PC that cause it to run slowly.

Below is the DSS scan report from my PC. For your information, I'm using AVG antivirus.

Deckard's System Scanner v20071014.68
Run by imatera on 2007-12-07 09:25:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 79% (more than 75%).
Total Physical Memory: 240 MiB (512 MiB recommended).


-- HijackThis (run as imatera.exe) ---------------------------------------------

logfile has no content; running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2007-12-07 09:26:38
Platform: Windows XP Service Pack 1 (5.01.2600)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\xampp\apache\bin\Apache.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\xampp\apache\bin\Apache.exe
C:\Program Files\xampp\mysql\bin\mysqld-max-nt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spyware Terminator\Spywareterminatorshield.Exe
C:\Program Files\Grisoft\AVG7\avgw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\prjJtksmERA\prjJtksmEra.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\imatera\Desktop\dss.exe
C:\Program Files\Trend Micro\HijackThis\imatera.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.mohr.gov.my:8080
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\Program Files\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\Program Files\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O9 - Extra 'Tools' menuitem: @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...0C/wmv9dmo.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1181109283758
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{7E29FA32-96ED-4E6B-8B0F-CB069AC13198}: NameServer = 10.21.81.214,10.20.16.2
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\Program Files\Crawler\Toolbar\ctbr.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\xampp\apache\bin\Apache.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: mysql - Unknown owner - C:\Program Files\xampp\mysql\bin\mysqld-max-nt
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe


--
End of file - 4878 bytes

-- Files created between 2007-11-07 and 2007-12-07 -----------------------------

2007-12-06 15:51:45 0 d------c- C:\Program Files\Trend Micro
2007-12-06 14:26:11 138752 --a------ C:\WINDOWS\System32\drivers\sp_rsdrv2.sys
2007-12-06 14:08:26 0 d------c- C:\Program Files\WinClamAVShield
2007-12-06 13:52:13 0 d------c- C:\Program Files\Crawler
2007-12-06 13:52:04 0 d------c- C:\Documents and Settings\imatera\Application Data\Spyware Terminator
2007-12-06 13:52:03 0 d------c- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-12-06 13:51:31 0 d------c- C:\Program Files\Spyware Terminator
2007-12-06 10:08:47 0 d-------- C:\WINDOWS\System32\ActiveScan


-- Find3M Report ---------------------------------------------------------------

2007-12-07 08:31:33 0 d------c- C:\Documents and Settings\imatera\Application Data\AVG7
2007-12-06 16:43:05 0 d------c- C:\Documents and Settings\imatera\Application Data\MySQL
2007-12-06 11:36:59 0 d------c- C:\Program Files\prjJtksmERA
2007-11-06 14:59:30 1956 --a------ C:\WINDOWS\System32\d3d8caps.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [24/10/2007 09:20]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [06/12/2007 14:07]




-- End of Deckard's System Scanner: finished at 2007-12-07 09:28:21 ------------


Below is also a report from Panda ActiveScan.


Incident Status Location

Virus:W32/Sohanat.BY.worm Disinfected C:\Documents and Settings\All Users\Documents\My Music\My Music.exe
Virus:W32/Sohanat.BY.worm Disinfected C:\Documents and Settings\All Users\Documents\My Music\My Playlists\My Playlists.exe
Virus:W32/Sohanat.BY.worm Disinfected C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Sample Music.exe
Virus:W32/Sohanat.BY.worm Disinfected C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\001034B3\001034B3.exe
Virus:W32/Sohanat.BY.worm Disinfected C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\Sample Playlists.exe
Virus:W32/Sohanat.BY.worm Disinfected C:\Documents and Settings\All Users\Documents\My Pictures\My Pictures.exe
Virus:W32/Sohanat.BY.worm Disinfected C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sample Pictures.exe
Virus:W32/Sohanat.BY.worm Disinfected C:\Documents and Settings\All Users\Documents\My Videos\My Videos.exe
Virus:W32/Sohanat.BY.worm Disinfected C:\Documents and Settings\All Users\Documents\New Folder.exe
Virus:W32/Sohanat.BY.worm Disinfected C:\Documents and Settings\All Users\Documents\SSCVIIHOST.exe
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\imatera\Application Data\Mozilla\Firefox\Profiles\icwb8do7.default\cookies-1.txt[.statcounter.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\imatera\Application Data\Mozilla\Firefox\Profiles\icwb8do7.default\cookies-1.txt[.adtech.de/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\imatera\Application Data\Mozilla\Firefox\Profiles\icwb8do7.default\cookies-1.txt[.atdmt.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\imatera\Application Data\Mozilla\Firefox\Profiles\icwb8do7.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\imatera\Application Data\Mozilla\Firefox\Profiles\icwb8do7.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\imatera\Application Data\Mozilla\Firefox\Profiles\icwb8do7.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\imatera\Cookies\imatera@247realmedia[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\imatera\Cookies\imatera@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\imatera\Cookies\imatera@adrevolver[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\imatera\Cookies\imatera@adrevolver[3].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\imatera\Cookies\imatera@adtech[2].txt
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\imatera\Cookies\imatera@adviva[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\imatera\Cookies\imatera@azjmp[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\imatera\Cookies\imatera@bs.serving-sys[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\imatera\Cookies\imatera@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\imatera\Cookies\imatera@casalemedia[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\imatera\Cookies\imatera@cgi-bin[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\imatera\Cookies\imatera@ehg-dig.hitbox[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\imatera\Cookies\imatera@gostats[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\imatera\Cookies\imatera@go[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\imatera\Cookies\imatera@overture[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\imatera\Cookies\imatera@tradedoubler[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\imatera\Cookies\imatera@xiti[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\imatera\Desktop\ComboFix.exe[nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\imatera\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe


This is the report from ComboFix yesterday.


ComboFix 07-12-02.7 - imatera 2007-12-06 9:51:08.1 - NTFSx86
Running from: C:\Documents and Settings\imatera\desktop\combofix.exe
Command switches used :: /KillAll
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-06 to 2007-12-06 )))))))))))))))))))))))))))))))
.

2007-12-03 10:00 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-12-03 10:00 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-12-03 10:00 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-12-03 10:00 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-06 00:03 --------- dc----w C:\Documents and Settings\imatera\Application Data\AVG7
2007-12-05 08:23 --------- dc----w C:\Documents and Settings\imatera\Application Data\MySQL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"superproxy"="C:\WINDOWS\superproxy.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Graphics Driver"="C:\WINDOWS\System32\gfxdrvr.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-24 09:20]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 09:20]

S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-06 09:59:29
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-06 10:01:38 - machine was rebooted
.
--- E O F ---


Those are the reports and I hope you can help me. Thanks in advance.