BleepingComputer.com: Infected With Win32:adware-gen [adw]

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

Infected With Win32:adware-gen [adw] and other similarly named viruses

#1 User is offline   danielle88 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 27-October 07

Posted 27 October 2007 - 09:27 AM

I received warnings from Avast AV about virus infections and have tried deleting them but they keep coming back. I've also tried using Ad-aware, spybot and ATF cleaner, but the viruses keep coming back. Avast would repeatedly warn me about the same 4 viruses at 5 minute intervals, and I just can't seem to remove them. So I finally made a hijackthis scan and below are the results from Avast and the HJT log.

Here are the viruses:

File name: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\main_uninstaller.exe
Malware name: Win32:Adware-gen [Adw]
Malware type: Adware
VPS version: 071026-0, 10/26/2007

File name: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\msmdev.dll
Malware name: Win32:Agent-LTS [Trj]
Malware type: Trojan Horse
VPS version: 071026-0, 10/26/2007

File name: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\nsduo.dll
Malware name: Win32:Trojan-gen {Other}
Malware type: Virus/Worm
VPS version: 071026-0, 10/26/2007

File name: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ac8zt2\rmv.exe
Malware name: Win32:Adware-gen [Adw]
Malware type: Adware
VPS version: 071026-0, 10/26/2007


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:59 PM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Smtray.exe
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?

LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: MSVPS System - {6EB10F79-5E53-4F76-B146-409EFCDCB957} - C:\WINDOWS\movctrlfqd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12

\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program

Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: The nssfrch - {DF0ACE0C-4A3F-4A1F-8676-BA16DEB23C70} - C:\WINDOWS\nssfrch.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /RemAdvDef /Migration32 /SetPreload
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot

1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02

\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12

\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2

\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) -

http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) -

http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) -

http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D8BD3D3-C910-416B-B1D7-DC9D2B22776C}: NameServer =

165.21.100.88,165.21.83.88
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12

\GR99D3~1.DLL
O21 - SSODL: bxsbang - {B00803C8-25C6-4508-A787-C25690FAEF40} - C:\WINDOWS\bxsbang.dll
O21 - SSODL: ocgrep - {15D8A361-E47D-441B-B996-76964F50F9CE} - C:\WINDOWS\ocgrep.dll (file missing)
O21 - SSODL: msmhost - {7C0CFA8B-D7AE-4FC8-AABF-49035AF09ED3} - C:\WINDOWS\msmhost.dll
O21 - SSODL: msmdev - {0BE99F39-1FAB-413D-9531-B11CB1773298} - C:\WINDOWS\msmdev.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4

\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. -

C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision

Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program

Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 9948 bytes

#2 User is offline   Aaflac 

  • Doin' Dis 'n Dat...
  • PipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 831
  • Joined: 15-September 06
  • Gender:Not Telling
  • Location:USA

Posted 29 October 2007 - 09:35 PM

Apologies for the delay in responding.

The workload on this forum is intense, and sometimes it is not possible to respond to every inquiry.


Please download SmitfraudFix
Extract the files to the Desktop

~~~~
Start the computer in Safe Mode :
  • When the machine reboots, tap the F8 key before Windows starts
  • You are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Press Enter to boot into Safe Mode.

~~~~
Open SmitfraudFix
  • Double-click smitfraudfix.cmd
  • Select Option 2 - Clean by typing 2 and press Enter (Deletes infected files)
  • You are prompted: Do you want to clean the registry? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool also checks if a relevant file, wininet.dll, is infected.
You may be prompted to replace the infected file (if found).
Replace infected file? Answer Y (yes) and hit Enter to restore a clean file.

When it is done, a log named rapport.txt is created, listing infected files (if present).

~~~~
Restart the computer to complete the removal process.

~~~~
Next, download ComboFix
Save it to the Desktop

Double-click combofix.exe to run the program
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to stall.)

When finished, a log, ComboFix.txt, is produced.

~~~~
Now, run HijackThis once again to obtain a new log.
However, it looks as if the HijackThis log text is using Word Wrap

Open the HijackThis log text in Notepad.
At the top, click: Format

If there is a check next to Word wrap, click on Word wrap to turn it off.
When you post your log, it will be easier to read!!

~~~~
Please post the SmitFraudFix report located at C:\rapport.txt , the new ComboFix.txt, and a new HijackThis log.
To do is to be - Socrates

#3 User is offline   danielle88 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 27-October 07

Posted 31 October 2007 - 06:49 AM

Hi Aaflac! Thank you so much for responding and helping me with my problem. Here are the logs you requested.

~~~~
SmitFraudFix v2.245

Scan done at 19:35:54.73, 2007-10-31
Run from C:\Documents and Settings\Administrator\My Documents\My Completed Downloads\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{8D8BD3D3-C910-416B-B1D7-DC9D2B22776C}: NameServer=165.21.100.88,165.21.83.88
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8D8BD3D3-C910-416B-B1D7-DC9D2B22776C}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E6405112-9305-4259-9618-1B5B05216F88}: DhcpNameServer=218.186.1.38 202.156.1.68 218.186.1.58
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8D8BD3D3-C910-416B-B1D7-DC9D2B22776C}: NameServer=165.21.100.88,165.21.83.88
HKLM\SYSTEM\CS3\Services\Tcpip\..\{8D8BD3D3-C910-416B-B1D7-DC9D2B22776C}: NameServer=165.21.100.88,165.21.83.88
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

~~~~
ComboFix 07-10-30.5 - Administrator 2007-10-31 19:14:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.410 [GMT 8:00]
Running from: C:\Documents and Settings\Administrator\My Documents\My Completed Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\_000003_.tmp.dll
C:\WINDOWS\system32\_000004_.tmp.dll
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000008_.tmp.dll
C:\WINDOWS\system32\_000013_.tmp.dll
C:\WINDOWS\system32\nvrssk.dll
C:\WINDOWS\system32\nvrssl.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF


((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-31 )))))))))))))))))))))))))))))))
.

2007-10-31 19:13 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-31 19:03 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-31 19:03 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-31 19:03 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-31 19:03 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-31 19:03 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-31 19:03 2,710 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-27 22:08 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-19 23:01 <DIR> d-------- C:\Program Files\Panda Security
2007-10-02 21:30 <DIR> d-------- C:\Program Files\Valve
2007-09-28 20:29 3,037,216 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-27 21:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-09-19 13:33 <DIR> d-------- C:\Program Files\softnyx
2007-09-04 16:18 <DIR> d-------- C:\Program Files\iTunes
2007-09-04 16:18 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-31 11:23 17,962 ----a-w C:\WINDOWS\system32\drivers\GVTDrv.sys
2007-10-31 11:21 37,664 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-31 11:12 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-31 11:11 5,112 ----a-w C:\WINDOWS\GPCIDrv.sys
2007-10-26 10:50 --------- d-----w C:\Program Files\mIRC
2007-10-26 10:21 --------- d-----w C:\Documents and Settings\Administrator\Application Data\MegauploadToolbar
2007-10-24 16:26 --------- d-----w C:\Program Files\Warcraft III
2007-10-23 13:35 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Hamachi
2007-10-18 16:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2007-10-10 17:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-07 09:39 --------- d-----w C:\Program Files\Azureus
2007-10-04 15:08 --------- d-----w C:\Program Files\WC3Banlist
2007-10-02 13:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-02 13:30 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 -c--a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-09-06 08:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-04-23 12:57 56 ----a-w C:\Documents and Settings\Administrator\dbghelp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-21 16:48]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-21 16:44]
"Smapp"="Smtray.exe" [2001-07-25 14:22 C:\WINDOWS\system32\SMTray.exe]
"NVRTCLK"="C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 17:44]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-12 16:50]
"nwiz"="nwiz.exe" [2004-07-12 16:50 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-07-12 16:50]
"VGAUtil"="C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe" [2006-11-08 18:59]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 C:\WINDOWS\LOGI_MWX.EXE]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 18:06]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 20:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 20:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-25 02:31]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINDOWS\pss\hp psc 2000 Series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=C:\WINDOWS\pss\officejet 6100.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
"C:\Program Files\DAP\DAP.EXE" /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime

R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe -k netsvcs
R3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS
R3 GPCIDrv;GPCIDrv;\??\C:\WINDOWS\GPCIDrv.sys
R3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys
R3 GVTDrv;GVTDrv;\??\C:\WINDOWS\system32\Drivers\GVTDrv.sys
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea9e874c-567e-11db-87b3-0000e800ca29}]
Auto\command - RavMonE.exe e
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

.
Contents of the 'Scheduled Tasks' folder
"2007-09-14 09:31:57 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2007-09-04 02:43:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-31 19:23:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-31 19:26:40 - machine was rebooted
.
--- E O F ---

~~~~
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:46, on 2007-10-31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Smtray.exe
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /RemAdvDef /Migration32 /SetPreload
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D8BD3D3-C910-416B-B1D7-DC9D2B22776C}: NameServer = 165.21.100.88,165.21.83.88
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8624 bytes

~~~~

#4 User is offline   Aaflac 

  • Doin' Dis 'n Dat...
  • PipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 831
  • Joined: 15-September 06
  • Gender:Not Telling
  • Location:USA

Posted 31 October 2007 - 12:47 PM

Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner
Click Yes, when prompted to install its ActiveX component.
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
        Extended

    • Scan Options:
        Scan Archives
        Scan Mail Bases

  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed. There is no option to clean/disinfect, however, we need to analyze the information on the report.

Posted Image

Posted Image

To obtain the report:
Click on: Save Report As (above - red blinking arrow)

Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save

Please post the contents of the Kaspersky Online Scanner Report in your reply.


Kaspersky Online Scan Info:
http://www.techsupportforum.com/security-c...ne-scanner.html
To do is to be - Socrates

#5 User is offline   danielle88 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 27-October 07

Posted 03 November 2007 - 08:25 AM

I've just run the scan over the weekend, here is the scan report.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, 03 November, 2007 09:23:23 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/11/2007
Kaspersky Anti-Virus database records: 450804
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 76319
Number of viruses found: 3
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 02:10:17

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x4r8mzj7.default\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x4r8mzj7.default\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x4r8mzj7.default\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x4r8mzj7.default\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x4r8mzj7.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\x4r8mzj7.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\dynan_ng@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\dynan_ng@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\dynan_ng@hotmail.com\SharingMetadata\Working\database_EEC4_5072_C450_3ED1\dfsr.db Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\dynan_ng@hotmail.com\SharingMetadata\Working\database_EEC4_5072_C450_3ED1\fsr.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\dynan_ng@hotmail.com\SharingMetadata\Working\database_EEC4_5072_C450_3ED1\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\dynan_ng@hotmail.com\SharingMetadata\Working\database_EEC4_5072_C450_3ED1\tmp.edb Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Live Contacts\dynan_ng@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Live Contacts\dynan_ng@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\x4r8mzj7.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\x4r8mzj7.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\x4r8mzj7.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\x4r8mzj7.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007110320071104\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFDE1D.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFDE53.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF22B.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF2D9.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\My Completed Downloads\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd1.zip/VideoAccessCodec.ocx Infected: Trojan.Win32.Agent.ckr skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BDA3E8A0-F18B-4193-AEB7-920C398EA47B}\RP4\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_7bc.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
~~~~

#6 User is offline   Aaflac 

  • Doin' Dis 'n Dat...
  • PipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 831
  • Joined: 15-September 06
  • Gender:Not Telling
  • Location:USA

Posted 03 November 2007 - 10:35 PM

Are you still having malware problems?
To do is to be - Socrates

#7 User is offline   danielle88 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 27-October 07

Posted 07 November 2007 - 09:09 AM

Nope. Does that mean I should ignore the results of KScan?

#8 User is offline   Aaflac 

  • Doin' Dis 'n Dat...
  • PipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 831
  • Joined: 15-September 06
  • Gender:Not Telling
  • Location:USA

Posted 07 November 2007 - 09:21 AM

The KScan is fine. Is Avast still giving you any notices?
To do is to be - Socrates

#9 User is offline   danielle88 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 27-October 07

Posted 08 November 2007 - 06:11 AM

Not anymore. Thanks a lot for your help :thumbsup:

#10 User is offline   Aaflac 

  • Doin' Dis 'n Dat...
  • PipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 831
  • Joined: 15-September 06
  • Gender:Not Telling
  • Location:USA

Posted 08 November 2007 - 09:24 AM

If you are not having malware problems, you are good to go!

Please do the following to wrap up:
  • Go to Start, then select: Run
  • Type Combofix /u in the Open box, and click OK. (Notice the space before /u)
  • This command uninstalls ComboFix, implements some cleanup procedures, and resets System Restore points.
Posted Image

Also remove the following folder:
C:\Documents and Settings\Administrator\My Documents\My Completed Downloads\SmitfraudFix

Some of the best suggestions and programs to remain malware free are contained in Tony Klein’s article:
How Did I Get Infected In The First Place

It is also a very good practice to perform an online virus scan on a regular basis.
Scanners do not have identical malware definitions, and what one misses, another one can catch.
Some of the scanners are:
BitDefender Online Scanner
ESET NOD32 Online Scanner
F-Secure Online Scanner
Panda ActiveScan
TrendMicro HouseCall

~~~~
If you have any questions or comments, post back. Otherwise...

Good luck, and safe journey through the Internet!!
To do is to be - Socrates

#11 User is offline   danielle88 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 27-October 07

Posted 09 November 2007 - 08:01 PM

Just got it done. Thanks a lot for your help :thumbsup:

#12 User is offline   Aaflac 

  • Doin' Dis 'n Dat...
  • PipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 831
  • Joined: 15-September 06
  • Gender:Not Telling
  • Location:USA

Posted 09 November 2007 - 10:53 PM

Glad to do so! :thumbsup:
To do is to be - Socrates

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users