Rahina

Cool

Please post a frsh hijackthislogfile

__________________

Guido_PA

Here it is.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:31:30 AM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Secunia\PSI (RC1)\psi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://members.iatn.net/forums/read/...oop=1&loopcp=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
N2 - Netscape 6: # Mozilla User Preferences
// This is a generated file!

user_pref(".aim.away.autoreply", true);
user_pref(".aim.buddy.SndPlayFirstIncoming", true);
user_pref(".aim.buddy.SndPlayIncoming", true);
user_pref(".aim.buddy.SndPlayOutgoing", true);
user_pref(".aim.buddy.SndPlaySignOff", true);
user_pref(".aim.buddy.SndPlaySignOn", true);
user_pref(".aim.chat.AnnounceChatRoom", true);
user_pref(".aim.chat.FlashChatWin", true);
user_pref(".aim.chat.SndPlayIncoming", true);
user_pref(".aim.chat.SndPlayOutgoing", true);
user_pref(".aim.chat.unavailable", false);
user_pref(".aim.general.im.enterCR", false);
user_pref(".aim.general.im.smilies", true);
user_pref(".aim.general.im.tabKey", false);
user_pref(".aim.general.im.timeStamp", true);
user_pref(".aim.im.playall", false);
user_pref(".aim.mail.presence", true);
user_pref(".aim.proxy.host", "");
user_pref(".aim.proxy.password", "");
user_pref(".aim.proxy.port", 1080);
user_pref(".aim.proxy.protocol", 1);
user_pref(".aim.proxy.use", false);
user_pref(".
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Startup: Secunia PSI (RC1).lnk = C:\Program Files\Secunia\PSI (RC1)\psi.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com/start.html
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1198501212625
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1198501189968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C130F0B3-CD97-4DFC-B052-2BD17A7B82F5} - http://activex.microsoft.com/objects/ocget.dll
O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AshampooDefragService - - C:\Program Files\Ashampoo\Ashampoo Magical Defrag\bin\aDefragService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\MSN Messenger\usnsvc.exe (file missing)
O23 - Service: W - Unknown owner - C:\DOCUME~1\awa00jle\LOCALS~1\Temp\W.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7731 bytes

Rahina

Please open HiJackThis and scan. Check the boxes next to all the entries listed below

O18 - Protocol: AutorunsDisabled - (no CLSID) - (no file)
O23 - Service: W - Unknown owner - C:\DOCUME~1\awa00jle\LOCALS~1\Temp\W.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis

==========

Perform an online scan with Internet Explorer with Panda ActiveScan

1. Click on located at the bottom of the page.
2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*

Begin the scan by selecting

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
• Click on then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

__________________

Rahina

Let me know the results.

__________________

Guido_PA

Hi Rahina:

The results are below but something caught my attention. Earlier, I told you that the W.exe was back when I ran HijackThis. BTW, this was after a reboot. I ran it again after running Panda and rebooting. It doesn't show. What does show is the O18 item again. This was not there when I commented earlier today.

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-05-15 21:42:10
PROTECTIONS: 1
MALWARE: 2
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Kaspersky Internet Security 7.0.1.325 No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139535 Application/Processor HackTools No 0 Yes No C:\SDFix\apps\Process.exe
00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\awa00jle\Desktop\Tools\SDFix.exe[SDFix\apps\Process.exe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\WINDOWS\PSEXESVC.EXE
;===================================================================================================================================================================================
SUSPECTS
Sent Location 
;===================================================================================================================================================================================
No C:\Documents and Settings\awa00jle\Desktop\Tools\MsnVirRem.exe 
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description 
;===================================================================================================================================================================================
;===================================================================================================================================================================================

TIA,

Guido

Rahina

Looks good!

You can delete SDFIX, we won't need it.

Also delete MsnVirRem.exe you won't need it.

Are you still receiving issues?

__________________

Guido_PA

Hi Rahina:

I removed the two items as you directed. I then rebooted and then ran HijackThis and Spysweeper again. HijackThis appeared to be fine. SpySweeper flagged that pdf file again. I looked into this a little more since I had deleted it from Quarantine before running the sweep and it's been showing up consistently. The archive flag was turned on. (Sorry about that.) Anyhow, I manually deleted the file, deleted the Quarantine and ran HijackThis again. The O18 is back. Earlier it wasn't there. How would you like me to proceed.

The lady said that she's had no problems changing profiles. Before, it was impossible. A reboot was required as the box was locked up.

TIA,

Guido

Rahina

Good.

No worries, it does no harm. Doesn't need to be fixed.

I assume this computer is running much better now, correct me if i'm wrong.

Cheers.

Rahina

__________________

Guido_PA

Yes, it appears to be running much better. The only other thing I see being flagged is ComboFix by Kaspersky but I figure that's to be expected.

Rahina

Sorry for the delay, i did get a e-mail notification that you posted, i checked it as read but i forgot to answer.

Kaspersky is finding Combofix Components as "False positives", means that it finds it as bad but there is nothing to be worried about.

Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

• Disable and Enable System Restore.

If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore

1. Windows XP System Restore Guide
   
   Reenable system restore with instructions from tutorial above
   
2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
3. From within Internet Explorer click on the Tools menu and then click on Options.
4. Click once on the Security tab
5. Click once on the Internet icon so it becomes highlighted.
6. Click once on the Custom Level button.
   1. Change the Download signed ActiveX controls to Prompt
   2. Change the Download unsigned ActiveX controls to Disable
   3. Change the Initialize and script ActiveX controls not marked as safe to Disable
   4. Change the Installation of desktop items to Prompt
   5. Change the Launching programs and files in an IFRAME to Prompt
   6. Change the Navigate sub-frames across different domains to Prompt
   7. When all these settings have been made, click on the OK button.
   8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
7. Next press the Apply button and then the OK to exit the Internet Properties page.

• Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
  
  See this link for a listing of some online & their stand-alone antivirus programs:
  
  Virus, Spyware, and Malware Protection and Removal Resources
  
• Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  
• Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
  
  For a tutorial on Firewalls and a listing of some available ones see the link below:
  
  Understanding and Using Firewalls
  
• Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
• Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.
  
  A tutorial on installing & using this product can be found here:
  
  Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
  
• Install AVG Anti-Spyware - Install and download AVG Anti-Spyware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
  
  A tutorial on installing & using this product can be found here:
  
  Using AVG Anti-Spyware to remove Spyware, Malware, & Hijackers from Your Computer
  
• Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
  
  A tutorial on installing & using this product can be found here:
  
  Using SpywareBlaster to protect your computer from Spyware and Malware
  
• Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

• IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.
• Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

Let me know if you still receive problems :)

__________________

Guido_PA

Hi Rahina:

I did most of the stuff which you recommended. As an FYI, AVG no longer offers their Anti-spyware. That and the Anti-Rootkit is now part of their paid product. I've installed the trial version and ran it just for GP. I'm not sure if I'm that impressed. There were 198 warnings which appear to be false positives.

Spybot only flagged the Windows Firewall change, which AVG did not. The AVG is good for 30 days. Kaspersky's trial version is running out. I'll remove it and AVG shortly. Before I do that, I wish to run a few more different scans, at different times, just to make sure nothing is rearing its ugly head. Eventually, I'll put ZA back on. I had mentioned before that I have to have Symantec on this box. I'll need to re-install this but I'll attempt to use their Cleanup tool first. Needless to say, I wasn't that impressed with the efficacy of that program once I knew I had gotten bit back in the beginning of the year. I only realized it because I review the ZA logs on a periodic basis.

In retrospect, I didn't really see anything off the wall either. Maybe I was just being gun-shy.

I do sincerely appreciate your time.

Thank you,

Guido

Rahina

anytime

__________________

Guido_PA

Hi Rahina:

I've run all the tests that I can think of and I don't see any probs. I think we should close this thread and just chalk it up to perceived fear on my part. (I apologize to anyone viewing who expected to see an earth-shattering rootkit. I did.)

Again, I thank you for your time.

From the FWIW column, I think that I may be able to bring something to the forum and I intend to "enroll" in the adviser's training which is offered. I'm a firm believer that if you are exposed/ask for help from/ to people willing to help you that's it's oxymoronic to not try to help others who may need help.

Thanks again.

Guido