Not sure what's wrong, but I think I've got something...


#16 freespirit_90210 (Member, Topic Starter, 20 posts)
When I try to do the comlog step, I get the following error message:

The service 'comlog' is enabled and/or running. Disable it first, using Hijack This itself (from the scan results) or the Services.msc window.

I can try to do this myself but I thought I'd better ask you first. :whistling:

#17 Wizard (Retired Staff, 5,661 posts)
Ah, I didn't think it would still be running.

Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

O23 - Service: COM+ Event log (comlog) - Unknown owner - C:\WINNT\system32\catroot\svchost.exe (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Click Start-> Run-> Type in Services.msc and Click OK

Scroll that list and locate this entry

comlog

Right Click that entry and Select Properties-> Click Stop-> Go up and change the Startup Type to Disabled

Click Apply-> OK and Exit the Services Page


Now try the Delete and NT Service.


Have you tried the Online Scanner yet?

#18 freespirit_90210 (Member, Topic Starter, 20 posts)
OK, I got it all done.

1 Scanning Report
1.1 Tuesday, November 14, 2006 23:23:34 - 07:27:50
Computer name: SARAH-498413221
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\

1.2 Result: 4 malware found
Backdoor.Win32.ServU-based (virus)
· C:\WINNT\SYSTEM32\SCVHOSTA.EXE (Renamed & Submitted)
Tracking Cookie (spyware)
· System (Disinfected)
· System
· System

1.3 Statistics
Scanned:
· Files: 42199
· System: 5206
· Not scanned: 2
Actions:
· Disinfected: 1
· Renamed: 1
· Deleted: 0
· None: 2
· Submitted: 1
Files not scanned:
· C:\PAGEFILE.SYS
· C:\WINNT\SYSTEM32\CONFIG\DEFAULT

1.4 Options
Scanning engines:
· F-Secure AVP: 7.0.171, 2006-11-15
· F-Secure Blacklight: 1.0.31, 0000-00-00
· F-Secure Draco: 1.0.35, 0260-02-44
· F-Secure Libra: 2.4.2, 2006-11-14
· F-Secure Orion: 1.2.37, 2006-11-14
· F-Secure Pegasus: 1.19.0, 2006-08-29
Scanning options:
· Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
· Use Advanced heuristics

#19 Wizard (Retired Staff, 5,661 posts)
Better results than I was expecting. :whistling:

Since F-Secure renamed that file, search for and delete:

C:\WINNT\SYSTEM32\SCVHOSTA.0XE

Be sure to match the name exactly as I have it spelled.


Please download Combofix to your desktop.
http://download.blee...Bs/combofix.exe

Doubleclick combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt

Please post that log in the next reply along with a fresh HijackThis log.

#20 freespirit_90210 (Member, Topic Starter, 20 posts)
Hi,

I did what you asked, but my roommate got on the internet on my machine while I was out last night, before I had a chance to perform the tasks in your last reply. Now it sounds like the internet connection is running all the time again, when there is no reason to.

Here are the logs.

S.

Sarah Leedy - Thu 11/16/2006 7:15:20.81 Service Pack 4
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Sarah Leedy\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-16 to 2006-11-16 ))))))))))))))))))))))))))))))))))


2006-10-23 21:23 24,528 --a------ C:\WINNT\system32\drivers\kbdclass.sys
2006-10-23 21:23 13,744 --a------ C:\WINNT\system32\drivers\kbdhid.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-06 18:45 -------- d-------- C:\Program Files\SpywareBlaster
2006-11-06 07:45 -------- d-------- C:\Program Files\Ad-Aware SE Plus
2006-11-05 05:13 -------- d-------- C:\Program Files\Winamp
2006-11-04 15:35 -------- d-a------ C:\Program Files\Common Files
2006-11-04 15:12 -------- d-------- C:\Program Files\Shockwave.com
2006-11-04 15:12 -------- d-------- C:\Program Files\ReadMagic
2006-11-04 15:10 -------- d-------- C:\Program Files\Common Files\Ahead
2006-11-04 14:32 -------- d-------- C:\Program Files\Citrix
2006-11-04 14:30 -------- d-------- C:\Documents and Settings\Sarah Leedy\Application Data\Aim
2006-11-04 14:23 -------- d-------- C:\Program Files\Common Files\Adobe
2006-10-23 23:52 -------- d-------- C:\Program Files\eMule
2006-10-14 00:39 -------- d-a------ C:\Program Files\ewido anti-spyware 4.0
2006-10-09 19:19 -------- d-a------ C:\Program Files\Common Files\Microsoft Shared
2006-10-04 22:13 -------- d-------- C:\Documents and Settings\Sarah Leedy\Application Data\Adobe
2006-09-28 04:48 778656 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-09-27 01:00 -------- d-------- C:\Documents and Settings\Sarah Leedy\Application Data\AdobeUM
2006-09-22 23:53 -------- d-------- C:\Documents and Settings\Sarah Leedy\Application Data\Google
2006-09-22 23:49 -------- d-------- C:\Program Files\Microsoft SQL Server
2006-09-22 23:09 -------- d-------- C:\Program Files\Google
2006-09-19 07:35 -------- d-------- C:\Documents and Settings\Sarah Leedy\Application Data\TrojanHunter
2006-09-19 06:24 -------- d-------- C:\Program Files\TrojanHunter 4.6
2006-09-19 05:35 -------- d-------- C:\Program Files\Common Files\Sandlot Shared
2006-09-17 20:45 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-17 20:44 -------- d-------- C:\Program Files\ArtisanDVDPlayer
2006-09-17 20:36 -------- d-------- C:\Program Files\CleanUp!
2006-09-14 13:38 16896 --a------ C:\WINNT\system32\kill.exe
2006-09-13 08:43 114688 --a------ C:\WINNT\system32\fport.exe
2006-09-12 03:48 1713536 --------- C:\WINNT\system32\NTKRNLPA.EXE
2006-09-12 03:48 1690880 --------- C:\WINNT\system32\NTOSKRNL.EXE
2006-09-05 20:58 1110528 --a------ C:\WINNT\system32\msxml3.dll
2006-08-28 00:44 530192 --a------ C:\WINNT\system32\comctl32.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"DadApp"="C:\\Program Files\\Dell\\AccessDirect\\dadapp.exe"
"IgfxTray"="C:\\WINNT\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"SigmaTel StacMon"="C:\\Program Files\\SigmaTel\\SigmaTel AC97 Audio Drivers\\stacmon.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"BJCFD"="C:\\Program Files\\BellSouth\\Client Foundation\\CFD.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"tgcmd"="\"C:\\Program Files\\Support.com\\BellSouth\\hcenter.exe\" /starthidden /tgcmdwrapper"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
@=""
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e4,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"="C:\\PROGRA~1\\SYMNET~1\\SNDWarn.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\svcwmplayer
Completion time: Thu 2006-11-16 7:17:42.96
C:\ComboFix.txt ... 06-11-16 07:17



Logfile of HijackThis v1.99.1
Scan saved at 7:25:55 AM, on 11/16/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\acs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Wiperaser 2004\WiperaserSvc.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\BellSouth\Client Foundation\CFD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Sarah Leedy\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BellSouth\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O15 - Trusted Zone: *.real.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr...oad/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec.../ols3/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - Unknown owner - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Wiperaser Secure Deletion Service (Wiperaser) - Liveye - C:\Program Files\Wiperaser 2004\WiperaserSvc.exe
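The catroot\svchost.exe service from post #17 is exactly what a triage of the O23 lines in a HijackThis log should surface. As an added example (not code from the thread or from HijackThis), a small Python filter over service lines: the sample lines are copied from the logs posted above, and the three warning signs it scores are this example's own rule set, not a published one.

```python
"""Triage HijackThis O23 (service) lines for the signals acted on in this thread.

Added example, not part of the thread. Sample lines come from the logs posted
above; the scoring rules are this example's own.
"""
import re
from collections import namedtuple

Finding = namedtuple('Finding', 'name path reasons')

# O23 - Service: <display> (<short name>) - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r'^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - '
    r'(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$')

# Core Windows binaries that belong directly in %SystemRoot%\system32 and nowhere else
CORE_BINARIES = {'svchost.exe', 'lsass.exe', 'services.exe', 'winlogon.exe', 'csrss.exe'}
IN_SYSTEM32 = re.compile(r'^[a-z]:\\win(?:nt|dows)\\system32\\[^\\]+$', re.I)

# Constructed sample: O23 lines taken from the HijackThis output in this thread, plus one O4 line
SAMPLE_LOG = """\
O23 - Service: COM+ Event log (comlog) - Unknown owner - C:\\WINNT\\system32\\catroot\\svchost.exe (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\\WINNT\\system32\\acs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgamsvr.exe
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINNT\\system32\\igfxtray.exe
"""


def triage_o23(line):
    """Return a Finding for a service line that shows any warning sign, else None."""
    m = O23_RE.match(line)
    if not m:
        return None
    path = m.group('path')
    exe = path.rsplit('\\', 1)[-1].lower()
    reasons = []
    if m.group('missing'):
        reasons.append('binary missing on disk (dangling service entry)')
    if m.group('owner').lower() == 'unknown owner':
        reasons.append('no vendor string in the binary')
    if exe in CORE_BINARIES and not IN_SYSTEM32.match(path):
        reasons.append('%s outside system32 (core Windows binary name reused)' % exe)
    return Finding(m.group('name') or m.group('display'), path, reasons) if reasons else None


def triage_log(text):
    """Run triage over every line; findings with the most reasons come first."""
    found = [f for f in (triage_o23(l) for l in text.splitlines()) if f]
    return sorted(found, key=lambda f: -len(f.reasons))
```

A single "Unknown owner" hit (the Atheros service here) is weak on its own; the comlog entry scores on all three signals at once, which is why it stood out.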

#21 Wizard (Retired Staff, 5,661 posts)
Click Start--> Click Run--> Type in regedit and Click OK.

Look in the smaller left hand pane and find the key--> HKEY_USERS

Right Click and Select Export--> Select the Desktop as the destination to save the file.

File Name--> Backup

Save as type--> Registration File (*.reg)



Next, Copy & Paste all the text in the Code Box below to Notepad and Save it to the Desktop with the name Fix.reg


REGEDIT4

[-HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\svcwmplayer]


Double Click Fix.reg and allow it to merge into the registry.


Please run the Bit Defender Online Scan
http://www.bitdefend...m/scan8/ie.html

You must use Internet Explorer for this scanner.

Install the ActiveX and Click on "Click here to Scan"

Allow it to update and Scan the Machine.

It should disinfect or delete whatever it finds that is infected.

Save the report it generates in a text format please and post it back here.

#22 freespirit_90210 (Member, Topic Starter, 20 posts)
I did them both, but in the middle of the bit defender scan, Microsoft did an automatic update!

Anyway I didn't repeat the registry step, but I started the bit defender scan over...here's the report.

Thanks again for all of your help.

S.


BitDefender Online Scanner

Scan report generated at: Fri, Nov 17, 2006 - 10:14:06
Scan path: C:\;D:\;

Statistics
Time: 02:45:10
Files: 777591
Folders: 6675
Boot Sectors: 2
Archives: 4772
Packed Files: 112688

Results
Identified Viruses: 5
Infected Files: 5
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 3

Engines Info
Virus Definitions: 316623
Engine build: AVCORE v1.0 (build 2355) (i386) (Sep 25 2006 13:46:24)
Scan plugins: 13
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status
C:\setup.exe=>(Instyler o)=>(Instyler Module 23) - Infected with: Dropped:Application.Adware.NewDotNet.A
C:\setup.exe=>(Instyler o)=>(Instyler Module 23) - Disinfection failed
C:\setup.exe=>(Instyler o)=>(Instyler Module 23) - Deleted
C:\setup.exe=>(Instyler o) - Update failed
C:\System Volume Information\Speedtest\HideRun.exe - Infected with: Trojan.HideRun.A
C:\System Volume Information\Speedtest\HideRun.exe - Disinfection failed
C:\System Volume Information\Speedtest\HideRun.exe - Delete failed
C:\System Volume Information\Speedtest\samdump.dll - Infected with: Trojan.Hacktool.Pwdump.A
C:\System Volume Information\Speedtest\samdump.dll - Disinfection failed
C:\System Volume Information\Speedtest\samdump.dll - Delete failed
C:\WINNT\cluster\log\radmin.reg - Infected with: Trojan.Reg.Radmin.A
C:\WINNT\cluster\log\radmin.reg - Disinfection failed
C:\WINNT\cluster\log\radmin.reg - Deleted
C:\WINNT\system32\svcwmplayer.ini - Infected with: Generic.Hacdef.INI.7884FF57
C:\WINNT\system32\svcwmplayer.ini - Disinfection failed
C:\WINNT\system32\svcwmplayer.ini - Deleted

#23 Wizard (Retired Staff, 5,661 posts)
This next step I may have to ask you to repeat a time or 2, I have to get into my 2000 machine and double check some things.


Create a new folder on the desktop.
Copy the contents of this next code box to Notepad.
Name the file inspect.bat
Save as Type: All files
Save in that new folder on the desktop.

Double click on inspect.bat and let it run.
When finished it will open a file in Notepad.
That file will be named lsa.txt
Please post the contents of lsa.txt into your next reply here.


@echo off
rem Export the registry keys that control LSA packages, DCOM, Security Center,
rem policies and the firewall service, then gather the exports into one file.
if not exist files mkdir files

regedit /a /e files\2.txt HKEY_CURRENT_USER\Software\Microsoft\OLE
regedit /a /e files\3.txt HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa
regedit /a /e files\4.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
regedit /a /e files\5.txt HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
rem The default-user hive is HKEY_USERS\.DEFAULT (leading dot); without it regedit exports nothing
regedit /a /e files\6.txt HKEY_USERS\.DEFAULT\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA
regedit /a /e files\7.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
regedit /a /e files\8.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center"
regedit /a /e files\9.txt HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
regedit /a /e files\10.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
regedit /a /e files\11.txt HKEY_LOCAL_MACHINE\SOFTWARE\Policies\WindowsFirewall
regedit /a /e files\12.txt HKEY_CURRENT_USER\SOFTWARE\Policies\WindowsFirewall
regedit /a /e files\13.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters
rem Assumed intent: the services live under CurrentControlSet (the original path omitted it)
regedit /a /e files\14.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess

rem Concatenate all exports into lsa.txt, remove the scratch folder, open the result
copy files\*.txt lsa.txt
rmdir /s /q files
start notepad lsa.txt


#24 freespirit_90210 (Member, Topic Starter, 20 posts)
Here ya go...I should be able to get your instructions done a bit quicker now that it's the weekend! Thanks for sticking with me.

Should I avoid using the machine on the Net altogether until we are done? I've been assuming I should.

S.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
69,00,70,00,6e,00,61,00,74,00,68,00,6c,00,70,00,2e,00,64,00,6c,00,6c,00,00,\
00

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\OLE]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"DefaultLaunchPermission"=hex:01,00,04,80,64,00,00,00,80,00,00,00,00,00,00,00,\
14,00,00,00,02,00,50,00,03,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,\
00,00,05,12,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,01,00,00,00,00,\
00,05,04,00,00,00,00,00,00,00,00,00,18,00,01,00,00,00,01,02,00,00,00,00,00,\
05,20,00,00,00,20,02,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,5f,84,1f,\
5e,2e,6b,49,ce,12,03,03,f4,01,00,00,01,05,00,00,00,00,00,05,15,00,00,00,a0,\
5f,84,1f,5e,2e,6b,49,ce,12,03,03,f4,01,00,00
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\NONREDIST]
"System.EnterpriseServices.Thunk.dll"="Y"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,00,00
"LsaPid"=dword:000000f8
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"fullprivilegeauditing"=hex:00
"lmcompatibilitylevel"=dword:00000000
"restrictanonymous"=dword:00000000
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"SecureLsaInterfaceSupport"=dword:00000001
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:de,bb,d5,59,d7,ae,d9,58,9e,ec,66,c2,ac,7f,f4,7e,32,61,65,34,62,\
39,36,64,00,fd,06,00,01,00,00,00,b0,00,00,00,bc,00,00,00,58,fa,06,00,65,82,\
5a,78,04,00,00,00,b4,fd,06,00,ac,fd,06,00,15,40,18,51

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:a3,fe,60,83,db,f4,cd,56,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:c4,8a,38,be,24,d6

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:f8,56,e0,7b,01,78,db,5e,6a,06,6d,a5,2b,f6,55,9a

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:10,22,16,96,6d,97,c4,01

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,43,8a,cc,78,41,c3,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,d6,3a,b0,79,41,c3,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:80,69,17,c5,79,41,c3,01
"Type"=dword:00000031

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
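The inspect.bat export in post #23 and the lsa.txt posted in reply #24 store the interesting values as hex(7) and hex(2) byte lists, which is why the LSA "Authentication Packages", "Security Packages" and "Notification Packages" entries are unreadable as posted. As an added example (not code from the thread), a Python parser for that regedit export format that decodes those blobs and compares the package lists with a baseline; the sample input is constructed from the Lsa section above, and the baseline is an assumption drawn from that same export, not an authoritative Windows default list.

```python
"""Decode a regedit export (.reg text as written by "regedit /e /a").
Added example, not code from the thread: it turns hex(7) REG_MULTI_SZ and
hex(2) REG_EXPAND_SZ blobs into readable strings so LSA package lists can be checked.
"""
import re

# Constructed sample: the Lsa section of the thread's lsa.txt, trimmed to the values used here
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,00,00
"LsaPid"=dword:000000f8
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00
'''

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
LSA_LISTS = ('Authentication Packages', 'Security Packages', 'Notification Packages')

# Assumed baseline: simply the package lists this export shows. LSA loads every DLL named
# here into lsass.exe at boot, so anything beyond the baseline deserves a close look.
BASELINE = {
    'Authentication Packages': {'msv1_0'},
    'Security Packages': {'kerberos', 'msv1_0', 'schannel'},
    'Notification Packages': {'scecli'},
}

def _logical_lines(text):
    """Re-join the lines regedit wrapped with a trailing backslash."""
    lines, buf = [], ''
    for raw in text.splitlines():
        buf += raw.strip() if buf else raw.rstrip()
        if buf.endswith('\\'):
            buf = buf[:-1]      # continuation follows on the next line
            continue
        lines.append(buf)
        buf = ''
    if buf:
        lines.append(buf)
    return lines

def decode_value(raw):
    """Return (type_name, value) for the text after '=' in a "name"=... line."""
    if raw.startswith('"') and raw.endswith('"'):
        return 'REG_SZ', re.sub(r'\\(.)', r'\1', raw[1:-1])
    if raw.startswith('dword:'):
        return 'REG_DWORD', int(raw[len('dword:'):], 16)
    m = re.match(r'^hex(?:\((\d+)\))?:(.*)$', raw)
    if not m:
        return 'UNKNOWN', raw
    kind = int(m.group(1) or 3)                      # bare "hex:" is REG_BINARY (type 3)
    data = bytes(int(b, 16) for b in m.group(2).split(',') if b)
    if kind == 7:                                    # REG_MULTI_SZ: UTF-16LE, NUL-separated
        return 'REG_MULTI_SZ', [s for s in data.decode('utf-16-le').split('\x00') if s]
    if kind in (1, 2):                               # REG_SZ / REG_EXPAND_SZ stored as hex
        return ('REG_SZ', 'REG_EXPAND_SZ')[kind - 1], data.decode('utf-16-le').rstrip('\x00')
    return ('REG_BINARY' if kind == 3 else 'hex(%d)' % kind), data

def parse_reg(text):
    """Map each [key] to {value_name: (type_name, value)}; '@' is the default value."""
    tree, key = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith('Windows Registry Editor') or line == 'REGEDIT4':
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]                         # a leading '-' would mark a key deletion
            tree.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if key is not None and m:
            name = '@' if m.group(1) is None else m.group(1)
            tree[key][name] = decode_value(m.group(3))
    return tree

def lsa_packages(tree):
    """Return {list_name: [dll, ...]} from the first key that ends in \\Control\\Lsa."""
    for key, values in tree.items():
        if key.lower().endswith('\\control\\lsa'):
            return {n: values[n][1] for n in LSA_LISTS if n in values}
    return {}

def unexpected_packages(packages, baseline=BASELINE):
    """Per list, the entries present in the export but absent from the baseline."""
    extra = {}
    for name, dlls in packages.items():
        unknown = [d for d in dlls if d.lower() not in baseline.get(name, set())]
        if unknown:
            extra[name] = unknown
    return extra
```

Run parse_reg on the whole lsa.txt and feed the result to lsa_packages and unexpected_packages; an empty result means the package lists match the baseline exactly.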

#25 Wizard (Retired Staff, 5,661 posts)
Amazing, nothing appears changed so far! :whistling:


One more scan then you can put the PC back to the Internet so we can test things.

Tell me what Firewall and Antivirus you have installed and is it up to date?


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post along with a fresh HijackThis log.


#26 freespirit_90210 (Member, Topic Starter, 20 posts)
Here you go...

Re: your firewall and virus scanner question, I'm embarrassed to say I don't have a firewall. Can you recommend one?

I use Spybot Search and Destroy, Ad-Aware Plus, and AVG. I was using Trojan Hunter till the demo period ran out.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 19, 2006 3:44:09 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 19/11/2006
Kaspersky Anti-Virus database records: 242905
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 80845
Number of viruses found: 10
Number of infected objects: 24 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:28:04

Infected Object Name / Virus Name / Last Action
C:\avenger\backup.zip/avenger/bka/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\avenger\backup.zip/avenger/bka/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\avenger\backup.zip/avenger/bka/rahide.reg Infected: Backdoor.Win32.RA-based.z skipped
C:\avenger\backup.zip/avenger/bka/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\avenger\backup.zip/avenger/bka/ZipOfAllFiles_11-08-06.ZIP/WINNT/system32/security/bka/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\avenger\backup.zip/avenger/bka/ZipOfAllFiles_11-08-06.ZIP/WINNT/system32/security/bka/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\avenger\backup.zip/avenger/bka/ZipOfAllFiles_11-08-06.ZIP/WINNT/system32/security/bka/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\avenger\backup.zip/avenger/bka/ZipOfAllFiles_11-08-06.ZIP/WINNT/system32/security/bka/rahide.reg Infected: Backdoor.Win32.RA-based.z skipped
C:\avenger\backup.zip/avenger/bka/ZipOfAllFiles_11-08-06.ZIP Infected: Backdoor.Win32.RA-based.z skipped
C:\avenger\backup.zip ZIP: infected - 9 skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Application Data\Microsoft\Word\AutoRecovery save of Document1.asd Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Desktop\Clean off desktop 10-8-06\Old Desktop Items DO NOT ERASE\All RUP Stuff\IBM RUP Tutorial\webex_player.exe//Disk1/ieatgpc.dll Infected: not-a-virus:AdWare.Win32.WebEx.b skipped
C:\Documents and Settings\Sarah Leedy\Desktop\Clean off desktop 10-8-06\Old Desktop Items DO NOT ERASE\All RUP Stuff\IBM RUP Tutorial\webex_player.exe CAB: infected - 1 skipped
C:\Documents and Settings\Sarah Leedy\Desktop\Clean off desktop 10-8-06\Old Desktop Items DO NOT ERASE\All RUP Stuff\IBM RUP Tutorial\webex_player.exe InstallShield: infected - 1 skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temp\Acr314E.tmp Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temp\~DF2BE7.tmp Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temp\~DF2D29.tmp Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temp\~DF30F7.tmp Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temp\~DF885.tmp Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temp\~DFD36D.tmp Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temp\~WRF0000.tmp Object is locked skipped
C:\Documents and Settings\Sarah Leedy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Sarah Leedy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Sarah Leedy\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Microsoft Office\Office\Startup\PDFMaker.dot Object is locked skipped
C:\Program Files\TechSmith\SnagIt 8\SnagIt Add-in.dot Object is locked skipped
C:\Program Files\Wiperaser 2004\language.set Object is locked skipped
C:\setup.exe/data0013 Infected: not-a-virus:Server-Proxy.Win32.MarketScore.j skipped
C:\setup.exe/data0021/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\setup.exe/data0021/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\setup.exe/data0021 Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\setup.exe/data0024 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\setup.exe Inno: infected - 5 skipped
C:\System Volume Information\Speedtest\HideRun.exe Infected: not-a-virus:RiskTool.Win32.HideRun skipped
C:\System Volume Information\Speedtest\samdump.dll Infected: not-a-virus:PSWTool.Win32.PWDump.2 skipped
C:\WINNT\cluster\log\admdll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\WINNT\cluster\log\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\PCHEALTH\helpctr\logs\logging\staubi\Scan\SCANXXX.exe Infected: not-a-virus:NetTool.Win32.DFind skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0
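A small triage helper for report lines in the format quoted above, added here as an example and not part of this thread or of Kaspersky's own tooling. It separates real malware detections from "not-a-virus:" riskware, discards the "Object is locked" lines (in-use system files, not findings), and maps each hit back to the on-disk file a cleanup step would act on; the sample lines are constructed in the report's format.

```python
import re
from collections import defaultdict

# Constructed sample in the line format of the Kaspersky Online Scanner
# report (a few representative lines, not the full report).
SAMPLE_REPORT = r"""Infected Object Name / Virus Name / Last Action
C:\avenger\backup.zip/avenger/bka/rahide.reg Infected: Backdoor.Win32.RA-based.z skipped
C:\avenger\backup.zip/avenger/bka/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\avenger\backup.zip ZIP: infected - 9 skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\setup.exe/data0024 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

Scan process completed.
"""

# One regex per line shape the report uses: a detection, a locked object,
# and a container summary such as "ZIP: infected - 9".
DETECTION = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
LOCKED = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")
CONTAINER = re.compile(r"^(?P<path>.+?) (?P<fmt>\S+): infected - (?P<count>\d+) (?P<action>\S+)$")


def parse_report(text):
    """Return one dict per result line; headers and blank lines are ignored."""
    records = []
    for line in text.splitlines():
        if m := DETECTION.match(line):
            records.append({"kind": "detection", **m.groupdict()})
        elif m := LOCKED.match(line):
            records.append({"kind": "locked", **m.groupdict()})
        elif m := CONTAINER.match(line):
            records.append({"kind": "container", **m.groupdict()})
    return records


def on_disk_path(obj_path):
    """Archive members are separated with '/', so the file actually on disk
    is everything before the first '/'."""
    return obj_path.split("/", 1)[0]


def triage(records):
    """Group detections by on-disk file: real malware vs. 'not-a-virus'
    riskware; locked objects are only counted, never listed as findings."""
    out = {"malware": defaultdict(set), "riskware": defaultdict(set), "locked": 0}
    for r in records:
        if r["kind"] == "locked":
            out["locked"] += 1
        elif r["kind"] == "detection":
            bucket = "riskware" if r["name"].startswith("not-a-virus:") else "malware"
            out[bucket][on_disk_path(r["path"])].add(r["name"])
    return {k: (dict(v) if isinstance(v, dict) else v) for k, v in out.items()}
```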

#27
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Let's get rid of these items first.

C:\setup.exe<-- File

C:\avenger<-- Folder

C:\WINNT\cluster<-- Folder


Free Firewall: I think you'll find this the most user friendly of the 3 free ones I know of.

ZoneAlarm Free


Get that installed, then update AVG and do a full System Scan.

Post back and let me know how the computer is acting and if AVG found anything.
  • 0

#28
freespirit_90210

freespirit_90210

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
I've deleted the files, I'm installing ZoneAlarm now and I'll run the AVG scan while I'm at work today.

Do you feel Zone Alarm is enough, or should I buy a hardware firewall too? I'm certainly willing after all this happening. Let me know what you think.

Thanks again, I'll let you know if AVG finds anything.

S.
  • 0

#29
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Tell me a little more about the machine and its usage?

Is it a desktop or laptop?

How many people have access?

How does it connect to the Internet?


I am pretty confident with AVG and Zone Alarm.
  • 0

#30
freespirit_90210

freespirit_90210

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
It's a laptop, only my roommate and I have access and she's cool. It's connected to a Cable DSL modem.

It was better after the first couple of cleanups you had me do, but now it seems slow again and that the modem is transmitting something all the time, even when I'm not doing anything. Is that necessarily a problem? Maybe it isn't and I'm just paranoid.

Here's what AVG found...

Partition table (MBR) - OK - Quick checked
Boot sector of disk C: - OK - Quick checked
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load Scanned
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit Scanned
System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell Scanned
System registry exefile\shell\open\command Scanned
System registry scrfile\shell\open\command Scanned
System registry scrfile\shell\config\command Scanned
System registry batfile\shell\open\command Scanned
System registry cmdfile\shell\open\command Scanned
System registry comfile\shell\open\command Scanned
System registry piffile\shell\open\command Scanned
System registry giffile\shell\open\command Scanned
System registry htmlfile\shell\open\command Scanned
System registry htafile\shell\open\command Scanned
System registry jpegfile\shell\open\command Scanned
System registry txtfile\shell\open\command Scanned
System registry regfile\shell\open\command Scanned
System registry cplfile\shell\cplopen\command Scanned
System registry Word.Document.8\shell\open\command Scanned
System registry WordPad.Document.1\shell\open\command Scanned
System registry inffile\shell\open\command Scanned
System registry vbsfile\shell\open\command Scanned
System registry vbefile\shell\open\command Scanned
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe - OK - Quick checked
C:\Program Files\BellSouth\Client Foundation\CFD.exe - OK - Quick checked
C:\Program Files\Dell\AccessDirect\DadApp.exe - OK - Quick checked
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe - OK - Quick checked
C:\Program Files\Internet Explorer\IEXPLORE.EXE - OK - Quick checked
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe - OK - Quick checked
C:\Program Files\Microsoft IntelliType Pro\type32.exe - OK - Quick checked
C:\Program Files\Microsoft Office\Office\WINWORD.EXE - OK - Quick checked
C:\Program Files\QuickTime\qttask.exe - OK - Quick checked
C:\Program Files\Real\RealPlayer\realplay.exe - OK - Quick checked
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe - OK - Quick checked
C:\Program Files\Support.com\BellSouth\hcenter.exe - OK - Quick checked
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe - OK - Quick checked
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe - OK - Quick checked
C:\Program Files\TrojanHunter 4.6\THGuard.exe - OK - Quick checked
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe - OK - Quick checked
C:\Program Files\iTunes\iTunesHelper.exe - OK - Quick checked
C:\WINNT\BCMSMMSG.exe - OK - Quick checked
C:\WINNT\regedit.exe - OK - Quick checked
C:\WINNT\system32\CTFMON.EXE - OK - Quick checked
C:\WINNT\system32\SHELL32.DLL - OK - Quick checked
C:\WINNT\system32\hkcmd.exe - OK - Quick checked
C:\WINNT\system32\igfxtray.exe - OK - Quick checked
C:\WINNT\system32\mobsync.exe - OK - Quick checked
C:\WINNT\system32\mshta.exe - OK - Quick checked
C:\WINNT\system32\rundll32.exe - OK - Quick checked
C:\WINNT\system32\kernel32.dll Change Changed
C:\WINNT\system32\wsock32.dll - OK - Quick checked
C:\WINNT\system32\user32.dll Change Changed
C:\WINNT\system32\shell32.dll Change Changed
C:\WINNT\system32\ntoskrnl.exe Change Changed
  • 0