Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Hijack This Log - please help remove worm! [RESOLVED]

Started by rawfunk , Apr 29 2008 03:44 AM

This topic is locked

#1
rawfunk

Posted 29 April 2008 - 03:44 AM

Member

Member
31 posts

Hey G2G.

I recently reformatted my girlfriend's laptop, and set up anti-malware according to your guides. Unfortunately a worm got onto her USB drive from another PC. Please can you look at my HT log and see if you can disinfect it? There may be other stuff on there too of course.

All the apps you ask to run returned with 0 infections.

AVG finds: C:\autorun.inf - infected

And nothing else.

Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:26, on 29/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cabe.org.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5752 bytes

Uninstall List

Adobe Reader 8.1.2
AVG 7.5
Google Gmail Notifier
HDAUDIO SoftV92 Data Fax Modem with SmartCP
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows XP (KB935448)
Intel® PROSet/Wireless Software
Java™ 6 Update 3
Java™ 6 Update 5
LAN-Express AS IEEE 802.11 Wireless LAN
Last.fm 1.4.2.59470
Malwarebytes' Anti-Malware
mCore
mDriver
mMHouse
Mozilla Firefox (2.0.0.14)
mPfMgr
mProSafe
MSXML 4.0 SP2 (KB936181)
mWlsSafe
mXML
OpenOffice.org 2.3
Real Alternative 1.7.5
Realtek High Definition Audio Driver
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile Composite Device Software
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
SmartFTP Client
SmartFTP Client 3.0 Setup Files (remove only)
Spybot - Search & Destroy
SpywareBlaster 4.0
SpywareGuard v2.2
SUPERAntiSpyware Free Edition
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Winamp
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
Wireless LAN Starter
ZoneAlarm
ZoneAlarm Spy Blocker

Any help most appreciated, as always.

Thanks...

#2
Rorschach112

Posted 29 April 2008 - 06:29 AM

Ralphie

Retired Staff
47,710 posts

Hello

Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
Under Additional Scans check the boxes beside Reg - App Paths, Reg - Bot Check, Reg - Desktop Components, Reg - Disabled MS Config Items, Reg - File Associations, Reg Mountpoints2 File Additional Folder Scans, File - Lop Check, and File - Purity Scan.
Under Drivers change it to Non-Microsoft.
Check the box beside Scan All User Accounts at the top
Under Files Created Within and Files Modified Within change it to 90 days.
Under Rootkit Search change it to Yes.
Now click the Run Scan button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.

Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way

#3
rawfunk

Posted 29 April 2008 - 09:24 AM

Member

Topic Starter
Member
31 posts

Thanks very much for your swift reply Rorschach

Report attached.

Incidentally, ought I be performing these scans etc with the flash drive in?

Attached Files

OTScanIt.zip 45.48KB 297 downloads

#4
Rorschach112

Posted 29 April 2008 - 09:31 AM

Ralphie

Retired Staff
47,710 posts

No need to plug it in

Start OTScanIt. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> Alcmtr -> %SystemRoot%\ALCMTR.EXE [ALCMTR.EXE]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Bars [HKEY_USERS\S-1-5-21-1292428093-1326574676-725345543-1003\] > -> HKEY_USERS\S-1-5-21-1292428093-1326574676-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Created Within 90 days]
NY -> AUTOEXEC.BAT -> %SystemDrive%\AUTOEXEC.BAT
NY -> autorun.inf -> %SystemDrive%\autorun.inf
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

1 - Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Reboot and do this

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

#5
rawfunk

Posted 29 April 2008 - 09:44 AM

Member

Topic Starter
Member
31 posts

Okay here's the OldTimer fix report:

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Alcmtr deleted successfully.
C:\WINDOWS\ALCMTR.EXE moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_USERS\S-1-5-21-1292428093-1326574676-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
[Files/Folders - Created Within 90 days]
C:\AUTOEXEC.BAT moved successfully.
C:\autorun.inf moved successfully.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\Jenois\Local Settings\Temp\~DF7ADB.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jenois\Local Settings\Temp\~DF8B5B.tmp scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Jenois\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT05f8a.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT06961.TMP scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.11.8 fix logfile created on 04292008_163742

Files moved on Reboot...
C:\Documents and Settings\Jenois\Local Settings\Temp\~DF7ADB.tmp moved successfully.
C:\Documents and Settings\Jenois\Local Settings\Temp\~DF8B5B.tmp moved successfully.
C:\Documents and Settings\Jenois\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\WINDOWS\temp\ZLT05f8a.TMP moved successfully.
C:\WINDOWS\temp\ZLT06961.TMP moved successfully.

--------------

I'll perform the other operations now.

#6
Rorschach112

Posted 29 April 2008 - 12:14 PM

Ralphie

Retired Staff
47,710 posts

Ok cool let me know how they go

#7
rawfunk

Posted 29 April 2008 - 03:38 PM

Member

Topic Starter
Member
31 posts

Sorry about the pause, had to get hold of her phone to make sure it was clean.

Here are the Deckard logs:

Deckard's System Scanner v20071014.68
Run by SYSTEM on 2008-04-29 22:32:06
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
96: 2008-04-29 21:32:18 UTC - RP96 - Deckard's System Scanner Restore Point
95: 2008-04-29 00:34:17 UTC - RP95 - Software Distribution Service 3.0
94: 2008-04-28 23:58:20 UTC - RP94 - System Checkpoint
93: 2008-04-27 23:21:36 UTC - RP93 - Software Distribution Service 3.0
92: 2008-04-27 22:18:12 UTC - RP92 - System Checkpoint

-- First Restore Point --
1: 2008-02-04 01:42:13 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 503 MiB (512 MiB recommended).

-- HijackThis (run as SYSTEM.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:32:40, on 29/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jenois\Desktop\dss.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SYSTEM.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cabe.org.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5891 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 StarOpen - c:\windows\system32\drivers\staropen.sys
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller (VGA Compatible)
Device ID: PCI\VEN_8086&DEV_2592&SUBSYS_81B8104D&REV_04\3&61AAA01&0&10
Manufacturer:
Name: Video Controller (VGA Compatible)
PNP Device ID: PCI\VEN_8086&DEV_2592&SUBSYS_81B8104D&REV_04\3&61AAA01&0&10
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller
Device ID: PCI\VEN_8086&DEV_2792&SUBSYS_81B8104D&REV_04\3&61AAA01&0&11
Manufacturer:
Name: Video Controller
PNP Device ID: PCI\VEN_8086&DEV_2792&SUBSYS_81B8104D&REV_04\3&61AAA01&0&11
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Mass Storage Controller
Device ID: PCI\VEN_104C&DEV_AC8F&SUBSYS_8190104D&REV_00\4&2FA23535&0&1BF0
Manufacturer:
Name: Mass Storage Controller
PNP Device ID: PCI\VEN_104C&DEV_AC8F&SUBSYS_8190104D&REV_00\4&2FA23535&0&1BF0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Ethernet Controller
Device ID: PCI\VEN_8086&DEV_1068&SUBSYS_81D0104D&REV_03\4&2FA23535&0&40F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_8086&DEV_1068&SUBSYS_81D0104D&REV_03\4&2FA23535&0&40F0
Service:

-- Files created between 2008-03-29 and 2008-04-29 -----------------------------

2008-04-29 22:22:16 0 drahs---- C:\autorun.inf
2008-04-23 20:32:22 0 d-------- C:\Program Files\Trend Micro
2008-04-23 18:33:50 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-23 18:33:39 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-23 18:33:39 0 d-------- C:\Documents and Settings\Jenois\Application Data\SUPERAntiSpyware.com
2008-04-23 18:33:18 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-23 18:19:30 0 d-------- C:\Documents and Settings\Jenois\Application Data\Malwarebytes
2008-04-23 18:19:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-23 18:19:23 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-23 18:19:02 0 d-------- C:\Program Files\Common Files\Download Manager
2008-04-21 21:01:28 0 d-------- C:\ConvertTemp
2008-04-21 20:59:38 0 d-------- C:\Documents and Settings\Jenois\Application Data\Samsung
2008-04-21 20:53:42 174592 --a------ C:\WINDOWS\system32\framedyn.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-21 20:51:58 0 d-------- C:\WINDOWS\system32\Samsung_USB_Drivers
2008-04-21 20:51:10 5632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2008-04-21 20:50:35 0 d-------- C:\Program Files\Samsung
2008-04-19 14:07:04 0 d-------- C:\WINDOWS\system32\LogFiles
2008-04-12 18:36:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-11 09:50:12 0 d-------- C:\WINDOWS\system32\appmgmt
2008-04-10 00:30:32 0 d-------- C:\WINDOWS\Sun
2008-04-10 00:23:35 0 dr-hs---- C:\Recycled
2008-04-09 18:51:40 0 d-------- C:\Documents and Settings\Jenois\Application Data\SmartFTP
2008-04-09 18:50:10 0 d-------- C:\Program Files\SmartFTP Client
2008-04-09 18:49:39 0 d-------- C:\Program Files\SmartFTP Client 3.0 Setup Files
2008-04-01 21:03:21 664 --a------ C:\WINDOWS\system32\d3d9caps.dat

-- Find3M Report ---------------------------------------------------------------

2008-04-29 22:26:59 0 d-------- C:\Documents and Settings\Jenois\Application Data\OpenOffice.org2
2008-04-29 09:51:43 0 d-------- C:\Documents and Settings\Jenois\Application Data\AVG7
2008-04-23 18:33:18 0 d-------- C:\Program Files\Common Files
2008-04-21 20:50:34 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-11 09:05:05 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-04-01 20:58:28 0 d-------- C:\Documents and Settings\Jenois\Application Data\Winamp
2008-03-26 00:24:35 0 d-------- C:\Program Files\Messenger
2008-03-26 00:16:26 0 d-------- C:\Program Files\MSXML 4.0
2008-03-18 23:18:38 0 d-------- C:\Documents and Settings\Jenois\Application Data\Media Player Classic
2008-03-16 10:48:54 0 d-------- C:\Documents and Settings\Jenois\Application Data\MSN6
2008-03-15 02:21:35 0 d-------- C:\Documents and Settings\Jenois\Application Data\Real
2008-03-15 02:20:47 0 d-------- C:\Program Files\Real Alternative
2008-03-15 02:19:20 0 d-------- C:\Program Files\Java
2008-03-12 02:03:11 0 d-------- C:\Documents and Settings\Jenois\Application Data\Adobe
2008-03-12 02:01:12 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-12 01:22:56 1158 --a------ C:\WINDOWS\mozver.dat
2008-03-11 23:45:54 0 d-------- C:\Program Files\OpenOffice.org 2.3
2008-03-11 23:45:03 0 d-------- C:\Program Files\SpywareGuard
2008-03-11 23:43:47 0 d-------- C:\Program Files\Common Files\Java
2008-03-11 23:41:04 0 d-------- C:\Documents and Settings\Jenois\Application Data\Sun
2008-03-11 22:54:59 0 d-------- C:\Program Files\Google
2008-03-11 22:40:55 0 d-------- C:\Program Files\Last.fm
2008-03-11 22:05:22 0 d-------- C:\Program Files\Winamp
2008-03-11 21:51:43 0 d-------- C:\Program Files\CONEXANT
2008-03-11 21:07:08 0 d-------- C:\Program Files\SpywareBlaster
2008-03-11 20:59:46 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-11 20:59:38 0 d-------- C:\Documents and Settings\Jenois\Application Data\Mozilla
2008-03-11 20:54:34 0 d-------- C:\Program Files\ZoneAlarmSB
2008-03-11 20:24:50 0 d-------- C:\Program Files\Movie Maker
2008-03-11 20:19:28 0 d-------- C:\Program Files\Windows NT
2008-02-04 02:32:50 0 -rahs---- C:\MSDOS.SYS
2008-02-04 02:32:50 0 -rahs---- C:\IO.SYS
2008-02-04 02:32:50 0 --a------ C:\CONFIG.SYS
2008-02-04 02:28:30 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-02-04 02:14:30 62 --ahs---- C:\Documents and Settings\Jenois\Application Data\desktop.ini

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
11/03/2008 20:54 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [11/03/2008 20:54 262144]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [29/04/2005 07:56]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [19/04/2008 10:00]
"RTHDCPL"="RTHDCPL.EXE" [29/06/2005 06:25 C:\WINDOWS\RTHDCPL.EXE]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [15/01/2008 23:54]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [15/07/2005 22:48]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 05:25]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [13/03/2008 23:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 01:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 17:24]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [29/04/2008 22:25]

C:\Documents and Settings\Jenois\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [11/03/2008 22:40:50]
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [17/08/2007 22:57:56]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/08/2003 20:05:35]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 29/04/2008 22:25 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - SASDIFSV

-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8120 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2008-04-29 22:33:42 ------------

extra.txt 10.41KB 174 downloads

Thanks again...

#8
Rorschach112

Posted 29 April 2008 - 04:01 PM

Ralphie

Retired Staff
47,710 posts

Hello

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Also tell me how your PC is running

#9
rawfunk

Posted 30 April 2008 - 02:33 AM

Member

Topic Starter
Member
31 posts

Hello Rorschach

Here's the Kapersky report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 30, 2008 9:28:42 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/04/2008
Kaspersky Anti-Virus database records: 731993
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 43476
Number of viruses found: 6
Number of infected objects: 16
Number of suspicious objects: 2
Duration of the scan process: 01:15:43

Infected Object Name / Virus Name / Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinVBaqt.zip/ctfmon.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinVBaqt.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Jenois\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-29-2008( 22-26-38 ).LOG Object is locked skipped
C:\Documents and Settings\Jenois\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jenois\Local Settings\Application Data\Last.fm\Client\LastFmHelper.log Object is locked skipped
C:\Documents and Settings\Jenois\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jenois\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jenois\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jenois\Local Settings\Temp\~DF77BC.tmp Object is locked skipped
C:\Documents and Settings\Jenois\Local Settings\Temp\~DFB2EE.tmp Object is locked skipped
C:\Documents and Settings\Jenois\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jenois\My Documents\Anti-Malware\Download_mbam-setup.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\Documents and Settings\Jenois\My Documents\Anti-Malware\OTScanIt\MovedFiles\04292008_163742\C_\autorun.inf Infected: Worm.Win32.VB.fi skipped
C:\Documents and Settings\Jenois\My Documents\Waz[bleep]'s Shite\adware and stuff\setupxv.exe/RegistrySmart/RegistrySmart.exe Infected: not-a-virus:FraudTool.Win32.RegistrySmart.a skipped
C:\Documents and Settings\Jenois\My Documents\Waz[bleep]'s Shite\adware and stuff\setupxv.exe 7-Zip: infected - 1 skipped
C:\Documents and Settings\Jenois\My Documents\Waz[bleep]'s Shite\adware and stuff\setupxv.exe UPX: infected - 1 skipped
C:\Documents and Settings\Jenois\My Documents\Waz[bleep]'s Shite\adware and stuff\setupxv.exe PE_Patch.UPX: infected - 1 skipped
C:\Documents and Settings\Jenois\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jenois\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Recycled\ctfmon.exe Infected: Trojan.Win32.VB.aqt skipped
C:\Recycled\Recycled\ctfmon.exe Infected: Trojan.Win32.VB.aqt skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A7C18A97-0E05-4571-9BE6-75FD9B91DA79}\RP62\A0022211.rbf Infected: not-a-virus:FraudTool.Win32.SpywareStop.b skipped
C:\System Volume Information\_restore{A7C18A97-0E05-4571-9BE6-75FD9B91DA79}\RP62\A0022225.exe/AdwareAlert/SpyCleaner.dll Infected: not-a-virus:FraudTool.Win32.SpywareStop.b skipped
C:\System Volume Information\_restore{A7C18A97-0E05-4571-9BE6-75FD9B91DA79}\RP62\A0022225.exe 7-Zip: infected - 1 skipped
C:\System Volume Information\_restore{A7C18A97-0E05-4571-9BE6-75FD9B91DA79}\RP62\A0022225.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{A7C18A97-0E05-4571-9BE6-75FD9B91DA79}\RP62\A0022225.exe PE_Patch.UPX: infected - 1 skipped
C:\System Volume Information\_restore{A7C18A97-0E05-4571-9BE6-75FD9B91DA79}\RP65\A0023336.exe Infected: Trojan.Win32.VB.aqt skipped
C:\System Volume Information\_restore{A7C18A97-0E05-4571-9BE6-75FD9B91DA79}\RP96\A0026826.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
C:\System Volume Information\_restore{A7C18A97-0E05-4571-9BE6-75FD9B91DA79}\RP96\A0026833.inf Infected: Worm.Win32.VB.fi skipped
C:\System Volume Information\_restore{A7C18A97-0E05-4571-9BE6-75FD9B91DA79}\RP96\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\WAZMAN.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT02127.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT0212a.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

---

The PC seems to be running fine. There's a possibility it takes longer to start up than usual, but I can't say I was concerned about performance to be honest

#10
Rorschach112

Posted 30 April 2008 - 06:10 AM

Ralphie

Retired Staff
47,710 posts

Hello

Delete this file in bold

C:\Documents and Settings\Jenois\My Documents\Waz[bleep]'s Shite\adware and stuff\setupxv.exe/RegistrySmart/RegistrySmart.exe

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Let me know how that goes

#11
rawfunk

Posted 30 April 2008 - 07:23 AM

Member

Topic Starter
Member
31 posts

Okay I've done that, seemed to go smoothly

I had to delete the entire setupxv.exe, as I couldn't access the RegistrySmart.exe within it.

Edited by rawfunk, 30 April 2008 - 07:25 AM.

#12
Rorschach112

Posted 30 April 2008 - 07:28 AM

Ralphie

Retired Staff
47,710 posts

Your logs are clean ! We need to do a few things

Make sure you have an Internet Connection.
Double-click OTScanIt.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
Click on the CleanUp! button
A list of tool components used in the Cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OtMoveit2 to rech the Internet, please allow the application to do so.
Click Yes to beging the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here

Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.

#13
rawfunk

Posted 02 May 2008 - 04:28 AM

Member

Topic Starter
Member
31 posts

Hi Rorschach

Umm... AVG is still detecting it!

No flash drives have been used, all my girlfriend did was use Firefox to send an email. This morning, AVG ran an autoscan and the little bugger's still there.

I was about to come on and wrap this thread up too...

Any ideas?

#14
Rorschach112

Posted 02 May 2008 - 04:32 AM

Ralphie

Retired Staff
47,710 posts

I wouldn't worry about it, we have nuked the infection

One of the tools we ran has put this file autorun.inf on your PC, it will prevent USB worms from infecting you in the future

Any other questions ?