Possible Malware? - Hijack This™ Log [RESOLVED]

#1 fisheyness (Member, 12 posts)

GOOD DAY!

You might be wondering what the MS Excel malfunction is; well, here it is: After a few minutes or hours of use, when you click on a certain cell, everything gets highlighted and you can't even click to close or save. It takes a press of Ctrl+Alt+Del in order to quit, and all the data input is lost.

So here's my Hijack This™ Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:04 PM, on 7/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\HyperTechnologies\Deep Freeze\DfServEx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\RFCYBER\bin\rfcreader.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\PROGRA~1\RFCYBER\bin\readermgr.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HyperTechnologies\Deep Freeze\_$Df\FrzState.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ping.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://aa.rd.yahoo.c...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asia.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://aa.rd.yahoo.c...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://aa.rd.yahoo.c...arch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://aa.rd.yahoo.c...arch.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [RFCyber ReaderMgr] C:\PROGRA~1\RFCYBER\bin\readermgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [EPSON Stylus C90 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZP.EXE /FU "C:\WINDOWS\TEMP\E_S146.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Auto EPSON Stylus C90 Series on JONEX] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZP.EXE /FU "C:\WINDOWS\TEMP\E_S972.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: ERM
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{91F43563-9062-4EE9-B33B-D58E39A90D71}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
O23 - Service: DFServEx - Hyper Technologies Inc. - C:\Program Files\HyperTechnologies\Deep Freeze\DfServEx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: RFCyberOne - RFCyber Corp. - C:\PROGRA~1\RFCYBER\bin\rfcreader.exe

--
End of file - 6144 bytes
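As an added example (not code from this thread or from HijackThis), the following Python script applies to HJT log lines the checks a reviewer makes by hand when judging a log like the one above: O17 NameServer entries outside the local network, O4 autostarts running from user-writable folders, and O10/O20 boot-time hooks that always deserve a look. The sample input reuses lines from the posted log; the two entries marked CONSTRUCTED are made up so that each check fires at least once.

```python
"""Triage of HijackThis (HJT) v2 log entries (added example, not HJT's own code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"^Unknown file in Winsock LSP: (?P<path>.+)$")
O17_RE = re.compile(r"NameServer = (?P<servers>[\d., ]+)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# Program path of a Run command: the quoted first token, or else the
# shortest prefix that ends in an executable extension.
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|com|scr|bat|cmd))(?:\s|$)', re.I)

# RFC 1918 space, loopback and link-local. A NameServer anywhere else is not
# necessarily bad (it may be the ISP's resolver) but it is worth confirming.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]
# Folders a plain user can write to; an autostart living there is a stronger
# signal than one under Program Files or system32.
USER_WRITABLE = ("\\temp\\", "\\application data\\",
                 "\\local settings\\", "\\documents and settings\\")


@dataclass
class Finding:
    section: str
    severity: str   # "suspicious" or "review"
    subject: str
    reason: str


def executable_of(command: str) -> str:
    """Return the program path from an O4 command line, quoted or not."""
    m = EXE_RE.match(command.strip())
    if not m:
        return command.strip()
    return m.group("q") or m.group("u")


def triage(log_text: str) -> List[Finding]:
    """Scan HJT log text and return the entries worth a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, "Running processes" block, blank lines
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4" and (o4 := O4_RE.match(body)):
            exe = executable_of(o4.group("cmd"))
            if any(d in exe.lower() for d in USER_WRITABLE):
                findings.append(Finding(sec, "suspicious", exe,
                    f"{o4.group('hive')} Run entry [{o4.group('name')}] "
                    "starts a program from a user-writable folder"))
        elif sec == "O10" and (o10 := O10_RE.match(body)):
            findings.append(Finding(sec, "review", o10.group("path"),
                "Winsock LSP DLL: confirm it belongs to an installed product"))
        elif sec == "O17" and (o17 := O17_RE.search(body)):
            for s in o17.group("servers").replace(",", " ").split():
                try:
                    ip = ipaddress.ip_address(s)
                except ValueError:
                    findings.append(Finding(sec, "review", s,
                        "NameServer value is not a valid IP address"))
                    continue
                if not any(ip in net for net in LOCAL_NETS):
                    findings.append(Finding(sec, "suspicious", s,
                        "NameServer is outside the local network; confirm it "
                        "is the ISP's or a known resolver"))
        elif sec == "O20" and (o20 := O20_RE.match(body)):
            findings.append(Finding(sec, "review", o20.group("path"),
                f"Winlogon Notify package '{o20.group('name')}' loads into "
                "winlogon at boot; confirm its vendor"))
    return findings


# Sample input: lines copied from the posted log plus two CONSTRUCTED entries.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [EPSON Stylus C90 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBZP.EXE /FU "C:\WINDOWS\TEMP\E_S146.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [CONSTRUCTED] C:\Documents and Settings\PATET\Local Settings\Temp\updater.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{91F43563-9062-4EE9-B33B-D58E39A90D71}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED}: NameServer = 203.0.113.5
O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.severity:10} {f.subject}\n     {f.reason}")
```

Run against the full log in post #1, the script flags only the O10 and O20 entries for review, which matches the helper's reading that the log is clean.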

#2 Ltangelic (Angel Annihilator of Malware, Retired Staff, 2,008 posts)

Hey fisheyness,

Welcome to GeekstoGo! I'm Ltangelic and I'll be helping you fix your computer problem.

Take note that I'm still in training, and my posts will have to be checked by an expert. This may cause delays between my responses, so I ask for your patience. Please stick with me until we get your computer cleaned up, or it will be a wasted effort on both sides. :)

I'm looking at your log now, and I'll post back with a fix when I'm ready. Thanks for your patience.

PS. If I've not been responding, and you wonder why, feel free to PM me and I'll give an explanation.

LT

#3 fisheyness (Topic Starter, Member, 12 posts)

Thank you very much ^_^.
Don't worry I'll be very patient :)

#4 Ltangelic (Angel Annihilator of Malware, Retired Staff, 2,008 posts)

Hey fisheyness,

Your logs seem fine to me. We'll run a deeper scan to see what we get. :)

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#5 fisheyness (Topic Starter, Member, 12 posts)

Hey there!
Deckard's System Scanner (DSS) doesn't seem to work; it always stops after a while.
What should I do now?

#6 Ltangelic (Angel Annihilator of Malware, Retired Staff, 2,008 posts)

Hey,

Please try running DSS in safe mode.

#7 fisheyness (Topic Starter, Member, 12 posts)

This is main.txt:
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-15 17:42:53
Computer is in Safe Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; computer is in safe mode.


-- Last 5 Restore Point(s) --
9: 2008-07-15 14:24:25 UTC - RP32 - Software Distribution Service 3.0
8: 2008-07-15 02:10:15 UTC - RP31 - Software Distribution Service 3.0
7: 2008-07-14 18:23:26 UTC - RP30 - Deckard's System Scanner Restore Point
6: 2008-07-14 15:42:24 UTC - RP29 - System Checkpoint
5: 2008-07-12 01:50:36 UTC - RP28 - Installed SUPERAntiSpyware Free Edition


-- First Restore Point --
1: 2008-05-22 18:58:32 UTC - RP24 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:43:24 PM, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
G:\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://asia.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://aa.rd.yahoo.c...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://aa.rd.yahoo.c...arch.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [RFCyber ReaderMgr] C:\PROGRA~1\RFCYBER\bin\readermgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{91F43563-9062-4EE9-B33B-D58E39A90D71}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
O23 - Service: DFServEx - Hyper Technologies Inc. - C:\Program Files\HyperTechnologies\Deep Freeze\DfServEx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: RFCyberOne - RFCyber Corp. - C:\PROGRA~1\RFCYBER\bin\rfcreader.exe

--
End of file - 4502 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 DepFrzHi - c:\windows\system32\drivers\depfrzhi.sys <Not Verified; HyperTechnologies Inc.; Deep Freeze>
R0 DepFrzLo - c:\windows\system32\drivers\depfrzlo.sys <Not Verified; Hyper Technologies Inc.; Deep Freeze>

S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 DFServEx - c:\program files\hypertechnologies\deep freeze\dfservex.exe <Not Verified; Hyper Technologies Inc.; Deep Freeze>
S2 RFCyberOne - c:\progra~1\rfcyber\bin\rfcreader.exe <Not Verified; RFCyber Corp.; RFCyberOne>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Device
Device ID: PCI\VEN_8086&DEV_2668&SUBSYS_818F1043&REV_05\3&11583659&0&D8
Manufacturer:
Name: PCI Device
PNP Device ID: PCI\VEN_8086&DEV_2668&SUBSYS_818F1043&REV_05\3&11583659&0&D8
Service:


-- Files created between 2008-06-15 and 2008-07-15 -----------------------------

2008-07-15 17:42:33 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-07-15 17:42:33 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-07-15 17:42:33 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-07-15 17:42:33 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-07-15 17:42:33 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-07-15 17:42:33 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-07-15 17:42:33 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-07-15 17:42:33 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-07-15 17:42:33 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-07-15 17:42:33 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-07-15 17:42:32 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-07-15 17:42:32 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-07-15 17:42:32 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-07-15 11:53:32 19552 --a------ C:\Documents and Settings\PATET\Application Data\GDIPFONTCACHEV1.DAT
2008-07-15 07:24:29 0 d-------- C:\WINDOWS\LastGood
2008-07-14 19:10:20 0 d-------- C:\WINDOWS\system32\PreInstall
2008-07-14 19:10:18 0 d--h----- C:\WINDOWS\$hf_mig$
2008-07-14 18:37:45 0 d-------- C:\Documents and Settings\PATET\Application Data\U3
2008-07-14 07:17:44 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-07-11 19:26:05 0 d-------- C:\Program Files\Trend Micro
2008-07-11 18:50:42 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-11 18:50:36 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-07-11 18:50:36 0 d-------- C:\Documents and Settings\PATET\Application Data\SUPERAntiSpyware.com
2008-07-11 18:50:19 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-11 18:37:43 0 d-------- C:\Documents and Settings\PATET\Application Data\Malwarebytes
2008-07-11 18:37:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-11 18:37:39 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-11 18:28:07 0 d-------- C:\Program Files\Panda Security
2008-07-11 18:26:01 0 d-------- C:\Program Files\Common Files\Download Manager
2008-07-11 10:10:49 352 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-07-11 10:09:53 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET


-- Find3M Report ---------------------------------------------------------------

2008-05-22 13:16:54 0 d-------- C:\Program Files\BitLord


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [04/04/2005 11:22 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [04/04/2005 11:19 PM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [04/04/2005 11:23 PM]
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [03/18/2005 04:18 AM]
"RFCyber ReaderMgr"="C:\PROGRA~1\RFCYBER\bin\readermgr.exe" [02/06/2007 09:05 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0\bin\jusched.exe" [04/28/2007 11:50 AM]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [12/21/2007 08:21 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NofolderOptions"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [07/12/2008 02:11 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 07/12/2008 02:11 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DfLogon]
LogonDll.dll 09/20/2002 05:30 AM 49152 C:\WINDOWS\system32\LogonDll.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^PATET^Start Menu^Programs^Startup^ERM4csv.lnk]
path=C:\Documents and Settings\PATET\Start Menu\Programs\Startup\ERM4csv.lnk
backup=C:\WINDOWS\pss\ERM4csv.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
AutoRun\command- F:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-07-15 17:43:49 ------------

#8 fisheyness (Topic Starter, Member, 12 posts)

This is extra.txt:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 21%
Physical Memory (total/avail): 503.23 MiB / 394.44 MiB
Pagefile Memory (total/avail): 1230.27 MiB / 1165.96 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1939.78 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 18.63 GiB total, 14.2 GiB free.
D: is Fixed (FAT32) - 18.61 GiB total, 15.9 GiB free.
E: is CDROM (No Media)
F: is CDROM (CDFS)
G: is Removable (FAT)

\\.\PHYSICALDRIVE0 - ST340014A - 37.27 GiB - 2 partitions
\PARTITION0 (bootable) - Unknown - 18.64 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 18.62 GiB - D:

\\.\PHYSICALDRIVE1 - EMTEC U3 Smart Drive USB Device - 1961.06 MiB - 1 partition
\PARTITION0 (bootable) - Win95 w/Extended Int 13 - 1961.73 MiB - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

AV: ESET NOD32 Antivirus 3.0 v3.0 (ESET, spol. s r. o.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=INDHAY
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\INDHAY
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0403
ProgramFiles=C:\Program Files
PROMPT=$P$G
SAFEBOOT_OPTION=MINIMAL
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=INDHAY
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

PATET (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Camera RAW Plug-In for EPSON Creativity Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8DAC1AE4-33D1-4A78-8A42-00E09EDECC3E}\SETUP.EXE" -l0x9 UNINST
EPSON Attach To Email --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1033 ADDREMOVEDLG
EPSON Easy Photo Print --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D893565C-10EA-45AF-AFDA-0514B0DC0AE2}\SETUP.EXE" -l0x9 UNINST
EPSON File Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2EB81825-E9EE-44F4-8F51-1240C3898DC6}\Setup.exe" -l0x9 UNINST
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan Assistant --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0x9 -u
EPSON Stylus C90_91_D92 Manual --> C:\Program Files\EPSON\TPMANUAL\ESC90 91 D92\ENG\USE_G\DOCUNINS.EXE
EPSON Web-To-Page --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\SETUP.EXE" -l0x9 -anything
erm4csv --> MsiExec.exe /I{9A6BF295-567A-4767-8EF9-01105C9F9C63}
ESET NOD32 Antivirus --> MsiExec.exe /I{57ECFB4D-FE11-491A-9AA0-0AF7C3ABC51D}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
Java™ SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
LaserJet 1020 series --> C:\Program Files\Zenographics\{4B481CD8-6BA5-4ABA-BD16-D1CC48311AF4}\setup.exe -u "HPLJInstaller.dll=Hplj1020.inf"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft SOAP Toolkit 3.0 --> MsiExec.exe /I{BCB4C18A-ACA6-4383-8688-E19933A705DD}
Microsoft Visual FoxPro 9.0 Professional - English --> C:\Program Files\Microsoft Visual FoxPro 9\setup\Visual FoxPro 9.0 Professional - English\setup.exe /MaintMode
Mozilla Firefox (2.0.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
myGlobe IM (3.0.48) --> C:\PROGRA~1\CHIKKA\UNWISE.EXE C:\PROGRA~1\CHIKKA\INSTALL.LOG
NOD32 FiX --> "C:\Program Files\Eset\unins000.exe"
NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Expire in 2050) --> "C:\Program Files\ESET\ESET NOD32 Antivirus\unins000.exe"
OrderReminder HP LaserJet 1020 --> "C:\Program Files\Hewlett-Packard\OrderReminder\uninstall\hpuninstaller.exe" hp_LaserJet_1020
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
RFCyberOne 2.1.0.10 (with Login2Go v1.2.4) --> C:\PROGRA~1\RFCYBER\UNWISE.EXE C:\PROGRA~1\RFCYBER\INSTALL.LOG
Skype 3.1 --> "C:\Program Files\Skype\Phone\unins000.exe"
Skype Plugin Manager --> MsiExec.exe /I{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Yahoo! Extras --> C:\PROGRA~1\YAHOO!\COMMON\unyext.exe
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\YAHOO!\COMMON\ymmapi.dll
Yahoo! Messenger --> C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\YAHOO!\COMMON\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type286 / Error
Event Submitted/Written: 07/15/2008 05:43:35 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Event Record #/Type285 / Error
Event Submitted/Written: 07/15/2008 05:43:34 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Event Record #/Type284 / Error
Event Submitted/Written: 07/15/2008 05:43:34 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Event Record #/Type283 / Error
Event Submitted/Written: 07/15/2008 05:43:34 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The server name or address could not be resolved

Event Record #/Type282 / Error
Event Submitted/Written: 07/15/2008 05:41:42 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f29.
Processing media-specific event for [dss.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type874 / Error
Event Submitted/Written: 07/15/2008 05:43:19 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type873 / Error
Event Submitted/Written: 07/15/2008 05:42:40 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type872 / Error
Event Submitted/Written: 07/15/2008 05:42:27 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type871 / Error
Event Submitted/Written: 07/15/2008 05:41:36 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
easdrv
epfwtdir
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
pavboot
RasAcd
Rdbss
SASDIFSV
SASKUTIL
Tcpip
Tcpip6

Event Record #/Type870 / Error
Event Submitted/Written: 07/15/2008 05:41:36 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-07-15 17:43:49 ------------

#9 fisheyness (Topic Starter, Member, 12 posts)

I noticed some things while I was doing the scan with DSS in safe mode.
Here they are:
1) Two accounts appear in the login screen.
2) I had to log in to the account ADMINISTRATOR, which is not my main account name, in order to make DSS work.
Is this some sort of malware/virus?

#10 Ltangelic (Angel Annihilator of Malware, Retired Staff, 2,008 posts)
Hey fisheyness,

To answer your questions:

1. Don't worry, you should have at least two accounts on your computer. One is an admin account, and another is a user account or guest account.

2. DSS does require you to run it from an administrator account; this is not caused by malware or a virus.

Your logs are not showing much. We'll run an online scan to see if there are leftovers. Please tell me how your PC is running after performing the steps below.

1) Do a registry edit

Before doing that, please backup your registry.

  • Go to Start>Run and type regedit and then Enter.
  • On the left hand side of the window, ensure that My Computer is highlighted.
  • Click on File>Export and make sure that Export Range is set to All.
  • Save the file as backup.reg in C drive.
Next

Please open notepad, and copy/paste the following text in the codebox (including REGEDIT4) into the notepad window.

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

Save the file above as fixreg.bat.
Double click on fixreg.bat. A window will open and close. Do not worry as it is normal.
Reboot your computer.

2) Update Java
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u7-windows-i586-p.exe and select "Run as an Administrator.")
3) Update Adobe Reader

Your version of Adobe Reader is outdated. Please remove the current version you have, download and install the latest version here.

4) Update Mozilla Firefox

From the DSS log, you are running an outdated version of Mozilla. Please visit here to download and install the latest version of Firefox.

5) Run an online scan with Kaspersky

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Next reply (please include):

Kaspersky scan log


#11 fisheyness (Topic Starter, Member, 12 posts)
Kaspersky Online Scanner Log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, July 19, 2008 9:26:20 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/07/2008
Kaspersky Anti-Virus database records: 970595
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 37542
Number of viruses found: 1
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 00:32:55

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\Temp\HTT49A.tmp Object is locked skipped
C:\WINDOWS\Temp\HTT4BD.tmp Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\virlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\warnlog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\CACHE.NDB Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\PATET\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\PATET\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\PATET\Local Settings\Temp\~DF1051.tmp Object is locked skipped
C:\Documents and Settings\PATET\Local Settings\Temp\etilqs_LtrS08z1gm8wIuhOSi4m Object is locked skipped
C:\Documents and Settings\PATET\Local Settings\Temp\Perflib_Perfdata_e18.dat Object is locked skipped
C:\Documents and Settings\PATET\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\PATET\Local Settings\History\History.IE5\MSHist012008071820080719\index.dat Object is locked skipped
C:\Documents and Settings\PATET\Local Settings\History\History.IE5\MSHist012008071920080720\index.dat Object is locked skipped
C:\Documents and Settings\PATET\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\PATET\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\PATET\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\PATET\Local Settings\Application Data\Mozilla\Firefox\Profiles\7g7ofkyo.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\PATET\Local Settings\Application Data\Mozilla\Firefox\Profiles\7g7ofkyo.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\PATET\Local Settings\Application Data\Mozilla\Firefox\Profiles\7g7ofkyo.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\PATET\Local Settings\Application Data\Mozilla\Firefox\Profiles\7g7ofkyo.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\PATET\Local Settings\Application Data\Mozilla\Firefox\Profiles\7g7ofkyo.default\urlclassifier3.sqlite Object is locked skipped
C:\Documents and Settings\PATET\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\PATET\Application Data\Mozilla\Firefox\Profiles\7g7ofkyo.default\parent.lock Object is locked skipped
C:\Documents and Settings\PATET\Application Data\Mozilla\Firefox\Profiles\7g7ofkyo.default\cert8.db Object is locked skipped
C:\Documents and Settings\PATET\Application Data\Mozilla\Firefox\Profiles\7g7ofkyo.default\key3.db Object is locked skipped
C:\Documents and Settings\PATET\Application Data\Mozilla\Firefox\Profiles\7g7ofkyo.default\places.sqlite-journal Object is locked skipped
C:\Documents and Settings\PATET\Application Data\Mozilla\Firefox\Profiles\7g7ofkyo.default\permissions.sqlite Object is locked skipped
C:\Documents and Settings\PATET\Application Data\Mozilla\Firefox\Profiles\7g7ofkyo.default\places.sqlite Object is locked skipped
C:\Documents and Settings\PATET\Application Data\Mozilla\Firefox\Profiles\7g7ofkyo.default\formhistory.sqlite Object is locked skipped
C:\Documents and Settings\PATET\Application Data\Mozilla\Firefox\Profiles\7g7ofkyo.default\cookies.sqlite Object is locked skipped
C:\Documents and Settings\PATET\Application Data\Mozilla\Firefox\Profiles\7g7ofkyo.default\content-prefs.sqlite Object is locked skipped
C:\Documents and Settings\PATET\Application Data\Mozilla\Firefox\Profiles\7g7ofkyo.default\downloads.sqlite Object is locked skipped
C:\Documents and Settings\PATET\Application Data\Mozilla\Firefox\Profiles\7g7ofkyo.default\search.sqlite Object is locked skipped
C:\Documents and Settings\PATET\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-7-19-2008( 8-47-45 ).LOG Object is locked skipped
C:\Program Files\Yahoo!\Messenger\ypager.log Object is locked skipped
C:\System Volume Information\_restore{91F3D1F2-D8B1-46DC-BF50-05221D49BD7F}\RP38\change.log Object is locked skipped
C:\Persi0.sys Object is locked skipped
D:\Ninpo ONLY\Cucusoft MPEG AVI to DVD VCD SVCD Converter Pro Full Version\Cucusoft DVD to Zune Converter.exe Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g skipped
D:\Ninpo ONLY\Cucusoft MPEG AVI to DVD VCD SVCD Converter Pro Full Version\Cucusoft DVD to iPhone Converter Suite.exe Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g skipped
D:\Ninpo ONLY\Cucusoft MPEG AVI to DVD VCD SVCD Converter Pro Full Version\Cucusoft DVD to iPod Converter.exe Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g skipped
D:\Ninpo ONLY\Cucusoft MPEG AVI to DVD VCD SVCD Converter Pro Full Version\Cucusoft iPod Video Converter + DVD to iPod Suite.exe Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g skipped
D:\Ninpo ONLY\Cucusoft MPEG AVI to DVD VCD SVCD Converter Pro Full Version\Cucusoft Ultimate DVD + Video Converter Suite.exe Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g skipped
D:\Ninpo ONLY\Cucusoft MPEG AVI to DVD VCD SVCD Converter Pro Full Version\Cucusoft DVD to iPhone Converter.exe Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g skipped
D:\Ninpo ONLY\Cucusoft MPEG AVI to DVD VCD SVCD Converter Pro Full Version\Cucusoft PSP Video Converter + DVD to PSP Suite.exe Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g skipped
D:\Report of Collection\2008\July 2008.xls Object is locked skipped

Scan process completed.
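The Kaspersky report above is mostly "Object is locked skipped" lines for registry hives, event logs and browser databases, which the OS holds open during a scan and which are not findings; the seven real detections sit at the bottom, all on the same directory and all carrying Kaspersky's "not-a-virus:" prefix. The Python below is an added example, neither Kaspersky's tooling nor code from the thread, that parses the report format, separates those two classes, checks the header count against the parsed lines and lists the detections still on disk (the online scanner only reports, so "skipped" means the file was not touched). The sample report is constructed from lines in the post, trimmed to three detections with the header count adjusted to match.

```python
"""Parse a Kaspersky Online Scanner text report and separate the noise
("Object is locked skipped") from actual detections.  Added example, not
part of the thread or of Kaspersky's tooling."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Result lines are "<path with spaces> <status> <last action>"; the path is
# matched lazily so the status keywords anchor the split.
_RESULT = re.compile(
    r"^(?P<path>.+?)\s+(?:(?P<locked>Object is locked)"
    r"|(?P<verdict>Infected|Suspicious): (?P<name>\S+))\s+(?P<action>\S+)$")
_STAT = re.compile(r"^Number of (infected|suspicious) objects: (\d+)$")

def parse_report(text: str):
    """Return (stats, locked_paths, hits); a hit is (path, verdict, name, action)."""
    stats, locked, hits = {}, [], []
    for line in map(str.strip, text.splitlines()):
        m = _STAT.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
            continue
        m = _RESULT.match(line)
        if not m:
            continue
        if m.group("locked"):
            locked.append(m.group("path"))      # held open by the OS; not a finding
        else:
            hits.append((m.group("path"), m.group("verdict"), m.group("name"), m.group("action")))
    return stats, locked, hits

def classify(name: str) -> str:
    """Kaspersky's "not-a-virus:" prefix marks riskware/adware/fraud tools rather than
    self-replicating malware; FraudTool.* is rogue (fake) security software."""
    if name.startswith("not-a-virus:"):
        family = name.split(":", 1)[1]
        return "rogue security tool" if family.startswith("FraudTool.") else "riskware/PUA"
    return "malware"

def summarize(text: str) -> dict:
    stats, locked, hits = parse_report(text)
    by_name = Counter(n for _, _, n, _ in hits)
    by_dir = Counter(str(PureWindowsPath(p).parent) for p, _, _, _ in hits)
    infected = sum(1 for _, v, _, _ in hits if v == "Infected")
    return {
        "locked_skipped": len(locked),
        "detections": len(hits),
        "by_name": dict(by_name),
        "by_directory": dict(by_dir),
        "kinds": {n: classify(n) for n in by_name},
        # The online scanner only reports; "skipped" means the file is still on disk.
        "still_on_disk": [p for p, _, _, a in hits if a == "skipped"],
        # Sanity check: the header count must match the lines actually parsed.
        "header_matches_lines": stats.get("infected", 0) == infected,
    }

# Constructed sample in the scanner's report format, using lines from the post above
# (trimmed to three detections; the header count is adjusted to match).
SAMPLE_REPORT = r"""
Scan Statistics:
Total number of scanned objects: 37542
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\Documents and Settings\PATET\NTUSER.DAT Object is locked skipped
C:\Persi0.sys Object is locked skipped
D:\Ninpo ONLY\Cucusoft MPEG AVI to DVD VCD SVCD Converter Pro Full Version\Cucusoft DVD to Zune Converter.exe Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g skipped
D:\Ninpo ONLY\Cucusoft MPEG AVI to DVD VCD SVCD Converter Pro Full Version\Cucusoft DVD to iPod Converter.exe Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g skipped
D:\Ninpo ONLY\Cucusoft MPEG AVI to DVD VCD SVCD Converter Pro Full Version\Cucusoft DVD to iPhone Converter.exe Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g skipped
D:\Report of Collection\2008\July 2008.xls Object is locked skipped

Scan process completed.
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Grouping by directory is what turns a wall of paths into a decision: every detection in the full report lives under the same "Full Version" folder on D:, which is exactly the unit the helper later removes with OTMoveIt2 rather than chasing the seven files one by one.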

#12 Ltangelic (Angel Annihilator of Malware, Retired Staff, 2,008 posts)
Hey fisheyness,

Important! From your log, you seem to have cracking applications running. Please note that GeekU does NOT allow its students to use cracking software, as it is illegal. Besides, it is very likely that you got all your infections from downloading these cracked applications.

Please go to Add or Remove Programs in Control Panel, and remove the following cracking applications:

NOD32 FiX
NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Expire in 2050)


Reboot your computer.

Next

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]
    C:\Program Files\Eset
    D:\Ninpo ONLY
    purity
    emptytemp
    [start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Finally

Please download MGADiag.exe to your desktop.

Double-click MGADiag.exe and click Continue in the bottom right of the window to run the tool.

Click the [Copy] button to copy the info to your clipboard.

Then come back here and paste the info in your next reply please.

Edited by Ltangelic, 19 July 2008 - 05:08 AM.


#13 fisheyness (Topic Starter, Member, 12 posts)
OTMoveIt2 Log:

Explorer killed successfully
File/Folder C:\Program Files\Eset not found.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobePhotoshop10en_US moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobePDFSettingsNAEU moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobePDFL8All moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobeLinguisticsAll moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobeHelpViewerAll moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobeFontsAll moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobeExtendScriptToolKitAll moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobeDeviceCentralAll\oem\Adobe Device Central CS3 moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobeDeviceCentralAll\oem moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobeDeviceCentralAll moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobeDefaultLanguageCS3All moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobeColorPhotoshopAll moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobeColorNA_RecommendedAll moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobeColorJA_ExtraSettingsAll moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobeColorEU_ExtraSettingsAll moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobeColorCommonSetAll moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobeCMapsAll moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobeCameraRaw4.0All moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobeBridge2All moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobeAUM5.1All moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobeAssetServices3All moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads\AdobeALMAnchorServiceAll moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\payloads moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack\Crack moved successfully.
D:\Ninpo ONLY\Adobe Photoshop CS3 + Crack moved successfully.
D:\Ninpo ONLY\[sasuxnaru]TheSun moved successfully.
D:\Ninpo ONLY\MindFields moved successfully.
D:\Ninpo ONLY\New Folder moved successfully.
D:\Ninpo ONLY\tongitsv1.1-win32_installer moved successfully.
D:\Ninpo ONLY\Loveless moved successfully.
D:\Ninpo ONLY\KILL.[TA].TAGA.LIPA.NOOB.KILLER.by.Leerz\dat moved successfully.
D:\Ninpo ONLY\KILL.[TA].TAGA.LIPA.NOOB.KILLER.by.Leerz moved successfully.
D:\Ninpo ONLY\csnpwdto moved successfully.
D:\Ninpo ONLY\0ddcl10 moved successfully.
D:\Ninpo ONLY moved successfully.
< purity >
< emptytemp >
File delete failed. C:\DOCUME~1\PATET\LOCALS~1\Temp\fla6.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\PATET\LOCALS~1\Temp\etilqs_owHvJb71ibAuP0k2jo2j scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07212008_173725

Files moved on Reboot...
File C:\DOCUME~1\PATET\LOCALS~1\Temp\fla6.tmp not found!
File C:\DOCUME~1\PATET\LOCALS~1\Temp\etilqs_owHvJb71ibAuP0k2jo2j not found!

MGADiag Log:
Diagnostic Report (1.7.0095.0):
-----------------------------------------
WGA Data-->
Validation Status: Invalid Product Key
Validation Code: 8
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-PXMXV-DBQXM-3C7V6
Windows Product Key Hash: CU1uVJjXzRyASB5wSyCNeIru9lY=
Windows Product ID: 55274-643-9411904-23395
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.2.0.pro
CSVLK Server: N/A
CSVLK PID: N/A
ID: {5CFA0066-F30B-4C81-A969-9DF48E9A0753}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 114 Blocked VLK 2
Microsoft Office XP Professional with FrontPage - 114 Blocked VLK 2
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{5CFA0066-F30B-4C81-A969-9DF48E9A0753}</UGUID><Version>1.7.0095.0</Version><OS>5.1.2600.2.00010100.2.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-3C7V6</PKey><PID>55274-643-9411904-23395</PID><PIDType>1</PIDType><SID>S-1-5-21-2052111302-746137067-725345543</SID><SYSTEM><Manufacturer>System manufacturer</Manufacturer><Model>System Product Name</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>0302 </Version><SMBIOSVersion major="2" minor="3"/><Date>20050711000000.000000+000</Date></BIOS><HWID>970A30470184405D</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Pacific Standard Time(GMT-08:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>114</Result><Products><Product GUID="{90280409-6000-11D3-8CFE-0050048383C9}"><LegitResult>114</LegitResult><Name>Microsoft Office XP Professional with FrontPage</Name><Ver>10</Ver><Val>39476F84C4B4004</Val><Hash>4iCnywwNW1w4s9ukTIwGMGxyGic=</Hash><Pid>54185-640-0000025-17412</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="10" Result="114"/><App Id="16" Version="10" Result="114"/><App Id="17" Version="10" Result="114"/><App Id="18" Version="10" Result="114"/><App Id="1A" Version="10" Result="114"/><App Id="1B" Version="10" Result="114"/></Applications></Office></Software></GenuineResults>

#14 Ltangelic (Angel Annihilator of Malware, Retired Staff, 2,008 posts)
Hey fisheyness,

I regret to inform you that your version of Windows is not genuine and we cannot assist you further with your computer problems. If you want to receive any more assistance, please ensure that you install a valid version of Windows.

The topic will be closed by a staff member shortly.

#15 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.