Brave Sentry infected - HJT log attached [RESOLVED]



#1 goassen (Member, 17 posts)
Hi,
My computer is infected with Brave Sentry.

When starting my computer, I get the option of choosing to run in safe mode. If I don't choose safe mode, I get a blue screen appearing for half a second, and then the computer restarts.

The blue screen says:

"A problem has been detected and windows has been shut down to prevent damage to your computer.
...
Technical information:
*** STOP: 0x0000007F (0x00000008, 0x80042000, 0x00000000, 0x00000000)
Beginning dump of physical memory
...
"

I have tried to fix the problem with following the instructions on the following link:
http://www.schrockin...bravesentry.php

As advised here, I also installed and ran the program smitrem.exe.

The website also advised me to search for some files and delete them. I found xpupdate.exe, which I deleted.
I also found services.exe, but this file could not be deleted.
(I got the following message: "Cannot delete services. It is being used by another person or program. Close any programs that might be using the file and try again")

Except for the failed deletion of services.exe, I did everything the website said, except for the last step, which advised me to install the "FREE Google Pack", which also included "Adaware Personal Edition".

I also tried installing Spysweeper (Webroot) which did a "free scan" of my computer, and it found a lot. But I haven't bought the full version of the program, so it didn't fix anything.

My computer is still infected, and I have no clue what to do. I downloaded HJT, and have attached a log file beneath.

Can anyone out there please help me?


My HJT log file:
-------

Logfile of HijackThis v1.99.1
Scan saved at 13:57:15, on 01.08.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programmer\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernelwind32.exe
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunOnce: [tmp5681109] cmd /Q /C "C:\WINDOWS\tmp5681058.bat"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe
O4 - HKCU\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: RSeQBs - {2CCFACCC-8665-0666-CD3D-57585FFDD938} - C:\WINDOWS\system32\aae.dll
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\system32\vdrsys.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


#2 don77 (Malware Expert, Retired Staff, 18,526 posts)
Hello goassen, and welcome.
Sorry for the delay.


Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free...mitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
I need to see a fresh HJT log as well please
Warning : running option #2 on a non infected computer will remove your Desktop background.

#3 goassen (Topic Starter, Member, 17 posts)
Hi and thanks a lot for your reply!

I forgot to mention that I cannot run Normal Windows, so I have to use Safe Mode. Right now I am using "Safe Mode With Networking".

Here are the SmitfraudFix report and the HJT Log:

------------------------------------------------------------------
SMITFRAUDFIX
------------------------------------------------------------
SmitFraudFix v2.210

Scan done at 19:00:22,41, 08.08.2007
Run from C:\Documents and Settings\Administrator\Desktop\smitfraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304B20509}"="DCOM Server 20509"

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B20509}\InProcServer32]
@="C:\WINDOWS\system32\vdrsys.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B20509}\InProcServer32]
@="C:\WINDOWS\system32\vdrsys.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost
127.0.0.1 www.trendmicro.com
127.0.0.1 rads.mcafee.com
127.0.0.1 customer.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 updates.symantec.com
127.0.0.1 www.nai.com
127.0.0.1 secure.nai.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 download.mcafee.com
127.0.0.1 www.my-etrust.com
127.0.0.1 mast.mcafee.com
127.0.0.1 ca.com
127.0.0.1 www.ca.com
127.0.0.1 networkassociates.com
127.0.0.1 www.networkassociates.com
127.0.0.1 avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 www.avp.com
127.0.0.1 downloads4.kaspersky-labs.com
127.0.0.1 downloads3.kaspersky-labs.com
127.0.0.1 downloads2.kaspersky-labs.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 www.f-secure.com
127.0.0.1 viruslist.com
127.0.0.1 www.viruslist.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.mcafee.com
127.0.0.1 sophos.com
127.0.0.1 www.sophos.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.symantec.com

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{70EB635C-10EB-4140-BCBC-C952C0F7FD38}: DhcpNameServer=81.167.36.3 81.167.36.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{70EB635C-10EB-4140-BCBC-C952C0F7FD38}: DhcpNameServer=81.167.36.3 81.167.36.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{70EB635C-10EB-4140-BCBC-C952C0F7FD38}: DhcpNameServer=81.167.36.3 81.167.36.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=81.167.36.3 81.167.36.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=81.167.36.3 81.167.36.11
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=81.167.36.3 81.167.36.11


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304B20509}"="DCOM Server 20509"

[HKEY_CLASSES_ROOT\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B20509}\InProcServer32]
@="C:\WINDOWS\system32\vdrsys.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B20509}\InProcServer32]
@="C:\WINDOWS\system32\vdrsys.dll"



»»»»»»»»»»»»»»»»»»»»»»»» End

------------------------------------------------------------------------------
HIJACKTHIS LOG
----------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 19:40:40, on 08.08.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programmer\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\system32\rpcc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunOnce: [tmp5681109] cmd /Q /C "C:\WINDOWS\tmp5681058.bat"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: RSeQBs - {2CCFACCC-8665-0666-CD3D-57585FFDD938} - C:\WINDOWS\system32\aae.dll
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - C:\WINDOWS\system32\vdrsys.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#4 don77 (Malware Expert, Retired Staff, 18,526 posts)

> I forgot to mention that I cannot run Normal Windows, so I have to use Safe Mode. Right now I am using "Safe Mode With Networking".

Please limit your online time: when surfing from Safe Mode with Networking, you're online with 0 protection.

Download the HostsXpert 3.7 - Hosts File Manager.
  • Unzip HostsXpert 3.7 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 3.7 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Next
Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
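The hosts section of the SmitfraudFix report above shows the indicator that makes the "Restore Microsoft's Hosts file" step necessary: security-vendor domains, including the F-Secure update servers of the antivirus installed on this machine, are pinned to 127.0.0.1 so the product cannot update. The following is an added example, not code from the thread or from HostsXpert: it parses a constructed hosts file, buckets each entry, and rebuilds the stock single-line Windows XP hosts file, returning any custom entries that the operator would have to re-add by hand, as don77's note warns. The vendor list and the sample file are constructed for the example.

```python
"""Hosts-file hijack triage and repair (added example; constructed data).

Sinkholing security-vendor domains to 127.0.0.1, as seen in the SmitfraudFix
report, stops the installed antivirus from updating. This parses a hosts
file, sorts each entry into a bucket, and rebuilds the stock file.
"""
from collections import defaultdict

# The only non-comment line in a stock Windows XP hosts file.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Names that legitimately map to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Addresses used to blackhole a name. 0.0.0.0 and ::1 are included for
# completeness even though the report only shows 127.0.0.1.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Vendor domains of the kind seen sinkholed in the report (constructed list;
# F-Secure is the AV on this machine, so that entry alone blocks its updates).
VENDOR_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "mcafee.com", "trendmicro.com",
    "kaspersky.com", "kaspersky-labs.com", "f-secure.com", "sophos.com",
    "nai.com", "ca.com", "avp.com", "viruslist.com",
    "networkassociates.com", "my-etrust.com",
)

# Constructed sample hosts file, not the real one from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.trendmicro.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 downloads1.kaspersky-labs.com
127.0.0.1 www.f-secure.com
127.0.0.1 example.test          # constructed: non-vendor name sinkholed
192.0.2.10 intranet.example     # constructed: legitimate custom entry
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and blank lines are skipped, and
    a line listing several names yields one pair per name."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def is_vendor_domain(host):
    """True if host is a listed vendor domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in VENDOR_SUFFIXES)


def classify(entries):
    """Bucket entries: benign (loopback names), sinkholed_vendor (the
    indicator from the report), sinkholed_other, custom (everything else)."""
    buckets = defaultdict(list)
    for ip, host in entries:
        if ip in SINKHOLE_IPS and host in LOCAL_NAMES:
            buckets["benign"].append((ip, host))
        elif ip in SINKHOLE_IPS and is_vendor_domain(host):
            buckets["sinkholed_vendor"].append((ip, host))
        elif ip in SINKHOLE_IPS:
            buckets["sinkholed_other"].append((ip, host))
        else:
            buckets["custom"].append((ip, host))
    return dict(buckets)


def restore_default(entries):
    """Rebuild the stock hosts file (the effect of a 'restore Microsoft hosts
    file' action) and return the custom entries that were dropped, which the
    operator has to re-add by hand."""
    dropped = [f"{ip} {host}" for ip, host in classify(entries).get("custom", [])]
    return DEFAULT_HOSTS, dropped


if __name__ == "__main__":
    found = parse_hosts(SAMPLE_HOSTS)
    for bucket, items in sorted(classify(found).items()):
        print(f"{bucket:17s} {len(items)}")
        for ip, host in items:
            print(f"  {ip:12s} {host}")
    new_file, dropped = restore_default(found)
    print("restored hosts file:", repr(new_file))
    print("re-add by hand:", dropped)
```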

#5 goassen (Topic Starter, Member, 17 posts)
Thanks again!

Here is the Combofix log and the new HJT log:

--------------------------
COMBOFIX
--------------------------

ComboFix 07-08-09.3 - "Administrator" 2007-08-10 22:55:17.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.552 [GMT 2:00]

ADS removed - svchost.exe: deleted 52224 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ADMINI~1\APPLIC~1.\microsoft\internet explorer\Desktop.htt
C:\DOCUME~1\ADMINI~1\APPLIC~1\Microsoft\20509.dat
C:\DOCUME~1\ADMINI~1\STARTM~1\Programs.\Brave-Sentry
C:\DOCUME~1\ADMINI~1\STARTM~1\Programs.\Brave-Sentry\BraveSentry.lnk
C:\DOCUME~1\ADMINI~1\STARTM~1\Programs.\Brave-Sentry\Uninstall.lnk
C:\WINDOWS\system32\2_exception.nls
C:\WINDOWS\system32\dllh8jkd1q1.exe
C:\WINDOWS\system32\dllh8jkd1q2.exe
C:\WINDOWS\system32\dllh8jkd1q5.exe
C:\WINDOWS\system32\dllh8jkd1q6.exe
C:\WINDOWS\system32\dllh8jkd1q7.exe
C:\WINDOWS\system32\dllh8jkd1q8.exe
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\gmc.exe.exe
C:\WINDOWS\system32\kernelwind32.exe
C:\WINDOWS\system32\rpcc.exe
C:\WINDOWS\system32\vdrsys.dll
C:\WINDOWS\system32\vedxg3am1et3.exe
C:\WINDOWS\system32\vedxg4am1et2.exe
C:\WINDOWS\system32\vedxg6ame4.exe
C:\WINDOWS\system32\vedxga1me4t1.exe
C:\WINDOWS\system32\vedxga3me2.exe
C:\WINDOWS\system32\vedxga4m1et4.exe
C:\WINDOWS\system32\vedxga4me1.exe
C:\WINDOWS\system32\vedxga5me3.exe
C:\WINDOWS\system32\vx.tll
C:\WINDOWS\system32\windev-5127-2f8a.sys
C:\WINDOWS\system32\windev-peers.ini


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ICF
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\ICF
-------\runtime


((((((((((((((((((((((((( Files Created from 2007-07-10 to 2007-08-10 )))))))))))))))))))))))))))))))


2007-08-10 22:53 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-10 22:49 <DIR> d-------- C:\HostsXpert
2007-08-08 19:00 3,686 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-01 12:23 218,112 --a------ C:\Program Files\HijackThis.exe
2007-07-12 01:01 <DIR> d--h----- C:\WINDOWS\PIF


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 19:40 5517 --a------ C:\Program Files\hijackthis.log
2007-07-07 15:43 5818392 --a------ C:\Program Files\Firefox Setup 2.0.0.4.exe
2007-07-07 15:43 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-05 18:03 --------- d-------- C:\Program Files\Webroot
2007-07-05 18:03 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Webroot
2007-07-05 17:57 164 --a------ C:\install.dat
2007-07-05 17:55 13425184 --a------ C:\Program Files\ssftrialsnrsetup1_2000776302.exe
2007-07-05 01:27 33536 --a------ C:\WINDOWS\system32\drivers\runtime2.sys
2007-07-05 01:26 17408 --a------ C:\WINDOWS\system32\svchost.exe
2007-07-05 01:24 11571 --a------ C:\xx1232255.exe
2007-07-04 01:09 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent
2007-06-21 18:57 1520952 --a------ C:\WINDOWS\WRSetup.dll
2007-06-21 18:43 23864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-06-21 18:43 21816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-06-21 18:43 20280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-06-21 18:43 160056 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-06-10 20:54 --------- d-------- C:\Program Files\GPLGS
2007-06-10 20:52 --------- d-------- C:\Program Files\Acro Software
2007-06-10 20:51 1622736 --a------ C:\Program Files\CuteWriter.exe
2007-06-10 19:40 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-08 09:07 87808 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2007-06-04 19:44 177152 --a------ C:\Program Files\utorrent.exe
2007-04-16 19:41 2228534 --a------ C:\Program Files\audacity-win-1.2.6.exe
2006-12-15 22:28 21376 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2003-04-15 04:00 C:\WINDOWS\system32\carpserv.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-23 00:10]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-23 01:06]
"ATIModeChange"="Ati2mdxx.exe" [2002-08-16 02:18 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-08-14 18:29]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-07-17 14:50]
"TV Now"="C:\Program Files\HPQ\Notebook Utilities\TvNow.exe" [2003-01-30 11:34]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 07:26]
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [2003-10-03 21:07]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.exe" [2005-09-19 10:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 04:03]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"iTunesHelper"="D:\Programmer\Itunes\iTunesHelper.exe" [2007-03-14 19:05]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-06-21 18:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-07-29 20:33]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 02:06]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04]
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2006-11-24 16:40:08]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"RSeQBs"= {2CCFACCC-8665-0666-CD3D-57585FFDD938} - C:\WINDOWS\system32\aae.dll [2004-08-04 00:56 32768]

R0 SSFS0BB8;Spy Sweeper File System Filer Driver: 0BB8;C:\WINDOWS\system32\Drivers\SSFS0BB8.SYS
R0 SSHRMD;Spy Sweeper Hookrack MiniDriver;C:\WINDOWS\system32\Drivers\SSHRMD.SYS
R0 SSIDRV;Spy Sweeper Interdiction Driver;C:\WINDOWS\system32\Drivers\SSIDRV.SYS
R1 LUMDriver;LUMDriver;\??\C:\WINDOWS\system32\drivers\LUMDriver.sys
R2 BackWeb Client - 7681197;F-Secure BackWeb;C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems Inc. IPSec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\F-Secure\Anti-Virus\Win2K\FSgk.sys
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys
R2 FSpm;F-Secure Policy Manager;\??\C:\Program Files\F-Secure\Common\FSPM.SYS
R2 StreamDispatcher;StreamDispatcher;C:\WINDOWS\system32\DRIVERS\strmdisp.sys
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\system32\drivers\caliaud.sys
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.SYS
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS
R3 HSFHWALI;HSFHWALI;C:\WINDOWS\system32\DRIVERS\HSFHWALI.sys
R3 SSKBFD;Webroot Spy Sweeper Keylogger Shield Keyboard Filter;C:\WINDOWS\system32\Drivers\sskbfd.sys
S2 windev-5127-2f8a;windev-5127-2f8a;\??\C:\WINDOWS\system32\windev-5127-2f8a.sys
S3 aliadwdm;ALi Audio Accelerator WDM driver;C:\WINDOWS\system32\drivers\ac97ali.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys
S3 ICDUSB;Sony IC Recorder;C:\WINDOWS\system32\Drivers\ICDUSB.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc

*Newly Created Service* - SSFS0BB8
*Newly Created Service* - SSHRMD
*Newly Created Service* - SSIDRV

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-10 22:58:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\\xff\xff\b\xabV\2\1]
"DisplayName"=""
"DeviceDesc"=""
"ProviderName"=""
"MFG"="\x435c\x6e6f\x7274\x6c6f\x435c\x616c\x7373\x85c\4"
"ReinstallString"="\xb973\x7792"
"DeviceInstanceIds"=str(7):"cx_06126.inf"

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FSAA]
"ImagePath"="\"C:\Program Files\F-Secure\Common\FSAA.EXE\""

Completion time: 2007-08-10 23:02:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-10 23:01

--- E O F ---


----------------------------------------
HJT LOG
-------------------------

Logfile of HijackThis v1.99.1
Scan saved at 23:15:24, on 10.08.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
D:\Programmer\Itunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] "C:\Program Files\HPQ\Default Settings\cpqset.exe"
O4 - HKLM\..\Run: [TV Now] "C:\Program Files\HPQ\Notebook Utilities\TvNow.exe" /RK
O4 - HKLM\..\Run: [Display Settings] "C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" /s
O4 - HKLM\..\Run: [QT4HPOT] "C:\Program Files\HPQ\One-Touch\OneTouch.EXE"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programmer\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: RSeQBs - {2CCFACCC-8665-0666-CD3D-57585FFDD938} - C:\WINDOWS\system32\aae.dll
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#6
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
That cleared out a good bit of garbage

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\drivers\runtime2.sys
    C:\xx1232255.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Let me know if you're able to get online in safe mode

Need you to run an online scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#7
goassen

goassen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Here are the MoveIT and Kaspersky reports:

(I got online through "Safe mode with networking". I did not manage to get online through regular "Safe mode". I did not try to get on the internet through "normal Windows".)

------------------------------
OT Move IT report
-------------------------------

C:\WINDOWS\system32\drivers\runtime2.sys moved successfully.
C:\xx1232255.exe moved successfully.

Created on 08.11.2007 02:04:51

------------------------------------
Kaspersky online scanner report
--------------------------------

KASPERSKY ONLINE SCANNER REPORT
Saturday, August 11, 2007 11:45:16 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 11/08/2007
Kaspersky Anti-Virus database records: 378448


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 28225
Number of viruses found 18
Number of infected objects 24
Number of suspicious objects 0
Duration of the scan process 00:44:20

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Desktop\smitfraud\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\dllh8jkd1q1.exe.vir Infected: Trojan-Downloader.Win32.Small.cxx skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\dllh8jkd1q2.exe.vir Infected: not-virus:Hoax.Win32.Renos.hl skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\dllh8jkd1q5.exe.vir Infected: Trojan-Downloader.Win32.Small.cwj skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\dllh8jkd1q6.exe.vir Infected: Trojan-Downloader.Win32.Agent.bil skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\dllh8jkd1q7.exe.vir Infected: Trojan-Downloader.Win32.Agent.bil skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ip6fw.sys.vir Infected: Rootkit.Win32.Agent.dp skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\gmc.exe.exe.vir Infected: Email-Worm.Win32.Zhelatin.fm skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\kernelwind32.exe.vir Infected: Email-Worm.Win32.Zhelatin.fm skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\rpcc.exe.vir Infected: Trojan-Proxy.Win32.Dlena.ad skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\vdrsys.dll.vir Infected: Backdoor.Win32.Agent.adr skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\vedxg3am1et3.exe.vir Infected: Email-Worm.Win32.Zhelatin.gm skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\vedxg4am1et2.exe.vir Infected: Email-Worm.Win32.Zhelatin.fm skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\vedxg6ame4.exe.vir Infected: Email-Worm.Win32.Zhelatin.fm skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\vedxga1me4t1.exe.vir Infected: Email-Worm.Win32.Zhelatin.ee skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\vedxga3me2.exe.vir Infected: Trojan-Downloader.Win32.Small.cxx skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\vedxga4m1et4.exe.vir Infected: Trojan-Downloader.Win32.Tibs.mq skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\vedxga4me1.exe.vir Infected: Trojan-Proxy.Win32.Xorpix.bc skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\vedxga5me3.exe.vir Infected: Trojan-Downloader.Win32.Small.eqn skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\windev-5127-2f8a.sys.vir Infected: Packed.Win32.Tibs.ab skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\WINDOWS\CSC000001 Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\system32\spoolsv.exe Infected: Trojan.Win32.Patched.aa skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\_OTMoveIt\MovedFiles\WINDOWS\system32\drivers\runtime2.sys Infected: Rootkit.Win32.Agent.ey skipped

C:\_OTMoveIt\MovedFiles\xx1232255.exe Infected: Email-Worm.Win32.Zhelatin.fm skipped

D:\Musikk\Top of Charts - 2004.wma Infected: Trojan-Downloader.WMA.Wimad.k skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
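The Kaspersky report above is easiest to read once the "Object is locked" lines are set aside and the detections are split by location: nearly all of them sit under C:\QooBox\Quarantine and C:\_OTMoveIt\MovedFiles, i.e. files ComboFix and OTMoveIt had already moved out of the way, while only spoolsv.exe and one .wma on D: are flagged on live paths. Here is a small Python parser that does that split; it is an added example written for this page, not a tool from the thread or from Kaspersky, and the sample lines and the quarantine-prefix list are constructed from the report above.

```python
import re
from collections import Counter

# Quarantine folders of the tools used earlier in this thread (ComboFix's
# QooBox and OTMoveIt's MovedFiles). A detection under these is a file that
# was already moved out of its original location, not a running infection.
QUARANTINE_PREFIXES = (
    "c:\\qoobox\\quarantine\\",
    "c:\\_otmoveit\\movedfiles\\",
)

LOCKED_SUFFIX = " Object is locked skipped"
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+Infected:\s+(?P<verdict>\S+)\s+(?P<action>\S+)$"
)

# Constructed sample: a few lines in the shape of the report above.
SAMPLE_REPORT = r"""
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rpcc.exe.vir Infected: Trojan-Proxy.Win32.Dlena.ad skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\ip6fw.sys.vir Infected: Rootkit.Win32.Agent.dp skipped
C:\WINDOWS\system32\spoolsv.exe Infected: Trojan.Win32.Patched.aa skipped
C:\_OTMoveIt\MovedFiles\xx1232255.exe Infected: Email-Worm.Win32.Zhelatin.fm skipped
D:\Musikk\Top of Charts - 2004.wma Infected: Trojan-Downloader.WMA.Wimad.k skipped
Scan process completed.
"""


def is_quarantined(path):
    """True when the path lies inside one of the known quarantine folders."""
    return path.lower().startswith(QUARANTINE_PREFIXES)


def parse_report(text):
    """Split report lines into detections [(path, verdict, action)] and locked paths."""
    detections, locked = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(LOCKED_SUFFIX):
            locked.append(line[: -len(LOCKED_SUFFIX)])
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append((m["path"], m["verdict"], m["action"]))
    return detections, locked


def triage(text):
    """Group detections by where they sit and count the verdict families."""
    detections, locked = parse_report(text)
    live = [(p, v) for p, v, _ in detections if not is_quarantined(p)]
    quarantined = [(p, v) for p, v, _ in detections if is_quarantined(p)]
    # Live hits under the Windows directory deserve a second opinion rather
    # than deletion: a "Patched" verdict on a system binary can be a real
    # modification or a false positive, and removing the file breaks the service.
    system_hits = [p for p, _ in live if p.lower().startswith("c:\\windows\\")]
    families = Counter(v.split(".")[0] for _, v, _ in detections)
    return {
        "live": live,
        "quarantined": quarantined,
        "system_hits": system_hits,
        "locked": len(locked),
        "families": families,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("live detections:      ", result["live"])
    print("already quarantined:  ", len(result["quarantined"]))
    print("system files to verify:", result["system_hits"])
    print("locked (in-use) files:", result["locked"])
    print("verdict families:     ", dict(result["families"]))
```

The "locked" count is worth keeping separate rather than dropping: registry hives, event logs and index.dat files are always in use while Windows runs, so a scanner skipping them is normal and not a finding.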

#8
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Looking much better :whistling: I would rather have you go online in normal mode; going online in safe mode with networking is putting you at risk, you have 0 protection

Open notepad, copy and paste the following lines into it:

cd\
cd %windir%\system32
REM list files only (no folders), newest first, into a text file on the system drive
dir /a:-d /o:-d > %systemdrive%\system32.txt
REM open that listing in notepad, then close this window
start %systemdrive%\system32.txt
cls
exit


Save this as look.bat (choose "All files" as the file type) and save it to your desktop.
Doubleclick on it and notepad will open with a long list of all the files present in your system32-folder.
Copy and paste the first 20-30 lines of that log in your next reply.


Next

  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the box on the top of the page: C:\WINDOWS\system32\spoolsv.exe
  • Click on the submit button
  • Please post the results in your next reply.


#9
goassen

goassen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I did not manage to do the Jotti's malware scan. When using Internet Explorer and clicking on the submit button, I receive the message: "The page cannot be displayed".

I also tried using Mozilla Firefox, and then it says: "Status: Uploading file, please wait...". But that status didn't change during the 5 hours I was waiting. Is there any other site I should try instead?


Here are the results from look.bat:

-------------------------------
look.bat
---------------------------------

Volume in drive C has no label.
Volume Serial Number is 2CCF-ACCB

Directory of C:\WINDOWS\system32

12.08.2007 03:57 2ÿ206 wpa.dbl
08.08.2007 19:00 0 tmp.txt
08.08.2007 19:00 3ÿ686 tmp.reg
22.07.2007 18:39 279ÿ552 swreg.exe
05.07.2007 01:26 17ÿ408 svchost.exe
05.07.2007 01:25 10 kr_done1
21.06.2007 18:43 26ÿ424 wrlzma.dll
21.06.2007 18:43 219ÿ448 WRLogonNtf.dll
21.06.2007 18:43 16ÿ184 ssiefr.EXE
08.06.2007 09:07 87ÿ808 cpwmon2k.dll
26.03.2007 11:28 380ÿ548 perfh009.dat
26.03.2007 11:28 52ÿ962 perfc009.dat
26.03.2007 11:28 439ÿ552 PerfStringBackup.INI
16.02.2007 10:54 65ÿ536 QuickTimeVR.qtx
16.02.2007 10:54 49ÿ152 QuickTime.qts
02.01.2007 20:32 8ÿ312 jupdate-1.5.0_08-b03.log
14.12.2006 10:11 127ÿ704 FNTCACHE.DAT
01.12.2006 05:20 212ÿ480 swxcacls.exe
29.11.2006 17:21 370ÿ688 swsc.exe
27.11.2006 02:34 49ÿ152 vfind.exe
21.11.2006 18:02 0 h323log.txt
21.11.2006 17:23 261 $winnt$.inf
21.11.2006 17:15 2ÿ577 CONFIG.NT
21.11.2006 17:12 488 logonui.exe.manifest
21.11.2006 17:12 488 WindowsLogon.manifest
21.11.2006 17:12 749 cdplayer.exe.manifest
21.11.2006 17:12 749 nwc.cpl.manifest
21.11.2006 17:12 749 sapi.cpl.manifest
21.11.2006 17:12 749 wuaucpl.cpl.manifest
21.11.2006 17:12 749 ncpa.cpl.manifest
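The listing look.bat produces is sorted newest first (dir /o:-d), which is why only the top 20-30 lines were asked for: files written into system32 in the days around the infection, and groups of files sharing a single timestamp (usually one installer or one event wrote them together), are what a helper looks at. The following Python script parses such a listing and pulls out both. It is an added example, not code from the thread; it assumes the day.month.year date format of the pasted output, and treats the ÿ that appears inside the sizes as a thousands separator (most likely the locale's non-breaking space shown through the wrong code page; that is an assumption).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One "dir /a:-d /o:-d" line as pasted above: DD.MM.YYYY HH:MM  size  name.
# Digit-group characters accepted in the size include U+00FF (the 'ÿ' seen in
# the pasted listing; assumed to be a non-breaking space shown through the
# wrong code page), a real non-breaking space, '.' and ','.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d\xa0\xff.,]+)\s+(?P<name>.+)$"
)
DATE_FMT = "%d.%m.%Y %H:%M"

# Constructed sample in the shape of the look.bat output in this thread.
SAMPLE_LISTING = """\
 Volume in drive C has no label.
 Directory of C:\\WINDOWS\\system32

12.08.2007 03:57 2\xff206 wpa.dbl
08.08.2007 19:00 0 tmp.txt
08.08.2007 19:00 3\xff686 tmp.reg
22.07.2007 18:39 279\xff552 swreg.exe
05.07.2007 01:26 17\xff408 svchost.exe
05.07.2007 01:25 10 kr_done1
21.06.2007 18:43 26\xff424 wrlzma.dll
21.06.2007 18:43 219\xff448 WRLogonNtf.dll
21.06.2007 18:43 16\xff184 ssiefr.EXE
26.03.2007 11:28 380\xff548 perfh009.dat
"""


def parse_size(text):
    """Drop every non-digit (thousands separators in any rendering) and return bytes."""
    return int(re.sub(r"\D", "", text))


def parse_listing(text):
    """Return [(modified, size, name)] for every file line; headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # volume/directory header, blank and summary lines
        modified = datetime.strptime(f"{m['date']} {m['time']}", DATE_FMT)
        entries.append((modified, parse_size(m["size"]), m["name"]))
    return entries


def triage_listing(text, reference, days=30, min_group=2):
    """Names modified within `days` before `reference` (a DATE_FMT string), plus
    groups of files sharing one minute of modification time."""
    ref = datetime.strptime(reference, DATE_FMT)
    cutoff = ref - timedelta(days=days)
    entries = parse_listing(text)
    recent = [name for when, _, name in entries if cutoff <= when <= ref]
    groups = defaultdict(list)
    for when, _, name in entries:
        groups[when.strftime(DATE_FMT)].append(name)
    clusters = {stamp: names for stamp, names in groups.items() if len(names) >= min_group}
    return {"recent": recent, "clusters": clusters}


if __name__ == "__main__":
    # The reference time is the newest entry of the listing, i.e. the scan day.
    result = triage_listing(SAMPLE_LISTING, "12.08.2007 03:57")
    print("modified in the last 30 days:", result["recent"])
    for stamp, names in result["clusters"].items():
        print(f"written together at {stamp}: {names}")
```

Recency alone does not make a file suspicious (wpa.dbl, for instance, is rewritten by Windows itself); the list is a starting point for checking each name against its vendor and the tools that were run, as done with spoolsv.exe above.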

#10
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
That's fine, looks like a false positive anyway

So you're able to go online in normal mode again?

Let's do some clean up. Running this will remove all the tools we used and the associated logs
Please double-click OTMoveIt.exe to run it.
Click the Clean up button
Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
Click Yes to the reboot.


How is it running ?
Please use the following suggestion to help prevent reinfection
  • Download the following programs, for keeping crap off your system to begin with
    Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially dangerous sites in Internet Explorer.
    Download
    Spyware Blaster
    Spyware Guard
    IE-Spyad


  • Online scan
    For an added check run an online virus scan, you can use one of the 2 below,
    TrendMicro's HouseCall
    ActiveScan


  • Clean out Temp Folders
    Be sure and give the Temp folders a cleaning out now and then as well, A handy tool to do this
    Please download ATF Cleaner by Atribune.
    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use the Firefox browser: Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use the Opera browser: Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.


  • Updating Java and Clearing Cache:
    • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
    • It will say "Java Plug-in" under the icon.
      Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
    • If you are unable to update you can manually update by going Here
    • After the reboot, go back into the Control Panel and double-click the Java Icon.
    • Under Temporary Internet Files, click the Delete Files button.
    • There are three options in the window to clear the cache - Leave ALL 3 Checked
      • Downloaded Applets
        Downloaded Applications
        Other Files
    • Click OK on Delete Temporary Files Window

      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Java Control Panel.

  • Windows Updates
    Remember to Check Windows for updates


  • Flush System Restore
    Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points, which are likely to be infected)
    1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    2. Restart your computer.

    3. Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check Turn off System Restore.
    Click Apply, and then click OK.
    System Restore will now be active again.


To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?



#11
goassen

goassen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Yes I am able to go online in normal windows mode again.

Now I have done the OTMoveit clean up and installed the Spyware Blaster and Spyware Guard (but not the IE-Spyad). I have also run the ATF Cleaner.

BUT... when doing the online scan (Trend Micro's Housecall) it found several greywares/spywares and vulnerabilities. I did not push the "Clean now" button. Should I do that? Should I post some kind of a new log/report?

Webroot spysweeper with antivirus did also find a lot of infected files...

I did not do the "updating java and clearing cache", "windows update" and "flush system restore". Should I do that? Or should I do something with the findings from the scan first?

#12
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Let's have a look at another online scan then



Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


#13
goassen

goassen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hmmm, this doesn't look good. I ran the test, but when I got back to the computer my father had taken out the internet cable from the computer. I don't know if that mattered, because the test was finished anyway. Though, during the same time the Webroot Spy Sweeper had also found some viruses. It said something about the file "c:\windows\temp\asheuristic\aee.dll" and that it should be deleted!! I tried to minimize the warning, to be able to find the report from the Panda virus scan so that I could post it. I also got a message that I should insert the Windows XP SP2 CD, because some Windows file had been changed and that it could cause damage... I ignored it and closed the window. But the toolbar at the bottom of the page didn't show. So I waited for a while, and finally I restarted the computer. Now I can't start it in safe mode or normal mode. It is just looping. I can see the Windows logo, but then it restarts.
What should I do?
Format everything?

#14
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Let's try using the Last Known Good Configuration feature
  • To start your computer by using the Last Known Good Configuration feature, follow these steps:
  • Start your computer.
  • When you see the "Please select the operating system to start" message, press the F8 key.
  • When the Windows Advanced Options menu appears, use the ARROW keys to select Last Known Good Configuration (your most recent settings that worked), and then press ENTER.
  • If you are running other operating systems on your computer, use the ARROW keys to select Microsoft Windows XP, and then press ENTER.


#15
goassen

goassen

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I tried that also. It is still looping...