Post #1, Jan 7 2009, 11:09 AM
New Member (Group: Members, Posts: 9, Joined: 7-January 09, Member No.: 279,473)
DDS (Ver_09-01-07.01) - NTFSx86
Run by mick at 15:15:50.66 on Wed 01/07/2009
Internet Explorer: 6.0.2600.0000
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.511.385 [GMT 0:00]

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ieupdates.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\mick\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: &Research: {037c7b8a-151a-49e6-baed-cc05fcb50328} - c:\windows\system32\winsrc.dll
TB: {07AA283A-43D7-4CBE-A064-32A21112D94D} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ieupdate] "c:\windows\system32\ieupdates.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [Microsoft security adviser] c:\program files\microsoft security adviser\mssadv.exe
mRun: [msctrl.exe] c:\program files\microsoft security adviser\msctrl.exe
mRun: [msavsc.exe] c:\program files\microsoft security adviser\msavsc.exe
mRun: [msscan.exe] c:\program files\microsoft security adviser\msscan.exe
mRun: [msiemon.exe] c:\program files\microsoft security adviser\msiemon.exe
mRun: [msfw.exe] c:\program files\microsoft security adviser\msfw.exe
mRun: [mssadv.exe]
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

============= SERVICES / DRIVERS ===============

=============== Created Last 30 ================

2009-01-07 14:42 <DIR> --d----- c:\docume~1\mick\applic~1\AVG7

==================== Find3M ====================

============= FINISH: 15:16:06.23 ===============

This post has been edited by Pazma: Jan 7 2009, 11:44 AM
Post #2, Jan 8 2009, 12:44 PM
Distinguished Member (Group: HJT Team, Posts: 921, Joined: 6-January 05, Member No.: 8,815)
Hello Pazma,
Please download MalwareBytes Anti-malware (MBAM) from one of the following links:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform full scan, then click Scan. When the scan is complete, click OK, then Show Results to view the results. Be sure that everything is checked, and click Remove Selected. When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

Reboot your system, then re-scan with HijackThis. Please post the new HijackThis log and the MalwareBytes results.
Post #3, Jan 10 2009, 05:03 AM
New Member (Group: Members, Posts: 9, Joined: 7-January 09, Member No.: 279,473)
Thanks, here they are.
Malwarebytes' Anti-Malware 1.32
Database version: 1637
Windows 5.1.2600

1/10/2009 9:57:39 AM
mbam-log-2009-01-10 (09-57-24).txt

Scan type: Full Scan (C:\|)
Objects scanned: 73088
Time elapsed: 20 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 8
Registry Data Items Infected: 0
Folders Infected: 9
Files Infected: 40

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msavsc.exe (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msctrl.exe (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msfw.exe (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiemon.exe (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msscan.exe (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft security adviser (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Microsoft Security Adviser (Trojan.Downloader) -> No action taken.
C:\Program Files\Starware381 (Adware.Starware) -> No action taken.
C:\Program Files\Starware408 (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381 (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\contexts (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408 (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\contexts (Adware.Starware) -> No action taken.

Files Infected:
C:\Documents and Settings\mick\Local Settings\Temporary Internet Files\Content.IE5\9RFJPX8E\AV2009Install_77013601[1].exe (Rogue.Installer) -> No action taken.
C:\RECYCLER\S-1-5-21-1547161642-1580818891-1343024091-1005\Dc2.exe (Rogue.Installer) -> No action taken.
C:\Program Files\Microsoft Security Adviser\msavsc.exe (Trojan.Downloader) -> No action taken.
C:\Program Files\Microsoft Security Adviser\msctrl.exe (Trojan.Downloader) -> No action taken.
C:\Program Files\Microsoft Security Adviser\msfw.exe (Trojan.Downloader) -> No action taken.
C:\Program Files\Microsoft Security Adviser\msiemon.exe (Trojan.Downloader) -> No action taken.
C:\Program Files\Microsoft Security Adviser\msscan.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\1316_button_1b_def.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\1316_button_1b_over.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\1317_button_1b_def.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\FindIt.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\FindItHot.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\findithotxp.png (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\finditxp.png (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\logo.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\logoxp.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\contexts\error.xml (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\contexts\related.xml (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\contexts\travel.xml (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\1223_button_1b_def.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\1223_button_1b_over.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\1229_button_1b_def.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\1229_button_1b_over.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\FindIt.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\FindItHot.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\findithotxp.png (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\finditxp.png (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\logo.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\logoxp.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\Weather.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\WeatherHot.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\weatherhotxp.png (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\weatherxp.png (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\contexts\error.xml (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\contexts\related.xml (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\contexts\travel.xml (Adware.Starware) -> No action taken.
C:\WINDOWS\msscan.dll (Trojan.Clicker) -> No action taken.
C:\WINDOWS\msiemon.dll (Trojan.Clicker) -> No action taken.
C:\WINDOWS\msfw.dll (Trojan.Clicker) -> No action taken.
C:\WINDOWS\msctrl.dll (Trojan.Clicker) -> No action taken.

----------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:55 AM, on 1/10/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Microsoft security adviser] C:\Program Files\Microsoft Security Adviser\mssadv.exe
O4 - HKLM\..\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe
O4 - HKLM\..\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe
O4 - HKLM\..\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe
O4 - HKLM\..\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe
O4 - HKLM\..\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 2157 bytes

----------------------------------------------------------------

I've just updated XP to SP2, do I need to run the tests again?

This post has been edited by Pazma: Jan 10 2009, 07:34 AM
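Added example, not part of this thread and not code from HijackThis, Malwarebytes or SDFix: a small Python script that cross-references the autostart entries in a HijackThis log (the O2 BHO and O4 Run lines) against the result lines in a Malwarebytes log, so that for each persistence entry you can see at a glance whether MBAM flagged its registry value or its file, and whether the scan actually did anything about it. The sample lines are copied from the two logs in the post above; MBAM_AFTER is constructed by rewriting those same lines to the "Quarantined and deleted successfully" verdict so the script shows both readings. The regexes are written for the line shapes seen in this thread (HijackThis 2.0.2, MBAM 1.32) and the O3/O9/O23 lines are deliberately ignored; those are assumptions of this example, not a spec of either tool's format.

```python
import re
from dataclasses import dataclass

# Constructed samples: a few lines copied from the HijackThis and Malwarebytes
# logs posted in this thread (not the full logs).
HJT_LOG = r"""
O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft security adviser] C:\Program Files\Microsoft Security Adviser\mssadv.exe
O4 - HKLM\..\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""
MBAM_BEFORE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msctrl.exe (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft security adviser (Trojan.Agent) -> No action taken.
C:\Program Files\Microsoft Security Adviser\msctrl.exe (Trojan.Downloader) -> No action taken.
"""
# Constructed: the same items as they read in the second scan, after Remove Selected.
MBAM_AFTER = MBAM_BEFORE.replace("No action taken", "Quarantined and deleted successfully")

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\"
BHO_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\"

# Line shapes as HijackThis 2.0.2 and MBAM 1.32 print them in the logs above
# (an assumption of this example). O3/O9/O23 lines are deliberately not handled.
O2_RE = re.compile(r"^O2 - BHO: (?P<title>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\](?: (?P<cmd>.*))?$")
MBAM_RE = re.compile(r"^(?P<item>.+) \((?P<detection>[A-Za-z0-9.]+)\) -> (?P<result>.+?)\.?$")


@dataclass
class AutoStart:
    label: str          # e.g. "O4 HKLM Run [msctrl.exe]"
    reg_key: str        # registry path as MBAM reports it, lowercased
    file_path: str      # file the entry loads, lowercased ("" if none)
    file_missing: bool  # HijackThis printed "(file missing)"


def command_path(cmd: str) -> str:
    """Executable part of a Run value: the quoted path, else the whole string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd


def parse_hjt(text: str) -> list:
    """Turn O2 (BHO) and O4 (Run key) lines into AutoStart records."""
    entries = []
    for line in text.splitlines():
        if m := O4_RE.match(line.strip()):
            hive = HIVES.get(m["hive"], m["hive"])
            entries.append(AutoStart(f"O4 {m['hive']} Run [{m['name']}]",
                                     (hive + RUN_KEY + m["name"]).lower(),
                                     command_path(m["cmd"] or "").lower(), False))
        elif m := O2_RE.match(line.strip()):
            path, missing = m["path"], m["path"].endswith("(file missing)")
            if missing:
                path = path[: -len("(file missing)")].strip()
            entries.append(AutoStart("O2 BHO {" + m["clsid"] + "}",
                                     (BHO_KEY + "{" + m["clsid"] + "}").lower(),
                                     path.lower(), missing))
    return entries


def parse_mbam(text: str) -> dict:
    """Map each item MBAM listed (lowercased) to the action it recorded."""
    results = {}
    for line in text.splitlines():
        if m := MBAM_RE.match(line.strip()):
            results[m["item"].lower()] = m["result"]
    return results


def triage(hjt_text: str, mbam_text: str) -> dict:
    """For each autostart entry: did MBAM flag its key or file, and did it act?"""
    mbam = parse_mbam(mbam_text)
    verdicts = {}
    for e in parse_hjt(hjt_text):
        actions = [mbam[k] for k in (e.reg_key, e.file_path) if k and k in mbam]
        if not actions:
            verdict = "not flagged"
        elif any(a.lower().startswith("no action taken") for a in actions):
            verdict = "flagged, NOT removed"  # scanned, but Remove Selected never run
        else:
            verdict = "flagged, removed"
        if e.file_missing:
            verdict += " (file missing on disk)"
        verdicts[e.label] = verdict
    return verdicts


if __name__ == "__main__":
    for title, log in (("first scan", MBAM_BEFORE), ("second scan", MBAM_AFTER)):
        print(f"== {title} ==")
        for label, verdict in triage(HJT_LOG, log).items():
            print(f"  {verdict:45} {label}")
```

Run as-is it prints both passes: against the first log every "Microsoft Security Adviser" entry and the orphaned BHO come back "flagged, NOT removed", which is the reading that tells you the scan was run but Remove Selected was not; against the rewritten log the same entries read "flagged, removed". Matching is done on the lowercased registry path and file path, because MBAM prints the Run value name in lower case while HijackThis preserves the original casing.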
Post #4, Jan 10 2009, 07:59 AM
Distinguished Member (Group: HJT Team, Posts: 921, Joined: 6-January 05, Member No.: 8,815)
Hello Pazma,
Thank you for doing that for me. For now, can you please just follow these instructions...

Please note: I can see "No action taken" showing in the Malwarebytes scan, so can you please run through the Malwarebytes' Anti-Malware instructions again. When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click Show Results. Make sure all entries have a checkmark at their far left. Click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program's quarantine.

Once you have done that....

Please download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

Reboot your computer and enter Safe Mode (tap the F8 key just before Windows starts to load, then select Safe Mode).

Open the extracted SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process. It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot. Press any key and it will restart the PC. When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons. Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.

Please rescan with HijackThis and post the new log, the new Malwarebytes log and the SDFix Report.
Post #5, Jan 11 2009, 04:45 PM
New Member (Group: Members, Posts: 9, Joined: 7-January 09, Member No.: 279,473)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:09 PM, on 1/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 1544 bytes

----------------------------------------------------------------

Malwarebytes' Anti-Malware 1.32
Database version: 1637
Windows 5.1.2600 Service Pack 2

1/11/2009 8:35:12 PM
mbam-log-2009-01-11 (20-35-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 81918
Time elapsed: 2 hour(s), 33 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 8
Registry Data Items Infected: 0
Folders Infected: 9
Files Infected: 40

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msavsc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msctrl.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msfw.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiemon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msscan.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft security adviser (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Microsoft Security Adviser (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Starware381 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware408 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\contexts (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\contexts (Adware.Starware) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\mick\Local Settings\Temporary Internet Files\Content.IE5\9RFJPX8E\AV2009Install_77013601[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1547161642-1580818891-1343024091-1005\Dc2.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\msavsc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\msctrl.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\msfw.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\msiemon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\msscan.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\1316_button_1b_def.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\1316_button_1b_over.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\1317_button_1b_def.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\FindIt.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\FindItHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\findithotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\finditxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\logo.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\logoxp.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\contexts\error.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\contexts\related.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\contexts\travel.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\1223_button_1b_def.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\1223_button_1b_over.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\1229_button_1b_def.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\1229_button_1b_over.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\FindIt.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\FindItHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\findithotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\finditxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\logo.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\logoxp.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\Weather.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\WeatherHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\weatherhotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\weatherxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\contexts\error.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\contexts\related.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\contexts\travel.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\WINDOWS\msscan.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\msiemon.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\msfw.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\msctrl.dll (Trojan.Clicker) -> Quarantined and deleted successfully.

----------------------------------------------------------------

SDFix: Version 1.240
Run by mick on Sun 01/11/2009 at 09:11 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\msavsc.dll - Deleted
C:\WINDOWS\system32\winsrc.dll.tmp - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 21:20:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:51,1a,0d,c0,81,ff,a8,e5,2e,51,f7,60,b0,fe,39,61,f1,ef,b8,2d,c7,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:51,1a,0d,c0,81,ff,a8,e5,2e,51,f7,60,b0,fe,39,61,f1,ef,b8,2d,c7,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:51,1a,0d,c0,81,ff,a8,e5,2e,51,f7,60,b0,fe,39,61,f1,ef,b8,2d,c7,..

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\KB944338-v2.log 3812 bytes
C:\WINDOWS\KB956802.log 2927 bytes
C:\WINDOWS\LastGood
C:\WINDOWS\LastGood\INF
C:\WINDOWS\LastGood\INF\oem11.inf 0 bytes
C:\WINDOWS\LastGood\INF\oem11.PNF 0 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 6

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 19 Dec 2007     4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 19 Dec 2007       401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
Sun 11 Jan 2009         0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0044c05f784f01d2208480e0d7e7d170\BIT20.tmp"
Sun 11 Jan 2009         0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\158e67e5edd92c78c30c06dd18cea563\BIT1C.tmp"
Sun 11 Jan 2009         0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1741e6217a93d36aaaaa3cead0913a10\BIT19.tmp"
Sun 11 Jan 2009 1,465,384 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1abb4643eccf67e5ec8b2a16ba5befb7\BIT16.tmp"
Sun 11 Jan 2009         0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\28bfc9e6560577a89aed6b0c726eb7e6\BIT1E.tmp"
Sun 11 Jan 2009         0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\30176d767e46d7fcf2d00c8f50c9758e\BIT1B.tmp"
Sun 11 Jan 2009         0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\40e9dcb66532a7d0904f24c869fdfd7e\BIT1D.tmp"
Sun 11 Jan 2009         0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f79e01ce8ee10a7556514a051f797f4\BITB.tmp"
Sun 11 Jan 2009         0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\588786e399909bbe558853aada5a75c8\BIT17.tmp"
Sun 11 Jan 2009         0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\74a19a19cc31989be4bb0df6ac36d839\BIT18.tmp"
Sun 11 Jan 2009         0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7684fcdc5c1747eb53ef3c2d202add11\BIT13.tmp"
Sun 11 Jan 2009         0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\db250b969298d4b9909ab53611417a5a\BIT1F.tmp"
Sun 11 Jan 2009         0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ede23652b16ac5041616fd3bd72c6048\BIT1A.tmp"
Sun 11 Jan 2009         0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a37ea2d49e8a7659886ac76c226cad7d\download\BIT21.tmp"

Finished!
Post #6, Jan 12 2009, 12:09 PM
Distinguished Member (Group: HJT Team, Posts: 921, Joined: 6-January 05, Member No.: 8,815)
Hello Pazma,
QUOTE: "Quarantined and deleted successfully"

That's great...

Your log is showing that you do not have a third party firewall installed. Please note that using a firewall on your computer is very important. Without one your computer is susceptible to being hacked and taken over. I strongly recommend that you now install one of these free versions of a commercial firewall onto your system. Any one of these will protect your system and will give you full control over everything that requests Internet access.
Comodo
OutPost Firewall Free
Kerio Personal Firewall

It is also really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free versions of commercial antiviruses. Be sure to only install one.
avast!
AntiVir
AVG Free 8.0

Please re-scan with HijackThis and post the new log, and can you let me know how your system is running now.
Post #7, Jan 12 2009, 09:18 PM
New Member (Group: Members, Posts: 9, Joined: 7-January 09, Member No.: 279,473)
Hi, I've since installed AVG Free 8.0 for him, but he's taken the laptop back so I can't post the HijackThis log.

Thanks for all your help, you've been great. It seems to be running smoothly now.
Post #8, Jan 13 2009, 11:49 AM
Distinguished Member (Group: HJT Team, Posts: 921, Joined: 6-January 05, Member No.: 8,815)
Hello Pazma,
Thank you for letting me know. Since this issue appears to be resolved, this topic has been closed. Glad we could help.

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.