Tech Support Forum - View Single Post

BigPapa · 02-27-2006, 04:27 AM

I basically followed the directions to the point in which my ewido scan was complete. Once done, I deleted all the items in the quarantine section. After doing so, and rebooting the system normally, I did some checking prior to running the Kaspersky scanner. I surfed a little on safe sites, basically used the PC for about 30 minutes and then looked for traces of the virus in windows/temp and other places. Nothing. At this point, it appears the process would be complete.

But alas, following the directions to a T, I ran the Kaspersky Online Scanner. And while it confirmed indeed that the particular infection was gone, it reported a problem with my Mirc installation. Since I don't have time to chat on Mirc anymore, I uninstalled the package just to be safe. And then I scanned again, since my first scan was limited to the C: drive only. The second scan took much longer due to the amount of data, but it proved worthy, as it reminded me that I should have also deleted the Mirc installation bundle I had backed up as well ;)

All in all, success!

Anyway, I give to you my logs and most appreciative gratitude!

---------------------------------------------------------

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:48:51 AM, 2/27/2006
+ Report-Checksum: 3FB27873

+ Scan result:

[252]

C:\WINDOWS\system32\wincqt32.dll
-> Hijacker.Small.kb : Cleaned with backup
C:\Documents and Settings\Big Papa Slim\Application Data\Мicrosoft.NET\smss.exe ->Downloader.PurityScan.bv : Cleaned with backup

<Editted for spams sake> REMOVED many many tracking cookies

C:\WINDOWS\system32\wincqt32.dll
-> Hijacker.Small.kb : Cleaned with backup

::Report End

---------------------------------------------------------

ONLINE SCAN 1
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, February 27, 2006 03:26:13
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 27/02/2006
Kaspersky Anti-Virus database records: 178919
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 29892
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 2162 sec

Infected Object Name - Virus Name
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616

Scan process completed.

------------------------------------------------------

ONLINE SCAN 2
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, February 27, 2006 04:41:22
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 27/02/2006
Kaspersky Anti-Virus database records: 178932
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\
G:\
I:\

Scan Statistics:
Total number of scanned objects: 43973
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 3725 sec

Infected Object Name - Virus Name
I:\Software\Installed\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616
I:\Software\Installed\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616

Scan process completed.

------------------------------------------------------

POST RESOLUTION HJT LOG
-------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 4:44:20 AM, on 2/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{748881EC-D6C7-4237-90F8-44CA9BFB8C39}: NameServer = 68.109.202.25,68.1.18.25
O20 - Winlogon Notify: wincqt32 - wincqt32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I will certainly making a donation in the near future!

02-27-2006, 04:27 AM	#4 (permalink)
BigPapa Registered User Join Date: Feb 2006 Posts: 5 OS: XP Pro SP2	Yet Another Reason To Love Subs I basically followed the directions to the point in which my ewido scan was complete. Once done, I deleted all the items in the quarantine section. After doing so, and rebooting the system normally, I did some checking prior to running the Kaspersky scanner. I surfed a little on safe sites, basically used the PC for about 30 minutes and then looked for traces of the virus in windows/temp and other places. Nothing. At this point, it appears the process would be complete. But alas, following the directions to a T, I ran the Kaspersky Online Scanner. And while it confirmed indeed that the particular infection was gone, it reported a problem with my Mirc installation. Since I don't have time to chat on Mirc anymore, I uninstalled the package just to be safe. And then I scanned again, since my first scan was limited to the C: drive only. The second scan took much longer due to the amount of data, but it proved worthy, as it reminded me that I should have also deleted the Mirc installation bundle I had backed up as well ;) All in all, success! Anyway, I give to you my logs and most appreciative gratitude! --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 1:48:51 AM, 2/27/2006 + Report-Checksum: 3FB27873 + Scan result: [252] C:\WINDOWS\system32\wincqt32.dll -> Hijacker.Small.kb : Cleaned with backup C:\Documents and Settings\Big Papa Slim\Application Data\Мicrosoft.NET\smss.exe ->Downloader.PurityScan.bv : Cleaned with backup <Editted for spams sake> REMOVED many many tracking cookies C:\WINDOWS\system32\wincqt32.dll -> Hijacker.Small.kb : Cleaned with backup ::Report End --------------------------------------------------------- ONLINE SCAN 1 ------------------------------------------------------------------------------- KASPERSKY ON-LINE SCANNER REPORT Monday, February 27, 2006 03:26:13 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky On-line Scanner version: 5.0.67.0 Kaspersky Anti-Virus database last update: 27/02/2006 Kaspersky Anti-Virus database records: 178919 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - Folders: C:\ Scan Statistics: Total number of scanned objects: 29892 Number of viruses found: 1 Number of infected objects: 1 Number of suspicious objects: 0 Duration of the scan process: 2162 sec Infected Object Name - Virus Name C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 Scan process completed. ------------------------------------------------------ ONLINE SCAN 2 ------------------------------------------------------------------------------- KASPERSKY ON-LINE SCANNER REPORT Monday, February 27, 2006 04:41:22 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky On-line Scanner version: 5.0.67.0 Kaspersky Anti-Virus database last update: 27/02/2006 Kaspersky Anti-Virus database records: 178932 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - Folders: C:\ G:\ I:\ Scan Statistics: Total number of scanned objects: 43973 Number of viruses found: 1 Number of infected objects: 2 Number of suspicious objects: 0 Duration of the scan process: 3725 sec Infected Object Name - Virus Name I:\Software\Installed\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 I:\Software\Installed\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 Scan process completed. ------------------------------------------------------ POST RESOLUTION HJT LOG ------------------------------------------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 4:44:20 AM, on 2/27/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\HJT\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{748881EC-D6C7-4237-90F8-44CA9BFB8C39}: NameServer = 68.109.202.25,68.1.18.25 O20 - Winlogon Notify: wincqt32 - wincqt32.dll (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe I will certainly making a donation in the near future!