Can't Get Rid Of Append.dll


11 replies to this topic

#1 replica

Posted 26 November 2007 - 06:08 PM

Hey good people, I have Spyware Doctor on my PC and lately it started reporting an Adware.Agent.Bn infection which I find difficult to remove even with the help of the mentioned tool. It says it fixes it, but when a new scan is run the same infection is always found again. It also reports that Spyware Doctor blocks an application svchost.exe attempting to write to the registry: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS, APPINIT_DLLS="C:\WINDOWS\system32\append.dll"

Here's a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:03, on 27.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\msdtc.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Закачать все при помощи FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Закачать при помощи FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Создание избранного на мобильном устройстве... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Справочные материалы - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - http://activex.camfrogweb.com/advanced/2.0..._instmodule.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/...owserPlugin.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://my.foto.mail.ru/ImageUploader4.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {F0320816-41D9-49DD-B2F3-8E7B0AE32796} (AFCStarter Control) - http://live.pdbox.co.kr:8057/AFCStarter.cab
O16 - DPF: {FAB8A8E6-219A-4C0A-AD91-BF4AB3947D6B} - http://ipodradio.ru/achat_default.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\append.dll
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11984 bytes
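The O20 line in the log above is the one that matters: AppInit_DLLs is a registry value that Windows reads when user32.dll is mapped, so a DLL listed there gets loaded into nearly every process, and cleaning the file alone is not enough while the value still points at it. The following is an added example, not code from the thread or from HijackThis, that triages a few HijackThis-format lines (a constructed sample in the same layout as the log) and flags the AppInit_DLLs loader; the `Finding` class and function names are this example's own.

```python
"""Triage HijackThis-format log lines for AppInit_DLLs persistence.

Added example for this thread; it is not part of HijackThis, ComboFix or the
original post. AppInit_DLLs lives under
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows and is empty by
default; every DLL listed there is loaded into each process that links
user32.dll, which is why a file like append.dll keeps coming back after an
ordinary scan-and-delete and why a protection tool sees svchost.exe re-writing
the value.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the same layout as the log above (a few lines only).
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [igfxtray] C:\\WINDOWS\\system32\\igfxtray.exe
O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\append.dll
O23 - Service: LVCOMSer - Logitech Inc. - C:\\Program Files\\Common Files\\LogiShrd\\LVCOMSER\\LVComSer.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O20"
    detail: str    # the path or entry that triggered the finding
    severity: str  # "high" or "low"


_LINE = re.compile(r"^(?P<sec>[ORF]\d+) - (?P<rest>.*)$")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Split a HijackThis log into (section code, remainder) pairs."""
    entries = []
    for line in text.splitlines():
        match = _LINE.match(line.strip())
        if match:
            entries.append((match.group("sec"), match.group("rest")))
    return entries


def triage(text: str) -> List[Finding]:
    """Flag AppInit_DLLs loaders (high) and orphaned BHO registrations (low)."""
    findings = []
    for sec, rest in parse_hjt(text):
        if sec == "O20" and rest.startswith("AppInit_DLLs:"):
            # Anything after the label is a DLL the loader will inject everywhere.
            dll = rest.split(":", 1)[1].strip()
            if dll:
                findings.append(Finding(sec, dll, "high"))
        elif sec == "O2" and rest.endswith("(no file)"):
            # Registration points at a missing file: a leftover, not a loader.
            findings.append(Finding(sec, rest, "low"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.detail}")
```

Run it against a full log by passing the file contents to `triage`; on the log above it would report the append.dll entry as high and the nameless BHO with "(no file)" as low.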

#2 replica

Posted 27 November 2007 - 03:02 AM

Anyone?

#3 LonnyRJones

Posted 29 November 2007 - 07:53 AM

Welcome to the forum
Download this file - combofix.exe - to your desktop (don't run it yet)
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
Launch Notepad (important: not WordPad or another third-party text editor), and copy and paste the contents
of the code box below into a new text file. (don't include the word code)
Save it as file name: cfscript.txt
rootkit::
c:\windows\system32\append.dll
registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
"AppInit_DLLs"=""
http://users.pandora.be/bluepatchy/miekiem...es/CFScript.gif
As in the picture above, drag and drop cfscript.txt onto combofix.exe.
When it is finished a text file will open; post it.
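A script like the one above is worth reading before it is dropped onto combofix.exe, because it deletes files and edits registry values without further confirmation. The following added example (not ComboFix code, and not from this thread's author) is a dry-run reader that turns the script's sections into a list of planned actions: `rootkit::` lines name files to remove, and under `registry::` a `"name"=-` line deletes a value while `"name"="..."` sets one. The function names are this example's own; the sample input is a constructed copy of the script above.

```python
"""Dry-run reader for a ComboFix CFScript.

Added example; not from ComboFix, its author or this thread. It lists what a
script like the one above would do before it is dropped onto combofix.exe.
The script above deletes AppInit_DLLs and then recreates it empty, which is
the value's default state on Windows XP.
"""
import re
from typing import List, Optional, Tuple

# Constructed copy of the script posted above, used as sample input.
SAMPLE_CFSCRIPT = """\
rootkit::
c:\\windows\\system32\\append.dll
registry::
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager]
"PendingFileRenameOperations"=-
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]
"AppInit_DLLs"=-
"AppInit_DLLs"=""
"""

Action = Tuple[str, str, Optional[str]]  # (kind, target, value)

_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')


def parse_cfscript(text: str) -> List[Action]:
    """Translate script lines into (kind, target, value) actions."""
    actions: List[Action] = []
    section: Optional[str] = None
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):           # section header, e.g. "registry::"
            section, key = line[:-2].lower(), None
        elif section == "rootkit":
            actions.append(("delete_file", line, None))
        elif section == "registry":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]          # following values belong to this key
            else:
                match = _VALUE.match(line)
                if match and key is not None:
                    target = key + "\\" + match.group("name")
                    val = match.group("val")
                    if val == "-":
                        actions.append(("delete_value", target, None))
                    else:
                        actions.append(("set_value", target, val.strip('"')))
    return actions


def appinit_actions(actions: List[Action]) -> List[Action]:
    """Return only the actions that touch AppInit_DLLs, the loader in question."""
    return [a for a in actions if a[1].lower().endswith("\\appinit_dlls")]


if __name__ == "__main__":
    for kind, target, value in parse_cfscript(SAMPLE_CFSCRIPT):
        print(kind, target, "" if value is None else repr(value))
```

The SecurityProviders line is restored to the four-DLL list shown in the script because that value is another load point that this kind of adware tends to alter; checking the parsed `set_value` against the expected list is a quick way to confirm the script does only what it claims.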

#4 replica

Posted 29 November 2007 - 03:42 PM

No text was opened. I rather had the following window displayed (I waited like 20 minutes before posting this):
Posted Image

#5 LonnyRJones

Posted 30 November 2007 - 04:34 AM

Did it continue to the next stages, or have you closed the program?

It might help to run it again after first restarting the PC and, while disconnected from the internet, turning off any protection programs.

#6 replica

Posted 30 November 2007 - 06:30 AM

Hi, it worked this time around. I turned my internet connection off and did the same with Antivirus Spyware Doctor. Here's a combofix log:

ComboFix 07-11-19.4C - Administrator 2007-11-30 14:20:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1251.1.1033.18.602 [GMT 3:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\lyriboly.dll
C:\Documents and Settings\All Users\Application Data.\nefkvkrs.dll
C:\Documents and Settings\All Users\Application Data.\zuhwpgtc.dll
C:\WINDOWS\pack.epk
C:\WINDOWS\system32\append.dll
C:\WINDOWS\system32\cddcyhpfnd.dat
C:\WINDOWS\system32\cddcyhpfnd_nav.dat
C:\WINDOWS\system32\cddcyhpfnd_navps.dat
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\skuns.dat
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.

2007-11-29 00:06 21,000 --a------ C:\Documents and Settings\Administrator\Application Data\info.dat
2007-11-28 10:23 10,001 --a------ C:\WINDOWS\wsystmp_fuv.exe
2007-11-28 00:56 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2007-11-27 01:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-27 01:06 53 --a------ C:\WINDOWS\system32\Partizan.RRI
2007-11-27 01:02 <DIR> d-------- C:\RootkitNO
2007-11-27 00:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-11-26 23:45 C:\WINDOWS\(2) C:\ComboFix\winstart.bat
2007-11-26 10:57 <DIR> d-------- C:\Program Files\arzwnoat
2007-11-26 10:56 161,344 --a------ C:\Documents and Settings\Administrator\Application Data\trant.exe
2007-11-26 10:53 12,783 --a------ C:\WINDOWS\wsystmp_pze.exe
2007-11-23 22:42 17,628 --a------ C:\WINDOWS\wsystmp_nrk.exe
2007-11-23 21:50 15,872 --a------ C:\WINDOWS\windisk.dll
2007-11-22 11:25 289,280 --a------ C:\WINDOWS\system32\libcurl.dll
2007-11-21 12:20 41,984 --a------ C:\WINDOWS\ksacre.exe
2007-11-20 16:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-11 23:54 6,058,496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-11 23:54 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-11 23:54 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-11 23:54 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-11 23:54 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-11 23:54 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-11 23:54 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-11 23:54 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-11 23:54 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-11 15:02 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-11-10 14:01 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-05 00:20 <DIR> d-------- C:\Program Files\IDDK
2007-11-03 18:58 <DIR> d-------- C:\Program Files\TVAnts
2007-10-23 13:07 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\cld3-lookup
2007-10-23 13:03 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\EssentialGrammarInUse
2007-10-23 13:02 <DIR> dr-h----- C:\Documents and Settings\Guest\Application Data\SecuROM
2007-10-21 02:39 39,824 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-10-21 01:20 <DIR> d-------- C:\Program Files\uTorrent
2007-10-21 01:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\uTorrent
2007-10-19 01:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Teleca
2007-10-19 01:20 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-10-19 01:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2007-10-19 01:20 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-19 01:20 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-19 01:20 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-10-19 01:20 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-10-19 00:36 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-16 22:59 22,022 --a------ C:\WINDOWS\system32\Config.MPF
2007-10-14 23:14 <DIR> d-------- C:\Program Files\Real
2007-10-14 23:14 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-14 23:14 <DIR> d-------- C:\Program Files\Common Files\Real
2007-10-11 22:12 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ICAClient
2007-10-11 22:11 <DIR> d-------- C:\Program Files\Citrix
2007-10-10 11:37 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 22:43 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Skype
2007-11-26 22:45 --------- d-----w C:\Program Files\FlashGet
2007-11-20 13:38 --------- d--h--r C:\Documents and Settings\Administrator\Application Data\yahoo!
2007-11-20 12:44 --------- d-----w C:\Program Files\MSN Messenger
2007-11-20 12:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-11-20 12:36 --------- d-----w C:\Program Files\Yahoo!
2007-11-11 12:02 --------- d-----w C:\Program Files\Skype
2007-11-11 12:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-11-08 20:28 --------- d-----w C:\Program Files\ICQ6
2007-11-02 16:57 --------- d-----w C:\Program Files\Java
2007-10-20 23:47 --------- d-----w C:\Program Files\mIRC
2007-10-18 23:28 --------- d-----w C:\Program Files\Google
2007-10-18 22:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-18 21:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-16 16:16 --------- d-----w C:\Documents and Settings\Guest\Application Data\ICQ
2007-10-11 07:29 --------- d--h--r C:\Documents and Settings\Guest\Application Data\yahoo!
2007-09-29 09:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2007-09-29 01:00 --------- d-----w C:\Program Files\Logitech
2007-09-29 01:00 --------- d-----w C:\Program Files\Common Files\LogiShrd
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00]
"H/PC Connection Agent"="C:\PROGRA~1\MICROS~3\wcescomm.exe" [2006-06-21 18:29]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 11:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-05-07 00:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"PTHOSTTR"="C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.exe" [2006-02-14 21:56]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 09:11]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 21:04]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 15:17]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 15:13]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 15:17]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 20:49]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-03 01:39]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 18:03]
"Recguard"="C:\WINDOWS\Sminst\Recguard.exe" [2005-12-21 01:51]
"Scheduler"="C:\WINDOWS\SMINST\Scheduler.exe" [2006-02-16 01:43]
"WatchDog"="C:\Program Files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 22:59]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 11:00 C:\WINDOWS\system32\bthprops.cpl]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-09-26 17:49]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-07-15 12:48]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 15:02]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 15:06]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-14 23:14]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 08:05:26]
DVD Check.lnk - C:\Program Files\InterVideo\DVD Check\DVDCheck.exe [2007-01-10 00:34:14]
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-07-10 23:32:34]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli AsWlnPkg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

R1 AVZRK;AVZ-RK Kernel Driver;\??\C:\WINDOWS\system32\Drivers\uze1nzk0.sys
R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe -k Cognizance
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance ASChannel

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 05:00:00 C:\WINDOWS\Tasks\Advanced Registry Optimizer.job"
- C:\Program Files\Advanced Registry Optimizer\ARO.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 14:24:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????e??????(?@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-30 14:26:00 - machine was rebooted
.
--- E O F ---

#7 LonnyRJones

Posted 30 November 2007 - 10:03 AM

Spyware Doctor is an antispyware tool; why aren't you running an antivirus program?


C:\Documents and Settings\Administrator\Application Data\trant.exe < delete file
C:\WINDOWS\ksacre.exe < delete file

Scan each of these files and post back the information:
C:\WINDOWS\wsystmp_fuv.exe
C:\WINDOWS\wsystmp_pze.exe
C:\WINDOWS\wsystmp_nrk.exe
C:\WINDOWS\windisk.dll
C:\WINDOWS\system32\Drivers\uze1nzk0.sys
http://www.virustotal.com/


C:\Program Files\arzwnoat < what is that program? List the files inside for us unless you already know what it is.
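Multi-engine reports like the ones requested here are easier to read when reduced to a count and a verdict, and it helps to remember that a file no engine flags is merely undetected, not proven clean (a freshly dropped driver may simply be unknown to every engine on the day of the scan). The following added example, not from VirusTotal or this thread, parses reports in the layout posted in the replies (one "vendor version signature-date result" line per engine, "-" meaning no detection, followed by size, hashes and packer lines) and applies a simple triage rule chosen for this example: three or more engines is treated as malicious, one or two as suspicious, zero as undetected. The sample inputs are constructed; the second one uses a placeholder driver name.

```python
"""Summarise VirusTotal-style scan reports of the kind requested above.

Added example; not from VirusTotal or this thread. The verdict thresholds are
a triage heuristic for this example, not a VirusTotal rule.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed excerpt following the layout of the reports posted in this thread.
SAMPLE_REPORT = """\
C:\\WINDOWS\\wsystmp_fuv.exe

AhnLab-V3 2007.12.1.0 2007.11.30 -
AntiVir 7.6.0.34 2007.11.30 TR/Crypt.XPACK.Gen
BitDefender 7.2 2007.11.30 Trojan.Downloader.LoadAdv.XXA
CAT-QuickHeal 9.00 2007.11.30 -
eSafe 7.0.15.0 2007.11.29 suspicious Trojan/Worm
Kaspersky 7.0.0.125 2007.11.30 Trojan.Win32.Agent.bty
NOD32v2 2695 2007.11.30 Win32/TrojanDownloader.Small.NUS
Symantec 10 2007.11.30 -

Additional Information:
File size: 10001 bytes
MD5: 6389b61068a08ed7ec1d79d914706c83
packers: UPX
"""

# Constructed report with no detections at all (the "undetected" edge case);
# the driver name is a placeholder, not a file from this thread.
SAMPLE_UNDETECTED = """\
C:\\WINDOWS\\system32\\Drivers\\example_unknown.sys

AhnLab-V3 2007.12.1.0 2007.11.30 -
AntiVir 7.6.0.34 2007.11.30 -
Kaspersky 7.0.0.125 2007.11.30 -
"""

_ENGINE = re.compile(r"^(\S+) (\S+) (\d{4}\.\d{2}\.\d{2}) (.+)$")

Report = Tuple[str, Dict[str, Optional[str]], Dict[str, str]]


def parse_report(text: str) -> Report:
    """Return (scanned path, {vendor: result or None}, metadata)."""
    path = ""
    results: Dict[str, Optional[str]] = {}
    meta: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not path:                      # first non-empty line names the file
            path = line
            continue
        match = _ENGINE.match(line)
        if match:
            vendor, _version, _date, result = match.groups()
            results[vendor] = None if result == "-" else result
        elif ":" in line:                 # "MD5: ...", "packers: UPX", ...
            key, value = line.split(":", 1)
            meta[key.strip().lower()] = value.strip()
    return path, results, meta


def verdict(report: Report) -> Tuple[str, int, int, bool]:
    """Apply the triage rule; returns (label, engines detecting, engines total, packed)."""
    _path, results, meta = report
    hits = sum(1 for r in results.values() if r is not None)
    if hits >= 3:
        label = "malicious"
    elif hits >= 1:
        label = "suspicious"          # heuristic or generic names: look closer
    else:
        label = "undetected"          # not the same as clean
    packed = "packers" in meta        # packed binaries deserve extra scrutiny
    return label, hits, len(results), packed


if __name__ == "__main__":
    for sample in (SAMPLE_REPORT, SAMPLE_UNDETECTED):
        path, _results, _meta = parse_report(sample)
        print(path, verdict(parse_report(sample)))
```

Feeding each posted report into `parse_report` and then `verdict` gives a one-line summary per file, and the MD5 kept in the metadata can be compared against later scans of the same file.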

#8 replica

Posted 30 November 2007 - 12:41 PM

It is an anti-spyware tool indeed; however, when I purchased one there was an option "Add Antivirus" to it:
see there - http://www.pctools.com/spyware-doctor-antivirus/
So I guess it's kinda some built-in version of Antivirus in Spyware Doctor. And as it may appear, everything that is just an addition doesn't work well. What antivirus would you recommend then? And will I face any issues with compatibility of Spyware Doctor+Antivirus and this new antivirus?

I deleted trant.exe and ksacre.exe as you requested. Also arzwnoat was an empty folder so I deleted it too. Have no idea what kind of program it was. Surely not something I installed.

As far as the scan goes, here are the results:

C:\WINDOWS\wsystmp_fuv.exe

AhnLab-V3 2007.12.1.0 2007.11.30 -
AntiVir 7.6.0.34 2007.11.30 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2007.11.30 W32/LoadAdv.gen
Avast 4.7.1074.0 2007.11.29 Win32:Adloader-JX
AVG 7.5.0.503 2007.11.30 Small.2.BC
BitDefender 7.2 2007.11.30 Trojan.Downloader.LoadAdv.XXA
CAT-QuickHeal 9.00 2007.11.30 -
ClamAV 0.91.2 2007.11.30 Trojan.Small-3588
DrWeb 4.44.0.09170 2007.11.30 -
eSafe 7.0.15.0 2007.11.29 suspicious Trojan/Worm
eTrust-Vet 31.3.5338 2007.11.30 Win32/Harnig!generic
Ewido 4.0 2007.11.30 -
FileAdvisor 1 2007.11.30 -
Fortinet 3.14.0.0 2007.11.30 -
F-Prot 4.4.2.54 2007.11.29 W32/LoadAdv.gen
F-Secure 6.70.13030.0 2007.11.30 Trojan.Win32.Agent.bty
Ikarus T3.1.1.12 2007.11.30 Trojan-Downloader.LoadAdv.B
Kaspersky 7.0.0.125 2007.11.30 Trojan.Win32.Agent.bty
McAfee 5174 2007.11.29 Downloader-AWM.gen
Microsoft 1.3007 2007.11.30 TrojanDownloader:Win32/Small.AAAA
NOD32v2 2695 2007.11.30 Win32/TrojanDownloader.Small.NUS
Norman 5.80.02 2007.11.30 W32/Agent.DKEL
Panda 9.0.0.4 2007.11.29 -
Prevx1 V2 2007.11.30 -
Rising 20.20.40.00 2007.11.30 Trojan.DL.Win32.Agent.zxq
Sophos 4.23.0 2007.11.30 Mal/DowAdv-B
Sunbelt 2.2.907.0 2007.11.30 -
Symantec 10 2007.11.30 -
TheHacker 6.2.9.145 2007.11.30 -
VBA32 3.12.2.5 2007.11.30 -
VirusBuster 4.3.26:9 2007.11.30 Trojan.DL.Loadadv.Gen.2
Webwasher-Gateway 6.0.1 2007.11.30 Trojan.Crypt.XPACK.Gen

Additional Information:
File size: 10001 bytes
MD5: 6389b61068a08ed7ec1d79d914706c83
SHA1: 0c91cda27e4d01c4bedca517a7092e62915a097a
packers: UPX
packers: UPX
packers: UPX
packers: PE_Patch.UPX, UPX
------------------------------------------------------------------------------

C:\WINDOWS\wsystmp_nrk.exe

AhnLab-V3 2007.12.1.0 2007.11.30 -
AntiVir 7.6.0.34 2007.11.30 WORM/Zhelatin.Gen
Authentium 4.93.8 2007.11.30 Possibly a new variant of W32/STZ_like!Generic
Avast 4.7.1074.0 2007.11.29 Win32:Tibser
AVG 7.5.0.503 2007.11.30 I-Worm/Nuwar.C
BitDefender 7.2 2007.11.30 Trojan.Peed.IOL
CAT-QuickHeal 9.00 2007.11.30 -
ClamAV 0.91.2 2007.11.30 -
DrWeb 4.44.0.09170 2007.11.30 Trojan.Packed.229
eSafe 7.0.15.0 2007.11.29 Suspicious File
eTrust-Vet 31.3.5338 2007.11.30 -
Ewido 4.0 2007.11.30 -
FileAdvisor 1 2007.11.30 -
Fortinet 3.14.0.0 2007.11.30 -
F-Prot 4.4.2.54 2007.11.29 W32/STZ_like!Generic
F-Secure 6.70.13030.0 2007.11.30 -
Ikarus T3.1.1.12 2007.11.30 Virus.Win32.Tibser
Kaspersky 7.0.0.125 2007.11.30 -
McAfee 5174 2007.11.29 -
Microsoft 1.3007 2007.11.30 Trojan:Win32/Tibs.FB
NOD32v2 2695 2007.11.30 probably unknown NewHeur_PE virus
Norman 5.80.02 2007.11.30 W32/Tibs.BDJT
Panda 9.0.0.4 2007.11.29 W32/Nuwar.KM.worm
Prevx1 V2 2007.11.30 TROJAN.PEED.AK
Rising 20.20.40.00 2007.11.30 Worm.Mail.Win32.Zhelatin.wos
Sophos 4.23.0 2007.11.30 Mal/Dorf-F
Sunbelt 2.2.907.0 2007.11.30 -
Symantec 10 2007.11.30 -
TheHacker 6.2.9.145 2007.11.30 -
VBA32 3.12.2.5 2007.11.30 -
VirusBuster 4.3.26:9 2007.11.30 -
Webwasher-Gateway 6.0.1 2007.11.30 Worm.Zhelatin.Gen
Additional Information
File size: 17628 bytes
MD5: d7f9fefa77520459df8f332072904224
SHA1: 24ed2b9bae4dbccec35e9f301513544b9bca6945
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5...E1B80002EF49B05
--------------------------------------------------------------------------------------------------------------------------

C:\WINDOWS\wsystmp_pze.exe

AhnLab-V3 2007.12.1.0 2007.11.30 -
AntiVir 7.6.0.34 2007.11.30 TR/Crypt.XPACK.Gen
Authentium 4.93.8 2007.11.30 -
Avast 4.7.1074.0 2007.11.29 Win32:Kbot-D
AVG 7.5.0.503 2007.11.30 Downloader.Obfuskated
BitDefender 7.2 2007.11.30 Trojan.AVKiller.AS
CAT-QuickHeal 9.00 2007.11.30 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.11.30 -
DrWeb 4.44.0.09170 2007.11.30 Trojan.MulDrop.8347
eSafe 7.0.15.0 2007.11.29 Suspicious File
eTrust-Vet 31.3.5338 2007.11.30 -
Ewido 4.0 2007.11.30 -
FileAdvisor 1 2007.11.30 -
Fortinet 3.14.0.0 2007.11.30 Basine.C!tr
F-Prot 4.4.2.54 2007.11.29 -
F-Secure 6.70.13030.0 2007.11.30 -
Ikarus T3.1.1.12 2007.11.30 Backdoor.Win32.Kbot.aq
Kaspersky 7.0.0.125 2007.11.30 -
McAfee 5174 2007.11.29 Tcad-Crypted
Microsoft 1.3007 2007.11.30 TrojanDownloader:Win32/Small.gen!AAM
NOD32v2 2695 2007.11.30 -
Norman 5.80.02 2007.11.30 -
Panda 9.0.0.4 2007.11.29 Suspicious file
Prevx1 V2 2007.11.30 Downloader.Obfuskated
Rising 20.20.40.00 2007.11.30 Trojan.DL.Win32.Small.fyn
Sophos 4.23.0 2007.11.30 Mal/Basine-C
Sunbelt 2.2.907.0 2007.11.30 -
Symantec 10 2007.11.30 -
TheHacker 6.2.9.145 2007.11.30 -
VBA32 3.12.2.5 2007.11.30 -
VirusBuster 4.3.26:9 2007.11.30 Trojan.DR.Dirat.Gen
Webwasher-Gateway 6.6.2 2007.11.30 Trojan.Crypt.XPACK.Gen
Additional information:
File size: 12783 bytes
MD5: a555e0dcff5c13254a8e41b19a66e2d3
SHA1: c92eb3f1e7476c2216507d89ff9c132e97ce0b6a
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5...C11F9007C3E442D
-----------------------------------------------------------------------------------------------------------------------

C:\WINDOWS\windisk.dll

AhnLab-V3 2007.12.1.0 2007.11.30 Win-Trojan/Behav.15872
AntiVir 7.6.0.34 2007.11.30 HEUR/Malware
Authentium 4.93.8 2007.11.30 -
Avast 4.7.1074.0 2007.11.29 -
AVG 7.5.0.503 2007.11.30 -
BitDefender 7.2 2007.11.30 -
CAT-QuickHeal 9.00 2007.11.30 -
ClamAV 0.91.2 2007.11.30 -
DrWeb 4.44.0.09170 2007.11.30 DLOADER.Trojan
eSafe 7.0.15.0 2007.11.29 -
eTrust-Vet 31.3.5338 2007.11.30 -
Ewido 4.0 2007.11.30 -
FileAdvisor 1 2007.11.30 -
Fortinet 3.14.0.0 2007.11.30 -
F-Prot 4.4.2.54 2007.11.29 W32/Heuristic-KPP!Eldorado
F-Secure 6.70.13030.0 2007.11.30 -
Ikarus T3.1.1.12 2007.11.30 -
Kaspersky 7.0.0.125 2007.11.30 -
McAfee 5174 2007.11.29 -
Microsoft 1.3007 2007.11.30 -
NOD32v2 2696 2007.11.30 -
Norman 5.80.02 2007.11.30 -
Panda 9.0.0.4 2007.11.29 -
Prevx1 V2 2007.11.30 -
Rising 20.20.40.00 2007.11.30 -
Sophos 4.23.0 2007.11.30 Mal/Emogen-G
Sunbelt 2.2.907.0 2007.11.30 -
Symantec 10 2007.11.30 -
TheHacker 6.2.9.145 2007.11.30 -
VBA32 3.12.2.5 2007.11.30 -
VirusBuster 4.3.26:9 2007.11.30 -
Webwasher-Gateway 6.6.2 2007.11.30 Heuristic.Malware
Additional Information
File size: 15872 bytes
MD5: 28beac0a00785c59cfecdc185c1ac183
SHA1: ab2c6143988b9f49b7c29adafcb2dfc3e02345d5
packers: UPX
packers: PE_Patch.UPX, UPX

-----------------------------------------------------------------------------------------------------------------------

C:\WINDOWS\system32\Drivers\uze1nzk0.sys

AhnLab-V3 2007.12.1.0 2007.11.30 -
AntiVir 7.6.0.34 2007.11.30 -
Authentium 4.93.8 2007.11.30 -
Avast 4.7.1074.0 2007.11.29 -
AVG 7.5.0.503 2007.11.30 -
BitDefender 7.2 2007.11.30 -
CAT-QuickHeal 9.00 2007.11.30 -
ClamAV 0.91.2 2007.11.30 -
DrWeb 4.44.0.09170 2007.11.30 -
eSafe 7.0.15.0 2007.11.29 -
eTrust-Vet 31.3.5338 2007.11.30 -
Ewido 4.0 2007.11.30 -
FileAdvisor 1 2007.11.30 -
Fortinet 3.14.0.0 2007.11.30 -
F-Prot 4.4.2.54 2007.11.29 -
F-Secure 6.70.13030.0 2007.11.30 -
Ikarus T3.1.1.12 2007.11.30 -
Kaspersky 7.0.0.125 2007.11.30 -
McAfee 5174 2007.11.29 -
Microsoft 1.3007 2007.11.30 -
NOD32v2 2696 2007.11.30 -
Norman 5.80.02 2007.11.30 -
Panda 9.0.0.4 2007.11.29 -
Prevx1 V2 2007.11.30 -
Rising 20.20.40.00 2007.11.30 -
Sophos 4.23.0 2007.11.30 -
Sunbelt 2.2.907.0 2007.11.30 -
Symantec 10 2007.11.30 -
TheHacker 6.2.9.145 2007.11.30 -
VBA32 3.12.2.5 2007.11.30 -
VirusBuster 4.3.26:9 2007.11.30 -
Webwasher-Gateway 6.6.2 2007.11.30 -
Additional information
File size: 11264 bytes
MD5: c935844f289b4521be054bb9d06a1bcc
SHA1: 189d6a59b95a5017c1e2e8465ce67e92e03ffbe1

Edited by replica, 30 November 2007 - 12:42 PM.


#9 LonnyRJones (Members, 245 posts)

Posted 30 November 2007 - 04:41 PM

Thanks. Delete all but that sys file "uze1nzk0.sys".
I had assumed it belonged to a rootkit; no, check this file's properties and see, please?

Spyware Doctor, well, be sure to back it up by getting a free online scan about twice a month.

I'd like to see a report from one now too.

Don't depend on any one antivirus program; go get preferably two free online scans,
now and weekly or bi-weekly.

Panda ActiveScan - free online scanner:
http://www.pandasoftware.com/products/activescan.htm
Press "Scan your PC now" and allow the ActiveX control to install (if prompted).
Do a full scan: click the "My Computer" button.
After the scan, click "See report", then save the report and post it back here, please.
If you have problems, read the FAQ: http://www.pandasoftware.com/activescan/ac...aq.asp?IdLang=2

Kaspersky Lab - free online scan:
Please use the Internet Explorer browser and do an online scan with Kaspersky Online Scanner.

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:Scan Archives
      Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the "Scan is completed" window, any infection is displayed.
There is no option to clean/disinfect; however, we need to analyze the information in the report.
To obtain the report:
Click on: Save Report As
Next, in the Save As prompt, in the "Save in" area, select: Desktop
In the "File name" area, use KScan or something similar
In "Save as type", click the drop-down arrow and select: Text file [*.txt]
Then click: Save
Please post the Kaspersky Online Scanner report in your reply.
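The "check this file's properties" step above, as an added example that is not part of the thread or of any tool it mentions. It is a PowerShell function (assumed to run in an elevated prompt on Windows PowerShell 5.1 or later; the poster's machine ran XP, where these cmdlets do not exist) that confirms the driver on disk is the same file the scanners hashed, by recomputing the MD5 and SHA1 posted in the scan output above, then reads the version resource and Authenticode signature and finds which service key loads it. The path and hashes are the ones posted in the thread; the function name is my own.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell prompt.
$DriverPath   = 'C:\WINDOWS\system32\Drivers\uze1nzk0.sys'
# Hashes exactly as listed in the scan output posted above
$ExpectedMD5  = 'c935844f289b4521be054bb9d06a1bcc'
$ExpectedSHA1 = '189d6a59b95a5017c1e2e8465ce67e92e03ffbe1'

function Test-DriverFile {
    param([string]$Path, [string]$Md5, [string]$Sha1)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Output "File not present: $Path"
        return
    }
    $item = Get-Item -LiteralPath $Path -Force
    Write-Output ("Size: {0} bytes  Created: {1}  Modified: {2}" -f `
        $item.Length, $item.CreationTime, $item.LastWriteTime)

    # 1. Is this the same file the online scanners looked at?
    $md5  = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
    $sha1 = (Get-FileHash -LiteralPath $Path -Algorithm SHA1).Hash.ToLower()
    Write-Output ("MD5 matches posted value:  {0}" -f ($md5  -eq $Md5.ToLower()))
    Write-Output ("SHA1 matches posted value: {0}" -f ($sha1 -eq $Sha1.ToLower()))

    # 2. Version resource: legitimate drivers almost always carry company/product strings,
    #    a randomly named driver with an empty resource block is suspicious
    $vi = $item.VersionInfo
    Write-Output ("Company: '{0}'  Product: '{1}'  Description: '{2}'" -f `
        $vi.CompanyName, $vi.ProductName, $vi.FileDescription)

    # 3. Authenticode signature: 'NotSigned' or 'HashMismatch' on a kernel driver is a red flag
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    Write-Output ("Signature: {0}  Signer: {1}" -f $sig.Status, $sig.SignerCertificate.Subject)

    # 4. Which service/driver entry loads it? Search every key under Services for the file name.
    #    Start=0/1 means it loads at boot/system start, before user-mode tools can look at it.
    $name = [System.IO.Path]::GetFileName($Path)
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            if ($p.ImagePath -and $p.ImagePath -like "*$name*") {
                Write-Output ("Loaded by service '{0}': Start={1} Type={2} ImagePath={3}" -f `
                    $_.PSChildName, $p.Start, $p.Type, $p.ImagePath)
            }
        }
}

Test-DriverFile -Path $DriverPath -Md5 $ExpectedMD5 -Sha1 $ExpectedSHA1
```

If the hashes match, the scan verdicts posted above apply to the file on disk; if they do not, the file has changed since it was scanned and should be resubmitted. A service key pointing at the driver with no matching entry in Add/Remove Programs and no signer is the usual picture for a dropped rootkit component.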

#10 replica (Topic Starter, Members, 46 posts)

Posted 30 November 2007 - 11:18 PM

These are the results:

Panda Scan

Potentially unwanted tool:Application/NirCmd.A
Not disinfected
C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[nircmd.exe]

Potentially unwanted tool:Application/NirCmd.A
Not disinfected
C:\Documents and Settings\Administrator\Desktop\ComboFix.exe[nircmd.cfexe]

Virus:Generic Trojan
Disinfected
C:\qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\lyriboly.dll.vir

Virus:Generic Trojan
Disinfected
C:\qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\nefkvkrs.dll.vir

Virus:Generic Trojan
Disinfected
C:\qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\zuhwpgtc.dll.vir

Adware:Adware/WinAntiVirus2007
Not disinfected
C:\qoobox\Quarantine\C\WINDOWS\system32\skuns.dat.vir

Potentially unwanted tool:Application/NirCmd.A
Not disinfected
C:\WINDOWS\NirCmd.exe

---------------------------------------------------------------------------------------------------------------

Kaspersky

I am attaching the results in 2 Notepad files (KScan1.txt and KScan2.txt), as it didn't let me post an archived (.rar) version of one big file (>512k).

#11 LonnyRJones (Members, 245 posts)

Posted 01 December 2007 - 06:37 AM

Looks OK except for one leftover:
C:\WINDOWS\system32\sol852.txt < delete that file

Go to Start > Run, type in
combofix /u
and press Enter or click OK.
That will delete ComboFix and its backups (C:\qoobox) and clear the old System Restore points.



Think prevention: put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How to download and extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that process about once or twice a month.


To help avoid reinfection see "So how did I get infected in the first place?"
http://castlecops.com/postlite7736-.html
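A check to run after installing a blocklist hosts file such as the MVPS one recommended above, as an added example that is not part of the thread or of the MVPS site. A blocklist only ever adds entries that point names at a blocking address (0.0.0.0, 127.0.0.1 or ::1); anything else in the file redirects a name to a real host, which is exactly what adware of this era did to cut machines off from antivirus update servers. The function below, written for Windows PowerShell 3 or later, parses hosts-file lines, counts the blocking entries and reports every redirect for review. The function name, the sample lines and the addresses in them are constructed for the example.

```powershell
# Added example, not from the thread. Parses hosts-file lines and separates
# blocking entries (what a blocklist adds) from redirects (what malware adds).
function Get-HostsFindings {
    param([string[]]$Lines)

    $blockingAddrs = @('0.0.0.0', '127.0.0.1', '::1')
    $loopbackNames = @('localhost', 'localhost.localdomain')
    $blocked   = 0
    $redirects = @()
    $lineNo    = 0
    foreach ($raw in $Lines) {
        $lineNo++
        # Drop comments (everything after '#') and surrounding whitespace; skip blank lines
        $line = ($raw -split '#', 2)[0].Trim()
        if (-not $line) { continue }
        # Format is: <address> <name> [<name> ...]
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $addr  = $fields[0]
        $names = $fields | Select-Object -Skip 1
        if ($blockingAddrs -contains $addr) {
            # '127.0.0.1 localhost' / '::1 localhost' are the loopback lines that belong in every hosts file
            $blocked += @($names | Where-Object { $_ -notin $loopbackNames }).Count
        } else {
            # A name mapped to any other address is a redirect: legitimate only if you put it there yourself
            foreach ($n in $names) {
                $redirects += [pscustomobject]@{ Line = $lineNo; Name = $n; Address = $addr }
            }
        }
    }
    [pscustomobject]@{ BlockedNames = $blocked; Redirects = $redirects }
}

# Constructed sample: the stock Microsoft header, two blocklist-style entries, and two entries
# of the kind malware plants to send a vendor's site and update server to an attacker-chosen host
$sample = @'
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 ad.doubleclick.net   # blocklist-style entry
0.0.0.0 tracking.example.net
198.51.100.23   www.example-av-vendor.com
198.51.100.23   update.example-av-vendor.com
'@ -split "`r?`n"

$result = Get-HostsFindings -Lines $sample
"Blocking entries: $($result.BlockedNames)"      # 2 for the sample
"Redirects needing review: $($result.Redirects.Count)"   # 2 for the sample
$result.Redirects | Format-Table -AutoSize

# To check the live file instead of the sample:
# Get-HostsFindings -Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
```

On a machine that has just had the MVPS file installed, BlockedNames should be in the thousands and Redirects should be empty. Any redirect you did not add yourself is worth treating as a leftover of the infection, and the file being writable only by administrators is what keeps the next piece of adware from re-adding them.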

#12 replica (Topic Starter, Members, 46 posts)

Posted 01 December 2007 - 08:49 AM

Thanks a lot for your help, man. It was both fast and straightforward. And very professional, may I add. Appreciate your time, really. Thanks again and all the best.



