Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

I found a trojen and can't remove it. [RESOLVED]

Started by excygz , Feb 05 2008 06:22 PM

  • This topic is locked This topic is locked

#1
excygz
Posted 05 February 2008 - 06:22 PM

excygz

    New Member

  • Member
  • Pip
  • 6 posts
I have followed your instrutions on other thread, when I found this "Trojan-gen(Other)", impossible to remove, inside of:

C:\Documents and Settings\ECG\Definições locais\Application Data\{167B9073-5929-4AAD-AE87-68A9BEB3D796}\Pando.msi\Data1.cab\oovooinst.exe


1 - download Deckard's System Scanner (DSS) and save it to your Desktop (my results in 2 attachements )

2 - do an online scan with Kaspersky WebScanner (my results above)

3 - download AVG Anti Rootkit and save it to your desktop. (no installed rootkits found on my computer)

Please, can you tell me how to remove this Trojan?

Tank you.




**********************************************************

KASPERSKY ONLINE SCANNER REPORT
Tuesday, February 05, 2008 8:41:03 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/02/2008
Kaspersky Anti-Virus database records: 550073


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 81001
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 01:49:29

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\logs\AWProcessesLog.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware 2007\logs\CoreEngineCommunicationLog.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12062006-171243.log Object is locked skipped

C:\Documents and Settings\ECG\Application Data\Mozilla\Firefox\Profiles\reivdxkl.default\cert8.db Object is locked skipped

C:\Documents and Settings\ECG\Application Data\Mozilla\Firefox\Profiles\reivdxkl.default\history.dat Object is locked skipped

C:\Documents and Settings\ECG\Application Data\Mozilla\Firefox\Profiles\reivdxkl.default\key3.db Object is locked skipped

C:\Documents and Settings\ECG\Application Data\Mozilla\Firefox\Profiles\reivdxkl.default\parent.lock Object is locked skipped

C:\Documents and Settings\ECG\Application Data\Mozilla\Firefox\Profiles\reivdxkl.default\search.sqlite Object is locked skipped

C:\Documents and Settings\ECG\Application Data\Mozilla\Firefox\Profiles\reivdxkl.default\urlclassifier2.sqlite Object is locked skipped

C:\Documents and Settings\ECG\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\ECG\Definições locais\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped

C:\Documents and Settings\ECG\Definições locais\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped

C:\Documents and Settings\ECG\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\ECG\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\ECG\Definições locais\Application Data\Microsoft\Windows Defender\FileTracker\{532789C4-C75D-49F7-A8B9-BB6928A26826} Object is locked skipped

C:\Documents and Settings\ECG\Definições locais\Application Data\Mozilla\Firefox\Profiles\reivdxkl.default\Cache\_CACHE_001_ Object is locked skipped

C:\Documents and Settings\ECG\Definições locais\Application Data\Mozilla\Firefox\Profiles\reivdxkl.default\Cache\_CACHE_002_ Object is locked skipped

C:\Documents and Settings\ECG\Definições locais\Application Data\Mozilla\Firefox\Profiles\reivdxkl.default\Cache\_CACHE_003_ Object is locked skipped

C:\Documents and Settings\ECG\Definições locais\Application Data\Mozilla\Firefox\Profiles\reivdxkl.default\Cache\_CACHE_MAP_ Object is locked skipped

C:\Documents and Settings\ECG\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\ECG\Definições locais\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\ECG\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\ECG\ntuser.dat Object is locked skipped

C:\Documents and Settings\ECG\NTUSER.DAT.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Programas\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

C:\Programas\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

C:\Programas\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

C:\Programas\Enigma Software Group\SpyHunter\SpyHunterInstance.lock Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{667AE83C-E1EE-42D9-9742-DCEEBAF1CF73}\RP1\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{AA7C7264-F683-4E0C-80E9-1DFE8F3E0035}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_48c.dat Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Attached Files


  • 0

Advertisements

#2
miekiemoes
Posted 06 February 2008 - 02:49 AM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

I have followed your instrutions on other thread, when I found this "Trojan-gen(Other)", impossible to remove, inside of:

C:\Documents and Settings\ECG\Definições locais\Application Data\{167B9073-5929-4AAD-AE87-68A9BEB3D796}\Pando.msi\Data1.cab\oovooinst.exe

This is a false positive. Your scanner sees the bundled program oovoo that came with Pando Pro as infected.
Pando Pro has already removed this bundled program from its installation, so that file is not needed either. Deleting that file won't affect your Pando Pro.
You can delete this file easily..

To do this, Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.

Then, navigate to and delete next file:

C:\Documents and Settings\ECG\Definições locais\Application Data\{167B9073-5929-4AAD-AE87-68A9BEB3D796}\Pando.msi <== that's the Pando installer

I however do have some notes here...
I see you have Spyware Terminator and SpyHunter installed. I do not recommend both programs, since they have a questionable reputation.
Also, Spyware Terminator comes bundled with starware, which has a questionable reputation.
http://www.symantec....-050313-4341-99

That's why I suggest you uninstall Spyware Terminator + SpyHunter via software > add/remove programs.

Reboot afterwards.

After reboot,

* Download Trend Micro Hijack This™
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.
  • 0

#3
excygz
Posted 06 February 2008 - 11:23 AM

excygz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts

Hi,

I have followed your instrutions on other thread, when I found this "Trojan-gen(Other)", impossible to remove, inside of:

C:\Documents and Settings\ECG\Definições locais\Application Data\{167B9073-5929-4AAD-AE87-68A9BEB3D796}\Pando.msi\Data1.cab\oovooinst.exe

This is a false positive. Your scanner sees the bundled program oovoo that came with Pando Pro as infected.
Pando Pro has already removed this bundled program from its installation, so that file is not needed either. Deleting that file won't affect your Pando Pro.
You can delete this file easily..

To do this, Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.

Then, navigate to and delete next file:

C:\Documents and Settings\ECG\Definições locais\Application Data\{167B9073-5929-4AAD-AE87-68A9BEB3D796}\Pando.msi <== that's the Pando installer

I however do have some notes here...
I see you have Spyware Terminator and SpyHunter installed. I do not recommend both programs, since they have a questionable reputation.
Also, Spyware Terminator comes bundled with starware, which has a questionable reputation.
http://www.symantec....-050313-4341-99

That's why I suggest you uninstall Spyware Terminator + SpyHunter via software > add/remove programs.

Reboot afterwards.

After reboot,

* Download Trend Micro Hijack This™
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.



Hi,

Thanks for your good answer. I appreciate very much your explanation.

The file is deleted, also programs you refer, my PC is running well :) .

Here, log of HijackThis.

Thank you very much.

Best regards!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:03:47, on 03-02-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\Programas\Spyware Doctor\pctsAuxs.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Programas\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programas\Google\Gmail Notifier\gnotify.exe
C:\Programas\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programas\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\alg.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://acesso.clix.pt/free/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 102.54.94.97 rino.acme.com # servidor de origem
O1 - Hosts: 38.25.63.10 x.acme.com # anfitrião de cliente x
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Programas\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar1.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Ad-Watch] C:\Programas\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Programas\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [ISTray] "C:\Programas\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FICHEI~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FICHEI~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.clix.pt
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{06DF2878-B8C5-4753-9C7A-ED35CAEB57A0}: NameServer = 10.0.0.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{793B74FF-742B-47B3-A192-1E8E407358DF}: NameServer = 195.23.129.126 194.79.69.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{06DF2878-B8C5-4753-9C7A-ED35CAEB57A0}: NameServer = 10.0.0.138
O17 - HKLM\System\CS2\Services\Tcpip\..\{06DF2878-B8C5-4753-9C7A-ED35CAEB57A0}: NameServer = 10.0.0.138
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programas\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\FICHEI~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programas\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programas\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9448 bytes
  • 0

#4
miekiemoes
Posted 06 February 2008 - 12:09 PM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 4.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 4".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.
The rest looks OK. :)

Let me know how things are now.
  • 0

#5
excygz
Posted 06 February 2008 - 07:11 PM

excygz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts

Hi,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 4.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 4".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.
The rest looks OK. :)

Let me know how things are now.



Hi!

Let me tell you how grateful I am for the help and recommendations.
Indeed occasionally had problems with Java.
Thank you again.
Everything seems to be working well now. :)


Best regards!
  • 0

#6
miekiemoes
Posted 07 February 2008 - 12:03 AM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
  • 0

#7
excygz
Posted 07 February 2008 - 05:43 PM

excygz

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


Hi!

Be sure I will see your "Prevention Page" and all your sugestions here exposed.

Certainly I have home work :) doing update of some programs, which I have already seen outdated, but I am very grateful for these fundamental suggestions.

I apologize that my English is not to good, and subject to automatic translation. Even so, it is possible to understand me what makes me happy.

Thank you :)
  • 0

#8
miekiemoes
Posted 07 February 2008 - 06:27 PM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP

I apologize that my English is not to good, and subject to automatic translation. Even so, it is possible to understand me what makes me happy.

I actually never noticed that - so your English is excellent! :)

And glad I could help :)
  • 0

#9
miekiemoes
Posted 10 February 2008 - 12:50 PM

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP