Need Help To Identify And Remove Malware

17 replies to this topic

#1 navjr
Posted 28 July 2008 - 02:18 PM

I seem to be infected with some malware. My computer is slowed down by some process which always seem to be running in the background. Can somebody please help me? Here is my hijack this logfile.

Thanks



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:12:20, on 2008-07-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Le Robert\Le Petit Robert\prhyper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PEPID\PepidMgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\WINDOWS\SYSTEM32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.fr.msn.ca/0SEFRCA/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.fr.msn.ca/0SEFRCA/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.fr.msn.ca/0SEFRCA/SAOS01?FORM=TOOLBR
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Le Petit Robert Hyperappel] C:\Program Files\Le Robert\Le Petit Robert\prhyper.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: HotSync Manager.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Launch Pepid Manager.lnk = C:\Program Files\PEPID\PepidMgr.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} (Image Uploader Control) - http://cdnimg.piczo.com/images/uploader/pi...st_uploader.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 7350 bytes

Edited by navjr, 28 July 2008 - 02:19 PM.


#2 don77
Posted 28 July 2008 - 04:10 PM

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.



Next
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#3 don77
Posted 03 August 2008 - 06:37 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

#4 don77
Posted 04 August 2008 - 09:24 PM

Reopened per user's request.

#5 navjr
Posted 05 August 2008 - 09:10 AM

Here are the three files you requested.

Thanks again,

navjr


#6 PropagandaPanda
Posted 05 August 2008 - 10:48 AM

Hello. I am PropagandaPanda (Panda or PP for short) and I will be helping you with your log.

I will need some time to look over your computer's log(s). You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of a few guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#7 navjr
Posted 05 August 2008 - 11:44 AM

Thanks for your reply.
Unfortunately, I have installed an Adobe Flash Player update since I ran the scan a few days ago. Should I rerun the scans that were suggested by Don 77 and send you the new reports? If not, do you want me to paste the old scan reports in my next reply, or do you have access to them (I inserted them as attached documents in my last reply)?

navjr

#8 PropagandaPanda
Posted 05 August 2008 - 12:20 PM

Hello Navjr.

If you just installed a Flash Player, it would not affect the steps at all. I can see the scan reports just fine.

My replies to you must first be reviewed by a coach, so apologies for any delay.

With Regards,
The Panda

#9 navjr
Posted 05 August 2008 - 12:41 PM

Understood, I will wait for your instructions.

Thank you,

navjr

#10 PropagandaPanda
Posted 06 August 2008 - 02:00 PM

Hello Navjr.

Have you removed some entries using HijackThis yourself?

Backdoor Threat
I'm sorry to say that your computer is infected with one or more backdoor trojans.

This means that sensitive information could have been stolen. I would advise to change any passwords for any accounts that you have accessed with the infected computer using a clean computer ASAP. If you have used this computer for banking, I would strongly suggest that you report the possible stolen information. Please do not use the computer for any further transactions, or to enter any other information, if at all possible, until it is declared clean.

You may want to read this article on how to handle identity theft.
You may also want to read this article regarding preventing of identity theft.

This computer can still be cleaned, however, I cannot guarantee that it will be 100% safe even after disinfection.

Please read When Should I Format, How Should I Reinstall.

I will proceed assuming you wish to disinfect. If you want to do a reinstall, reply back saying so.


Peer-to-Peer Programs Warning
Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case LimeWire). These programs allow files to be shared between users, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should thus be used with intense care. Some further readings on this subject, along the included links, are as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s). However, please refrain from using them until your computer has been declared clean.


Update Java to Version 6 Update 7
Your current version of Java is outdated. Malware creators can exploit the lesser security of older versions. Please uninstall your current version through Add/Remove Programs. Remove all instances of Java, Java Runtime, and Java Runtime Environment.

The old Javas on your computer are:
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
Java™ 6 Update 2
Java™ SE Runtime Environment 6 Update 1

Restart your computer after uninstalling.

Please then install the latest Java from this page. Follow the prompts and select the appropriate settings for your machine. Click on the "Required File" jdk-6u7-windows-i586-p.exe to download the installer. Double click the installer to run. Delete the installer after use.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Download and Run OTMoveIT
  • Please download OTMoveIt2 by OldTimer to your desktop.
  • Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\X!?
    C:\WINDOWS\0
    C:\WINDOWS\popcinfo.dat
    C:\WINDOWS\system32\A2F7A7A7EEF3F6F7F4EEA0A7
    C:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE
    C:\RECYCLER\S-1-5-21-3342996536-2622747253-1705427353-1009\Dc211.exe
    C:\WINDOWS\system32\arqxtavs.dll
    C:\WINDOWS\system32\awttqnn.dll
    C:\WINDOWS\system32\iyyrwrct.dll
    C:\WINDOWS\system32\jrcmfmyu.dll
    C:\WINDOWS\system32\lmulftbb.dll
    C:\WINDOWS\system32\nutngtvy.dll
    C:\WINDOWS\system32\pmnnlmn.dll
    C:\WINDOWS\system32\pndiugrl.dll
    C:\WINDOWS\system32\tanvdhjd.dll
    C:\WINDOWS\system32\tlnnvnwv.dll
    C:\WINDOWS\system32\uuoarjre.dll
    C:\WINDOWS\system32\wifmriyw.dll
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\iukuom6ei
    BTHidEnum <delete service>
    BTHidMgr <delete service>
    intelppm <delete service>
    BlueletAudio <delete service>
    BlueletSCOAudio <delete service>
    BT <delete service>
    Btcsrusb <delete service>
    VComm <delete service>
    VcommMgr <delete service>
    iukuom6ei <delete service>
  • Return to OTMoveIt2, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Install Antivirus
An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a free anti-virus program from one of the trusted vendors below:

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.
---------------
Post back with:
-the OTMoveIt log
-the F-Secure Log
-a new DSS log (only main.txt will appear this time)

Please paste them into your reply and not attach them, thanks.

Also comment on how your computer is running now.

With Regards,
The Panda
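The question above about entries that disappeared between the two logs is something a helper answers by comparing them line by line. As an added example (not code from this thread or from any of the tools it names), the Python below parses two HijackThis-style logs, diffs their item entries and running processes case-insensitively, and lists entries HijackThis marked "(no file)" or "(file missing)". The sample logs are constructed from a handful of lines that appear in this thread; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field

# A HijackThis item line is a section code (R0, F2, O4, O23, ...) followed by
# " - " and the item text; running processes sit under their own header.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")

@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O4"
    body: str     # everything after the section code

    def key(self):
        # Windows paths are case-insensitive and HijackThis prints them with
        # mixed case (SYSTEM32 vs system32), so compare lower-cased text.
        return (self.section, self.body.lower())

    def target_missing(self):
        # Entries whose file is gone: leftovers of removed software or of a
        # partial cleanup, and the first thing a helper reviews.
        return "(no file)" in self.body or "(file missing)" in self.body

@dataclass
class HjtLog:
    processes: list = field(default_factory=list)
    entries: list = field(default_factory=list)

def parse_log(text):
    """Split a HijackThis-style log into running processes and item entries."""
    log, in_procs = HjtLog(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            if line:
                log.processes.append(line)
            else:
                in_procs = False  # a blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            log.entries.append(Entry(m.group("section"), m.group("body").strip()))
    return log

def diff_entries(old, new):
    """Entries present in only one of the two logs (case-insensitive keys)."""
    old_keys = {e.key(): e for e in old.entries}
    new_keys = {e.key(): e for e in new.entries}
    added = [e for k, e in new_keys.items() if k not in old_keys]
    removed = [e for k, e in old_keys.items() if k not in new_keys]
    return added, removed

def diff_processes(old, new):
    """Processes started or stopped between the two logs, lower-cased."""
    old_set = {p.lower() for p in old.processes}
    new_set = {p.lower() for p in new.processes}
    return sorted(new_set - old_set), sorted(old_set - new_set)

def orphaned(log):
    """Entries whose target file HijackThis could not find."""
    return [e for e in log.entries if e.target_missing()]

# Constructed sample logs: a few lines taken from the first HijackThis log in
# this thread and the matching lines from the later DSS log, not the full logs.
OLD_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
"""

NEW_LOG = r"""Emulating logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: {1A03F196-9617-4CA0-842B-A83CEECB022B} - - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
"""

if __name__ == "__main__":
    old, new = parse_log(OLD_LOG), parse_log(NEW_LOG)
    added, removed = diff_entries(old, new)
    for label, items in (("added", added), ("removed", removed), ("orphaned", orphaned(new))):
        print(f"{label}:")
        for e in items:
            print(f"  {e.section} - {e.body}")
    print("processes started/stopped:", diff_processes(old, new))
```

Without the lower-casing in `Entry.key` and `diff_processes`, winlogon.exe would be reported as both stopped and started purely because the two logs spell SYSTEM32 differently.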

#11 navjr
Posted 06 August 2008 - 10:10 PM

PropagandaPanda,

I have followed every step, but unfortunately my system bugged at one point and I lost the OTMoveIt and the F-secure logs. Nonetheless, I was able to complete all the steps you requested. I have the new DSS log just below. It seems to be working so far but it might be too early to tell. Do you suggest I run other scans on my computer?

Thank you,

Navjr

New DSS log:

Deckard's System Scanner v20071014.68
Run by HP_Owner on 2008-08-06 22:56:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as HP_Owner.exe) --------------------------------------------

logfile has no content; running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-06 22:56:14
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Le Robert\Le Petit Robert\PRHYPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PEPID\PepidMgr.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Documents and Settings\HP_Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.fr.msn.ca/0SEFRCA/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.fr.msn.ca/0SEFRCA/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: {1A03F196-9617-4CA0-842B-A83CEECB022B} - - (no file)
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Le Petit Robert Hyperappel] C:\Program Files\Le Robert\Le Petit Robert\prhyper.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [iLike] C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate (User 'Default user')
O4 - Startup: HotSync Manager.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Launch Pepid Manager.lnk = C:\Program Files\PEPID\PepidMgr.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Recherche - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} (Image Uploader Control) - http://cdnimg.piczo.com/images/uploader/pi...st_uploader.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: UFD Command Service (UFDSVC) - Unknown owner - C:\WINDOWS\system32\ufdsvc.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE


--
End of file - 9846 bytes

-- Files created between 2008-07-06 and 2008-08-06 -----------------------------

2008-08-06 20:47:38 0 d-------- C:\fsaua.data
2008-08-06 20:41:48 0 d-------- C:\Program Files\Avira
2008-08-06 20:41:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-08-06 20:14:25 0 d-------- C:\Program Files\Sun
2008-07-06 17:03:57 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-07-06 17:03:55 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Software
2008-07-06 17:03:53 0 d-------- C:\Program Files\NCH Swift Sound
2008-07-06 17:03:53 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\NCH Swift Sound
2008-07-06 17:03:32 0 d-------- C:\Program Files\NCH Software
2008-07-06 16:54:52 0 d-------- C:\Program Files\WMA-MP3.com


-- Find3M Report ---------------------------------------------------------------

2008-08-06 22:51:29 0 d-------- C:\Program Files\VideoEgg
2008-08-06 20:14:15 0 d-------- C:\Program Files\Java
2008-08-06 14:57:15 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\U3
2008-07-28 14:27:44 0 d-------- C:\Program Files\Trend Micro
2008-07-28 14:08:24 0 d-------- C:\Program Files\Lavasoft
2008-07-28 14:07:34 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-21 18:56:21 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-18 12:50:59 0 d-------- C:\Program Files\Palm
2008-07-06 15:37:24 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\ZoomBrowser EX
2008-06-26 21:50:14 0 d-------- C:\Program Files\Documents To Go
2008-06-25 14:03:45 0 d-------- C:\Program Files\iLike
2008-06-22 19:02:03 0 d-------- C:\Program Files\Call of Duty
2008-06-19 12:03:18 0 d-------- C:\Program Files\Temporary
2008-06-11 11:27:16 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\LimeWire
2008-05-18 23:07:37 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-05-18 23:07:37 286720 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2004-12-14 12:07]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-13 10:29]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Le Petit Robert Hyperappel"="C:\Program Files\Le Robert\Le Petit Robert\prhyper.exe" [2001-10-11 13:11]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-03 09:59]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
"iLike"=C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 15:16:08]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24]
Launch Pepid Manager.lnk - C:\Program Files\PEPID\PepidMgr.exe [2006-08-13 21:35:59]
Quicken Scheduled Updates.lnk - C:\Program Files\QUICKENW\bagent.exe [2008-04-13 14:44:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddccd.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iLike]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
AutoRun\command- L:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16672eb9-beca-11db-8640-0013d322198d}]
AutoRun\command- L:\LaunchU3.exe -a

*Newly Created Service* - ANTIVIRSCHEDULER
*Newly Created Service* - ANTIVIRSERVICE
*Newly Created Service* - AVGIO
*Newly Created Service* - AVGNTFLT
*Newly Created Service* - AVIPBB
*Newly Created Service* - F-SECURE_STANDALONE_MINIFILTER



-- End of Deckard's System Scanner: finished at 2008-08-06 22:56:39 ------------

#12 PropagandaPanda (Malware Response Team)

Posted 07 August 2008 - 03:18 PM

Hello Navjr.

Quote:
    but unfortunately my system bugged at one point and I lost the OTMoveIt and the F-secure logs.

It appears that OTMoveIt worked fine; it can handle most files. But if you would post the .log files found at C:\_OTMoveIt\MovedFiles, that would be great.

There is just a bit more to do.


Run OTMoveIt
  • Double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}
    hkey_classes_root\clsid\{7E853D72-626A-48EC-A868-BA8D5E23E045}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{1A03F196-9617-4CA0-842B-A83CEECB022B}
    hkey_classes_root\clsid\{1A03F196-9617-4CA0-842B-A83CEECB022B}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
    C:\WINDOWS\system32\ddccd.dll
  • Return to OTMoveIt2, right-click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt2.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot, choose Yes. In that case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, enter *.log in the File Name box and press Enter, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste its contents back here in your next post.


Apply Registry Fix
  • Copy the following into Notepad (Start>Run>"notepad"):

    REGEDIT4

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the File Name box, enter fix.reg.
  • Hit OK.
When done properly, the icon should look like the one for a .bat file.

Double-click fix.reg and answer Yes to the prompts. You will receive a message that the entries have been successfully merged. Delete fix.reg after use.


Run ESET Online Scan
I would like to see a second opinion from a scanner.

Disable your antivirus before proceeding. Refer to this page if you are unsure how.
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use; tick the check-box in front of YES, I accept the Terms of Use
  • Now click Start. If you see a "Security Warning" that asks if you want to install and run a file called "OnlineScanner.cab", click Yes.
  • Click Start. The online scanner will now prepare itself for running on your PC.
  • To do a full scan, tick: Remove found threats and Scan potentially unwanted applications.
  • Press Scan. The online scan will now start and scan your computer. Please be patient, as this takes a while.
  • When the scan has finished, it will show a screen with two tabs, "overview" and "details", and the option to get information or buy software; just close the window.
  • Click Start, then Run.... In the box that appears, type (with the quotes):
    "C:\Program Files\EsetOnlineScanner\log.txt"
  • The scan results will now open in Notepad.
  • Click into the text area, right-click and choose Select All. Right-click again and choose Copy.
  • Post back with the log.txt in your next reply.
Note: For Vista users: ESET is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch bar on the Taskbar and select "Run as Administrator" from the context menu.
--------------------
Please post back with
-the OTMoveIt logs
-the ESET log
-a new DSS log

Tell me if you experience any further problems during this time. Does your antivirus pick up anything at all (other than tracking cookies)?

With Regards,
The Panda

Edited by PropagandaPanda, 07 August 2008 - 04:19 PM.
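
The registry fix in the post above resets the LSA "Authentication Packages" value to its Windows XP default, so that C:\WINDOWS\system32\ddccd.dll, which the earlier DSS registry dump in this thread showed listed alongside msv1_0, is no longer loaded into lsass.exe at boot. The hex(7) notation is a REG_MULTI_SZ written out byte by byte: every string is NUL-terminated and the list ends with one extra NUL, and because the header is REGEDIT4 the strings are ANSI (one byte per character) rather than the UTF-16LE a "Windows Registry Editor Version 5.00" file would carry. The Python script below is an added example, not part of this thread or of OTMoveIt, DSS, HijackThis or ESET: it decodes and encodes that notation, splits a DSS-style "Authentication Packages" line into its elements, flags anything other than msv1_0, and generates a fix.reg equivalent to the one above. It assumes that msv1_0 is the only package expected on this XP machine, and the sample line it processes is constructed to mirror the infected dump.

```python
"""Decode and encode the hex(7) (REG_MULTI_SZ) notation used in .reg files and
audit the LSA "Authentication Packages" list for entries other than msv1_0.

Added example for this thread; not part of OTMoveIt, DSS, HijackThis or ESET.
"""
import re

# The .reg header decides how strings inside hex(7) are encoded:
# REGEDIT4 writes ANSI (one byte per character), the 5.00 format writes UTF-16LE.
ENCODINGS = {
    "REGEDIT4": "cp1252",
    "Windows Registry Editor Version 5.00": "utf-16-le",
}

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Assumption: on this Windows XP machine only msv1_0 should be registered here.
# Every DLL named in this value is loaded into lsass.exe at boot.
EXPECTED_AUTH_PACKAGES = {"msv1_0"}


def decode_hex7(hex_text, encoding="cp1252"):
    """'6d,73,76,31,5f,30,00,00' -> ['msv1_0'].

    Accepts the backslash line continuations .reg files use for long values.
    The buffer is NUL-terminated strings followed by one more NUL, so the
    empty elements produced by the terminators are dropped.
    """
    joined = re.sub(r"\\\s*", "", hex_text)
    raw = bytes(int(b, 16) for b in joined.split(",") if b.strip())
    return [s for s in raw.decode(encoding).split("\0") if s]


def encode_hex7(strings, encoding="cp1252"):
    """['msv1_0'] -> '6d,73,76,31,5f,30,00,00' (inverse of decode_hex7)."""
    buffer = "".join(s + "\0" for s in strings) + "\0"
    return ",".join(f"{b:02x}" for b in buffer.encode(encoding))


def parse_dss_multi_sz(line):
    """Split a DSS registry-dump line such as
    '"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ddccd.dll'
    into its elements. DSS prints the elements separated by single spaces,
    so a path containing a space would be split as well; confirm the live
    value in regedit before acting on it.
    """
    _, _, rhs = line.partition("=")
    return rhs.split()


def audit_auth_packages(packages):
    """Return every element that is not an expected authentication package."""
    return [p for p in packages if p.lower() not in EXPECTED_AUTH_PACKAGES]


def build_fix_reg(packages, header="REGEDIT4"):
    """Produce .reg text that overwrites the value with exactly `packages`."""
    hex7 = encode_hex7(packages, ENCODINGS[header])
    return (
        f"{header}\n\n"
        f"[{LSA_KEY}]\n"
        f'"Authentication Packages"=hex(7):{hex7}\n'
    )


if __name__ == "__main__":
    # Constructed sample line mirroring the infected DSS dump in this thread.
    sample = '"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\ddccd.dll'
    loaded = parse_dss_multi_sz(sample)
    print("loaded into lsass.exe:", loaded)
    print("unexpected:", audit_auth_packages(loaded))
    print("fix.reg decodes to:", decode_hex7("6d,73,76,31,5f,30,00,00"))
    print(build_fix_reg(sorted(EXPECTED_AUTH_PACKAGES)))
```

Running the script prints the decoded list, the flagged DLL and the generated fix.reg text. The same codec applies to the neighbouring "Notification Packages" and "Security Packages" values under the Lsa key, which are also REG_MULTI_SZ lists of DLLs loaded by lsass.exe; pass a different expected set to audit those.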


#13 navjr (Topic Starter)

Posted 11 August 2008 - 04:18 PM

PropagandaPanda:

I have run the scans you requested. You will find the logs you requested just below.

Thanks again for your help,

Waiting for your reply,

navjr


OTmoveIt log requested (first one):

< C:\WINDOWS\X!? >
C:\WINDOWS\X!Ä moved successfully.
C:\WINDOWS\X!Å moved successfully.
C:\WINDOWS\0 moved successfully.
C:\WINDOWS\popcinfo.dat moved successfully.
C:\WINDOWS\system32\A2F7A7A7EEF3F6F7F4EEA0A7 moved successfully.
C:\Program Files\Online Services\AOL90US\comps\toolbar\toolbr.EXE moved successfully.
C:\RECYCLER\S-1-5-21-3342996536-2622747253-1705427353-1009\Dc211.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\arqxtavs.dll
C:\WINDOWS\system32\arqxtavs.dll NOT unregistered.
C:\WINDOWS\system32\arqxtavs.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\awttqnn.dll
C:\WINDOWS\system32\awttqnn.dll NOT unregistered.
C:\WINDOWS\system32\awttqnn.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\iyyrwrct.dll
C:\WINDOWS\system32\iyyrwrct.dll NOT unregistered.
C:\WINDOWS\system32\iyyrwrct.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\jrcmfmyu.dll
C:\WINDOWS\system32\jrcmfmyu.dll NOT unregistered.
C:\WINDOWS\system32\jrcmfmyu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\lmulftbb.dll
C:\WINDOWS\system32\lmulftbb.dll NOT unregistered.
C:\WINDOWS\system32\lmulftbb.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\nutngtvy.dll
C:\WINDOWS\system32\nutngtvy.dll NOT unregistered.
C:\WINDOWS\system32\nutngtvy.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\pmnnlmn.dll
C:\WINDOWS\system32\pmnnlmn.dll NOT unregistered.
C:\WINDOWS\system32\pmnnlmn.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\pndiugrl.dll
C:\WINDOWS\system32\pndiugrl.dll NOT unregistered.
C:\WINDOWS\system32\pndiugrl.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tanvdhjd.dll
C:\WINDOWS\system32\tanvdhjd.dll NOT unregistered.
C:\WINDOWS\system32\tanvdhjd.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\tlnnvnwv.dll
C:\WINDOWS\system32\tlnnvnwv.dll NOT unregistered.
C:\WINDOWS\system32\tlnnvnwv.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\uuoarjre.dll
C:\WINDOWS\system32\uuoarjre.dll NOT unregistered.
C:\WINDOWS\system32\uuoarjre.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\wifmriyw.dll
C:\WINDOWS\system32\wifmriyw.dll NOT unregistered.
C:\WINDOWS\system32\wifmriyw.dll moved successfully.
< HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\iukuom6ei >
Registry value HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services\\iukuom6ei deleted successfully.
BTHidEnum service deleted successfully.
BTHidMgr service deleted successfully.
intelppm service deleted successfully.
BlueletAudio service deleted successfully.
BlueletSCOAudio service deleted successfully.
BT service deleted successfully.
Btcsrusb service deleted successfully.
VComm service deleted successfully.
VcommMgr service deleted successfully.
Service not present: iukuom6ei.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08062008_202034

OTMoveIt log (last one) requested:

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}\\ deleted successfully.
< hkey_classes_root\clsid\{7E853D72-626A-48EC-A868-BA8D5E23E045} >
Registry key hkey_classes_root\clsid\{7E853D72-626A-48EC-A868-BA8D5E23E045}\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{1A03F196-9617-4CA0-842B-A83CEECB022B} >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{1A03F196-9617-4CA0-842B-A83CEECB022B} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A03F196-9617-4CA0-842B-A83CEECB022B}\ deleted successfully.
< hkey_classes_root\clsid\{1A03F196-9617-4CA0-842B-A83CEECB022B} >
Registry key hkey_classes_root\clsid\{1A03F196-9617-4CA0-842B-A83CEECB022B}\\ not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263} >
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}\\ deleted successfully.
File/Folder C:\WINDOWS\system32\ddccd.dll not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08112008_105834

ESET Scan log:

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3346 (20080811)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=bbf57d6f7b1b654ca04f8c46e311aa4a
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-08-11 05:50:48
# local_time=2008-08-11 01:50:48 (-0500, Eastern Daylight Time)
# country="Canada"
# osver=5.1.2600 NT Service Pack 2
# scanned=1172611
# found=9
# scan_time=9809
C:\_OTMoveIt\MovedFiles\08062008_202034\RECYCLER\S-1-5-21-3342996536-2622747253-1705427353-1009\Dc211.exe multiple infiltrations (deleted) 00000000000000000000000000000000
C:\_OTMoveIt\MovedFiles\08062008_202034\RECYCLER\S-1-5-21-3342996536-2622747253-1705427353-1009\Dc211.exe »WISE »freeze_388.exe Win32/Adware.NdotNet application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\_OTMoveIt\MovedFiles\08062008_202034\RECYCLER\S-1-5-21-3342996536-2622747253-1705427353-1009\Dc211.exe »WISE »whCC-FREEZE5.exe Win32/Adware.Webhancer.A application (error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\_OTMoveIt\MovedFiles\08062008_202034\RECYCLER\S-1-5-21-3342996536-2622747253-1705427353-1009\Dc211.exe »WISE »whCC-FREEZE5.exe »RAR »whAgent.exe Win32/Adware.Webhancer.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\_OTMoveIt\MovedFiles\08062008_202034\RECYCLER\S-1-5-21-3342996536-2622747253-1705427353-1009\Dc211.exe »WISE »whCC-FREEZE5.exe »RAR »whInstaller.exe Win32/Adware.Webhancer.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\_OTMoveIt\MovedFiles\08062008_202034\RECYCLER\S-1-5-21-3342996536-2622747253-1705427353-1009\Dc211.exe »WISE »whCC-FREEZE5.exe »RAR »whSurvey.exe Win32/Adware.Webhancer.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\_OTMoveIt\MovedFiles\08062008_202034\RECYCLER\S-1-5-21-3342996536-2622747253-1705427353-1009\Dc211.exe »WISE »whCC-FREEZE5.exe »RAR »webhdll.dll Win32/Adware.Webhancer.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\_OTMoveIt\MovedFiles\08062008_202034\RECYCLER\S-1-5-21-3342996536-2622747253-1705427353-1009\Dc211.exe »WISE »whCC-FREEZE5.exe »RAR »whiehlpr.dll Win32/Adware.Webhancer.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\_OTMoveIt\MovedFiles\08062008_202034\WINDOWS\system32\TANVDHJD.0LL Win32/BHO.NCC trojan (unable to clean - deleted) 00000000000000000000000000000000


New DSS log:

Deckard's System Scanner v20071014.68
Run by HP_Owner on 2008-08-11 17:13:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as HP_Owner.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:13:15, on 2008-08-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Le Robert\Le Petit Robert\prhyper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Palm\Hotsync.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\MétéoMédia\MétéoIMédia\WeatherEye.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\My Documents\Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HP_Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.fr.msn.ca/0SEFRCA/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.fr.msn.ca/0SEFRCA/SAOS01?FORM=TOOLBR
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Le Petit Robert Hyperappel] C:\Program Files\Le Robert\Le Petit Robert\prhyper.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [iLike] C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: HotSync Manager.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Launch Pepid Manager.lnk = C:\Program Files\PEPID\PepidMgr.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {17D667BA-5675-4AAB-9221-08B9379384D4} (Image Uploader Control) - http://cdnimg.piczo.com/images/uploader/pi...st_uploader.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Service Partage réseau du Lecteur Windows Media (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 8514 bytes

-- Files created between 2008-07-11 and 2008-08-11 -----------------------------

2008-08-11 11:05:31 0 d-------- C:\Program Files\EsetOnlineScanner
2008-08-10 13:42:57 0 d-------- C:\WINDOWS\LastGood
2008-08-07 13:45:39 0 d-------- C:\Program Files\Risk II
2008-08-07 13:45:26 0 d-------- C:\Program Files\ReflexiveArcade
2008-08-07 13:39:34 0 d-------- C:\Program Files\Shockwave.com
2008-08-07 08:40:12 0 d-------- C:\Documents and Settings\LocalService\My Documents
2008-08-07 08:39:14 0 d-------- C:\Documents and Settings\LocalService\Application Data\Real
2008-08-07 08:39:14 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-08-06 20:47:38 0 d-------- C:\fsaua.data
2008-08-06 20:41:48 0 d-------- C:\Program Files\Avira
2008-08-06 20:41:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-08-06 20:14:25 0 d-------- C:\Program Files\Sun


-- Find3M Report ---------------------------------------------------------------

2008-08-07 08:58:24 0 d-------- C:\Program Files\Windows Media Connect 2
2008-08-06 22:51:29 0 d-------- C:\Program Files\VideoEgg
2008-08-06 20:14:15 0 d-------- C:\Program Files\Java
2008-08-06 14:57:15 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\U3
2008-07-28 14:27:44 0 d-------- C:\Program Files\Trend Micro
2008-07-28 14:08:24 0 d-------- C:\Program Files\Lavasoft
2008-07-28 14:07:34 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-21 18:56:21 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-18 12:50:59 0 d-------- C:\Program Files\Palm
2008-07-18 11:48:09 0 d-------- C:\Program Files\NCH Software
2008-07-06 17:03:53 0 d-------- C:\Program Files\NCH Swift Sound
2008-07-06 17:03:53 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\NCH Swift Sound
2008-07-06 16:54:52 0 d-------- C:\Program Files\WMA-MP3.com
2008-07-06 15:37:24 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\ZoomBrowser EX
2008-06-26 21:50:14 0 d-------- C:\Program Files\Documents To Go
2008-06-25 14:03:45 0 d-------- C:\Program Files\iLike
2008-06-22 19:02:03 0 d-------- C:\Program Files\Call of Duty
2008-06-19 12:03:18 0 d-------- C:\Program Files\Temporary
2008-06-11 11:27:16 0 d-------- C:\Documents and Settings\HP_Owner\Application Data\LimeWire
2008-05-18 23:07:37 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-05-18 23:07:37 286720 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Windows>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2004-12-14 12:07]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-13 10:29]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Le Petit Robert Hyperappel"="C:\Program Files\Le Robert\Le Petit Robert\prhyper.exe" [2001-10-11 13:11]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe
"iLike"=C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\Hotsync.exe [2004-06-09 15:16:08]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 20:28:24]
Launch Pepid Manager.lnk - C:\Program Files\PEPID\PepidMgr.exe [2006-08-13 21:35:59]
Quicken Scheduled Updates.lnk - C:\Program Files\QUICKENW\bagent.exe [2008-04-13 14:44:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iLike]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
AutoRun\command- L:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16672eb9-beca-11db-8640-0013d322198d}]
AutoRun\command- L:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-08-11 17:13:31 ------------
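As an added example (not part of the thread and not DSS's own code), the script below parses the Registry Dump section of a log like the one above and lists the autostart entries an analyst would check first: Run-key values and the per-drive AutoRun commands under mountpoints2. SAMPLE_DUMP is a constructed excerpt modelled on the dump posted above; the review() heuristics (drive autoruns, indirect launch through rundll32 ShellExec_RunDLL, non-absolute or unquoted paths) are assumptions made for illustration, not DSS logic.

```python
"""Enumerate autostart entries from the Registry Dump section of a Deckard's
System Scanner (DSS) log and flag the ones an analyst would look at first.

Added example, not code from the thread or from DSS. The dump layout
([KEY] headers, "name"=command [timestamp] values, AutoRun\\command- lines)
mirrors the log posted above; SAMPLE_DUMP is a constructed excerpt of it and
the review() heuristics are assumptions for illustration, not DSS logic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"iLike"=C:\Program Files\iLike\1.1.41\ilikesidebar.exe /checkforupdate

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
AutoRun\command- L:\LaunchU3.exe -a
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"=command  or  name=command, with an optional trailing [YYYY-MM-DD HH:MM]
VALUE_RE = re.compile(
    r'^"?(?P<name>[^"=]+)"?=(?P<cmd>.+?)(?:\s+\[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\])?$'
)
# mountpoints2 drive entries are printed as: AutoRun\command- <command line>
AUTORUN_RE = re.compile(r"^AutoRun\\command-\s*(?P<cmd>.+)$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class AutostartEntry:
    key: str       # registry key the value lives under
    name: str      # value name, or AutoRun\command for drive autoruns
    command: str   # command line exactly as DSS printed it


def parse_registry_dump(text: str) -> list[AutostartEntry]:
    """Walk the dump line by line, remembering the current [KEY] header."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = AUTORUN_RE.match(line)
        if m:
            entries.append(AutostartEntry(key, "AutoRun\\command", m.group("cmd").strip()))
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append(AutostartEntry(key, m.group("name"), m.group("cmd").strip()))
        # other lines (e.g. msconfig startupreg paths with no '=') are ignored here
    return entries


def executable_of(command: str) -> str:
    """First token of the command line: the quoted path, or the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0]


def review(entry: AutostartEntry) -> list[str]:
    """Heuristic reasons to look closer (assumptions made for this example)."""
    reasons = []
    exe = executable_of(entry.command)
    if "mountpoints2" in entry.key.lower():
        reasons.append("drive AutoRun command: runs when the volume is opened")
    if "shellexec_rundll" in entry.command.lower():
        reasons.append("target launched indirectly through rundll32 ShellExec_RunDLL")
    if not ABS_PATH_RE.match(exe):
        reasons.append("executable is not an absolute path")
    if not entry.command.startswith('"') and not exe.lower().endswith(".exe"):
        reasons.append("unquoted command line; first token is not an .exe (path with spaces?)")
    return reasons


def flag_entries(text: str) -> list[tuple[AutostartEntry, list[str]]]:
    """Return only the entries review() has something to say about."""
    flagged = []
    for e in parse_registry_dump(text):
        reasons = review(e)
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for e, reasons in flag_entries(SAMPLE_DUMP):
        print(f"{e.key}\n  {e.name} = {e.command}")
        for r in reasons:
            print(f"    - {r}")
```

Run it on the real dump by pasting the Registry Dump section in place of SAMPLE_DUMP. A flag is a prompt to check the file, not a verdict: the L: drive autorun above is the U3 launcher of a USB stick, and the D: entry is the autorun of whatever disc was last in that drive, so the review step is to locate each target and decide whether it belongs.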

#14 navjr

navjr
  • Topic Starter

  • Members
  • 11 posts

Posted 11 August 2008 - 04:22 PM

PropagandaPanda:

To answer your last questions, my computer is working much better. More virus were picked up after the initial scan with avira but none since.

navjr

#15 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts

Posted 12 August 2008 - 03:31 PM

Hello Navjr. Your logs are clean. I would like to thank the instructor Don77 for supervising our work.

Delete Service with Batch File
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "quote".


    sc stop WMPNetworkSvc
    sc delete WMPNetworkSvc
    del %0

  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input fix.bat.
  • Hit OK.
When done properly, the icon should be that of a .bat file.

Double click fix.bat. You will see a black command prompt window flash open then close. Fix.bat will have deleted itself from your desktop.

Run Cleanup! with OTMoveIt
Let's clear out the tools we've used.

You will need Internet access because OTMoveIt needs to download a small list of files.
  • Double click the OTMoveIt2.exe icon on your desktop to start the program.
  • Click the CleanUp! button. If you receive a warning from your security program, select allow to download the packet.
  • When the list is downloaded, a pop-up box will appear asking "Begin Removal Process?". Click Yes.
  • Click Yes when asked to reboot.
Install Firewall
Please now install a third-party firewall from the following selection of excellent programs.

The main reason you would prefer a third-party firewall over the Windows XP Firewall is that Windows Firewall only stops incoming signals from accessing your computer. However, it will not stop programs (possibly ones that could intrude on your privacy) from sending outgoing signals to the Internet or to other networks.

After you have installed one of the above firewalls, please disable your Windows Firewall, if you had it enabled.


Set New System Restore Point
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Preventing Malware Infection in the Future
Please also have a look at the following links, giving some advice and suggestions for preventing future infections. I recommend you regularly visit the Windows Update Site.
  • Lots of hacking/trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates, here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Another recommendation is to download HostsMan. It safeguards you with a regularly updated Hosts file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Start Menu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select at least one.
    • Click "Add Update." After that, you will only need to click the update button to retrieve updates.
  • Click the X to exit the program.
    Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Thank you for choosing Bleeping Computer as your malware removal source. Be sure to tell your friends about us!
--------------
If your issues have been resolved, please say so we can close this topic.

With Regards,
The Panda



