Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Possible Win32/PolyCrypt infection

Started by AnnJS , Apr 05 2008 08:51 AM

  • Please log in to reply

#1
AnnJS
Posted 05 April 2008 - 08:51 AM

AnnJS

    Member

  • Member
  • PipPipPip
  • 100 posts
...Well, seems like I got some malware again :)

AVG suddenly popped up and told me it had detected a threat: C:\WINDOWS\system32\kdguf.exe - Virus found Win32/PolyCrypt

I told AVG to it move to the vault, but then I got an error saying "Requested action is not available for this object. Access to the file has been denied." I then tried rebooting in failsafe mode, but when I ran AVG again to detect and (hopefully) remove the file this time, it couldn't be found! Rebooted normally, and ZoneAlarm then popped up and asked me if I wanted to allow svchost.exe to act as a server. I denied it, but it kept asking for that as well as allowing svchost.exe to access the internet.

I just ran a HijackThis check, and there is indeed a lot of new stuff that I don't recognize -- i.e. malware most probably. Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:49:19, on 2008-04-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\drivers\svchost.exe
C:\Program\SpywareGuard\sgmain.exe
C:\Program\SpywareGuard\sgbhp.exe
C:\Program\Grisoft\AVG7\avgamsvr.exe
C:\Program\Grisoft\AVG7\avgupsvc.exe
C:\Program\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program\Delade filer\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\Program\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122684707296
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00BBF88A-22C0-4BED-AF48-C6830BE14AC0}: NameServer = 85.255.116.138,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{82861110-944C-46F4-AA6B-14ADCF3F9EA6}: NameServer = 85.255.116.138,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{AD91D19E-129D-4C0E-864C-B5F4D55C2D7B}: NameServer = 85.255.116.138,85.255.112.77
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.138 85.255.112.77
O17 - HKLM\System\CS1\Services\Tcpip\..\{00BBF88A-22C0-4BED-AF48-C6830BE14AC0}: NameServer = 85.255.116.138,85.255.112.77
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.138 85.255.112.77
O17 - HKLM\System\CS2\Services\Tcpip\..\{00BBF88A-22C0-4BED-AF48-C6830BE14AC0}: NameServer = 85.255.116.138,85.255.112.77
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.138 85.255.112.77
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program\Canon\CAL\CALMAIN.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5819 bytes

It's all the O17 listings that are new, everything else I recognize (except for all the seemingly new listings -- I apparently had an outdated version of HijackThis). Everything seems to load slower too, but perhaps that's just my imagination. Thanks in advance, guys!

Edited by AnnJS, 05 April 2008 - 08:53 AM.

  • 0

Advertisements

#2
Tal
Posted 05 April 2008 - 01:57 PM

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hello AnnJS , welcome to GeeksToGo! :)

My name is Tal, and I will be assisting you in the process of removing malware from your computer. I am going through your logs now, and I'll be back soon with instructions on how to proceed.

As I'm still in training, my replies to you have to be approved before posting, so please excuse delays between replies.

Tal.
  • 0

#3
Tal
Posted 05 April 2008 - 02:27 PM

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hello AnnJS ,

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:
  • Please don't be afraid to ask questions! :) No question is considered dumb here. It's better to be safe than sorry!
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you witness a certain entry or program you're unsure about, please don't hesitate to ask! :)

You did good by blocking the svchost.exe process from accessing the internet - it might have downloaded more spyware to your PC. Actually, svchost.exe is a legit process, when located in the C:\Windows\System32 folder. However, this is a trojan specifically placed in a different folder to fool you.

Besides that process, you have the Wareout infection, which is the O17s you see. We're going to deal with these both :)

Step1 : Correcting entries with HijackThis

Please re-open HijackThis and click Scan. Put a check next to the following entries presented in the window: (Do NOT click Fix yet!)
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\System32\drivers\svchost.exe


Now, close all other windows but HijackThis, including Explorer windows (folders) and this window, and click Fix. Note: It is vital you close all other windows, otherwise the fix will not succeed.

Step2 : Deleting file in Safe Mode

First, let's make Windows show hidden files and folders. Hidden files and folders are usually systems files and they are hidden to prevent users from accidentally deleting them. However, malware often uses hidden files and folders to prevent its deletion.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Please save the following instructions in a notepad file on your desktop as you will not be able to access this website during this stage of the fix.

Restart your computer and as soon as it start booting up, continuously press F8. A menu will show up. Choose Safe Mode using the enter keys and press enter. Note that Safe Mode might take some time to load, so please be patient.

After the computer has entered Safe Mode, navigate to the following folders, and delete the following file marked in bold:

C:\WINDOWS\System32\drivers\svchost.exe

Restart your computer. It will reboot back automatically into Normal Mode.

Step2 : Running FixWareout

Please download FixWareout from here:
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.

In your next reply, please include report.txt and a new HijackThis log.

Regards,

Tal :)
  • 0

#4
AnnJS
Posted 05 April 2008 - 03:32 PM

AnnJS

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 100 posts
Hi there Tal, nice to meet you! Thank you for helping me :)

Everything seems to have gone smoothly from what I can tell, the fake svchost hasn't popped up or anything. Here are the logs:

Username "Annette" - 2008-04-05 23:24:51 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.138 85.255.112.77" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{00BBF88A-22C0-4BED-AF48-C6830BE14AC0}
"nameserver"="85.255.116.138,85.255.112.77" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{82861110-944C-46F4-AA6B-14ADCF3F9EA6}
"nameserver"="85.255.116.138,85.255.112.77" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{AD91D19E-129D-4C0E-864C-B5F4D55C2D7B}
"nameserver"="85.255.116.138,85.255.112.77" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{00BBF88A-22C0-4BED-AF48-C6830BE14AC0}
"DhcpNameServer"="85.255.116.138,85.255.112.77" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{76F0869F-1067-4260-A613-9277ADD3939A}
"DhcpNameServer"="85.255.116.138,85.255.112.77" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{AD91D19E-129D-4C0E-864C-B5F4D55C2D7B}
"DhcpNameServer"="85.255.116.138,85.255.112.77" <Value cleared.

DNS-matcharens cacheminne har rensats.
System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdguf.exe"
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"SoundMan"="SOUNDMAN.EXE"
"ZoneAlarm Client"="\"C:\\Program\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"RoxioEngineUtility"="\"C:\\Program\\Delade filer\\Roxio Shared\\System\\EngUtil.exe\""
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"AVG7_CC"="C:\\Program\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:29:00, on 2008-04-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Grisoft\AVG7\avgamsvr.exe
C:\Program\Grisoft\AVG7\avgupsvc.exe
C:\Program\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program\SpywareGuard\sgmain.exe
C:\Program\SpywareGuard\sgbhp.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program\Delade filer\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\Program\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122684707296
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program\Canon\CAL\CALMAIN.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4855 bytes
  • 0

#5
AnnJS
Posted 06 April 2008 - 06:34 AM

AnnJS

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 100 posts
Just a quick update... The computer ran fine all night yesterday, but today -- maybe five minutes after I first turned it on -- AVG popped up again about kdguf.exe. This time it had no problem moving it to the vault though, and I don't think it seems like it had time to do any new damage (the HijackThis log has none of those O17 thingies). Well, anyway, just thought I'd let you know! :)
  • 0

#6
Tal
Posted 06 April 2008 - 11:19 AM

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hello AnnJS,

We'll find out about that file right away :)

Step1 : Online Anti Virus scan with Kaspersky

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Step2 : Scanning with DSS

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. Note: It's likely that the two logs won't fit into one post. If so, please post extra.txt in a separate post.

  • 0

#7
AnnJS
Posted 06 April 2008 - 03:45 PM

AnnJS

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 100 posts
Doing the Kaspersky scan right now, but that's gonna take quite some time I think... I've been running it for a good 20 minutes, and it's still only at 1%. So, sorry for the wait! Would you like me to go ahead and do the other scan meanwhile and post those results?

In any case, AVG just popped up with yet another detected threat. This time it was "C:\Documents and Settings\Annette\admin.exe Trojan horse Downloader.Generic7.DTF". I told AVG to move it to the vault, and it did so seemingly without any problems.

Edited by AnnJS, 06 April 2008 - 03:46 PM.

  • 0

#8
Tal
Posted 07 April 2008 - 07:26 AM

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hi AnnJS,

Please let the scan run as long as it needs, then post back the log :)

Edited by landlord, 07 April 2008 - 07:26 AM.

  • 0

#9
AnnJS
Posted 07 April 2008 - 12:38 PM

AnnJS

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 100 posts
Here we go, done at last :) Sorry for the wait!

The Kaspersky result:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 07, 2008 4:28:42 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/04/2008
Kaspersky Anti-Virus database records: 687153
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 137139
Number of viruses found: 2
Number of infected objects: 1
Number of suspicious objects: 1
Duration of the scan process: 05:37:22

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\AVG7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Annette\admin.exe Object is locked skipped
C:\Documents and Settings\Annette\Application Data\AVG7\l_000509.log Object is locked skipped
C:\Documents and Settings\Annette\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Annette\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Annette\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Annette\Lokala inställningar\Temp\Perflib_Perfdata_dac.dat Object is locked skipped
C:\Documents and Settings\Annette\Lokala inställningar\Temp\~DFC93D.tmp Object is locked skipped
C:\Documents and Settings\Annette\Lokala inställningar\Temp\~DFEAE5.tmp Object is locked skipped
C:\Documents and Settings\Annette\Lokala inställningar\Temp\~PST5391.tmp Object is locked skipped
C:\Documents and Settings\Annette\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Annette\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Annette\Lokala inställningar\Tidigare\History.IE5\MSHist012008040620080407\index.dat Object is locked skipped
C:\Documents and Settings\Annette\ntuser.dat Object is locked skipped
C:\Documents and Settings\Annette\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program\backups\backup-20080101-200155-595 Suspicious: Exploit.HTML.Mht skipped
C:\Program\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\BRAINY.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\ZLT03c2e.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT03c31.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

The DSS result (it only gave me a main.txt, not an extra.txt -- I've run this program before, and as I recall it the only time it popped up with the extra.txt file was the very first time :) ):

Deckard's System Scanner v20071014.68
Run by Annette on 2008-04-07 20:26:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 0.97 GiB (less than 15%) free.


-- HijackThis (run as Annette.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:26:57, on 2008-04-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\SpywareGuard\sgmain.exe
C:\Program\SpywareGuard\sgbhp.exe
C:\Program\Grisoft\AVG7\avgamsvr.exe
C:\Program\Grisoft\AVG7\avgupsvc.exe
C:\Program\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Canon\CAL\CALMAIN.exe
C:\Documents and Settings\Annette\Skrivbord\Ny mapp\dss.exe
C:\Program\TRENDM~1\HIJACK~1\Annette.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program\Delade filer\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\Program\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122684707296
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program\Canon\CAL\CALMAIN.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4791 bytes

-- Files created between 2008-03-07 and 2008-04-07 -----------------------------

2008-04-05 16:49:13 0 d-------- C:\Program\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-04-07 19:37:49 0 d-------- C:\Documents and Settings\Annette\Application Data\AVG7
2008-04-06 23:34:31 0 d-------- C:\Program\SpeedFan
2008-04-06 01:23:04 4151 --a------ C:\Program\hijackthis.log
2008-04-02 02:08:11 0 d-------- C:\Documents and Settings\Annette\Application Data\Adobe
2008-04-01 23:20:15 0 d-------- C:\Program\DC++
2008-03-31 23:52:15 0 d-------- C:\Program\mIRC
2008-03-30 16:00:04 315006 --a------ C:\WINDOWS\System32\perfh041.dat
2008-03-30 16:00:04 384024 --a------ C:\WINDOWS\System32\perfh01D.dat
2008-03-30 16:00:04 47784 --a------ C:\WINDOWS\System32\perfc041.dat
2008-03-30 16:00:04 62960 --a------ C:\WINDOWS\System32\perfc01D.dat
2008-03-20 13:33:47 0 d-------- C:\Program\Media Player Classic
2008-03-20 13:28:12 0 d-------- C:\Program\DivX
2008-03-20 02:00:23 0 d-------- C:\Documents and Settings\Annette\Application Data\Roxio
2008-03-10 17:11:10 0 d-------- C:\Documents and Settings\Annette\Application Data\.BitTornado
2008-02-21 04:05:44 3596288 --a------ C:\WINDOWS\System32\qt-dx331.dll
2008-02-21 04:04:16 196608 --a------ C:\WINDOWS\System32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-02-21 04:04:16 81920 --a------ C:\WINDOWS\System32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-02-21 04:04:04 802816 --a------ C:\WINDOWS\System32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-02-21 04:04:04 823296 --a------ C:\WINDOWS\System32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 04:04:04 823296 --a------ C:\WINDOWS\System32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 04:04:04 682496 --a------ C:\WINDOWS\System32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 04:03:24 12288 --a------ C:\WINDOWS\System32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-03-24 21:20 C:\WINDOWS\SOUNDMAN.EXE]
"ZoneAlarm Client"="C:\Program\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
"RoxioEngineUtility"="C:\Program\Delade filer\Roxio Shared\System\EngUtil.exe" [2003-02-27 06:31]
"NvCplDaemon"="NvQTwk" []
"AVG7_CC"="C:\Program\Grisoft\AVG7\avgcc.exe" [2008-01-05 20:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-09 16:08]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Annette\Start-meny\Program\Autostart\
SpywareGuard.lnk - C:\Program\SpywareGuard\sgmain.exe [2003-08-29 20:05:35]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Adobe Gamma Loader.exe.lnk - C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-26 03:23:32]
Adobe Gamma Loader.lnk - C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-26 03:23:32]
Adobe Reader Speed Launch.lnk - C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
Microsoft Office.lnk - C:\Program\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdguf.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=




-- End of Deckard's System Scanner: finished at 2008-04-07 20:27:23 ------------
  • 0

#10
Tal
Posted 10 April 2008 - 10:55 AM

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hello AnnJS,

The DSS result (it only gave me a main.txt, not an extra.txt -- I've run this program before, and as I recall it the only time it popped up with the extra.txt file was the very first time

This is totally normal :) I didn't know you've run DSS before, otherwise I'd have let you know. DSS only produces an extra.txt log in the first time it is run, because it contains information that usually doesn't change. Nevertheless, the important information is in the main.txt log, so don't worry about it :)

Step1 : Running ATF cleaner

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu

Step2 : Registry Fix

Before we start the registry fix, we need to backup the registry in case anything goes wrong. This is a very simple and quick process :)


  • Please go to Start > Run
  • Paste in the following line: regedit /e c:\registrybackup.reg
  • Click OK. It won't appear to be doing anything, that's normal.
  • Your mouse pointer may turn to an hour glass for a minute. Please continue when it no longer has the hour glass.

Please open a new Notepad document (Note: Other text editors will not work) and paste the following code into it, starting from REGEDIT4:

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"=-

Now, click File > Save As... > Change the File Type to All Files > Name the file RegFix1.reg > Save it on your desktop.

Once you've saved it, please double click it. A window should pop up - Click Yes to merge the information with the registry.

Step3 : FindAWF

Let's check to see if a certain infection is still there.


* Click here to download FindAWF.exe and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
  • Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.

Please include a new HijackThis log in your next reply and the AWF.txt, along with a report on how the system is running :)
  • 0

Advertisements

#11
AnnJS
Posted 10 April 2008 - 11:33 AM

AnnJS

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 100 posts
Hi again!

Aha, I got it. That's good to know about DSS, for the next time I run it and wonder "but where's the extra.txt?!" :)

The first two steps were done without problem, but when I ran the FindAWF program I had a problem... After I clicked a random key, it didn't start scanning -- it instead gave me a list of options to choose from ("scan for bak folders", "restore files from bak folders", and so forth). It didn't create a AWF.txt file either; just two files called locate.com and Process.exe -- no clue what either of those are, as I didn't have the guts to click them :) Sorry if it's a mistake on my part and I'm just missing something really obvious, but I wanted to ask you for safety's sake before randomly choosing one of the given options or something.
  • 0

#12
Tal
Posted 10 April 2008 - 02:12 PM

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hi,

Please click the Scan for bak folders options :) Proceed with the rest please :)
  • 0

#13
AnnJS
Posted 10 April 2008 - 03:01 PM

AnnJS

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 100 posts
Gotcha! Thanks for clarifying :)

Here's the AWF log:


Find AWF report by noahdfear ©2006
Version 1.40



bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

Aaaand here's the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:57:25, on 2008-04-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\SpywareGuard\sgmain.exe
C:\Program\SpywareGuard\sgbhp.exe
C:\Program\Grisoft\AVG7\avgamsvr.exe
C:\Program\Grisoft\AVG7\avgupsvc.exe
C:\Program\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Canon\CAL\CALMAIN.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program\Delade filer\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\Program\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122684707296
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program\Canon\CAL\CALMAIN.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4900 bytes

I think the computer is running just fine. It had a random moment yesterday, when I first turned it on, where it didn't seem to boot up properly and finally just hung. But it was just that one time; I've had no other problems (at least not any that I've noticed).
  • 0

#14
Tal
Posted 13 April 2008 - 08:22 AM

Tal

    Trusted Helper

  • Retired Staff
  • 2,138 posts
Hi AnnJS,

Almost done :)

Step1 : Correcting entry with HijackThis

Please re-open HijackThis and click Scan. Put a check next to the following entries presented in the window: (Do NOT click Fix yet!)
O20 - AppInit_DLLs:


Now, close all other windows but HijackThis, including Explorer windows (folders) and this window, and click Fix. Note: It is vital you close all other windows, otherwise the fix will not succeed.

Restart your computer.

Step2 : Scanning with DSS

Please scan with DSS which we have used earlier and include a new log in your next reply :)

Regards

Tal
  • 0

#15
AnnJS
Posted 13 April 2008 - 10:53 AM

AnnJS

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 100 posts
First step done without any problems! And here's the new log:

Deckard's System Scanner v20071014.68
Run by Annette on 2008-04-13 18:50:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 0.97 GiB (less than 15%) free.


-- HijackThis (run as Annette.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:51:03, on 2008-04-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program\SpywareGuard\sgmain.exe
C:\Program\SpywareGuard\sgbhp.exe
C:\Program\Grisoft\AVG7\avgamsvr.exe
C:\Program\Grisoft\AVG7\avgupsvc.exe
C:\Program\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Annette\Skrivbord\Ny mapp\dss.exe
C:\Program\TRENDM~1\HIJACK~1\Annette.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program\Delade filer\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\Program\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122684707296
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program\Canon\CAL\CALMAIN.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4895 bytes

-- Files created between 2008-03-13 and 2008-04-13 -----------------------------

2008-04-10 19:23:56 81601406 --a------ C:\registrybackup.reg
2008-04-05 16:49:13 0 d-------- C:\Program\Trend Micro


-- Find3M Report ---------------------------------------------------------------

2008-04-13 14:33:53 0 d-------- C:\Documents and Settings\Annette\Application Data\AVG7
2008-04-09 14:38:33 0 d-------- C:\Documents and Settings\Annette\Application Data\Adobe
2008-04-08 01:22:29 0 d-------- C:\Program\mIRC
2008-04-06 23:34:31 0 d-------- C:\Program\SpeedFan
2008-04-06 01:23:04 4151 --a------ C:\Program\hijackthis.log
2008-04-01 23:20:15 0 d-------- C:\Program\DC++
2008-03-30 16:00:04 315006 --a------ C:\WINDOWS\System32\perfh041.dat
2008-03-30 16:00:04 384024 --a------ C:\WINDOWS\System32\perfh01D.dat
2008-03-30 16:00:04 47784 --a------ C:\WINDOWS\System32\perfc041.dat
2008-03-30 16:00:04 62960 --a------ C:\WINDOWS\System32\perfc01D.dat
2008-03-20 13:33:47 0 d-------- C:\Program\Media Player Classic
2008-03-20 13:28:12 0 d-------- C:\Program\DivX
2008-03-20 02:00:23 0 d-------- C:\Documents and Settings\Annette\Application Data\Roxio
2008-03-10 17:11:10 0 d-------- C:\Documents and Settings\Annette\Application Data\.BitTornado
2008-02-21 04:05:44 3596288 --a------ C:\WINDOWS\System32\qt-dx331.dll
2008-02-21 04:04:16 196608 --a------ C:\WINDOWS\System32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-02-21 04:04:16 81920 --a------ C:\WINDOWS\System32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-02-21 04:04:04 802816 --a------ C:\WINDOWS\System32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-02-21 04:04:04 823296 --a------ C:\WINDOWS\System32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 04:04:04 823296 --a------ C:\WINDOWS\System32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 04:04:04 682496 --a------ C:\WINDOWS\System32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 04:03:24 12288 --a------ C:\WINDOWS\System32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2005-03-24 21:20 C:\WINDOWS\SOUNDMAN.EXE]
"ZoneAlarm Client"="C:\Program\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
"RoxioEngineUtility"="C:\Program\Delade filer\Roxio Shared\System\EngUtil.exe" [2003-02-27 06:31]
"NvCplDaemon"="NvQTwk" []
"AVG7_CC"="C:\Program\Grisoft\AVG7\avgcc.exe" [2008-01-05 20:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-09-09 16:08]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Annette\Start-meny\Program\Autostart\
SpywareGuard.lnk - C:\Program\SpywareGuard\sgmain.exe [2003-08-29 20:05:35]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Adobe Gamma Loader.exe.lnk - C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-26 03:23:32]
Adobe Gamma Loader.lnk - C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe [2005-04-26 03:23:32]
Adobe Reader Speed Launch.lnk - C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
Microsoft Office.lnk - C:\Program\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]




-- End of Deckard's System Scanner: finished at 2008-04-13 18:51:34 ------------
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP