
Malware: PSGuard [CLOSED]


This topic is locked

#1 ekstacy (New Member, 5 posts)
Need help removing PSGuard. Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:40:28 AM, on 12/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\PROGRA~1\COMMON~1\AOL\113154~1\EE\AOLHOS~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\AOL\113154~1\EE\AOLServiceHost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\abc\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\sstut.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131541680\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.tbcode.co...ysb_regular.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133654646174
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB49} - http://content-loade...ad/ccaccess.cab
O20 - Winlogon Notify: sstut - C:\WINDOWS\System32\sstut.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\q324666.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0


#2 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Hi ekstacy and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.


Please print these instructions out for use in Safe Mode.

1. Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):

    • C:\WINDOWS\system32\sstut.dll

  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):


    C:\WINDOWS\system32\tutss.*

  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:


    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\sstut.dll
    O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
    O20 - Winlogon Notify: sstut - C:\WINDOWS\System32\sstut.dll
    O20 - Winlogon Notify: st3 - C:\WINDOWS\q324666.dll (file missing)



  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
2. Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

3. Then, please run this online virus scan: ActiveScan

4. Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Regards,

Trevuren

  • 0

#3 ekstacy (Topic Starter, New Member, 5 posts)
From the looks of it, I might not have done something right.

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:39:35 PM, on 12/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\PROGRA~1\COMMON~1\AOL\113154~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\113154~1\EE\AOLServiceHost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\abc\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\sstut.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131541680\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.tbcode.co...ysb_regular.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133654646174
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB49} - http://content-loade...ad/ccaccess.cab
O20 - Winlogon Notify: sstut - C:\WINDOWS\System32\sstut.dll (file missing)
O20 - Winlogon Notify: st3 - C:\WINDOWS\q324666.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe




Here is the vundofix log:


VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

ReadMe.txt
killvundo.bat
process.exe
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\sstut.dll

The second filepath entered was C:\WINDOWS\system32\tutss.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 124 'smss.exe'

Killing PID 696 'explorer.exe'
Killing PID 696 'explorer.exe'


Killing PID 200 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\sstut.dll Deleted sucessfully.
C:\WINDOWS\system32\tutss.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

Here is the active scan log:



Incident Status Location

Virus:Trj/Shutdown.J Not disinfected C:\WINDOWS\system32\csrssa.exe
Virus:W32/Gaobot.JSS.worm Not disinfected C:\WINDOWS\system32\cmss.exe
Virus:W32/Bagle.FD.worm Not disinfected C:\WINDOWS\system32\noat.exe
Spyware:spyware/smitfraud Not disinfected C:\WINDOWS\system32\oleext.dll
Adware:adware/miamore Not disinfected C:\WINDOWS\system32\st3.dll
Virus:W32/Smitfraud.D Not disinfected C:\WINDOWS\system32\wininet.dll
Virus:W32/Bagle.FD.worm Not disinfected C:\WINDOWS\system32\forő.exe
Virus:W32/Sdbot.ftp Not disinfected C:\WINDOWS\system32\i
Virus:W32/Sdbot.DIR.worm Not disinfected C:\WINDOWS\system32\TFTP844
Virus:W32/Sdbot.DIR.worm Not disinfected C:\WINDOWS\system32\TFTP1868
Virus:W32/Bagle.gen.worm Not disinfected C:\WINDOWS\831105.exe
Virus:W32/Bagle.gen.worm Not disinfected C:\WINDOWS\928244.exe
Dialer:dialer.cso Not disinfected C:\WINDOWS\Downloaded Program Files\ccaccess.inf
Adware:Adware/Miamore Not disinfected C:\WINDOWS\__delete_on_reboot__q324666.dll
Virus:W32/Bagle.EE.worm Not disinfected C:\WINDOWS\firewall_anti.exe.dll
Virus:W32/Bagle.FD.worm Not disinfected C:\FOUND.087\FILE0002.CHK
Virus:W32/Bagle.FD.worm Not disinfected C:\FOUND.087\FILE0003.CHK
Virus:W32/Bagle.FD.worm Not disinfected C:\FOUND.051\FILE0000.CHK
Virus:W32/Bagle.FD.worm Not disinfected C:\FOUND.051\FILE0001.CHK
Virus:W32/Bagle.FD.worm Not disinfected C:\FOUND.069\FILE0002.CHK
Virus:W32/Bagle.FD.worm Not disinfected C:\FOUND.088\FILE0002.CHK
Virus:W32/Bagle.FD.worm Not disinfected C:\FOUND.088\FILE0003.CHK
Virus:W32/Bagle.FD.worm Not disinfected C:\FOUND.089\FILE0024.CHK
Virus:W32/Bagle.FD.worm Not disinfected C:\FOUND.089\FILE0025.CHK


What next?
  • 0

#4 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Everything is as planned. You did it all right. You have many infections going on at once and we are getting rid of the bigger ones first:

1. Download the following self-extracting file smitRem.exe and save the file to your DESKTOP.
  • Double click the Smitrem.exe icon on your Desktop.
  • Then click Run>Start and a Smitrem folder will appear on your desktop also.



2. Place a shortcut to Panda ActiveScan on your desktop.


3. Download the trial version of Ewido Security Suite


4. Install Ad-Aware SE 1.06, follow these download and setup instructions.
5. REBOOT your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

6. Now open HJT, click SCAN and place a checkmark next to each of the following items:

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\sstut.dll (file missing)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.tbcode.co...ysb_regular.cab
O16 - DPF: {E53458D2-5A83-4BD1-8DE2-EEEBE73BAB49} - http://content-loade...ad/ccaccess.cab
O20 - Winlogon Notify: sstut - C:\WINDOWS\System32\sstut.dll (file missing)




7. Click the Fix Checked box and EXIT HJT


8. Using Windows Explorer, please locate and DELETE the following files/folders (with all their content), if they are still present:

C:\WINDOWS\system32\csrssa.exe
C:\WINDOWS\system32\cmss.exe
C:\WINDOWS\system32\noat.exe
C:\WINDOWS\system32\st3.dll
C:\WINDOWS\system32\forő.exe
C:\WINDOWS\system32\i
C:\WINDOWS\system32\TFTP844
C:\WINDOWS\system32\TFTP1868
C:\WINDOWS\831105.exe
C:\WINDOWS\928244.exe
C:\WINDOWS\Downloaded Program Files\ccaccess.inf
C:\WINDOWS\firewall_anti.exe.dll



9. Open the smitRem folder
  • Double click the RunThis.bat file to start the tool.
  • Follow the prompts on screen.
  • Wait for the tool to complete and disk cleanup to finish.
  • NOTE: The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed.
  • Please post that log along with all others requested in your next reply.

10. Open Ad-aware and do a full scan. Let it remove all it finds.


11. Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
  • Close Ewido

12. Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.


13. REBOOT back into Normal Mode


14. Click the Panda ActiveScan shortcut
  • Do a full system scan.
  • Make sure the autoclean box is checked!

15. Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.

Let me know if any problems persist.

Regards,

Trevuren

  • 0

#5 ekstacy (Topic Starter, New Member, 5 posts)
In the activescan, I cannot see an "Auto Clean" box. Where is it at? Have a screenshot?
  • 0

#6 Trevuren (Old Dog, Retired Staff, 18,699 posts)
That element is no longer available. Just scan your system and post the log. That gives me the info I require.

Regards,

Trevuren

  • 0

#7 ekstacy (Topic Starter, New Member, 5 posts)
Ok went through it all. Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:39:27 AM, on 12/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\PROGRA~1\COMMON~1\AOL\113154~1\EE\AOLHOS~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\AOL\113154~1\EE\AOLServiceHost.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\abc\Desktop\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131541680\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133654646174
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe



Here is the ewido log:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:05:52 AM, 12/10/2005
+ Report-Checksum: 57264082

+ Scan result:

C:\WINDOWS\__delete_on_reboot__q324666.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286273.exe -> Worm.Bagle.ep : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286274.exe -> Worm.Bagle.ep : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286275.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286276.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286277.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286278.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286279.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286280.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286241.exe -> Trojan.LowZones.df : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286242.exe -> Backdoor.Rbot : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286243.exe -> Worm.Bagle.ep : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286244.dll -> Dialer.Generic : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286245.exe -> Worm.Bagle.cm : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286246.exe -> Worm.Bagle.cl : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286247.exe/(-).cpl -> Worm.Bagle.cr : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286248.exe -> Backdoor.Rbot : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286249.sys -> Trojan.Rootkit.h : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286250.exe -> Worm.Bagle.dw : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286251.exe -> Worm.Bagle.pac : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286252.dll -> Logger.Agent.hn : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286253.dll -> Logger.Agent.hn : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286254.dll -> Logger.Agent.hn : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286255.dll -> Logger.Agent.hn : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286256.dll -> Logger.Agent.hn : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286257.dll -> Logger.Agent.hn : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286258.dll -> Logger.Agent.hn : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286259.dll -> Logger.Agent.hn : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286260.dll -> Logger.Agent.hn : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286261.dll -> Logger.Agent.hn : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286262.exe -> Worm.Bagle.pac : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286263.exe -> Worm.Bagle.dw : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286264.exe -> Worm.Bagle.dw : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286265.exe -> Worm.Bagle.pac : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286266.exe -> Worm.Bagle.pac : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286267.exe -> Worm.Bagle.pac : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286268.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286269.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286270.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286271.exe -> Worm.Bagle.ep : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286272.exe -> Worm.Bagle.ep : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286281.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286282.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286283.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286284.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286285.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286286.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286287.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286288.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286289.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286290.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286291.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286292.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286293.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286294.dll -> Downloader.Delf.zu : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286295.exe -> Dropper.Agent.ki : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286296.sys -> Trojan.Rootkit.h : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286297.exe -> Trojan.LowZones.df : Cleaned with backup
C:\System Volume Information\_restore{9D8240D8-67BD-4EC0-BBCA-87A18B37768A}\RP73\A0286327.dll -> Spyware.Virtumonde : Cleaned with backup


::Report End


Here is the activescan log:


Incident Status Location

Dialer:dialer.cso Not disinfected HKEY_CLASSES_ROOT\CCACCESS.CHECKCONTROL
Virus:W32/Bagle.FD.worm Not disinfected C:\FOUND.087\FILE0002.CHK
Virus:W32/Bagle.FD.worm Not disinfected C:\FOUND.087\FILE0003.CHK
Virus:W32/Bagle.FD.worm Not disinfected C:\FOUND.051\FILE0000.CHK
Virus:W32/Bagle.FD.worm Not disinfected C:\FOUND.051\FILE0001.CHK
Virus:W32/Bagle.FD.worm Not disinfected C:\FOUND.069\FILE0002.CHK
Virus:W32/Bagle.FD.worm Not disinfected C:\FOUND.088\FILE0002.CHK
Virus:W32/Bagle.FD.worm Not disinfected C:\FOUND.088\FILE0003.CHK
Virus:W32/Bagle.FD.worm Not disinfected C:\FOUND.089\FILE0024.CHK
Virus:W32/Bagle.FD.worm Not disinfected C:\FOUND.089\FILE0025.CHK



Looks like there is something left.
  • 0
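The checks a helper applies when reading these logs, as an added example that is not part of this thread and not code from HijackThis or any other tool named above: a small Python parser for HijackThis-style O-lines that flags the patterns Trevuren singled out in post #2 (entries whose target is `(no file)` or `(file missing)`, Winlogon Notify DLLs, and one DLL registered both as a BHO and as a Winlogon Notify package, as sstut.dll was in the first log) and then diffs an earlier log against a later one, which is what the "is there something left?" question in post #7 amounts to. The two sample logs are constructed here, modelled on the thread's first and second logs and trimmed; the ActiveScan control URL is a made-up placeholder.

```python
import re
from dataclasses import dataclass

# Constructed sample logs modelled on the thread's first and second HijackThis
# logs (trimmed; the ActiveScan URL below is a made-up placeholder).
BEFORE = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\sstut.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: sstut - C:\WINDOWS\System32\sstut.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\q324666.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
"""

AFTER = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\sstut.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://scanner.example/asinst.cab
O20 - Winlogon Notify: sstut - C:\WINDOWS\System32\sstut.dll (file missing)
O20 - Winlogon Notify: st3 - C:\WINDOWS\q324666.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
"""

LINE_RE = re.compile(r"^(O\d+) - (.+)$")
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass(frozen=True)
class Entry:
    section: str   # "O2", "O20", ...
    label: str     # everything between the section and the final " - "
    target: str    # file path, URL or "(no file)", without the "(file missing)" marker
    missing: bool  # HijackThis reports the target as absent on disk


def parse_hjt(text):
    """Parse the O-lines of a HijackThis log; every other line is ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        label, sep, target = rest.rpartition(" - ")
        if not sep:                      # O4 Run lines carry no " - " separator
            label, target = rest, ""
        missing = any(target.endswith(mk) for mk in MISSING_MARKERS)
        target = target.replace("(file missing)", "").strip()
        entries.append(Entry(section, label, target, missing))
    return entries


def triage(entries):
    """Return (reason, entry) pairs for the lines a helper would look at first."""
    bho_dlls = {e.target.lower() for e in entries
                if e.section == "O2" and e.target.lower().endswith(".dll")}
    findings = []
    for e in entries:
        if e.section == "O20" and e.target.lower() in bho_dlls:
            # One DLL registered both as a BHO and as a Winlogon Notify package:
            # the pairing sstut.dll shows in the thread's first log.
            findings.append(("BHO and Winlogon Notify share one DLL", e))
        elif e.section == "O20":
            findings.append(("Winlogon Notify DLL, review", e))
        elif e.missing:
            # Registry entry outlived its file: malware residue or a harmless
            # leftover of an uninstalled program, dead weight either way.
            findings.append(("orphaned entry, target absent", e))
        elif e.section == "O2" and e.label.startswith("BHO: (no name)"):
            findings.append(("unnamed BHO", e))
    return findings


def _key(e):
    return (e.section, e.label, e.target.lower())


def diff_logs(before_text, after_text):
    """Entries removed, entries added, and entries still present whose file
    has disappeared since the earlier log (registry key outlived the file)."""
    before = {_key(e): e for e in parse_hjt(before_text)}
    after = {_key(e): e for e in parse_hjt(after_text)}
    removed = [e for k, e in before.items() if k not in after]
    added = [e for k, e in after.items() if k not in before]
    now_missing = [e for k, e in after.items()
                   if k in before and e.missing and not before[k].missing]
    return removed, added, now_missing


if __name__ == "__main__":
    for reason, e in triage(parse_hjt(BEFORE)):
        print(f"[{reason}] {e.section} {e.label} -> {e.target}")
    removed, added, now_missing = diff_logs(BEFORE, AFTER)
    print("removed:", [e.label for e in removed])
    print("added:", [e.label for e in added])
    print("file gone, entry remains:", [e.label for e in now_missing])
```

Run against the two samples, the diff shows no entry removed, the ActiveScan O16 control added by the scan itself, and the two sstut.dll lines now marked "(file missing)": VundoFix deleted the file but the BHO and Winlogon Notify registrations were still there to be fixed in HijackThis, which is exactly what post #4 goes on to do.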

#8 Trevuren (Old Dog, Retired Staff, 18,699 posts)
I also need the smitfiles.txt log as requested in para 15 of my Smitrem Fix.


Trevuren
  • 0

#9 ekstacy (Topic Starter, New Member, 5 posts)
Sorry about that. Here is the log:



smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 12/10/2005
The current time is: 1:50:17.46

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 676 'explorer.exe'
Killing PID 676 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

wininet.dll INFECTED!! :tazz: Starting replacement procedure.


~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~


~~~~ C:\WINDOWS\system32\dllcache\wininet.dll Present! ~~~~


~~~~ Checking dllcache\wininet.dll for infection ~~~~


~~~~ dllcache\wininet.dll Clean! ~~~~

~~~ Replaced wininet.dll from dllcache ~~~



~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll not present!
oleext.dll present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :) ~~~~
  • 0

#10 Trevuren (Old Dog, Retired Staff, 18,699 posts)
1. Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select
    • "Delete on Reboot"
    • then click on the "All Files" button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

    C:\FOUND.087\FILE0002.CHK
    C:\FOUND.087\FILE0003.CHK
    C:\FOUND.051\FILE0000.CHK
    C:\FOUND.051\FILE0001.CHK
    C:\FOUND.069\FILE0002.CHK
    C:\FOUND.088\FILE0002.CHK
    C:\FOUND.088\FILE0003.CHK
    C:\FOUND.089\FILE0024.CHK
    C:\FOUND.089\FILE0025.CHK



  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.


2. Please post a fresh HJT log for review.

Regards,

Trevuren

  • 0

#11 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
