Tech Support banner

Status
Not open for further replies.
1 - 11 of 11 Posts

·
Registered
Joined
·
7 Posts
Discussion Starter #1
Hello everyone, thanks for any help!
I followed the sticky thread, "Please, read this before before posting a HJT log." I used KRC HijackThis Analyzer, but since I wasn't real sure about the fact that I don't see the O20 log at all in result.txt, I will post the original hijackthis.log following the result.txt.
Anyway, I'm running windows xp service pack 2. I download often and have to turn off my firewall. For the past couple weeks my computer has been incredibly slow, taking even 1 to 2 minutes to pull up my computer with no programs running! I have panda running all the time, and when I first scanned I didn't find a virus. Then I did find a two viruses the next time I did a day later. I then ran asquared, which found a trojan and some malwares. I just ran adaware before posing this, it found like 55 more malwares and something else (sorry I forget.) Anyway, is there still problems seen in these logs? My computer isn't as slow as it was since doing all of that, but it still runs some slow, takes some time to bring up my computer (never used to.)
THanks again... umpaloooooooo

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 8:21:06 AM, on 11/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\apvxdwin.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe


End of KRC HijackThis Analyzer Log.
====================================================================

and the original:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\apvxdwin.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Windows\System32\Notepad.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe
 

·
Registered
Joined
·
7 Posts
Discussion Starter #2
some other symptoms i forgot to add

The moniter turns black for 10-20 seconds in the middle of using it... doesn't seem to have anything to do w/ the cables.... does not happen often. When I Ctrl+Alt+Delete, the screen that pops up is running processess, but the box is missing the menu bar at the top that enables you to do the other options. ummm still thinking
 

·
Registered
Joined
·
1,462 Posts
Log is clean,
Perform an online scan with Internet Explorer with

Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    • Standard
    • Scan Options:
    • Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan
 

·
Registered
Joined
·
7 Posts
Discussion Starter #5
trojans found

Here is what that scan came up with . . .

c:\\windows\system32\breqpiui.dll name: Trojan.Win32.Crypt.t
c:\\windows\system32\minedsvc.exe name: Trojan.Win32.Crypt.t

Anyway I can remove it?
Thanks for all your help . . .
 

·
Registered
Joined
·
1,462 Posts
Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot) Click Yes at the 'Pending Operations prompt'. if you see it:
c:\windows\system32\breqpiui.dll
c:\windows\system32\minedsvc.exe
* If you received a message such as: "PendingFileRenameOperations registry data has been removed by external process", you have to restart Windows manually .

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.


REBOOT NOW

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply along with a new HJT log

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan


Please post the Log from Panda so that we can check if your system is clean.
 

·
Registered
Joined
·
7 Posts
Discussion Starter #7
Hello again, sorry for the delay in posting, but I became so very busy.

I tried to use killbox to delete c:\windows\system32\breqpiui.dll
and c:\windows\system32\minedsvc.exe...
breqpiui.dll was not there... there was something named breapiui.dll though, I went ahead and killed it along with minedsvc.exe,
and panda activescan was clean after, but I ran Kaspersky again and it came up with some different matches, accidently shut down computer before they were dealt with though. Just ran it again and got these matches:

Infected Object Name - Virus Name
C:\Program Files\Microsoft AntiSpyware\Quarantine\BAFF0143-3431-4E38-81EC-C706D5\F4E66484-1FE1-4FC0-ACFD-49D776 Infected: not-a-virus:AdWare.Win32.SurfAccuracy.d
C:\System Volume Information\_restore{222FA298-0008-4A98-93F2-0E8B5C1451BF}\RP287\A0031722.exe Infected: not-a-virus:AdWare.Win32.SurfAccuracy.d
C:\System Volume Information\_restore{222FA298-0008-4A98-93F2-0E8B5C1451BF}\RP290\A0032809.dll Infected: not-a-virus:AdWare.Win32.Comet.f
C:\System Volume Information\_restore{222FA298-0008-4A98-93F2-0E8B5C1451BF}\RP302\A0038013.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{222FA298-0008-4A98-93F2-0E8B5C1451BF}\RP302\A0038014.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{222FA298-0008-4A98-93F2-0E8B5C1451BF}\RP302\A0038049.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{222FA298-0008-4A98-93F2-0E8B5C1451BF}\RP302\A0038050.exe



I can't find C:\system volume information...
and do I need to delete the one in the quarantine?
I am running Panda again now, will post results soon.

Thanks again!
 

·
Registered
Joined
·
7 Posts
Discussion Starter #8
panda only found three: (can't figure out how to cut/paste results)

adware detected:adware/WUpd location: windows registry eliminated


spware detected: cookie/burstbeacon location: C:/.... cookies/
eliminated

syware detected: cookie/burstnet location: C:/..... cookies/
eliminated


BTW my windows task manager works right now. Is everything ok now?
 

·
Registered
Joined
·
1,462 Posts
If those scans are coming out clean it would appear so! :smile:
Lets try one more utility:
Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click Start Scan
  • After it's done scanning, click Scan Results
  • Make sure all items found have a check next to them, then click Clean Threats Now.
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called Antispyware.log, please double-click that log and copy the entire contents and paste them here.
 

·
Registered
Joined
·
7 Posts
Discussion Starter #10
trend micro found about ten spyware cookies, among them burstnet.com and burstbeacon.com . . . but it also found three different 'parasites' that were not in internet cache folder, they are

edonkey.com (3 items)
HKLM\SOFTWARE\Classes\ed2k
HKLM\SOFTWARE\Classes\ed2k\DefaultIcon
HKLM\SOFTWARE\Classes\ed2k\shell\open\command

Spware Stormer Inc. (3 Items)
HKLM\SOFTWARE\Classes\Install.Install\
HKLM\SOFTWARE\Classes\Install.Install\CLSID\
HKLM\SOFTWARE\Classes\Install.Install\CurVer\

BHJK_COOLWEBSEARCH (1 item)
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38


the cleanup didn't seem to have any problems though....
 
1 - 11 of 11 Posts
Status
Not open for further replies.
Top