Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trouble with lsass.exe, ddccy.dll [RESOLVED]


  • This topic is locked This topic is locked

#16
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

Sooo now I'm a tad suspicious of that Panda scan.

i can assure you that panda scan is absolutely safe, i use it all the time :)

could you re-run it and let those files through.

in your next reply could i see:
1. the Totalscan log
2. some idea of how your machine is running now

andrewuk
  • 0

Advertisements


#17
Revolution660

Revolution660

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
So I had to entirely disable Avast in order to run TotalScan. Also... that scan just finds the items, but I can't disinfect them without paying? But you'll probably know what to do. :)

My computer seems to be running pretty well at this point. Thanks so much for all your help thus far.

Here's the log:

;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-03-26 14:38:13
PROTECTIONS: 1
MALWARE: 27
SUSPECTS: 0
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
avast! antivirus 4.7.1098 [VPS 080326-2] 4.7.1098 No Yes
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00047660 adware/sqwire Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\tsa
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.casalemedia.com/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.atdmt.com/]
00139535 Application/Processor HackTools No 0 Yes No C:\Download\Process.exe
00139535 Application/Processor HackTools No 0 Yes No C:\Deckard\System Scanner\backup\DOCUME~1\ADMINI~2.TYL\LOCALS~1\Temp\Temporary Directory 1 for processkiller203.zip\Process.exe
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.247realmedia.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.tribalfusion.com/]
00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.toplist.cz/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[ad.yieldmanager.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.burstnet.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.burstnet.com/]
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[www.burstbeacon.com/]
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.adtech.de/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.advertising.com/]
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[statse.webtrendslive.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.ads.pointroll.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.realmedia.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.zedo.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator.TYLERSPRO2\Application Data\Mozilla\Firefox\Profiles\r9s2ey5y.default\cookies.txt[.adrevolver.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Tyler\Application Data\Mozilla\Firefox\Profiles\9udwfsng.default\cookies.txt[.did-it.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Tyler\Application Data\Mozilla\Firefox\Profiles\9udwfsng.default\cookies.txt[.did-it.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Tyler\Application Data\Mozilla\Firefox\Profiles\9udwfsng.default\cookies.txt[.did-it.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5tf4j9mv.default\cookies.txt[.atwola.com/]
00320977 Cookie/Winantivirus TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5tf4j9mv.default\cookies.txt[.www.winantivirus.com/]
00320977 Cookie/Winantivirus TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5tf4j9mv.default\cookies.txt[.www.winantivirus.com/]
00320977 Cookie/Winantivirus TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5tf4j9mv.default\cookies.txt[.www.winantivirus.com/]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{B4749A99-455C-4E77-801A-1917A77DD9FA}\RP93\A0048733.EXE
02684897 Application/AVSystemCare HackTools No 0 Yes No C:\Deckard\System Scanner\backup\WINDOWS.1\Downloaded Program Files\UGA6P_0001_N122M2802NetInstaller.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{B4749A99-455C-4E77-801A-1917A77DD9FA}\RP93\A0048727.sys
02893893 Trj/Bancos.RQ Virus/Trojan No 0 No No C:\Documents and Settings\Administrator.TYLERSPRO2\Desktop\ComboFix.exe[327882R2FWJFW\pv.cfexe]
02907595 Spyware/Virtumonde Spyware No 1 Yes No C:\_OTMoveIt\MovedFiles\03252008_120945\WINDOWS.1\system32\lpgtsydt.dll
02908066 Spyware/Virtumonde Spyware No 1 Yes No C:\_OTMoveIt\MovedFiles\03252008_120945\WINDOWS.1\system32\ijuhurvv.dll
;===============================================================================
=================================================================================
===================
SUSPECTS
Location
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================
  • 0

#18
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

So I had to entirely disable Avast in order to run TotalScan. Also... that scan just finds the items, but I can't disinfect them without paying? But you'll probably know what to do.

i use those online scans to highlight potential infections, we can remove them ourselves.

in this case the scan found 7 infectioned entries, though 5 are already safely quarantined leaving us with 2 to remove. and, all being successful we can hopefully give the all clear in the next post.


Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Download\Process.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    purity
    hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\tsa
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


In your next reply could i see:
1. the OTMoveIT log
2. a new hijackthis log

andrewuk
  • 0

#19
Revolution660

Revolution660

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Upon re-enabling Avast, it again is telling me that part of the Panda scan is a Trojan Horse:

C:\Program Files\Panda Security\NanoScan\Engine\psnflg.dll
Win32:Agent-TOS [Trj]
Trojan Horse

Any idea why?



OTMoveIt Log:

C:\Download\Process.exe moved successfully.
[Custom Input]
< purity >
< hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\tsa >
Registry key hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\tsa\\ deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03262008_171957


========================================================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:13 PM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS.1\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS.1\system32\taskswitch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS.1\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alcohol Soft [Pro2]\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS.1\system32\wuauclt.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS.1\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS.1\system32\AvastSS.scr
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS.1\system32\taskswitch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.1\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS.1\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft [Pro2]\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 4670 bytes
  • 0

#20
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

Upon re-enabling Avast, it again is telling me that part of the Panda scan is a Trojan Horse:

C:\Program Files\Panda Security\NanoScan\Engine\psnflg.dll
Win32:Agent-TOS [Trj]
Trojan Horse

Any idea why?

yes, they are false positives which i beleive are in the process of being addressed by the vendors. given you downloaded the AVAST and the Panda Scan from the links provided, i know they are good. if you delete the Pandascan then that will solve the issue.

just one more thing to do before the all clear - we need to update your Java.

Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

and, can i see one final hijackthis log please.

andrewuk
  • 0

#21
Revolution660

Revolution660

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
There were just a couple things that didn't match your instructions when I updated Java, so I just want to mention them to make sure its ok. First, it didn't ask me to reboot (so I just did it myself). Then, under Temporary Internet Files, I first had to click settings before I could see the delete option. Lastly, when I clicked delete, I didn't see three options, there were just two: Applications and Applets, and Trace and Log Files (I deleted those). Probably doesn't matter much. But here's hopefully the last Hijackthis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:08 PM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS.1\System32\smss.exe
C:\WINDOWS.1\system32\winlogon.exe
C:\WINDOWS.1\system32\services.exe
C:\WINDOWS.1\system32\lsass.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\WINDOWS.1\system32\svchost.exe
C:\WINDOWS.1\System32\svchost.exe
C:\WINDOWS.1\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS.1\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS.1\system32\taskswitch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alcohol Soft [Pro2]\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS.1\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS.1\system32\taskswitch.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS.1\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS.1\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft [Pro2]\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 4564 bytes
  • 0

#22
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Hi Revolution660

congratulations, your logs are clean :)

There were just a couple things that didn't match your instructions when I updated Java, so I just want to mention them to make sure its ok. First, it didn't ask me to reboot (so I just did it myself). Then, under Temporary Internet Files, I first had to click settings before I could see the delete option. Lastly, when I clicked delete, I didn't see three options, there were just two: Applications and Applets, and Trace and Log Files (I deleted those).

your java seems to have installed ok, so no problems there :)

in this post we will clear away the fix tools, reset your restore points (there will be infections lurking in there) and i will leave you with some ideas on how to enhance the protection of your machine against future infection.


====STEP 1====
clearing away the fix tools and resetting your restore points

Click START then RUN
  • Now type Combofix /u in the runbox and click OK


    • Posted Image

  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.
If you have trouble with this, let me know and we will clear away the fix tools and reset your restore points another way

you can clear away any other fix tools we used.



====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein


andrewuk
  • 0

#23
Revolution660

Revolution660

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Woohoo! :)

and Thank You andrewuk! :)

I already had SpybotSD and Ad-Aware, and now I've added SpywareGuard and SpywareBlaster.

When I try to update SpywareGuard, it says the server may be temporarily unavailable, or there may be a conflict with firewall software installed on your pc. I tried it yesterday and today.
  • 0

#24
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts

When I try to update SpywareGuard, it says the server may be temporarily unavailable, or there may be a conflict with firewall software installed on your pc. I tried it yesterday and today.

keep on trying - it may indeed be the server.

also, try disabling your firewall and other security programs to see if that helps. SpywareGuard does not get updated that often, it relies on other methods to block infections, so there is no hurry to update it.

andrewuk
  • 0

#25
andrewuk

andrewuk

    Trusted Helper

  • Malware Removal
  • 5,297 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP