#1, 03-25-2007, 05:45 AM
cloud, Registered User (Join Date: Oct 2004, Posts: 52, OS: xp)

awww viruses and pop ups!

Here is my log!

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 4:44:19 AM, on 3/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\{906F0571-07C4-1033-1203-020210250001}\Update.exe
C:\Program Files\Adaptec\Wireless Utility\ADPCCfg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchosts.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\CleanUp!\cleanup.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {77166651-cfa7-4a12-9b48-256f32b18033} - C:\WINDOWS\system32\kmdery.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\tmp27.tmp.dll
O4 - HKLM\..\Run: [{906F0571-07C4-1033-1203-020210250001}] "C:\Program Files\Common Files\{906F0571-07C4-1033-1203-020210250001}\Update.exe" te-110-12-0000213
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\jkjghh.dll",setvm
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Global Startup: Adaptec Wireless PC Card v3.0 Utility.lnk = C:\Program Files\Adaptec\Wireless Utility\ADPCCfg.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} - http://activex.microsoft.com/objects/ocget.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: kmdery - C:\WINDOWS\SYSTEM32\kmdery.dll
O21 - SSODL: msvcrt62.dll - {2EA6B56D-C287-4AB7-BFEE-F787A7E504CD} - msvcrt62.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
#2, 03-25-2007, 01:45 PM
cloud, Registered User (Join Date: Oct 2004, Posts: 52, OS: xp)

Re: awww viruses and pop ups!

help...............
#3, 03-25-2007, 09:32 PM
Sempurna, Analyst, Security Team; Assistant Rangemaster, TSF Academy (Join Date: Sep 2006, Posts: 1,302, OS: Windows XP SP2)

Re: awww viruses and pop ups!

Hi cloud,

Welcome to Tech Support Forum!

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, let’s do this first.

Please download Reset Associations and save it to your desktop:
  • Double-click Resetassociations.exe and it will create a new folder on your desktop called "reset associations".
  • Open the folder and double-click "reset.cmd".
  • This should restore all default file associations again since they have been modified.


NEXT:

Please download VundoFix.exe by Atribune and save it to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click YES, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.

NOTE: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot. Run VundoFix and scan for Vundo as many times as necessary until VundoFix says "No infected files were found".


NEXT:

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below (don't forget to copy and paste REGEDIT4 as well):

Code:
REGEDIT4

[-HKEY_CLASSES_ROOT\.dbt]

[-HKEY_CLASSES_ROOT\DBTFILE]

Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop.

It should look like this:

Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

In case you still are unsure on how to create a REG file, please take a look HERE with screenshots.


NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O2 - BHO: (no name) - {77166651-cfa7-4a12-9b48-256f32b18033} - C:\WINDOWS\system32\kmdery.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\tmp27.tmp.dll
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\jkjghh.dll",setvm
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O20 - AppInit_DLLs:
O20 - Winlogon Notify: kmdery - C:\WINDOWS\SYSTEM32\kmdery.dll
O21 - SSODL: msvcrt62.dll - {2EA6B56D-C287-4AB7-BFEE-F787A7E504CD} - msvcrt62.dll (file missing)



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please download OTMoveIt by OldTimer:
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\kmdery.dll
    C:\WINDOWS\system32\tmp27.tmp.dll
    C:\WINDOWS\jkjghh.dll
    C:\Program Files\Network Monitor\netmon.exe
    C:\WINDOWS\System32\IExplorer.dll .dbt
    C:\Program Files\Common Files\{906F0571-07C4-1033-1203-020210250001}


  • Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. After reboot, please run OTMoveIt again, follow the directions as above, and post the Results report for me to see.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The log from the VundoFix scan.
  2. The results report from OTMoveIt.
  3. A new HijackThis log.

How are things running now? Please let me know of any problems that still persist.
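Reading a HijackThis log the way the analyst does above is a matter of judgement, but several of the tells in this thread can be checked mechanically. The following Python script is an added example, not code from the thread or from HijackThis: it applies a few of those heuristics (names one edit away from a core Windows binary such as svchosts.exe and lsasss.exe, "(file missing)" orphans, unnamed BHOs, the legacy RunServices key, a DLL loaded from the Windows root, and one DLL registered as both a BHO and a Winlogon Notify handler) to sample lines copied from the first log. The sample input is constructed from the thread, the core-binary list and thresholds are the example's own assumptions, and the output is a triage aid, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the thread's first HijackThis log, plus
# benign Adobe/AVG entries for contrast. Not HijackThis's own output format code.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchosts.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {77166651-cfa7-4a12-9b48-256f32b18033} - C:\WINDOWS\system32\kmdery.dll
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\jkjghh.dll",setvm
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O20 - Winlogon Notify: kmdery - C:\WINDOWS\SYSTEM32\kmdery.dll
O21 - SSODL: msvcrt62.dll - {2EA6B56D-C287-4AB7-BFEE-F787A7E504CD} - msvcrt62.dll (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Assumed list of names a loader commonly imitates (svchosts.exe, lsasss.exe).
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}

ENTRY_RE = re.compile(r"^([OR]\d+)\s+-\s+(.*)$")     # "O4 - HKLM\..\Run: ..."
PROC_RE = re.compile(r"^[A-Za-z]:\\")                  # "Running processes" lines
FILE_RE = re.compile(r"[\w~\-]+\.(?:exe|dll)", re.IGNORECASE)
WINROOT_DLL_RE = re.compile(r'C:\\WINDOWS\\[^\\"]+\.dll', re.IGNORECASE)


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name):
    """Return the core binary `name` imitates (edit distance exactly 1), else None."""
    name = name.lower()
    if name in CORE_BINARIES:
        return None
    for core in sorted(CORE_BINARIES):
        if levenshtein(name, core) == 1:
            return core
    return None


def review_line(section, body):
    """Per-line heuristics. Returns (file names seen, list of reasons)."""
    files = [f.lower() for f in FILE_RE.findall(body)]
    reasons = []
    for f in files:
        core = lookalike(f)
        if core:
            reasons.append(f"{f} looks like core binary {core}")
    if "(file missing)" in body:
        reasons.append("orphaned entry: target file missing")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("unnamed BHO")
    if section == "O4" and "RunServices" in body:
        reasons.append("RunServices key (legacy, rarely used legitimately on XP)")
    if WINROOT_DLL_RE.search(body):
        reasons.append("DLL loaded from the Windows root rather than system32")
    return files, reasons


def review_log(text):
    """Return [(line, reasons)] for every flagged line, in log order."""
    entries = []
    sections_by_file = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            section, body = m.groups()
        elif PROC_RE.match(line):
            section, body = "PROC", line
        else:
            continue
        files, reasons = review_line(section, body)
        for f in files:
            sections_by_file[f].add(section)
        entries.append((line, files, reasons))
    flagged = []
    for line, files, reasons in entries:
        # Cross-line check: the same DLL as both a BHO (O2) and a Winlogon
        # Notify handler (O20) is a persistence pair, not two unrelated entries.
        for f in files:
            if {"O2", "O20"} <= sections_by_file[f]:
                reasons.append(f"{f} is both a BHO (O2) and a Winlogon Notify handler (O20)")
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in review_log(SAMPLE_LOG):
        print(line + "".join("\n   -> " + r for r in reasons))
```

On the sample above the script flags the same eight lines the analyst singled out and leaves the Adobe and AVG entries alone; a real log needs the human pass too, since a legitimate but oddly named vendor binary will trip the same checks.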
#4, 03-28-2007, 12:21 AM
cloud, Registered User (Join Date: Oct 2004, Posts: 52, OS: xp)

Re: awww viruses and pop ups!

File/Folder C:\WINDOWS\system32\kmdery.dll not found.
File/Folder C:\WINDOWS\system32\tmp27.tmp.dll not found.
File/Folder C:\WINDOWS\jkjghh.dll not found.
File/Folder C:\Program Files\Network Monitor\netmon.exe not found.
File/Folder C:\WINDOWS\System32\IExplorer.dll .dbt not found.
File/Folder C:\Program Files\Common Files\{906F0571-07C4-1033-1203-020210250001} not found.

Created on 03/28/2007 00:20:01





VundoFix V6.3.18

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 11:55:30 PM 3/27/2007

Listing files found while scanning....

C:\WINDOWS\system32\kmdery.dll
C:\WINDOWS\system32\tmp4.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\kmdery.dll
C:\WINDOWS\system32\kmdery.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tmp4.tmp.dll
C:\WINDOWS\system32\tmp4.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.18

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 12:02:30 AM 3/28/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...









Logfile of HijackThis v1.99.1
Scan saved at 12:21:44 AM, on 3/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\NOTEDAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} - http://activex.microsoft.com/objects/ocget.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
#5, 03-28-2007, 01:01 AM
Sempurna, Analyst, Security Team; Assistant Rangemaster, TSF Academy (Join Date: Sep 2006, Posts: 1,302, OS: Windows XP SP2)

Re: awww viruses and pop ups!

Hi cloud,

OK, let’s do this next.

BEFORE BEGINNING, Please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.

Please download SDFix by AndyManchesta and save it to your desktop.

Right-click the SDFix.zip folder and choose Extract All to extract it to its own folder on the desktop.

Please then reboot your computer into Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in "Safe Mode", then press "Enter".
  • Choose your usual account.


Once in Safe Mode, please do the following:
  • Open the extracted folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally, copy and paste the contents of the results file Report.txt back onto the forum along with a new HijackThis log.


NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)


Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please run OTMoveIt and quarantine the following files/folders (please also remember to copy the Results report and paste it in your next reply for me to see):

C:\WINDOWS\NOTEDAD.EXE
C:\WINDOWS\system32\svchosts.exe
C:\Program Files\Network Monitor\netmon.exe



Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. After reboot, please run OTMoveIt again, follow the directions as above, and post the Results report for me to see.


NEXT:

Let's run some cleanup and diagnostic scans to make sure we're not leaving anything behind.

Please download CCleaner (freeware) and save it to your desktop:
  1. Run the CCleaner installer.
  2. During the installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  3. Once installed, run CCleaner and click the Windows tab.
  4. Select the following:
    • Check everything under the Internet Explorer section.
    • Check everything under the Windows Explorer section.
    • Check everything under the System section.
    • Check ONLY Old Prefetch data under the Advanced section.
  5. Then, click the Applications tab:
    • UNCHECK everything there.
  6. Next, click the Options button, then click the Advanced button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  7. Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.


NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please do an online scan with Kaspersky Online Scanner:
  1. Click on Kaspersky Online Scanner.
  2. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  3. The program will launch and then begin downloading the latest definition files.
  4. Once the files have been downloaded click on Next.
  5. Now click on Scan Settings.
  6. In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  7. Click OK.
  8. Now under select a target to scan:
    • Select My Computer.
  9. This program will start and scan your system.
  10. The scan will take a while so be patient and let it run.
  11. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button.
    • In the File name: field, type kavscan.
    • In the Save as type: field, select Text file (*.txt).
  12. Save the file to your desktop.
  13. Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The log from the SDFix scan.
  2. The results report from OTMoveIt.
  3. The log from the ComboFix scan.
  4. The log from the Kaspersky scan.
  5. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
Last edited by Sempurna : 03-28-2007 at 01:07 AM.
#6, 03-28-2007, 08:12 AM
cloud, Registered User (Join Date: Oct 2004, Posts: 52, OS: xp)

Re: awww viruses and pop ups!

SDFix: Version 1.75

Run by Kit - Wed 03/28/2007 - 1:45:40.87

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
COM+ Messages

ImagePath:
"C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213

COM+ Messages Deleted


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\Documents and Settings\Kit\Application Data\Install.dat - Deleted
C:\WINDOWS\hook.txt - Deleted
C:\WINDOWS\system32\explorer.exe - Deleted
C:\WINDOWS\system32\unsvchosts.lzma - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\WINDOWS\\system32\\lxcgcoms.exe"="C:\\WINDOWS\\system32\\lxcgcoms.exe:*:Enabled:2300 Series"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\temp\\947458936.exe"="C:\\WINDOWS\\temp\\947458936.exe:*:Enabled:Enabled"
"C:\\WINDOWS\\temp\\-679611630.exe"="C:\\WINDOWS\\temp\\-679611630.exe:*:Enabled:Enabled"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :


Finished







C:\WINDOWS\NOTEDAD.EXE moved successfully.
File/Folder C:\WINDOWS\system32\svchosts.exe not found.
File/Folder C:\Program Files\Network Monitor\netmon.exe not found.

Created on 03/28/2007 01:57:22



Logfile of HijackThis v1.99.1
Scan saved at 8:10:32 AM, on 3/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {01118400-3E00-11D2-8470-0060089874ED} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\system32\lxcgcoms.exe
#7, 03-28-2007, 08:12 AM
cloud, Registered User (Join Date: Oct 2004, Posts: 52, OS: xp)

Re: awww viruses and pop ups!

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, March 28, 2007 8:03:11 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 28/03/2007
Kaspersky Anti-Virus database records: 287431
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
F:\

Scan Statistics:
Total number of scanned objects: 19557
Number of viruses found: 24
Number of infected objects: 71 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:35:10

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Kit\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kit\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kit\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kit\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kit\Local Settings\History\History.IE5\MSHist012007032820070329\index.dat Object is locked skipped
C:\Documents and Settings\Kit\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kit\My Documents\Kits ****\My Documents\Cliprexdsfree.exe/stream/data0009 Infected: not-a-virus:AdWare.Win32.NewDotNet.d skipped
C:\Documents and Settings\Kit\My Documents\Kits ****\My Documents\Cliprexdsfree.exe/stream/data0010 Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\Documents and Settings\Kit\My Documents\Kits ****\My Documents\Cliprexdsfree.exe/stream/data0011 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\Documents and Settings\Kit\My Documents\Kits ****\My Documents\Cliprexdsfree.exe/stream Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\Documents and Settings\Kit\My Documents\Kits ****\My Documents\Cliprexdsfree.exe NSIS: infected - 4 skipped
C:\Documents and Settings\Kit\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kit\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP106\A0010710.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP106\A0010711.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP106\A0010713.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP106\A0010716.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP106\A0010717.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP106\A0010724.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP107\A0010735.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP107\A0010764.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP107\A0010765.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP107\A0010771.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP107\A0010771.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP107\A0010771.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP107\A0010773.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP107\A0010775.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP107\A0010786.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP107\A0010788.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP107\A0010790.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP108\A0010803.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP108\A0010804.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP108\A0010805.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP108\A0010822.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP108\A0010822.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP108\A0010843.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP108\A0010844.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP108\A0010859.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP108\A0010860.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP108\A0010861.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP110\A0010872.dll Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP111\A0011021.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP111\A0011022.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP111\A0011023.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP111\A0011024.exe Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP111\A0011025.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP111\A0011026.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP111\A0011027.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP111\A0011028.dll Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP111\A0011029.exe Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP111\A0011030.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP111\A0011031.dll Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP111\A0011032.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP111\A0011033.dll Infected: Trojan.Win32.Agent.agv skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP111\A0011034.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP111\A0011036.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP111\A0011037.EXE Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP111\A0012009.dll Infected: Trojan.Win32.Agent.agv skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP112\A0012033.dll Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP112\A0012035.dll Infected: Trojan.Win32.Agent.agv skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP112\A0012062.dll Infected: Trojan.Win32.Agent.agv skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP113\change.log Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008791.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008792.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008795.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008796.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008804.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008805.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008806.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008809.exe/stream/data0002 Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008809.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008809.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008809.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008810.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008810.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008810.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008810.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008811.exe/stream/data0002/stream/data0002 Infected: not-a-virus:AdWare.Win32.Maxifiles.ab skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008811.exe/stream/data0002/stream Infected: not-a-virus:AdWare.Win32.Maxifiles.ab skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008811.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Maxifiles.ab skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008811.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008811.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008811.exe NSIS: infected - 5 skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008812.exe/Stream/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008812.exe/Stream/data0002 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008812.exe/Stream Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008812.exe Inno: infected - 3 skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008816.exe/WISE0009.BIN Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008816.exe/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008816.exe/WISE0011.BIN Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008816.exe/WISE0012.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008816.exe WiseSFX: infected - 4 skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008817.exe/WISE0009.BIN Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008817.exe/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008817.exe/WISE0011.BIN Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008817.exe/WISE0012.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008817.exe WiseSFX: infected - 4 skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008818.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008819.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008822.dll Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008823.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.ab skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008833.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fl skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008833.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008833.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP85\A0008837.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP87\A0009258.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP88\A0010282.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP88\A0010283.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP88\A0010286.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP88\A0010287.exe Object is locked skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP88\A0010288.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP88\A0010289.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fo skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP88\A0010295.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP88\A0010295.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{D82DBB20-E17E-45F8-B016-57F63CE520BB}\RP88\A0010295.exe NSIS: infected - 2 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\UERT_0001_D19M2109NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
Old 03-28-2007, 08:13 AM   #8 (permalink)
Registered User
 
Join Date: Oct 2004
Posts: 52
OS: xp


Re: awww viruses and pop ups!

"Kit" - 07-03-28 2:02:38 Service Pack 2
ComboFix 07-03-27.4 - Running from: "C:\Documents and Settings\Kit\Desktop"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\tmp5.tmp.dll
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt
C:\WINDOWS\system32\tsuninst.exe
C:\Program Files\network monitor
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon
C:\Program Files\Common Files\{306F0~1
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\Kit
C:\qoobox\purity\DOCUME~1\Kit\APPLIC~1
C:\qoobox\purity\DOCUME~1\Kit\APPLIC~1\FNTS~1
C:\qoobox\purity\DOCUME~1\Kit\APPLIC~1\from.txt
C:\qoobox\purity\DOCUME~1\Kit\APPLIC~1\RACLE~1
C:\qoobox\purity\WINDOWS\system32\TSKS~1
C:\qoobox\purity\WINDOWS\system32\WNSXS~1
C:\qoobox\purity\WINDOWS\system32\YSTEM3~1


((((((((((((((((((((((((((((((( Files Created from 2007-02-28 to 2007-03-28 ))))))))))))))))))))))))))))))))))


2007-03-28 01:58 <DIR> d-------- C:\Program Files\CCleaner
2007-03-27 23:55 <DIR> d-------- C:\VundoFix Backups
2007-03-25 16:03 12,219,983 --------- C:\AVG7QT.DAT
2007-03-25 04:30 <DIR> d-------- C:\Program Files\RegCleaner
2007-03-25 04:27 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-03-25 04:27 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-03-21 21:32 32,768 --a------ C:\WINDOWS\system32\svchtoost.exe
2007-03-17 15:44 <DIR> d-------- C:\WINDOWS\system32\bak
2007-03-17 14:00 27,232 --a------ C:\WINDOWS\system32\efedb.exe
2007-03-04 17:29 67 --a-s---- C:\WINDOWS\url1.bat


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-25 16:03 -------- d-------- C:\Program Files\lexmark 2300 series
2007-03-25 06:51 -------- d-------- C:\DOCUME~1\Kit\APPLIC~1\limewire
2007-02-28 23:47 -------- d-------- C:\Program Files\winamp
2007-02-26 22:33 2 --a------ C:\WINDOWS\system32\wcpit.exe
2007-02-24 13:59 -------- d-------- C:\DOCUME~1\Kit\APPLIC~1\google
2007-02-20 23:10 -------- d-------- C:\DOCUME~1\Kit\APPLIC~1\adobeum


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-28 2:03:57
Old 03-28-2007, 09:15 PM   #9 (permalink)
Analyst, Security Team; Assistant Rangemaster, TSF Academy
 
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Re: awww viruses and pop ups!

Hi cloud,

Just one more infection to take care of, and then we can let you go home.

OK, let’s do this next.

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below (don't forget to copy and paste REGEDIT4 as well):

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\temp\947458936.exe"=-
"C:\WINDOWS\temp\-679611630.exe"=-

Save this as fix2.reg and change the "Save as type" to "All Files" and place it on your desktop.

It should look like this:

Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

In case you still are unsure on how to create a REG file, please take a look HERE with screenshots.


NEXT:

Please run OTMoveIt and quarantine the following files/folders (please also remember to copy the Results report and paste it in your next reply for me to see):

C:\WINDOWS\system32\svchtoost.exe
C:\WINDOWS\system32\efedb.exe
C:\WINDOWS\url1.bat
C:\WINDOWS\system32\wcpit.exe
C:\WINDOWS\temp\947458936.exe
C:\WINDOWS\\temp\-679611630.exe
C:\Documents and Settings\Kit\My Documents\Kits ****\My Documents\Cliprexdsfree.exe
C:\WINDOWS\Downloaded Program Files\UERT_0001_D19M2109NetInstaller.exe



Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. After reboot, please run OTMoveIt again, follow the directions as above, and post the Results report for me to see.


NEXT:

Please download FindAWF by noahdfear and save it to your desktop:
  • Please double-click FindAWF.exe to run it.
  • If a security alert shows, allow the program to run.
  • When the tool has completed, a report will open in Notepad.
  • Please post the results of the awf.txt in your next reply.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The results report from OTMoveIt.
  2. The log from the FindAWF scan.
  3. A new HijackThis log.

How are things running now? Please let me know of any problems that still persist.

Last edited by Sempurna : 03-29-2007 at 07:02 PM.
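The fix2.reg above deletes two firewall exceptions for executables sitting in C:\WINDOWS\temp, which is how the infection kept its own network access open. As an added example (not from the thread, the analyst, or any tool named in it), the following PowerShell audits the same legacy AuthorizedApplications list for exceptions with those traits and emits a matching REGEDIT4 deletion fragment; it assumes the XP/2003 registry layout quoted in the thread, PowerShell 2.0 or later in an elevated session, and the directory list and numeric-name rule are heuristics chosen for this example.

```powershell
# Added example: audit the legacy Windows Firewall (XP/2003 "SharedAccess")
# authorised-application list for exceptions that look like the two removed
# in the thread: an executable in a temp or download directory, a bare numeric
# file name, or a file that no longer exists on disk.
# Assumptions: the registry layout quoted in the thread, PowerShell 2.0+, and
# an elevated session on the machine under review. The directory list and the
# numeric-name rule are heuristics chosen for this example, not tool defaults.

$base     = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$profiles = 'StandardProfile', 'DomainProfile'

# Locations from which no legitimate program needs a standing firewall exception.
$suspiciousDirs = @(
    (Join-Path $env:SystemRoot 'temp'),
    (Join-Path $env:SystemRoot 'Downloaded Program Files'),
    $env:TEMP
) | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

# Value data has the shape "<path>:<scope>:Enabled|Disabled:<display name>".
# The lazy <path> group only stops at a ":<scope>:Enabled:" boundary, so the
# drive-letter colon inside the path does not split it.
$dataPattern = '^(?<path>.+?):(?<scope>[^:]*):(?<state>Enabled|Disabled):(?<name>.*)$'

$findings = foreach ($profile in $profiles) {
    $key = "$base\$profile\AuthorizedApplications\List"
    if (-not (Test-Path -LiteralPath $key)) { continue }

    $item = Get-ItemProperty -LiteralPath $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are metadata

        $valueName = $prop.Name                    # the value name is the exe path itself
        $expanded  = [Environment]::ExpandEnvironmentVariables($valueName)
        $state     = 'unparsed'
        if (([string]$prop.Value) -match $dataPattern) { $state = $Matches['state'] }

        $reasons = @()
        try {
            $dir = [System.IO.Path]::GetDirectoryName($expanded)
            if ($dir -and ($suspiciousDirs -contains $dir.TrimEnd('\').ToLowerInvariant())) {
                $reasons += 'temp/download directory'
            }
            if ([System.IO.Path]::GetFileName($expanded) -match '^-?\d+\.exe$') {
                $reasons += 'bare numeric file name'
            }
        } catch { $reasons += 'value name is not a valid path' }
        if ($expanded -and -not (Test-Path -LiteralPath $expanded)) { $reasons += 'file missing on disk' }

        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Profile = $profile; Path = $valueName; State = $state; Reasons = ($reasons -join '; ')
            }
        }
    }
}

if (-not $findings) {
    'No suspicious firewall exceptions found.'
} else {
    $findings | Format-Table Profile, State, Path, Reasons -AutoSize

    # Build a REGEDIT4 fragment like the analyst's fix2.reg: "name"=- deletes the
    # value. Backslashes are doubled, as regedit's own exports do. Review before merging.
    $regLines = @('REGEDIT4')
    foreach ($group in ($findings | Group-Object Profile)) {
        $regLines += ''
        $regLines += '[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\' + $group.Name + '\AuthorizedApplications\List]'
        foreach ($f in $group.Group) { $regLines += ('"{0}"=-' -f $f.Path.Replace('\', '\\')) }
    }
    $regLines -join "`r`n"
}
```

Entries flagged only as "file missing on disk" are orphaned exceptions left behind after a cleanup, like the two "not found" paths in the OTMoveIt results that follow; they are harmless on their own but are still worth removing.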
Old 04-01-2007, 03:36 PM   #10 (permalink)
Registered User
 
Join Date: Oct 2004
Posts: 52
OS: xp


Re: awww viruses and pop ups!

C:\WINDOWS\system32\svchtoost.exe moved successfully.
C:\WINDOWS\system32\efedb.exe moved successfully.
C:\WINDOWS\url1.bat moved successfully.
C:\WINDOWS\system32\wcpit.exe moved successfully.
File/Folder C:\WINDOWS\temp\947458936.exe not found.
File/Folder C:\WINDOWS\\temp\-679611630.exe not found.
File/Folder C:\Documents and Settings\Kit\My Documents\Kits ****\My Documents\Cliprexdsfree.exe not found.