Resolved HJT Threads (Resolved spyware and popup issues)
#1
Registered User
Join Date: Nov 2007
Posts: 14
OS: XP SP2
This is my log file for my PC. I hope this problem can be resolved.
Deckard's System Scanner v20071014.68
Run by Yakansang on 2007-11-26 10:47:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2007-11-26 02:48:03 UTC - RP219 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 86% (more than 75%).
Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as Yakansang.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:47, on 26/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\xampp\apache\bin\Apache.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\xampp\mysql\bin\mysqld-max-nt.exe
C:\Program Files\Nakido\nakido.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\xampp\apache\bin\Apache.exe
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Documents and Settings\Yakansang\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Yakansang.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.mohr.gov.my:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *mohr.gov.my;10.21*;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\PROGRA~1\MASSDO~1\MDHELPER.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1155019823402
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = imateradigital.com
O17 - HKLM\Software\..\Telephony: DomainName = imateradigital.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE4D789C-6192-49F8-AC90-9C2F59DC9728}: NameServer = 10.21.81.214,10.20.16.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = imateradigital.com
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O22 - SharedTaskScheduler: {03413bf7-e34c-445b-bfc0-a2b127255871} - incestuously - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\xampp\apache\bin\Apache.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mysql - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Nakido - Nakido - C:\Program Files\Nakido\nakido.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Program Files\xampp\service.exe

--
End of file - 10449 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20071126-102432-187 O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Yakansang\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 VMnetBridge (VMware Bridge Protocol) - c:\windows\system32\drivers\vmnetbridge.sys <Not Verified; VMware, Inc.; VMware bridge driver (32-bit)>
R2 VMnetuserif (VMware Network Application Interface) - c:\windows\system32\drivers\vmnetuserif.sys <Not Verified; VMware, Inc.; VMware network application interface driver (32-bit)>
R2 VMparport (VMware VMparport) - c:\windows\system32\drivers\vmparport.sys <Not Verified; VMware, Inc.; VMware parallel port driver>
R2 vmx86 (VMware vmx86) - c:\windows\system32\drivers\vmx86.sys <Not Verified; VMware, Inc.; VMware kernel driver>
R2 vstor2 (Vstor2 Virtual Storage Driver) - c:\program files\common files\vmware\vmware virtual image editing\vstor2.sys <Not Verified; VMware, Inc.; VMware Virtual Machine Importer>

S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; Scheduler>
R2 Apache2 - "c:\program files\xampp\apache\bin\apache.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
R2 mysql - "c:\program files\xampp\mysql\bin\mysqld-max-nt" --defaults-file="c:\windows\my.ini" "mysql" (file missing)
R2 Nakido - c:\program files\nakido\nakido.exe <Not Verified; Nakido; Nakido>
R2 VMAuthdService (VMware Authorization Service) - c:\program files\vmware\vmware server\vmware-authd.exe <Not Verified; VMware, Inc.; VMware Server>
R2 VMnetDHCP (VMware DHCP Service) - c:\windows\system32\vmnetdhcp.exe <Not Verified; VMware, Inc.; VMware Server>
R2 vmount2 (VMware Virtual Mount Manager Extended) - "c:\program files\common files\vmware\vmware virtual image editing\vmount2.exe" <Not Verified; VMware, Inc.; VMware Virtual Machine Importer>
R2 vmserverdWin32 (VMware Registration Service) - c:\program files\vmware\vmware server\vmserverdwin32.exe <Not Verified; VMware, Inc.; VMware Server>
R2 VMware NAT Service - c:\windows\system32\vmnat.exe <Not Verified; VMware, Inc.; VMware Server>
R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>

S2 UTSCSI (USBest Service Zero) - c:\windows\system32\utscsi.exe
S2 XAMPP (XAMPP Service) - c:\program files\xampp\service.exe
S3 OracleClientCache80 - c:\orant\bin\onrsd80.exe
S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: MPU-401 Compatible MIDI Device
Device ID: ACPI\PNPB006\4&1D71E168&0
Manufacturer: Microsoft
Name: MPU-401 Compatible MIDI Device
PNP Device ID: ACPI\PNPB006\4&1D71E168&0
Service: ms_mpu401

-- Files created between 2007-10-26 and 2007-11-26 -----------------------------

2007-11-26 10:21:05 0 d-------- C:\Program Files\Trend Micro
2007-11-23 08:58:32 0 d-------- C:\Program Files\Kaspersky Lab
2007-11-23 08:58:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-23 08:58:30 7968 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-23 08:58:30 2714912 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-20 10:36:02 0 d-------- C:\WINDOWS\system32\upft
2007-11-19 16:02:27 0 d-------- C:\Program Files\Gran Paradiso
2007-11-02 16:08:50 0 d-------- C:\Documents and Settings\Yakansang\Application Data\Opera
2007-11-01 10:21:13 0 d-------- C:\Program Files\Common Files\NSV
2007-10-29 08:27:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Macromedia
2007-10-29 08:27:13 0 d-------- C:\Program Files\Common Files\Macromedia
2007-10-29 08:27:12 0 d-------- C:\Program Files\Macromedia
2007-10-29 08:25:38 0 d-------- C:\WINDOWS\Downloaded Installations

-- Find3M Report ---------------------------------------------------------------

2007-11-26 08:07:44 0 d-------- C:\Program Files\Nakido
2007-11-22 17:05:43 0 d-------- C:\Documents and Settings\Yakansang\Application Data\MySQL
2007-11-20 14:10:19 0 d-------- C:\Program Files\prjJtksm_WC
2007-11-20 14:09:39 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-11-12 09:18:48 0 d-------- C:\Program Files\Java
2007-11-01 10:21:13 0 d-------- C:\Program Files\Common Files
2007-10-29 09:38:15 0 d-------- C:\Documents and Settings\Yakansang\Application Data\Macromedia
2007-10-10 10:53:57 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-10-08 13:11:35 0 d-------- C:\Documents and Settings\Yakansang\Application Data\Adobe
2007-10-08 09:21:46 0 d-------- C:\Program Files\Common Files\Adobe
2007-10-08 09:17:19 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-08 09:16:31 0 d-------- C:\Program Files\PSCS2Updater
2007-10-08 09:10:42 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-10-01 11:38:17 0 d-------- C:\Documents and Settings\Yakansang\Application Data\Nokia
2007-10-01 11:32:28 0 d-------- C:\Documents and Settings\Yakansang\Application Data\PC Suite
2007-10-01 11:31:44 0 d-------- C:\Program Files\Common Files\PCSuite
2007-10-01 11:31:25 0 d-------- C:\Program Files\Common Files\Nokia
2007-10-01 11:31:23 0 d-------- C:\Program Files\Nokia
2007-10-01 11:30:59 0 d-------- C:\Program Files\DIFX
2007-10-01 11:30:24 0 d-------- C:\Program Files\PC Connectivity Solution
2007-09-03 17:08:10 6112 --a------ C:\WINDOWS\mozver.dat
2007-09-03 15:17:49 159 --a------ C:\Documents and Settings\Yakansang\Application Data\mainhst.zgh

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [26/10/2007 09:43]
"LClock"="C:\Program Files\LClock\LClock.exe" []
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [11/10/2007 08:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [08/11/2006 13:27]
"kav"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [24/03/2006 18:09]
"@"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 00:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
"C:\Program Files\CCleaner\ccleaner.exe" /AUTO

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Glass2k]
C:\Program Files\Glass2k\Glass2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23fbf5f0-6fcc-11db-bd80-005056c00008}]
AutoRun\command- E:\idstick.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b4d1570-d378-11db-aaef-005056c00008}]
Auto\command- boot.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63f0c060-a13d-11db-96ac-005056c00008}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{642e2bca-7831-11db-9670-005056c00008}]
Auto\command- H:\RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac5f2d50-86bd-11db-9692-005056c00008}]
Auto\command- infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e290c850-6f05-11db-bd7a-005056c00008}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

-- End of Deckard's System Scanner: finished at 2007-11-26 10:58:18 ------------
#3
Registered User
Join Date: Nov 2007
Posts: 14
OS: XP SP2
Hi, this is not a bump, just an update on what I've done to my PC. I searched an old thread with the same problem and followed the instructions given. It said to download FixWareout and run it, then to send C:\fixwareout\report.txt and main.txt. So here I send both reports.
After I did all this, my Kaspersky popped up a message saying there are trojans in the system that need to be deleted (autorun.inf). This occurs every time I boot my system.

Here is the report.txt:

Username "Yakansang" - 30/11/2007 8:13:29 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kav"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\""
"SpywareTerminator"="\"C:\\Program Files\\Spyware Terminator\\SpywareTerminatorShield.exe\""
"avgnt"="\"C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

Here is the main.txt:

Deckard's System Scanner v20071014.68
Run by Yakansang on 2007-11-30 08:25:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 86% (more than 75%).
Total Physical Memory: 511 MiB (512 MiB recommended).

-- HijackThis (run as Yakansang.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:50, on 30/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\xampp\apache\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\xampp\mysql\bin\mysqld-max-nt.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Program Files\xampp\apache\bin\Apache.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Yakansang\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\YAKANS~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.mohr.gov.my:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *mohr.gov.my;10.21*;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IECatcher Class - {B930BA63-9E5A-11D3-A288-0000E80E2EDE} - C:\PROGRA~1\MASSDO~1\MDHELPER.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: + &Mass Downloader: download this file - C:\Program Files\Mass Downloader\Add_Url.htm
O8 - Extra context menu item: + Mass Downloader: download &All files - C:\Program Files\Mass Downloader\Add_All.htm
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1155019823402
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = imateradigital.com
O17 - HKLM\Software\..\Telephony: DomainName = imateradigital.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE4D789C-6192-49F8-AC90-9C2F59DC9728}: NameServer = 10.21.81.214,10.20.16.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = imateradigital.com
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O22 - SharedTaskScheduler: {03413bf7-e34c-445b-bfc0-a2b127255871} - incestuously - (no file)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\xampp\apache\bin\Apache.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: mysql - Unknown owner - C:\Program.exe (file missing)
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Program Files\xampp\service.exe

--
End of file - 9459 bytes

-- Files created between 2007-10-30 and 2007-11-30 -----------------------------

2007-11-27 16:16:36 138752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-11-27 16 13 0 d-------- C:\Program Files\Crawler
2007-11-27 16:05:51 0 d-------- C:\Documents and Settings\Yakansang\Application Data\Spyware Terminator
2007-11-27 16:05:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-11-27 16:05:04 0 d-------- C:\Program Files\Spyware Terminator
2007-11-26 16:26:42 0 d-------- C:\Program Files\SpywareBlaster
2007-11-26 11:59:19 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-11-26 10:21:05 0 d-------- C:\Program Files\Trend Micro
2007-11-23 08:58:32 0 d-------- C:\Program Files\Kaspersky Lab
2007-11-23 08:58:32 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-23 08:58:30 34592 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-23 08:58:30 6003232 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-20 10:36:02 0 d-------- C:\WINDOWS\system32\upft
2007-11-02 16:08:50 0 d-------- C:\Documents and Settings\Yakansang\Application Data\Opera
2007-11-01 10:21:13 0 d-------- C:\Program Files\Common Files\NSV

-- Find3M Report ---------------------------------------------------------------

2007-11-29 17:11:49 0 d-------- C:\Program Files\Ahead
2007-11-29 17:11:03 0 d-------- C:\Program Files\Common Files\Ahead
2007-11-29 16:44:52 0 d-------- C:\Documents and Settings\Yakansang\Application Data\MySQL
2007-11-26 14:53:27 0 d-------- C:\Program Files\prjJtksm_WC
2007-11-26 14:53:06 0 d-------- C:\Program Files\PC Connectivity Solution
2007-11-20 14:09:39 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-11-12 09:18:48 0 d-------- C:\Program Files\Java
2007-11-01 10:21:13 0 d-------- C:\Program Files\Common Files
2007-10-29 09:38:15 0 d-------- C:\Documents and Settings\Yakansang\Application Data\Macromedia
2007-10-29 08:34:08 0 d-------- C:\Program Files\Common Files\Macromedia
2007-10-29 08:28:16 0 d-------- C:\Program Files\Macromedia
2007-10-10 10:53:57 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-10-08 13:11:35 0 d-------- C:\Documents and Settings\Yakansang\Application Data\Adobe
2007-10-08 09:21:46 0 d-------- C:\Program Files\Common Files\Adobe
2007-10-08 09:17:19 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-08 09:16:31 0 d-------- C:\Program Files\PSCS2Updater
2007-10-08 09:10:42 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-10-01 11:38:17 0 d-------- C:\Documents and Settings\Yakansang\Application Data\Nokia
2007-10-01 11:32:28 0 d-------- C:\Documents and Settings\Yakansang\Application Data\PC Suite
2007-10-01 11:31:44 0 d-------- C:\Program Files\Common Files\PCSuite
2007-10-01 11:31:25 0 d-------- C:\Program Files\Common Files\Nokia
2007-10-01 11:31:23 0 d-------- C:\Program Files\Nokia
2007-10-01 11:30:59 0 d-------- C:\Program Files\DIFX
2007-09-03 17:08:10 6112 --a------ C:\WINDOWS\mozver.dat
2007-09-03 15:17:49 159 --a------ C:\Documents and Settings\Yakansang\Application Data\mainhst.zgh

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kav"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [24/03/2006 18:09]
"@"="" []
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [27/11/2007 16:14]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [11/10/2007 08:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 00:56]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}] @="Volume shadow copy" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Glass2k] C:\Program Files\Glass2k\Glass2k.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\SMSERIAL] sm56hlpr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "UTSCSI"=2 (0x2) "Nakido"=2 (0x2) "AVGEMS"=2 (0x2) "Avg7Alrt"=2 (0x2) "AVG Anti-Spyware Guard"=2 (0x2) "AntiVirScheduler"=2 (0x2) "Adobe LM Service"=3 (0x3) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23fbf5f0-6fcc-11db-bd80-005056c00008}] AutoRun\command- E:\idstick.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b4d1570-d378-11db-aaef-005056c00008}] Auto\command- boot.exe AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63f0c060-a13d-11db-96ac-005056c00008}] Auto\command- RavMonE.exe e AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{642e2bca-7831-11db-9670-005056c00008}] Auto\command- H:\RavMonE.exe e AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac5f2d50-86bd-11db-9692-005056c00008}] Auto\command- infrom.exe AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e290c850-6f05-11db-bd7a-005056c00008}] Auto\command- RavMonE.exe e AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e -- End of Deckard's System Scanner: finished at 2007-11-30 08:27:23 
------------ Last edited by tena_79; 11-29-2007 at 04:41 PM. |
#5
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,541
OS: xp
Re: Antivirus pop up message-W32/Dzan.a attack
Welcome to the forum
Start Hijackthis Scan and place a check next to these items if they are there.

O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O22 - SharedTaskScheduler: {03413bf7-e34c-445b-bfc0-a2b127255871} - incestuously - (no file)

Optional fixes

O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll

====================================

Hit fix checked and close Hijackthis.

Post a combofix log

1. Download this file - combofix.exe to your desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
alternate link
http://www.techsupportforum.com/sect...s/ComboFix.exe

2. Run the program in this fashion: go start, run and copy paste in
"%userprofile%\desktop\combofix.exe" /KillAll
Hit ok or press enter

3. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If you already have combofix re-download please as it is updated often.

Why do you have three antivirus programs installed?
#6
Registered User
Join Date: Nov 2007
Posts: 14
OS: XP SP2
Thank you for your reply, here is the combo fix report.
ComboFix 07-12-02.7 - Yakansang 2007-12-04 9:12:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.143 [GMT 8:00]
Running from: C:\Documents and Settings\Yakansang\desktop\combofix.exe
Command switches used :: /KillAll
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Yakansang\Application Data\macromedia\Flash Player\#SharedObjects\XSEFZ9BX\iforex.com
C:\Documents and Settings\Yakansang\Application Data\macromedia\Flash Player\#SharedObjects\XSEFZ9BX\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Yakansang\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Yakansang\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\components
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_NPF

((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.
2007-11-30 16:51 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-11-30 16:51 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-11-30 10:19 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2007-11-30 10:18 . 2001-08-17 12:48 281,600 --a--c--- C:\WINDOWS\system32\dllcache\atimtai.sys
2007-11-30 10:17 . 2001-08-17 14:55 382,592 --a--c--- C:\WINDOWS\system32\dllcache\atidrab.dll
2007-11-30 10:16 . 2001-08-17 14:07 56,960 --a--c--- C:\WINDOWS\system32\dllcache\aic78xx.sys
2007-11-30 10:16 . 2001-08-17 14:07 55,168 --a--c--- C:\WINDOWS\system32\dllcache\aic78u2.sys
2007-11-30 10:16 . 2001-08-17 12:11 27,678 --a--c--- C:\WINDOWS\system32\dllcache\ali5261.sys
2007-11-30 10:16 . 2001-08-17 13:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\alifir.sys
2007-11-30 10:16 . 2001-08-17 13:52 12,800 --a--c--- C:\WINDOWS\system32\dllcache\aha154x.sys
2007-11-30 10:16 . 2001-08-17 13:51 5,248 --a--c--- C:\WINDOWS\system32\dllcache\aliide.sys
2007-11-30 10:14 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2007-11-30 10:14 . 2001-08-17 14:55 689,216 --a--c--- C:\WINDOWS\system32\dllcache\3dfxvs.dll
2007-11-30 10:14 . 2001-08-17 22:36 462,848 --a--c--- C:\WINDOWS\system32\dllcache\a3dapi.dll
2007-11-30 10:14 . 2001-08-17 12:48 148,352 --a--c--- C:\WINDOWS\system32\dllcache\3dfxvsm.sys
2007-11-30 10:14 . 2001-08-17 22:36 98,304 --a--c--- C:\WINDOWS\system32\dllcache\a3d.dll
2007-11-30 10:14 . 2004-08-03 23:10 53,248 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2007-11-30 10:14 . 2004-08-03 23:10 48,128 --a--c--- C:\WINDOWS\system32\dllcache\61883.sys
2007-11-30 10:14 . 2001-08-17 14:55 38,400 --a--c--- C:\WINDOWS\system32\dllcache\8514a.dll
2007-11-30 10:14 . 2001-08-17 13:52 23,552 --a--c--- C:\WINDOWS\system32\dllcache\abp480n5.sys
2007-11-30 10:14 . 2004-08-03 23:00 12,288 --a--c--- C:\WINDOWS\system32\dllcache\4mmdat.sys
2007-11-30 10:14 . 2001-08-17 14:06 11,264 --a--c--- C:\WINDOWS\system32\dllcache\1394vdbg.sys
2007-11-30 10:12 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-11-27 16:16 . 2007-11-27 16:16 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-11-27 16:06 . 2007-11-27 16:07 <DIR> d-------- C:\Program Files\Crawler
2007-11-27 16:05 . 2007-12-03 11:33 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-11-27 16:05 . 2007-12-03 11:01 <DIR> d-------- C:\Documents and Settings\Yakansang\Application Data\Spyware Terminator
2007-11-27 16:05 . 2007-12-03 11:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-11-26 16:26 . 2007-11-26 16:32 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-26 16:26 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-11-26 11:59 . 2007-11-27 11:53 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-26 11:59 . 2007-11-26 11:59 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-26 11:59 . 2007-11-26 11:59 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-26 11:59 . 2007-11-26 11:59 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-26 10:46 . 2007-11-26 10:46 <DIR> d-------- C:\Deckard
2007-11-26 10:21 . 2007-11-26 10:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-23 08:58 . 2007-11-23 08:58 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-11-23 08:58 . 2007-11-23 08:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-23 08:58 . 2007-12-04 09:18 6,003,232 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-23 08:58 . 2007-12-04 09:18 61,700 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-23 08:58 . 2007-12-04 09:19 55,072 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-23 08:58 . 2007-12-04 09:18 6,212 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-20 10:36 . 2007-11-20 10:36 <DIR> d-------- C:\WINDOWS\system32\upft
2007-11-20 09:19 . 2007-11-23 10:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-20 09:19 . 2007-11-20 09:19 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 01:22 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2007-12-04 01:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2007-11-30 09:07 --------- d-----w C:\Documents and Settings\Yakansang\Application Data\MySQL
2007-11-30 02:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-29 09:11 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-29 09:11 --------- d-----w C:\Program Files\Ahead
2007-11-28 00:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-26 06:53 --------- d-----w C:\Program Files\prjJtksm_WC
2007-11-26 06:53 --------- d-----w C:\Program Files\PC Connectivity Solution
2007-11-20 06:09 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-11-20 06:09 249,856 ------w C:\WINDOWS\Setup1.exe
2007-11-12 01:18 --------- d-----w C:\Program Files\Java
2007-11-01 02:21 --------- d-----w C:\Program Files\Common Files\NSV
2007-10-29 00:34 --------- d-----w C:\Program Files\Common Files\Macromedia
2007-10-29 00:28 --------- d-----w C:\Program Files\Macromedia
2007-10-10 02:53 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-10-08 01:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-08 01:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-08 01:16 --------- d-----w C:\Program Files\PSCS2Updater
2007-10-08 01:10 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-10-08 01:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-11-27 16:14]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-10-11 08:30]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-10-26 09:43]
"kav"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2006-03-24 18:09]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-26 09:43]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
C:\Program Files\CCleaner\ccleaner.exe /AUTO

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 00:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Glass2k]
C:\Program Files\Glass2k\Glass2k.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 01:11 132496 --a------ C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UTSCSI"=2 (0x2)
"Nakido"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"Adobe LM Service"=3 (0x3)

R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R2 vmserverdWin32;VMware Registration Service;C:\Program Files\VMware\VMware Server\vmserverdWin32.exe
S2 XAMPP;XAMPP Service;C:\Program Files\xampp\service.exe
S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23fbf5f0-6fcc-11db-bd80-005056c00008}]
\Shell\AutoRun\command - E:\idstick.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b4d1570-d378-11db-aaef-005056c00008}]
\Shell\Auto\command - boot.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe

.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 09:22:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-04 9:24:42 - machine was rebooted
.
--- E O F ---

I have 3 antivirus programs installed because I thought that if one antivirus can't detect the virus, then another one can. For your information, while combofix was running, my Kaspersky antivirus detected that dss.exe is a trojan program so Kaspersky deleted it. Then while my PC was rebooting, Kaspersky once again detected that there's a virus in the system but I have forgotten where, but it's a dll file. It said the program can't be accessed because access is denied and can't be deleted or disinfected, so Kaspersky didn't give me any other choice than the skip button for the file.

Last edited by tena_79; 12-03-2007 at 05:34 PM.
#7
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,541
OS: xp
Re: Antivirus pop up message-W32/Dzan.a attack
DDS and combofix contain tools that some antivirus programs alert about; they call them potentially unwanted tools. Ignore that.

Quote:

Uninstall all but one antivirus program please. Once that's done, update and do a full system scan. I suggest you keep Kaspersky.

Afterwards post a Panda ActiveScan-Free online scanner report
http://www.pandasoftware.com/products/activescan.htm
Press "scan your PC now"
allow the active x to install (if prompted)
Do a full scan > Click the my computer button
After the scan click see report, then Save the report and post it back here please.
If you have problems read the FAQ
http://www.pandasoftware.com/actives...q.asp?IdLang=2
#8
Registered User
Join Date: Nov 2007
Posts: 14
OS: XP SP2
I have already done what you've said and the Panda scan hasn't produced any report or button to push. It just said "No viruses or other malicious software have been found!" How do I retrieve that report actually?
I have already uninstalled the other 2 antivirus programs and left only Kaspersky.
#9
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,541
OS: xp
Re: Antivirus pop up message-W32/Dzan.a attack
If nothing was found in the Panda scan the report isn't needed.

Have you done a full scan with Kaspersky while your USB stick or sticks are plugged in? If not you should do so. Let us know if any files were detected and the outcome (mention their locations and file names).

From your event log

Quote:

What is in the ptk_kuching_24-280907_era folder?

Last edited by LonnyRJones; 12-04-2007 at 07:49 PM.
#10
Registered User
Join Date: Nov 2007
Posts: 14
OS: XP SP2
Re: Antivirus pop up message-W32/Dzan.a attack
While Kaspersky's antivirus scan is still running, a trojan program was detected in the system restore folder, which is Trojan-Downloader.Win32.AutoIt.aa in C:\System Volume Information\_restore{71256E6B-F4E8-4F6D-9EE5-59BBD8BF0ACD}\RP1\A0000045.exe and another one in C:\System Volume Information\_restore{71256E6B-F4E8-4F6D-9EE5-59BBD8BF0ACD}\RP1\A0000046.exe. Kaspersky asked me whether to delete it or skip because it couldn't be disinfected, so I deleted it.
I have already deleted the ptk_kuching_24-280907_era folder. It only contained a text file which was the backup file for my system's data at my workplace.

Last edited by tena_79; 12-04-2007 at 10:02 PM.
#11
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,541
OS: xp
Re: Antivirus pop up message-W32/Dzan.a attack
Not to worry about items in C:\System Volume Information (system restore).
This is a work PC? You should warn others not to share USB sticks until they are confirmed clean, and all the PCs they were used on too. Every PC that used the stick will most likely be infected. Did you scan while it/they were plugged in?
#12
Registered User
Join Date: Nov 2007
Posts: 14
OS: XP SP2
Re: Antivirus pop up message-W32/Dzan.a attack
Yes, this is a work PC. I already scanned with the USB stick plugged in and found nothing infected. I was just about to feel relieved that the virus had gone when it got infected again in one of my shared folders on my desktop and straight through My Documents. It created the exe file again and my Kaspersky detected them and deleted them, but it keeps coming back again.
I realized the virus/trojan was coming from one of my colleagues' PCs when I looked into his PC and found the same virus which attacked my PC. What am I going to do now? My Kaspersky detected the virus/trojan as "Trojan program Trojan-Downloader.Win32.AutoIt.aa" and "Trojan program Trojan.Win32.AutoRun.a". Do I have to do the whole process again from the DSS scan thing?
#13
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,541
OS: xp
Re: Antivirus pop up message-W32/Dzan.a attack
Plug all your USB sticks in, or run this tool once for each stick if you cannot plug all of them in at the same time:
http://www.techsupportforum.com/sect...isinfector.exe
It shall only take seconds to run.

Also: while the sticks are in, using the Windows search feature, search for boot.exe and idstick.exe. Are they present on any of your sticks or removable media? If so submit them here please and leave a link back to this thread:
http://www.bleepingcomputer.com/subm....php?channel=4

Then run combofix once again and post its log.

You should have each of your colleagues start a thread of their own and post DDS and Panda logs (to start).

Last edited by LonnyRJones; 12-06-2007 at 05:31 AM.
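A defender-side way to triage the MountPoints2 autorun entries that the DSS and ComboFix dumps earlier in this thread show, as an added example that is not part of the thread or of any tool named in it. It parses both dump formats and flags the pattern the expert is hunting (a relative executable such as boot.exe or idstick.exe launched through Shell32.DLL,ShellExec_RunDLL); the fourth volume GUID and its setup.exe entry in the sample are constructed benign data so the triage has something to pass.

```python
"""Triage MountPoints2 autorun entries from a DSS or ComboFix registry dump.

Added example for this thread; it is not part of DSS, HijackThis or ComboFix.
Explorer records the autorun.inf verbs of every removable volume it has seen
under HKCU\...\Explorer\MountPoints2\{volume-guid}; both tools dump them, and
a USB-borne worm leaves the pattern shown in the logs above: a relative
executable name launched via RunDLL32 Shell32.DLL,ShellExec_RunDLL.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample in the two dump formats seen in this thread (DSS writes
# "Auto\command- x", ComboFix writes "\Shell\Auto\command - x"). The last
# volume is a made-up benign entry so the triage has something to pass.
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23fbf5f0-6fcc-11db-bd80-005056c00008}]
AutoRun\command- E:\idstick.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b4d1570-d378-11db-aaef-005056c00008}]
Auto\command- boot.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63f0c060-a13d-11db-96ac-005056c00008}]
\Shell\Auto\command - RavMonE.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}]
\Shell\AutoRun\command - E:\setup.exe /S
"""

KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]{36}\})\]$", re.I)
CMD_RE = re.compile(r"^(?:\\Shell\\)?(Auto|AutoRun)\\command\s*-\s*(.+?)\s*$", re.I)
SHELLEXEC_RE = re.compile(r"rundll32(?:\.exe)?\s+shell32\.dll,\s*ShellExec_RunDLL\s+(.+)$", re.I)

# File names the thread itself ties to this infection (from the logs and the
# expert's search request); extend for your own environment.
WATCHLIST = {"boot.exe", "idstick.exe", "ravmone.exe", "infrom.exe"}


@dataclass
class AutorunEntry:
    guid: str      # volume GUID from the MountPoints2 subkey
    verb: str      # "Auto" or "AutoRun"
    command: str   # raw command as dumped


@dataclass
class Finding:
    entry: AutorunEntry
    target: str          # executable the command ultimately launches
    reasons: List[str]


def parse_mountpoints(dump: str) -> List[AutorunEntry]:
    """Collect every Auto/AutoRun command under a MountPoints2 volume key."""
    entries: List[AutorunEntry] = []
    guid = None
    for raw in dump.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            guid = key.group(1).lower()
            continue
        cmd = CMD_RE.match(line)
        if cmd and guid:
            entries.append(AutorunEntry(guid, cmd.group(1), cmd.group(2)))
    return entries


def launched_target(command: str) -> Tuple[str, bool]:
    """Return (program that actually runs, whether ShellExec_RunDLL wraps it)."""
    wrapped = SHELLEXEC_RE.search(command)
    if wrapped:
        return wrapped.group(1).split()[0], True
    return command.split()[0], False


def triage(entries: List[AutorunEntry]) -> List[Finding]:
    """Flag entries that match the worm pattern or name a watchlisted file."""
    findings = []
    for entry in entries:
        target, via_shellexec = launched_target(entry.command)
        reasons = []
        if via_shellexec:
            reasons.append("launched through ShellExec_RunDLL")
        # No drive letter and no path separator: resolved against the volume
        # root, which is exactly where an autorun.inf worm drops its copy.
        if not re.match(r"^[A-Za-z]:\\", target) and "\\" not in target:
            reasons.append("relative name, resolved against the volume root")
        if target.rsplit("\\", 1)[-1].lower() in WATCHLIST:
            reasons.append("file name on thread watchlist")
        if reasons:
            findings.append(Finding(entry, target, reasons))
    return findings


def flagged_volumes(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Group flagged launch targets by volume GUID, for the cleanup list."""
    by_guid: Dict[str, Set[str]] = {}
    for f in findings:
        by_guid.setdefault(f.entry.guid, set()).add(f.target)
    return by_guid


if __name__ == "__main__":
    for f in triage(parse_mountpoints(SAMPLE_DUMP)):
        print(f"{f.entry.guid} {f.entry.verb}: {f.target} <- {'; '.join(f.reasons)}")
```

Feed it the MountPoints2 section of a real DSS or ComboFix log and each flagged GUID names a volume whose autorun verbs should be removed after the stick itself has been cleaned.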
#14
Registered User
Join Date: Nov 2007
Posts: 14
OS: XP SP2
Re: Antivirus pop up message-W32/Dzan.a attack
I did the search and boot.exe and idstick.exe were not found on my PC. This is my combofix report.
ComboFix 07-12-02.7 - Yakansang 2007-12-07 9:39:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.137 [GMT 8:00]
Running from: C:\Documents and Settings\Yakansang\desktop\combofix.exe
Command switches used :: /KillAll
.
((((((((((((((((((((((((( Files Created from 2007-11-07 to 2007-12-07 )))))))))))))))))))))))))))))))
.
2007-11-30 16:51 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-11-30 16:51 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-11-30 10:19 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2007-11-30 10:18 . 2001-08-17 12:48 281,600 --a--c--- C:\WINDOWS\system32\dllcache\atimtai.sys
2007-11-30 10:17 . 2001-08-17 14:55 382,592 --a--c--- C:\WINDOWS\system32\dllcache\atidrab.dll
2007-11-30 10:16 . 2001-08-17 14:07 56,960 --a--c--- C:\WINDOWS\system32\dllcache\aic78xx.sys
2007-11-30 10:16 . 2001-08-17 14:07 55,168 --a--c--- C:\WINDOWS\system32\dllcache\aic78u2.sys
2007-11-30 10:16 . 2001-08-17 12:11 27,678 --a--c--- C:\WINDOWS\system32\dllcache\ali5261.sys
2007-11-30 10:16 . 2001-08-17 13:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\alifir.sys
2007-11-30 10:16 . 2001-08-17 13:52 12,800 --a--c--- C:\WINDOWS\system32\dllcache\aha154x.sys
2007-11-30 10:16 . 2001-08-17 13:51 5,248 --a--c--- C:\WINDOWS\system32\dllcache\aliide.sys
2007-11-30 10:14 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2007-11-30 10:14 . 2001-08-17 14:55 689,216 --a--c--- C:\WINDOWS\system32\dllcache\3dfxvs.dll
2007-11-30 10:14 . 2001-08-17 22:36 462,848 --a--c--- C:\WINDOWS\system32\dllcache\a3dapi.dll
2007-11-30 10:14 . 2001-08-17 12:48 148,352 --a--c--- C:\WINDOWS\system32\dllcache\3dfxvsm.sys
2007-11-30 10:14 . 2001-08-17 22:36 98,304 --a--c--- C:\WINDOWS\system32\dllcache\a3d.dll
2007-11-30 10:14 . 2004-08-03 23:10 53,248 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2007-11-30 10:14 . 2004-08-03 23:10 48,128 --a--c--- C:\WINDOWS\system32\dllcache\61883.sys
2007-11-30 10:14 . 2001-08-17 14:55 38,400 --a--c--- C:\WINDOWS\system32\dllcache\8514a.dll
2007-11-30 10:14 . 2001-08-17 13:52 23,552 --a--c--- C:\WINDOWS\system32\dllcache\abp480n5.sys
2007-11-30 10:14 . 2004-08-03 23:00 12,288 --a--c--- C:\WINDOWS\system32\dllcache\4mmdat.sys
2007-11-30 10:14 . 2001-08-17 14:06 11,264 --a--c--- C:\WINDOWS\system32\dllcache\1394vdbg.sys
2007-11-30 10:12 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2007-11-27 16:16 . 2007-11-27 16:16 138,752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-11-27 16:06 . 2007-11-27 16:07 <DIR> d-------- C:\Program Files\Crawler
2007-11-27 16:05 . 2007-12-06 11:45 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-11-27 16:05 . 2007-12-06 11:00 <DIR> d-------- C:\Documents and Settings\Yakansang\Application Data\Spyware Terminator
2007-11-27 16:05 . 2007-12-06 11:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2007-11-26 16:26 . 2007-11-26 16:32 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-11-26 16:26 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-11-26 11:59 . 2007-12-06 08:42 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-26 11:59 . 2007-12-06 08:35 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-26 11:59 . 2007-12-06 08:35 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-26 11:59 . 2007-12-06 08:35 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-26 10:46 . 2007-11-26 10:46 <DIR> d-------- C:\Deckard
2007-11-26 10:21 . 2007-11-26 10:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-23 08:58 . 2007-12-07 09:41 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-11-23 08:58 . 2007-11-23 08:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-23 08:58 . 2007-12-07 09:47 6,003,232 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-23 08:58 . 2007-12-07 09:48 73,760 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-23 08:58 . 2007-12-07 09:47 72,860 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-23 08:58 . 2007-12-07 09:47 7,964 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-20 10:36 . 2007-11-20 10:36 <DIR> d-------- C:\WINDOWS\system32\upft
2007-11-20 09:19 . 2007-11-23 10:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-20 09:19 . 2007-11-20 09:19 1,409 --a------ C:\WINDOWS\QTFont.for
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-07 01:49 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2007-12-07 01:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2007-12-05 09:13 --------- d-----w C:\Documents and Settings\Yakansang\Application Data\MySQL
2007-12-05 02:05 --------- d-----w C:\Program Files\prjJtksm_WC
2007-11-29 09:11 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-29 09:11 --------- d-----w C:\Program Files\Ahead
2007-11-26 06:53 --------- d-----w C:\Program Files\PC Connectivity Solution
2007-11-20 06:09 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-11-20 06:09 249,856 ------w C:\WINDOWS\Setup1.exe
2007-11-12 01:18 --------- d-----w C:\Program Files\Java
2007-11-01 02:21 --------- d-----w C:\Program Files\Common Files\NSV
2007-10-29 00:34 --------- d-----w C:\Program Files\Common Files\Macromedia
2007-10-29 00:28 --------- d-----w C:\Program Files\Macromedia
2007-10-10 02:53 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-10-08 01:21 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-08 01:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-08 01:16 --------- d-----w C:\Program Files\PSCS2Updater
2007-10-08 01:10 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-10-08 01:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
.
((((((((((((((((((((((((((((( snapshot@2007-12-04_ 9.22.51.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-23 03:11:42 82,061 ----a-w C:\WINDOWS\system32\drivers\klick.sys
+ 2007-12-07 00:04:56 85,860 ----a-w C:\WINDOWS\system32\drivers\klick.sys
- 2007-11-23 03:11:43 81,549 ----a-w C:\WINDOWS\system32\drivers\klin.sys
+ 2007-12-07 00:04:56 90,980 ----a-w C:\WINDOWS\system32\drivers\klin.sys
- 2007-12-04 01:21:19 216,770 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-12-07 01:49:12 216,769 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-11-27 16:14]
"kav"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2006-03-24 18:09]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start
Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner] C:\Program Files\CCleaner\ccleaner.exe /AUTO [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2004-08-04 00:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Glass2k] C:\Program Files\Glass2k\Glass2k.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask.exe -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL] sm56hlpr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] 2007-09-25 01:11 132496 --a------ C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! 
Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -quiet [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "UTSCSI"=2 (0x2) "Nakido"=2 (0x2) "AVG Anti-Spyware Guard"=2 (0x2) "Adobe LM Service"=3 (0x3) R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE Start Pending2 vmserverdWin32;VMware Registration Service;C:\Program Files\VMware\VMware Server\vmserverdWin32.exe Stop Pending2 XAMPP;XAMPP Service;C:\Program Files\xampp\service.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23fbf5f0-6fcc-11db-bd80-005056c00008}] \Shell\AutoRun\command - E:\idstick.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b4d1570-d378-11db-aaef-005056c00008}] \Shell\Auto\command - boot.exe \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe . ************************************************************************** catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-12-07 09:49:46 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-12-07 9:51:55 - machine was rebooted C:\ComboFix2.txt ... 2007-12-04 09:24 . --- E O F --- Kapersky also detected there was a Trojan program "Trojan.Win32.Inject.mf" found in C:\DOCUME~1\YAKANS~1\LOCALS~1\Temp\igvnodyk.dll. I try to delete it but failed because then Kapersky detected it couldn't be found in the system. You told me not to worry about the viruses in the system restore, but today Kapersky found another 3 viruses in it. 
What if something happened and I need to restore my pc back, do those viruses infect my pc again? Last edited by tena_79; 12-06-2007 at 06:38 PM. |
#15 (permalink) |
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,541
OS: xp
Re: Antivirus pop up message-W32/Dzan.a attack
Yes, if you use System Restore to go back a few days or more, the PC will be infected, although if an antivirus deleted anything there, they will not work.
After we analyse the logs from your colleagues and clear the viruses/trojans, as a last step we will clear System Restore by turning it off and then back on again.
It would be best if all the PCs on the network were disconnected, and obviously don't share removable media.
Let me know when they post logs. How many colleagues are there?
Using Explorer, look in each USB stick for a file named boot.exe or idstick.exe; if found, submit it to the URL I posted, please.
#16 (permalink) |
Registered User
Join Date: Nov 2007
Posts: 14
OS: XP SP2
Sorry for the late reply.
My USB stick is already broken, I guess, since when I plugged it in, my PC said the USB stick needs to be formatted. So I can't open it and search for boot.exe or idstick.exe.
I have already unshared all my folders because I'm scared that the virus would attack my PC again.
I only have one colleague and he has posted here. I had already done a ComboFix check, DSS and Panda scan on his PC before he posted here. Sorry if I did it without your advice *sweat*. He posted his DSS and Panda scan reports and also the ComboFix report, but one of your analysts asked him to download ComboFix again and use it, so he's quite confused about what to do.
#17 (permalink) |
Expert Analyst, Moderator, Security Team
Join Date: Sep 2006
Posts: 1,541
OS: xp
Re: Antivirus pop up message-W32/Dzan.a attack
I'm glad he posted; have him take Pancake's advice: re-download and run ComboFix, and post another log.
One more task for you: launch Notepad (not WordPad or another text editor), and copy and paste the contents of the code box below into a new text file. Save it with the file name "fixme.reg" (not including the word Code). Save as file type: All files (*.*), and save it on your Desktop. Code:
REGEDIT4
;
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23fbf5f0-6fcc-11db-bd80-005056c00008}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b4d1570-d378-11db-aaef-005056c00008}]
;
Restart your PC.
Also: uninstall ComboFix. Go to Start, Run, type in combofix /u and hit OK or press Enter.
Post back if you need to.
Last edited by LonnyRJones; 12-09-2007 at 05:39 PM.
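As an added example (not part of this thread, and not code from ComboFix, HijackThis or the forum's security team), the following Python script automates what the fixme.reg above does by hand: it reads the MountPoints2 block of a ComboFix-style log, works out which program each shell verb really launches (including the RunDLL32 Shell32.DLL,ShellExec_RunDLL wrapper seen in the log earlier in this thread), and writes the same REGEDIT4 deletion lines for every key that starts a watch-listed file such as boot.exe or idstick.exe. The log text embedded in the script is constructed from the thread's own two entries plus one made-up entry with an all-zero GUID that is not on the watch list; the watch list and all function names are this example's own assumptions.

```python
"""Flag MountPoints2 autorun handlers in a ComboFix-style log and emit a
REGEDIT4 removal file for the keys that launch watch-listed programs.

Added example for this thread, not a tool from the forum or from ComboFix.
Assumptions: the log uses the "Reg Loading Points" layout shown in the
thread (a bracketed key line followed by "\\Shell\\<verb>\\command - <cmd>"
lines); the watch list holds the file names the moderator asked about.
"""
import re
from typing import Dict, List

# Constructed sample log: the first two keys are the ones from the thread;
# the third key (all-zero GUID, LaunchU3.exe) is made up to show an entry
# that is not on the watch list and is therefore left alone.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23fbf5f0-6fcc-11db-bd80-005056c00008}]
\Shell\AutoRun\command - E:\idstick.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b4d1570-d378-11db-aaef-005056c00008}]
\Shell\Auto\command - boot.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL boot.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000000}]
\Shell\AutoRun\command - F:\LaunchU3.exe
"""

# File names the moderator asked the poster to look for on each USB stick.
WATCHLIST = {"boot.exe", "idstick.exe"}

KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.IGNORECASE)
CMD_RE = re.compile(r"^\\Shell\\([^\\]+)\\command\s+-\s+(.+?)\s*$", re.IGNORECASE)


def parse_mountpoints2(log_text: str) -> List[Dict]:
    """Group each MountPoints2 key with the shell verbs listed under it."""
    entries: List[Dict] = []
    current = None
    for line in log_text.splitlines():
        key_match = KEY_RE.match(line.strip())
        if key_match:
            current = {"key": key_match.group(1), "commands": []}
            entries.append(current)
            continue
        cmd_match = CMD_RE.match(line.strip())
        if cmd_match and current is not None:
            current["commands"].append((cmd_match.group(1), cmd_match.group(2)))
    return entries


def launched_file(command: str) -> str:
    """Return the lower-cased base name of the program the verb really starts.

    When the command is RunDLL32 with the ShellExec_RunDLL export, the real
    target is the argument after that export, not RunDLL32 itself.
    """
    tokens = command.split()
    target = tokens[0]
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "shell32.dll,shellexec_rundll":
            target = tokens[i + 1]
            break
    return re.split(r"[\\/]", target)[-1].lower()


def find_suspect_keys(entries: List[Dict], watchlist=WATCHLIST) -> List[str]:
    """Keys whose shell verbs start a watch-listed file name."""
    return [
        e["key"]
        for e in entries
        if any(launched_file(cmd) in watchlist for _verb, cmd in e["commands"])
    ]


def build_fix_reg(keys: List[str]) -> str:
    """Produce REGEDIT4 text that deletes each key (a leading '-' inside the
    brackets means delete), in the same shape as the fixme.reg above."""
    lines = ["REGEDIT4", ";"] + [f"[-{k}]" for k in keys] + [";"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    suspects = find_suspect_keys(parse_mountpoints2(SAMPLE_LOG))
    print(build_fix_reg(suspects))
```

Merging the generated file only removes the per-volume autorun handlers Explorer cached under the user's profile; the USB stick itself still has to be cleaned or, as the poster did here, reformatted, and the machine should be rebooted afterwards as the instructions above say.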
#20 (permalink) |
Registered User
Join Date: Nov 2007
Posts: 14
OS: XP SP2
Yes and I already formatted my usb stick. So there is nothing in there anymore. :)
My colleague still has viruses/malware on his PC, so I will wait for him to fix them all with the help of your analyst member. I'm still keeping all my shared folders disabled.