
Unknown Service


9 replies to this topic

#1 igonuts2


Posted 13 January 2008 - 12:09 AM

I just removed Symantec and installed AVG and ZA. To get familiar with the processes I did a HJT and checked the log against older logs and the online analyzer. I found this:

O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)

I Googled it and found nothing. I don't surf in muddy waters. Did a Bit Defender online scan, and ran all my AV in safe mode before losing Symantec.

I am miffed, as I usually am. Anyone know this?

PC is faster, as expected. No abnormal issues, no problems doing anything. ZA and netstat don't show any unusual connections either.

Edited by igonuts2, 13 January 2008 - 12:12 AM.

Why work when you can play!



#2 quietman7


Posted 13 January 2008 - 09:03 AM

It's a backdoor Trojan. They often add themselves as services and attempt to hide in various places. Did you check that file path on your system for the file in question? It may not actually be missing, depending on what version of HijackThis you're using.

Some other examples are:
O23 - Service: Server Management Service - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: Windows Kernel - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: Windows Configuration Backup Service (CfgBackupSvc) - Unknown owner - C:\WINDOWS\config\svchost.exe
O23 - Service: Windows Configuration Manager (ConfigMgr) - Unknown owner - C:\WINDOWS\system\svchost.exe
O23 - Service: Windows Smrss Service - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: Windows Network Mapping Service (NetMap) - Unknown owner - C:\WINDOWS\system\svchost.exe

Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms, and they steal sensitive information like passwords and personal and financial data, which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read the Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the backdoor Trojan has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Please read "When should I re-format?" and "Reformatting the computer or troubleshooting; which is best?".
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

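The O23 entries quoted in this post, and the one from the first post, can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from HijackThis: it parses HijackThis O23 lines, counts drive-letter prefixes in the recorded path (the first post's entry carries five, a path that cannot exist on disk, which by itself explains the "(file missing)" tag whatever the underlying service is), and flags any svchost.exe recorded outside the Windows system directories, which is what the six examples above have in common. The sample is constructed from the lines on this page plus one benign AudioSrv entry added for contrast; the set of genuine svchost.exe directories assumes %SystemRoot% is C:\WINDOWS, as in the thread.

```python
import ntpath
import re
from typing import Dict, List, Optional

# HijackThis O23 line layout: "O23 - Service: Display (ShortName) - Owner - Path [(file missing)]".
# The "(ShortName)" part is absent on some entries, as in several of the examples quoted above.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
DRIVE_PREFIX_RE = re.compile(r"[A-Za-z]:\\")

# Directories where a genuine svchost.exe lives. Assumption: %SystemRoot% is C:\WINDOWS.
GENUINE_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample: the O23 lines quoted in this thread plus one benign entry (AudioSrv) for contrast.
SAMPLE_O23_LINES = r"""
O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)
O23 - Service: Server Management Service - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: Windows Kernel - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: Windows Configuration Backup Service (CfgBackupSvc) - Unknown owner - C:\WINDOWS\config\svchost.exe
O23 - Service: Windows Configuration Manager (ConfigMgr) - Unknown owner - C:\WINDOWS\system\svchost.exe
O23 - Service: Windows Smrss Service - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: Windows Network Mapping Service (NetMap) - Unknown owner - C:\WINDOWS\system\svchost.exe
O23 - Service: Windows Audio (AudioSrv) - Microsoft Corporation - C:\WINDOWS\System32\svchost.exe
"""


def parse_o23(line: str) -> Optional[Dict[str, object]]:
    """Split one O23 line into its fields; returns None for lines in another format."""
    match = O23_RE.match(line.strip())
    if not match:
        return None
    fields: Dict[str, object] = dict(match.groupdict())
    fields["missing"] = match.group("missing") is not None
    return fields


def assess(entry: Dict[str, object]) -> List[str]:
    """Return the reasons an O23 entry deserves a closer look (empty list = nothing odd)."""
    reasons: List[str] = []
    path = str(entry["path"])
    prefixes = len(DRIVE_PREFIX_RE.findall(path))
    if prefixes > 1:
        # A path such as C:\WINDOWS\C:\WINDOWS\... cannot exist on disk.
        reasons.append(f"malformed path: {prefixes} drive prefixes")
    directory, filename = ntpath.split(path)
    if filename.lower() == "svchost.exe" and directory.lower() not in GENUINE_SVCHOST_DIRS:
        reasons.append(f"svchost.exe outside the system directories: {directory}")
    if entry["missing"]:
        reasons.append("file missing at the recorded path")
    if str(entry["owner"]).lower() == "unknown owner":
        # HijackThis shows this when no company name is available; weak evidence by itself.
        reasons.append("no publisher recorded (weak indicator on its own)")
    return reasons


def scan(log_text: str) -> List[Dict[str, object]]:
    """Parse every O23 line in a log and keep those with at least one strong reason."""
    flagged: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if any("weak" not in reason for reason in reasons):
            entry["reasons"] = reasons
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for hit in scan(SAMPLE_O23_LINES):
        print(f"{hit['display']} ({hit['name'] or 'no short name'}) -> {hit['path']}")
        for reason in hit["reasons"]:
            print(f"    {reason}")
```

Running the file prints the seven suspicious services with their reasons and stays silent on the benign AudioSrv entry; the "Unknown owner" field alone is deliberately treated as weak, since HijackThis reports it for any file without a company name, and the location of svchost.exe carries the real signal.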

#3 igonuts2


Posted 13 January 2008 - 06:56 PM

Thanks, sir.

No other suspect services. AV, camera, firewall, and printer stuff are it for O23 entries.

I had checked the path and couldn't see it (all files are not hidden). Using the Trend Micro version of HJT. I did Bit Defender online after the incident (log below), but NIS, Spybot, Ad-Aware, SAS, and MS Windows Defender in safe and normal mode found nothing.

HJT analyzed via http://hijackthis.de/en. Don't really wanna post a log here, but that was the only bad entry.

"[X] O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing) - Fuzzy Algorithmcheck (2.85 / 5.00), Nasty"

I pointed the Spybot shredder at the path just to look, not shred, and it couldn't be seen. Or I don't know how to look.

What happened to finally remove NIS was that it kinda held my PC ransom. I was opening tabs in IE from a Google search page and clicked several links; I think one said "this site may harm your computer". Norton popped up and said temp IE files were infected with a downloader. Norton's window only showed an option "OK". After clicking OK for like forever, I finally read the info in the NIS window. It said something like, your subscription is out of date, "subscription expired on 1899", and I need to be an admin to renew. I am logged on as admin and NIS still had three months (actual) before expiring. Had to kill IE and the Norton AntiVirus notification just so I could take action, which was all of the above.

Before the swap of software and after the NIS issue, online Bit Defender found this:

C:\Program Files\Norton AntiVirus\Quarantine\01EA589F.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\Program Files\Norton AntiVirus\Quarantine\01EA589F.exe=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\01EA589F.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\0228765B.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\Program Files\Norton AntiVirus\Quarantine\0228765B.exe=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\0228765B.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\050920A2.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\Program Files\Norton AntiVirus\Quarantine\050920A2.exe=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\050920A2.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\0A565D02=>(Quarantine-2)=>Beyond.class
Infected with: Java.Trojan.StartPage.O

C:\Program Files\Norton AntiVirus\Quarantine\0A565D02=>(Quarantine-2)=>Beyond.class
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\0A565D02=>(Quarantine-2)=>Beyond.class
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\0A565D02=>(Quarantine-2)
Updated

C:\Program Files\Norton AntiVirus\Quarantine\0A565D02=>(Quarantine-2)=>BlackBox.class
Infected with: Java.Trojan.ClassLoader.F

C:\Program Files\Norton AntiVirus\Quarantine\0A565D02=>(Quarantine-2)=>BlackBox.class
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\0A565D02=>(Quarantine-2)=>BlackBox.class
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\0A565D02=>(Quarantine-2)
Updated

C:\Program Files\Norton AntiVirus\Quarantine\0A565D02=>(Quarantine-2)=>Dummy.class
Infected with: Java.Trojan.Exploit.Bytverify

C:\Program Files\Norton AntiVirus\Quarantine\0A565D02=>(Quarantine-2)=>Dummy.class
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\0A565D02=>(Quarantine-2)=>Dummy.class
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\0A565D02=>(Quarantine-2)
Updated

C:\Program Files\Norton AntiVirus\Quarantine\0A565D02=>(Quarantine-2)=>VerifierBug.class
Infected with: Java.Trojan.Exploit.Bytverify

C:\Program Files\Norton AntiVirus\Quarantine\0A565D02=>(Quarantine-2)=>VerifierBug.class
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\0A565D02=>(Quarantine-2)=>VerifierBug.class
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\0A565D02=>(Quarantine-2)
Updated

C:\Program Files\Norton AntiVirus\Quarantine\0A565D02
Update failed

C:\Program Files\Norton AntiVirus\Quarantine\0E5C3AB2=>(Quarantine-2)
Infected with: Java.Trojan.Downloader.OpenConnection.V

C:\Program Files\Norton AntiVirus\Quarantine\0E5C3AB2=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\0E5C3AB2=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\0EC53624.class=>(Quarantine-2)
Infected with: Java.Trojan.Downloader.OpenConnection.V

C:\Program Files\Norton AntiVirus\Quarantine\0EC53624.class=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\0EC53624.class=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\0FD360C2=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\0FD360C2=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\10CA7A69=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\10CA7A69=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\142D6BFF=>(Quarantine-2)
Infected with: Trojan.Java.Byteverify.A

C:\Program Files\Norton AntiVirus\Quarantine\142D6BFF=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\142D6BFF=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\145139D8=>(Quarantine-2)=>GetAccess.class
Infected with: Trojan.Exploit.Byteverify.O

C:\Program Files\Norton AntiVirus\Quarantine\145139D8=>(Quarantine-2)=>GetAccess.class
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\145139D8=>(Quarantine-2)=>GetAccess.class
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\145139D8=>(Quarantine-2)
Updated

C:\Program Files\Norton AntiVirus\Quarantine\145139D8=>(Quarantine-2)=>InsecureClassLoader.class
Infected with: Java.Trojan.Exploit.Bytverify

C:\Program Files\Norton AntiVirus\Quarantine\145139D8=>(Quarantine-2)=>InsecureClassLoader.class
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\145139D8=>(Quarantine-2)=>InsecureClassLoader.class
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\145139D8=>(Quarantine-2)
Updated

C:\Program Files\Norton AntiVirus\Quarantine\145139D8=>(Quarantine-2)=>Dummy.class
Infected with: Trojan.Java.Classloader.Dummy.A

C:\Program Files\Norton AntiVirus\Quarantine\145139D8=>(Quarantine-2)=>Dummy.class
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\145139D8=>(Quarantine-2)=>Dummy.class
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\145139D8=>(Quarantine-2)
Updated

C:\Program Files\Norton AntiVirus\Quarantine\145139D8=>(Quarantine-2)=>Installer.class
Infected with: Java.Trojan.OpenConnection.F

C:\Program Files\Norton AntiVirus\Quarantine\145139D8=>(Quarantine-2)=>Installer.class
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\145139D8=>(Quarantine-2)=>Installer.class
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\145139D8=>(Quarantine-2)
Updated

C:\Program Files\Norton AntiVirus\Quarantine\145139D8
Update failed

C:\Program Files\Norton AntiVirus\Quarantine\145563D4=>(Quarantine-2)=>GetAccess.class
Infected with: Trojan.Exploit.Byteverify.O

C:\Program Files\Norton AntiVirus\Quarantine\145563D4=>(Quarantine-2)=>GetAccess.class
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\145563D4=>(Quarantine-2)=>GetAccess.class
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\145563D4=>(Quarantine-2)
Updated

C:\Program Files\Norton AntiVirus\Quarantine\145563D4=>(Quarantine-2)=>InsecureClassLoader.class
Infected with: Java.Trojan.Exploit.Bytverify

C:\Program Files\Norton AntiVirus\Quarantine\145563D4=>(Quarantine-2)=>InsecureClassLoader.class
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\145563D4=>(Quarantine-2)=>InsecureClassLoader.class
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\145563D4=>(Quarantine-2)
Updated

C:\Program Files\Norton AntiVirus\Quarantine\145563D4=>(Quarantine-2)=>Dummy.class
Infected with: Trojan.Java.Classloader.Dummy.A

C:\Program Files\Norton AntiVirus\Quarantine\145563D4=>(Quarantine-2)=>Dummy.class
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\145563D4=>(Quarantine-2)=>Dummy.class
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\145563D4=>(Quarantine-2)
Updated

C:\Program Files\Norton AntiVirus\Quarantine\145563D4=>(Quarantine-2)=>Installer.class
Infected with: Java.Trojan.OpenConnection.F

C:\Program Files\Norton AntiVirus\Quarantine\145563D4=>(Quarantine-2)=>Installer.class
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\145563D4=>(Quarantine-2)=>Installer.class
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\145563D4=>(Quarantine-2)
Updated

C:\Program Files\Norton AntiVirus\Quarantine\145563D4
Update failed

C:\Program Files\Norton AntiVirus\Quarantine\19561F5D=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\19561F5D=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\1C871226=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\1C871226=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\1D3F1858.htm=>(Quarantine-2)
Infected with: Generic.XPL.MhtRedir.D1349F5F

C:\Program Files\Norton AntiVirus\Quarantine\1D3F1858.htm=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\1D3F1858.htm=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\24B8640C.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\Program Files\Norton AntiVirus\Quarantine\24B8640C.exe=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\24B8640C.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\25CD02F3=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\25CD02F3=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\27C96EB1.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\Program Files\Norton AntiVirus\Quarantine\27C96EB1.exe=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\27C96EB1.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\299B2F94=>(Quarantine-2)
Infected with: Java.Trojan.Exploit.Bytverify

C:\Program Files\Norton AntiVirus\Quarantine\299B2F94=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\299B2F94=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\299E5990=>(Quarantine-2)
Infected with: Java.Trojan.Exploit.Bytverify

C:\Program Files\Norton AntiVirus\Quarantine\299E5990=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\299E5990=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\2C06750E=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\2C06750E=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\2D4E1578=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\2D4E1578=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\31907217=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\31907217=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\31DE0BE7.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\Program Files\Norton AntiVirus\Quarantine\31DE0BE7.exe=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\31DE0BE7.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\31E235E3.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\Program Files\Norton AntiVirus\Quarantine\31E235E3.exe=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\31E235E3.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\3342556C=>(Quarantine-2)
Infected with: Java.Trojan.ClassLoader.Z

C:\Program Files\Norton AntiVirus\Quarantine\3342556C=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\3342556C=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\37100353.class=>(Quarantine-2)
Infected with: Java.Trojan.Exploit.Bytverify

C:\Program Files\Norton AntiVirus\Quarantine\37100353.class=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\37100353.class=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\37962D58=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\37962D58=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\39123F17.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\Program Files\Norton AntiVirus\Quarantine\39123F17.exe=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\39123F17.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\3A735D60=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\3A735D60=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\3AD56EDA=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\3AD56EDA=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\3AD818D6=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\3AD818D6=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\3C8C0949.hta=>(Quarantine-2)
Infected with: Generic.XPL.ADODB.1FCBAE8D

C:\Program Files\Norton AntiVirus\Quarantine\3C8C0949.hta=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\3C8C0949.hta=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\3CF31BE2=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\Program Files\Norton AntiVirus\Quarantine\3CF31BE2=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\3CF31BE2=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\3D202E16=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\3D202E16=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\44D61CC8.zip=>(Quarantine-2)=>BlackBox.class
Infected with: Trojan.Java.Classloader.C

C:\Program Files\Norton AntiVirus\Quarantine\44D61CC8.zip=>(Quarantine-2)=>BlackBox.class
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\44D61CC8.zip=>(Quarantine-2)=>BlackBox.class
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\44D61CC8.zip=>(Quarantine-2)
Updated

C:\Program Files\Norton AntiVirus\Quarantine\44D61CC8.zip=>(Quarantine-2)=>VerifierBug.class
Infected with: Java.Trojan.Exploit.Bytverify

C:\Program Files\Norton AntiVirus\Quarantine\44D61CC8.zip=>(Quarantine-2)=>VerifierBug.class
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\44D61CC8.zip=>(Quarantine-2)=>VerifierBug.class
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\44D61CC8.zip=>(Quarantine-2)
Updated

C:\Program Files\Norton AntiVirus\Quarantine\44D61CC8.zip=>(Quarantine-2)=>Dummy.class
Infected with: Java.Trojan.Exploit.Bytverify

C:\Program Files\Norton AntiVirus\Quarantine\44D61CC8.zip=>(Quarantine-2)=>Dummy.class
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\44D61CC8.zip=>(Quarantine-2)=>Dummy.class
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\44D61CC8.zip=>(Quarantine-2)
Updated

C:\Program Files\Norton AntiVirus\Quarantine\44D61CC8.zip=>(Quarantine-2)=>Beyond.class
Infected with: Java.Trojan.Downloader.OpenStream.D

C:\Program Files\Norton AntiVirus\Quarantine\44D61CC8.zip=>(Quarantine-2)=>Beyond.class
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\44D61CC8.zip=>(Quarantine-2)=>Beyond.class
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\44D61CC8.zip=>(Quarantine-2)
Updated

C:\Program Files\Norton AntiVirus\Quarantine\44D61CC8.zip
Update failed

C:\Program Files\Norton AntiVirus\Quarantine\47FD0880.class=>(Quarantine-2)
Infected with: Java.Trojan.ClassLoader.Z

C:\Program Files\Norton AntiVirus\Quarantine\47FD0880.class=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\47FD0880.class=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\4801327D.class=>(Quarantine-2)
Infected with: Java.Trojan.ClassLoader.Z

C:\Program Files\Norton AntiVirus\Quarantine\4801327D.class=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\4801327D.class=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\48BA494F.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\Program Files\Norton AntiVirus\Quarantine\48BA494F.exe=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\48BA494F.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\4E201918=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\4E201918=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\5A236EDA=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\5A236EDA=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\5C62307E=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\5C62307E=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\622706B5=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\622706B5=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\6820675D.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\Program Files\Norton AntiVirus\Quarantine\6820675D.exe=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\6820675D.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\68231159.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\Program Files\Norton AntiVirus\Quarantine\68231159.exe=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\68231159.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\68806B12=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\68806B12=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\6BC81418=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\6BC81418=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\6D9065B4=>(Quarantine-2)
Infected with: Java.Trojan.Exploit.Bytverify

C:\Program Files\Norton AntiVirus\Quarantine\6D9065B4=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\6D9065B4=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\6DCB5973=>(Quarantine-2)
Infected with: Java.Trojan.ClassLoader.Z

C:\Program Files\Norton AntiVirus\Quarantine\6DCB5973=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\6DCB5973=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\6DFD1929.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\Program Files\Norton AntiVirus\Quarantine\6DFD1929.exe=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\6DFD1929.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\70BE3D44=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\70BE3D44=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\70C26740=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\70C26740=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\70C83B39=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\70C83B39=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\70CC6535=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\70CC6535=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\74CB215E=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\74CB215E=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\77585017=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\77585017=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\79381F0E=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\79381F0E=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\7CCF4244=>(Quarantine-2)
Infected with: Trojan.Krepper.AE

C:\Program Files\Norton AntiVirus\Quarantine\7CCF4244=>(Quarantine-2)
Deleted

C:\Program Files\Norton AntiVirus\Quarantine\7DF0127E.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\Program Files\Norton AntiVirus\Quarantine\7DF0127E.exe=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton AntiVirus\Quarantine\7DF0127E.exe=>(Quarantine-2)
Deleted

C:\Program Files\PopCap Games\Bejeweled 2 Deluxe\WinBej2.exe
Infected with: Trojan.Generic.27004

C:\Program Files\PopCap Games\Bejeweled 2 Deluxe\WinBej2.exe
Disinfection failed

C:\Program Files\PopCap Games\Bejeweled 2 Deluxe\WinBej2.exe
Deleted

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013560.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013560.exe=>(Quarantine-2)
Disinfection failed

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013560.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013561.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013561.exe=>(Quarantine-2)
Disinfection failed

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013561.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013562.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013562.exe=>(Quarantine-2)
Disinfection failed

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013562.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013563.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013563.exe=>(Quarantine-2)
Disinfection failed

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013563.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013564.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013564.exe=>(Quarantine-2)
Disinfection failed

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013564.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013565.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013565.exe=>(Quarantine-2)
Disinfection failed

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013565.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013566.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013566.exe=>(Quarantine-2)
Disinfection failed

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013566.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013567.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013567.exe=>(Quarantine-2)
Disinfection failed

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013567.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013568.hta=>(Quarantine-2)
Infected with: Generic.XPL.ADODB.1FCBAE8D

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013568.hta=>(Quarantine-2)
Disinfection failed

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013568.hta=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013569.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013569.exe=>(Quarantine-2)
Disinfection failed

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013569.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013570.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013570.exe=>(Quarantine-2)
Disinfection failed

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013570.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013571.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013571.exe=>(Quarantine-2)
Disinfection failed

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013571.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013572.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013572.exe=>(Quarantine-2)
Disinfection failed

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013572.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013573.exe=>(Quarantine-2)
Infected with: Trojan.Regger.G

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013573.exe=>(Quarantine-2)
Disinfection failed

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013573.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013574.exe
Infected with: Trojan.Generic.27004

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013574.exe
Disinfection failed

C:\System Volume Information\_restore{8644B53C-E305-4C14-B2BD-C6673D25DC97}\RP190\A0013574.exe
Deleted
----------------------------------------
this was not a dl'd version. it was a legit game disk bought at walnut, sorry Walmart. probably a false hit.
C:\Program Files\PopCap Games\Bejeweled 2 Deluxe\WinBej2.exe
Deleted
------------------------------------------
then i disabled sys restore and did all the pc based scans and hjt, found nothing and rebooted. the program clocks in NIS and windefend are off. what i mean is i set them for a scan at night but they scan in the day instead. also i do an hjt scan and the bad entry doesn't appear every time. it like disappears and reappears. everything shows clean except the one entry, that looks intermittent on hjt. chd processes, Sysinternals, and startups w/spybot and nothing.

yes i do online banking. but no passwords are stored on my pc. don't think i have a keylogger, assuming it would show up on one of the scans. my ignorance says that NIS may have let loose some quarantined items and maybe an orphaned file? but how could it appear and disappear.

i was going to dl and run silent runners but i don't know how to read the results. now with avg and it's clean as well. doesn't seem to be any issues either. cpu and ram usage are almost nil at idle. with windefend software explorer i chd all and all is legit.

i hope you can understand my ramblings. i hate it (not you), but you're gonna still suggest a reformat, right. i know it's really up to me, but i would rather take your word as law.

igo

Edited by igonuts2, 13 January 2008 - 10:54 PM.

Why work when you can play!

#4 igonuts2

igonuts2
  • Topic Starter

  • Members
  • 358 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:my closet
  • Local time:09:01 AM

Posted 14 January 2008 - 03:16 AM

i'm studying your links and i think i see what you mean. so it's important to submit the suspect files, which i can't see. in your link http://www.microsoft.com/technet/security/...o/virusrat.mspx it says it can use symantec pc's. i have DPF symantec ol scanning that hjt fixes but keeps returning. and i can't see it in my DPF folder.

i put avg on an infected pc. this is a can of worms.

#5 quietman7


Posted 14 January 2008 - 07:40 AM

Your decision as to what action to take should be made by asking yourself the questions presented in the "When should I re-format?" link. Reformatting and doing a clean install of the OS is the safest action but I cannot make that decision for you.

The BitDefender scan found all the files stored in Norton AntiVirus' Quarantine. When an anti-virus quarantines a file by moving it into a virus vault (chest), that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it. One reason for doing this is to prevent deletion of a crucial file that may have been flagged as a "False Positive". If that is the case, then you can restore the file. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the quarantined file is known to be bad, you can delete it at any time.

The infected RP***\A0000**** file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. This is the feature that allows you to set points in time to roll back your computer to a clean working state. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default unless you have reconfigured Windows to show it.

System Restore will back up the good as well as the bad files so when malware is present on the system it gets included in any restore points. If not removed, they sometimes can reinfect your system if you accidentally use an old restore point. BitDefender appears to have been able to delete those files.

Another way to do that, after your system has been cleaned of malware, is to Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.

If you're not having any other issues and your scans are not finding any more malware, then that unknown Trojan which installed as a service has probably been removed. Let's do another check to see if we find anything else your scans may be missing.

Please download SDFix by AndyManchesta and save it to your desktop.
alternate zipped version
When using this tool, you must use the Administrator's account or an account with "Administrative rights".
  • Double click SDFix.exe and it will extract the files to %systemdrive%
  • (this is the drive that contains the Windows Directory, typically C:\SDFix).
  • DO NOT use it just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save a copy into the SDFix folder as Report.txt.
  • Copy and paste the contents of Report.txt in your next reply.
-- If this error message is displayed when running SDFix: "The command prompt has been disabled by your administrator. Press any key to continue..."
Please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\swreg IMPORT %systemdrive%\SDFix\apps\Enable_Command_Prompt.reg
Press Ok and then run SDFix again.

-- If the Command Prompt window flashes on then off again on XP or Win 2000, please go to Start Menu > Run > and copy/paste the following line:
%systemdrive%\SDFix\apps\FixPath.exe /Q
Reboot and then run SDFix again.

-- If SDFix still does not run, check the %comspec% variable. Right-click My Computer > click Properties > Advanced > Environment Variables and check that the ComSpec variable points to cmd.exe.
%SystemRoot%\system32\cmd.exe

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 igonuts2


Posted 14 January 2008 - 04:52 PM

ty sir,

during the session (in bold) it said it couldn't open up the four directories it was looking at. it didn't stall, blink or anything else. but could spybot and its locking of the hosts file be an issue?

Open the SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and also save a copy into the SDFix folder as Report.txt.
Copy and paste the contents of Report.txt in your next reply.

-------------------------


SDFix: Version 1.126

Run by Compaq_Owner on Mon 01/14/2008 at 02:11 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\D2KPAX.EXE - Deleted
C:\WINDOWS\SYSTEM32\IED.EXE - Deleted
C:\WINDOWS\SYSTEM32\MCC.EXE - Deleted
C:\WINDOWS\SYSTEM32\MINIPO~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\CDIMGDEV.DLL - Deleted
C:\WINDOWS\SYSTEM32\D2KPAX.DLL - Deleted
C:\WINDOWS\SYSTEM32\JAC.DLL - Deleted
C:\WINDOWS\SYSTEM32\MSASMC18.DLL - Deleted
C:\WINDOWS\SYSTEM32\MSXSLAB.DLL - Deleted
C:\E.EXE - Deleted
C:\M.EXE - Deleted
C:\NTLDR.EXE - Deleted
C:\P.EXE - Deleted
C:\Q.EXE - Deleted
C:\Q250204.EXE - Deleted
C:\Q8276112.EXE - Deleted
C:\?.exe - Deleted
C:\WINDOWS\regedit.com - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 14:23:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe"="C:\\Program Files\\Compaq Connections\\6750491\\Program\\Compaq Connections.exe:*:Disabled:BackWeb for Presario"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\interMute\\SpySubtract\\SpySub.exe"="C:\\Program Files\\interMute\\SpySubtract\\SpySub.exe:*:Disabled:SpySubtract"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Enabled:Earthlink"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Disabled:Windows Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Enabled:America Online 9.0a"
"C:\\Program Files\\America Online 9.0b\\waol.exe"="C:\\Program Files\\America Online 9.0b\\waol.exe:*:Enabled:America Online 9.0b"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Sat 1 Jan 2005 213 A.SHR --- "C:\BOOT.BAK"
Wed 29 Dec 2004 196 A.SHR --- "C:\BOOTNXX.BAK"
Sat 29 Jan 2005 0 ..SHR --- "C:\mssys.com"
Sat 29 Jan 2005 0 ..SHR --- "C:\WINDOWS\cvchost.exe"
Sat 29 Jan 2005 0 ..SHR --- "C:\WINDOWS\msstasks.exe"
Sat 29 Jan 2005 0 ..SHR --- "C:\WINDOWS\mssys.com"
Sat 29 Jan 2005 0 ..SHR --- "C:\WINDOWS\mstaskss.exe"
Sat 29 Jan 2005 0 ..SHR --- "C:\WINDOWS\ntldr.exe"
Sat 29 Jan 2005 0 ..SHR --- "C:\WINDOWS\rocky.exe"
Sat 29 Jan 2005 0 ..SHR --- "C:\WINDOWS\seksdialer.exe"
Tue 3 Jul 2007 9,897 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070703_2324.reg"
Tue 23 Jan 2007 85,671 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070123_1501.reg"
Tue 23 Jan 2007 278 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070123_1541.reg"
Tue 23 Jan 2007 3,722 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070123_1441.reg"
Tue 23 Jan 2007 314 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070123_1444.reg"
Tue 23 Jan 2007 42 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070123_1544.reg"
Sun 22 Jul 2007 4,717 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070722_2209.reg"
Tue 23 Jan 2007 38,508 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070123_1538.reg"
Tue 23 Jan 2007 5,658 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070123_1549.reg"
Tue 23 Jan 2007 42 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070123_1449.reg"
Fri 2 Feb 2007 1,314 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070202_0025.reg"
Fri 2 Feb 2007 334 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070202_0026.reg"
Fri 2 Feb 2007 1,033 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070202_0024.reg"
Sat 16 Jun 2007 1,505 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070616_1701.reg"
Sat 16 Jun 2007 3,910 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070616_1700.reg"
Thu 28 Jun 2007 491 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070629_0043.reg"
Tue 13 Feb 2007 42 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070213_0315.reg"
Tue 13 Feb 2007 83 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070213_0316.reg"
Sat 16 Jun 2007 11,092 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070616_1654.reg"
Sun 18 Feb 2007 492 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070218_1538.reg"
Mon 2 Jul 2007 330 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070702_2200.reg"
Mon 2 Jul 2007 18,315 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070702_2221.reg"
Mon 31 Jul 2006 225 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20060731_2307.reg"
Mon 31 Jul 2006 1,591 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20060731_2314.reg"
Sun 27 Aug 2006 127 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20060827_1939.reg"
Fri 1 Dec 2006 2,473 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20061201_2214.reg"
Fri 4 Feb 2005 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Sat 29 Jan 2005 0 ..SHR --- "C:\WINDOWS\system\system.exe"
Sat 29 Jan 2005 0 ..SHR --- "C:\WINDOWS\system\wmscrop.exe"
Sun 27 Mar 2005 56 ..SHR --- "C:\WINDOWS\system32\B858487918.sys"
Sun 27 Mar 2005 1,682 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 18 Jun 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 14 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Thu 11 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT1.tmp"
Mon 14 Jan 2008 7,689 A..H. --- "C:\Documents and Settings\Compaq_Owner\My Documents\Arnes stuff\igonuts2\New Folder\New Compressed (zipped) Folder.zip"
Thu 30 Dec 2004 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Tue 10 Jan 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Fri 19 May 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"

Finished!

FYI, i used CCleaner to remove remnants of Symantec and backed up my changes before i started this thread. no changes have been made since the start of this thread.

you must have a headache after reading my last reply. i should compose my replies elsewhere and then post 'em. last night i did netstat -ab w/no windows open and then opened IE. everything legit. but i didn't use an enumerator. i did have windows configured to show all files. i eventually did find svhost.exe and submitted it at Virustotal and Jotti. clean. i just didn't know where the heckle C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\C:\WINDOWS was. since i only have one C:\ directory. confusing to me. don't laugh. snickering is ok.

what the heckle did i do to the size of the reply window?

ty again,

igo

Edited by igonuts2, 14 January 2008 - 06:22 PM.

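For readers who, like the poster, are not sure how to read an SDFix Report.txt: the two sections that matter for triage are "Trojan Files Found:" (what the tool already removed) and "Files with Hidden Attributes:" (what it left in place for a human to judge). The script below is an added example, not code from this thread and not part of SDFix. It parses both sections and flags hidden-attribute entries that fit a pattern visible in the report above: zero-byte files carrying both the System and Hidden attributes, with a program extension, sitting in the drive root or under the Windows directory (cvchost.exe, mssys.com, ntldr.exe and so on). That heuristic is this example's own assumption; its hits are leads to look up, not verdicts, and legitimate hidden files (the CCleaner .reg backups, the non-empty .sys files) fall outside it. The embedded report is an excerpt of the one posted in this thread, cut down to a few lines.

```python
"""Triage an SDFix Report.txt (added example; not SDFix's own code)."""
import ntpath
import re

# "<path> - <action>" lines under "Trojan Files Found:"
TROJAN_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) - (?P<action>\w+)$")
# '<weekday> <day> <month> <year> <size> <attrs> --- "<path>"' lines under
# "Files with Hidden Attributes:"; attrs is five columns of A/S/H/R or '.'
HIDDEN_RE = re.compile(
    r'^(?P<date>\w{3} \d{1,2} \w{3} \d{4}) (?P<size>[\d,]+) '
    r'(?P<attrs>\S{5}) --- "(?P<path>[^"]+)"$'
)
# Extensions a shell will launch directly (assumption of this heuristic)
PROGRAM_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}

# Excerpt of the Report.txt posted in this thread, cut down to a few lines.
SAMPLE_REPORT = r"""SDFix: Version 1.126

Trojan Files Found:

C:\WINDOWS\SYSTEM32\D2KPAX.EXE - Deleted
C:\NTLDR.EXE - Deleted
C:\WINDOWS\regedit.com - Deleted

Files with Hidden Attributes:

Sat 1 Jan 2005 213 A.SHR --- "C:\BOOT.BAK"
Sat 29 Jan 2005 0 ..SHR --- "C:\mssys.com"
Sat 29 Jan 2005 0 ..SHR --- "C:\WINDOWS\cvchost.exe"
Sat 29 Jan 2005 0 ..SHR --- "C:\WINDOWS\ntldr.exe"
Tue 3 Jul 2007 9,897 A..H. --- "C:\Transfer\CCleaner reg backup\cc_20070703_2324.reg"
Fri 4 Feb 2005 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Sun 27 Mar 2005 1,682 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"

Finished!
"""


def split_sections(text):
    """Map each 'Header:' line of the report to the non-blank lines under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_trojan_files(sections):
    """(path, action) for each file listed under 'Trojan Files Found'."""
    found = []
    for line in sections.get("Trojan Files Found", []):
        m = TROJAN_RE.match(line)
        if m:
            found.append((m["path"], m["action"]))
    return found


def parse_hidden_files(sections):
    """date, size in bytes, attrs and path for each hidden-attribute entry."""
    entries = []
    for line in sections.get("Files with Hidden Attributes", []):
        m = HIDDEN_RE.match(line)
        if m:
            entries.append({
                "date": m["date"],
                "size": int(m["size"].replace(",", "")),
                "attrs": m["attrs"],
                "path": m["path"],
            })
    return entries


def is_suspicious(entry, windir=r"C:\WINDOWS"):
    """Zero-byte System+Hidden program file in the drive root or under windir."""
    path = entry["path"]
    ext = ntpath.splitext(path)[1].lower()
    parent = ntpath.dirname(path).rstrip("\\").lower()
    windir = windir.lower()
    in_system_area = (parent == windir[:2] or parent == windir
                      or parent.startswith(windir + "\\"))
    return (entry["size"] == 0
            and "S" in entry["attrs"] and "H" in entry["attrs"]
            and ext in PROGRAM_EXT
            and in_system_area)


def triage(report_text):
    """Files SDFix removed, plus hidden entries that deserve a second look."""
    sections = split_sections(report_text)
    hidden = parse_hidden_files(sections)
    return {
        "removed": parse_trojan_files(sections),
        "suspicious_hidden": [e["path"] for e in hidden if is_suspicious(e)],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("removed:", len(result["removed"]))
    for path in result["suspicious_hidden"]:
        print("check:", path)
```

On the excerpt above, `triage` reports three removed files and flags C:\mssys.com, C:\WINDOWS\cvchost.exe and C:\WINDOWS\ntldr.exe; the .reg backups and the .sys files are not flagged. Run it against a full Report.txt by reading the file into `triage` instead of `SAMPLE_REPORT`.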

#7 quietman7


Posted 15 January 2008 - 08:39 AM

As I suspected, SDFix found much more malware. This is a heavily infected system and I still recommend your best course of action is to reformat and reinstall the OS. How do you wish to proceed?

#8 igonuts2


Posted 15 January 2008 - 03:11 PM

i wish to not waste your time sir. i thank you for all your time.

you're right. we could spend a week going back and forth trying to clean. i have my os disks in hand and can do that in a few hours.

i wish i wasn't a D.V. on a fixed income. i'd contribute more. heckle, i've only been able to toss a couple of bucks at BC through the years.

this happened under Symantec's watch, so to speak.

i wish i could find a word to express our thanks.

igo

Edited by igonuts2, 16 January 2008 - 02:21 AM.

Why work when you can play!

#9 quietman7


Posted 16 January 2008 - 08:59 AM

Reformatting a hard disk deletes all data. You should back up all your important documents, data files and photos. You should not back up any .exe files because they may be infected. Save your files to a CD. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive. Don't forget you will have to update your system and apply all Windows security patches.

#10 igonuts2


Posted 17 January 2008 - 04:56 AM

spent the last few nights dropping docs to the cd. didn't want to use the wizard. i was concerned with all the hidden desktop.ini files that are all over my pc now. i just don't know. so i was being safer than sorry.

my wife has over 10 gigs of pics. i only have cd/rw. too many disks. i'm going to try and use another hdd as a slave and transfer the pics to it, then remove the slave hdd. then format and reinstall the os.

then take a chance and intro the hdd with the pics back into my pc. hopefully the slave won't have the bug and won't re-infect my pc.

i won't be connected to the net when i do this.

maybe in safe mode would be better as well.

you said to scan the files after saving. but SAS, AVG, Spybot, Adaware, and Windows Defender, online Panda, Symantec, and Trend micro don't hit on the infection now. the only thing that even gave me a clue was the O23 entry then bit defender online. even now bit defender online and all the above find nothing. i don't know how to read sdfix but i compared a newer log with the first one, line for line and it said no trojans found. the O23 entry is still there though.

please don't misunderstand me. i don't communicate well in type. i'm not trying to say i'm not infected any more. and i do very much value your help.

one lesson i'm learning is to do regular backups.

ty so much sir,
respectfully,
igo

Edited by igonuts2, 17 January 2008 - 05:27 AM.

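The O23 entry that started this thread, and that the poster still sees at the end of it, is worth looking at mechanically: three things make a HijackThis service line stand out, an "Unknown owner", a binary HijackThis reports as missing, and an ImagePath with several drive roots stacked in it (C:\WINDOWS\C:\WINDOWS\...), which no correctly registered service has. The following is an added example, not code from this thread or from HijackThis. The two service lines it parses are constructed: the first is modelled on the entry discussed here, the second on a healthy AVG 7 service line (its owner string and service name are assumptions, not taken from the thread).

```python
"""Triage HijackThis O23 (Windows service) lines (added example)."""
import re
from dataclasses import dataclass, field

# O23 - Service: <display name> (<service name>) - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
DRIVE_ROOT_RE = re.compile(r"[A-Za-z]:\\")

# Constructed sample lines.  The first is modelled on the entry discussed in
# this thread; the second is a plausible healthy AVG 7 service line (owner
# string and service name are assumptions, not taken from the thread).
SAMPLE_LINES = [
    r"O23 - Service: Security Center (wscsvc) - Unknown owner - "
    r"C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)",
    r"O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - "
    r"C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe",
]


@dataclass
class ServiceEntry:
    display: str
    name: str
    owner: str
    path: str
    file_missing: bool
    flags: list = field(default_factory=list)


def parse_o23(line):
    """Parse one HijackThis line; return None for anything that is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if m is None:
        return None
    entry = ServiceEntry(
        display=m["display"], name=m["name"], owner=m["owner"],
        path=m["path"], file_missing=m["missing"] is not None,
    )
    if entry.owner.lower() == "unknown owner":
        entry.flags.append("unknown owner")
    if entry.file_missing:
        entry.flags.append("file missing")
    # A service ImagePath contains exactly one drive root; a path that repeats
    # C:\WINDOWS\ five times was written by something broken or malicious.
    if len(DRIVE_ROOT_RE.findall(entry.path)) > 1:
        entry.flags.append("malformed path: multiple drive roots")
    return entry


def triage(lines):
    """Return only the O23 entries that raised at least one flag."""
    entries = (parse_o23(line) for line in lines)
    return [e for e in entries if e is not None and e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(f"{e.name}: {', '.join(e.flags)}")
```

Feed it the O23 lines of a full HijackThis log and it returns only the entries that need a closer look; the wscsvc line above raises all three flags, the AVG line none. A flagged entry is a reason to check the service's registry ImagePath and the file on disk, as the moderator suggested earlier in this thread, not proof of infection by itself.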



