
Friend's laptop has malware (I think), I found Seekmo installed


This topic is locked
7 replies to this topic

#1 Pazma

Posted 07 January 2009 - 11:09 AM

I've uninstalled Seekmo but I don't know how to get rid of the reg files and any other possible threats, any help would be great.


DDS (Ver_09-01-07.01) - NTFSx86
Run by mick at 15:15:50.66 on Wed 01/07/2009
Internet Explorer: 6.0.2600.0000
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.511.385 [GMT 0:00]


============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ieupdates.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\mick\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: &Research: {037c7b8a-151a-49e6-baed-cc05fcb50328} - c:\windows\system32\winsrc.dll
TB: {07AA283A-43D7-4CBE-A064-32A21112D94D} - No File
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ieupdate] "c:\windows\system32\ieupdates.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [Microsoft security adviser] c:\program files\microsoft security adviser\mssadv.exe
mRun: [msctrl.exe] c:\program files\microsoft security adviser\msctrl.exe
mRun: [msavsc.exe] c:\program files\microsoft security adviser\msavsc.exe
mRun: [msscan.exe] c:\program files\microsoft security adviser\msscan.exe
mRun: [msiemon.exe] c:\program files\microsoft security adviser\msiemon.exe
mRun: [msfw.exe] c:\program files\microsoft security adviser\msfw.exe
mRun: [mssadv.exe]
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-01-07 14:42 <DIR> --d----- c:\docume~1\mick\applic~1\AVG7

==================== Find3M ====================


============= FINISH: 15:16:06.23 ===============

Edited by Pazma, 07 January 2009 - 11:44 AM.



#2 ourwilly

Posted 08 January 2009 - 12:44 PM

Hello Pazma,

Please download MalwareBytes Anti-malware (MBAM) from one of the following links:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

Reboot your system, then re-scan with HijackThis.

Please post the new HijackThis log and the MalwareBytes results.

#3 Pazma (Topic Starter)

Posted 10 January 2009 - 05:03 AM

Thanks, here they are.

Malwarebytes' Anti-Malware 1.32
Database version: 1637
Windows 5.1.2600

1/10/2009 9:57:39 AM
mbam-log-2009-01-10 (09-57-24).txt

Scan type: Full Scan (C:\|)
Objects scanned: 73088
Time elapsed: 20 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 8
Registry Data Items Infected: 0
Folders Infected: 9
Files Infected: 40

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msavsc.exe (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msctrl.exe (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msfw.exe (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiemon.exe (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msscan.exe (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft security adviser (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Microsoft Security Adviser (Trojan.Downloader) -> No action taken.
C:\Program Files\Starware381 (Adware.Starware) -> No action taken.
C:\Program Files\Starware408 (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381 (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\contexts (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408 (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\contexts (Adware.Starware) -> No action taken.

Files Infected:
C:\Documents and Settings\mick\Local Settings\Temporary Internet Files\Content.IE5\9RFJPX8E\AV2009Install_77013601[1].exe (Rogue.Installer) -> No action taken.
C:\RECYCLER\S-1-5-21-1547161642-1580818891-1343024091-1005\Dc2.exe (Rogue.Installer) -> No action taken.
C:\Program Files\Microsoft Security Adviser\msavsc.exe (Trojan.Downloader) -> No action taken.
C:\Program Files\Microsoft Security Adviser\msctrl.exe (Trojan.Downloader) -> No action taken.
C:\Program Files\Microsoft Security Adviser\msfw.exe (Trojan.Downloader) -> No action taken.
C:\Program Files\Microsoft Security Adviser\msiemon.exe (Trojan.Downloader) -> No action taken.
C:\Program Files\Microsoft Security Adviser\msscan.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\1316_button_1b_def.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\1316_button_1b_over.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\1317_button_1b_def.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\FindIt.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\FindItHot.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\findithotxp.png (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\finditxp.png (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\logo.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\logoxp.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\contexts\error.xml (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\contexts\related.xml (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware381\contexts\travel.xml (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\1223_button_1b_def.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\1223_button_1b_over.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\1229_button_1b_def.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\1229_button_1b_over.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\FindIt.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\FindItHot.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\findithotxp.png (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\finditxp.png (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\logo.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\logoxp.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\Weather.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\WeatherHot.bmp (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\weatherhotxp.png (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\weatherxp.png (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\contexts\error.xml (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\contexts\related.xml (Adware.Starware) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Starware408\contexts\travel.xml (Adware.Starware) -> No action taken.
C:\WINDOWS\msscan.dll (Trojan.Clicker) -> No action taken.
C:\WINDOWS\msiemon.dll (Trojan.Clicker) -> No action taken.
C:\WINDOWS\msfw.dll (Trojan.Clicker) -> No action taken.
C:\WINDOWS\msctrl.dll (Trojan.Clicker) -> No action taken.


-------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:55 AM, on 1/10/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Microsoft security adviser] C:\Program Files\Microsoft Security Adviser\mssadv.exe
O4 - HKLM\..\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe
O4 - HKLM\..\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe
O4 - HKLM\..\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe
O4 - HKLM\..\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe
O4 - HKLM\..\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 2157 bytes

------------------------------------------------------------------------------------------------------------------------------------------------
I've just updated xp to sp2, do I need to run the tests again?

Edited by Pazma, 10 January 2009 - 07:34 AM.


#4 ourwilly

Posted 10 January 2009 - 07:59 AM

Hello Pazma,

Thank you for doing that for me, for now can you please just follow these instructions...

Please note - I can see No action taken showing in the Malwarebytes scan, can you please run through the Malwarebytes' Anti-Malware instructions again. When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click Show Results.
Make sure all entries have a checkmark at their far left.
Click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program's quarantine.


Once you have done that.... Please download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Reboot your computer and enter Safe Mode (tap the F8 key just before Windows starts to load, then select Safe Mode).

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

Please rescan with HijackThis and post the new log, the new Malwarebytes log and the SDFix Report.
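The check ourwilly makes by eye above (every entry in the posted MBAM log still reads "No action taken", so the detections were listed but never removed) can be automated when triaging such logs. The following is an added example, not code from this thread or from Malwarebytes: it parses the MBAM 1.x log layout shown in this thread and flags entries that were detected but not remediated. The excerpt it runs on is constructed in that format for the example, with paths taken from the logs above.

```python
"""Parse a Malwarebytes' Anti-Malware (MBAM) 1.x log and report which
detections were actually remediated.

MBAM 1.x logs have a summary block ("Registry Keys Infected: 2"), then one
section per category ("Registry Keys Infected:") whose lines look like:
    <item> (<family>) -> <status>.
where <status> is e.g. "No action taken" or "Quarantined and deleted successfully".
"""
import re
from collections import Counter

# Constructed excerpt in MBAM 1.x format (sample data for this example).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.32
Database version: 1637
Windows 5.1.2600

Scan type: Full Scan (C:\|)
Objects scanned: 73088

Memory Processes Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msfw.exe (Trojan.Downloader) -> No action taken.

Files Infected:
C:\Program Files\Microsoft Security Adviser\msfw.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\msfw.dll (Trojan.Clicker) -> No action taken.
"""

# A section header is a category name ending in "Infected:" with nothing after
# the colon; the summary lines ("... Infected: 2") therefore do not match.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# One detection line: item, detection family in parentheses, arrow, status.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<status>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict per detection: section, item, family, status."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            entries.append({"section": section, **entry.groupdict()})
    return entries


def unremediated(entries):
    """Detections the scanner listed but did not quarantine or delete."""
    return [e for e in entries if e["status"].lower().startswith("no action taken")]


def summarize(entries):
    """Map detection family -> (detected, removed) counts."""
    detected = Counter(e["family"] for e in entries)
    removed = Counter(e["family"] for e in entries
                      if e["status"].startswith("Quarantined"))
    return {fam: (detected[fam], removed[fam]) for fam in detected}


def triage(text):
    """Overall verdict: does this log show a scan that still needs a removal run?"""
    entries = parse_mbam_log(text)
    pending = unremediated(entries)
    return {
        "total": len(entries),
        "pending": len(pending),
        "families": summarize(entries),
        "rescan_needed": bool(pending),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for fam, (seen, gone) in sorted(result["families"].items()):
        print(f"{fam:20s} detected={seen} removed={gone}")
    print("re-run removal:", result["rescan_needed"])
```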

#5 Pazma (Topic Starter)

Posted 11 January 2009 - 04:45 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:09 PM, on 1/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 1544 bytes

-----------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.32
Database version: 1637
Windows 5.1.2600 Service Pack 2

1/11/2009 8:35:12 PM
mbam-log-2009-01-11 (20-35-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 81918
Time elapsed: 2 hour(s), 33 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 8
Registry Data Items Infected: 0
Folders Infected: 9
Files Infected: 40

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msavsc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msctrl.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msfw.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiemon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msscan.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssadv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft security adviser (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Microsoft Security Adviser (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Starware381 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Program Files\Starware408 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\contexts (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408 (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\contexts (Adware.Starware) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\mick\Local Settings\Temporary Internet Files\Content.IE5\9RFJPX8E\AV2009Install_77013601[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1547161642-1580818891-1343024091-1005\Dc2.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\msavsc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\msctrl.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\msfw.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\msiemon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Security Adviser\msscan.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\1316_button_1b_def.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\1316_button_1b_over.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\1317_button_1b_def.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\FindIt.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\FindItHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\findithotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\finditxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\logo.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\buttons\logoxp.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\contexts\error.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\contexts\related.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware381\contexts\travel.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\1223_button_1b_def.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\1223_button_1b_over.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\1229_button_1b_def.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\1229_button_1b_over.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\FindIt.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\FindItHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\findithotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\finditxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\logo.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\logoxp.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\Weather.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\WeatherHot.bmp (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\weatherhotxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\buttons\weatherxp.png (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\contexts\error.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\contexts\related.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Starware408\contexts\travel.xml (Adware.Starware) -> Quarantined and deleted successfully.
C:\WINDOWS\msscan.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\msiemon.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\msfw.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\msctrl.dll (Trojan.Clicker) -> Quarantined and deleted successfully.

-----------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------


SDFix: Version 1.240
Run by mick on Sun 01/11/2009 at 09:11 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\msavsc.dll - Deleted
C:\WINDOWS\system32\winsrc.dll.tmp - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 21:20:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:51,1a,0d,c0,81,ff,a8,e5,2e,51,f7,60,b0,fe,39,61,f1,ef,b8,2d,c7,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:51,1a,0d,c0,81,ff,a8,e5,2e,51,f7,60,b0,fe,39,61,f1,ef,b8,2d,c7,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]
"p0"="C:\Program Files\Alcohol Soft\Alcohol 120\"
"h0"=dword:00000000
"ujdew"=hex:51,1a,0d,c0,81,ff,a8,e5,2e,51,f7,60,b0,fe,39,61,f1,ef,b8,2d,c7,..

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\KB944338-v2.log 3812 bytes
C:\WINDOWS\KB956802.log 2927 bytes
C:\WINDOWS\LastGood
C:\WINDOWS\LastGood\INF
C:\WINDOWS\LastGood\INF\oem11.inf 0 bytes
C:\WINDOWS\LastGood\INF\oem11.PNF 0 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 6


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 19 Dec 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 19 Dec 2007 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
Sun 11 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0044c05f784f01d2208480e0d7e7d170\BIT20.tmp"
Sun 11 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\158e67e5edd92c78c30c06dd18cea563\BIT1C.tmp"
Sun 11 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1741e6217a93d36aaaaa3cead0913a10\BIT19.tmp"
Sun 11 Jan 2009 1,465,384 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1abb4643eccf67e5ec8b2a16ba5befb7\BIT16.tmp"
Sun 11 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\28bfc9e6560577a89aed6b0c726eb7e6\BIT1E.tmp"
Sun 11 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\30176d767e46d7fcf2d00c8f50c9758e\BIT1B.tmp"
Sun 11 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\40e9dcb66532a7d0904f24c869fdfd7e\BIT1D.tmp"
Sun 11 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f79e01ce8ee10a7556514a051f797f4\BITB.tmp"
Sun 11 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\588786e399909bbe558853aada5a75c8\BIT17.tmp"
Sun 11 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\74a19a19cc31989be4bb0df6ac36d839\BIT18.tmp"
Sun 11 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7684fcdc5c1747eb53ef3c2d202add11\BIT13.tmp"
Sun 11 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\db250b969298d4b9909ab53611417a5a\BIT1F.tmp"
Sun 11 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ede23652b16ac5041616fd3bd72c6048\BIT1A.tmp"
Sun 11 Jan 2009 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a37ea2d49e8a7659886ac76c226cad7d\download\BIT21.tmp"

Finished!

#6 ourwilly

Posted 12 January 2009 - 12:09 PM

Hello Pazma,

Quarantined and deleted successfully

That's great... :thumbsup:

Your log is showing that you do not have a third party firewall installed. Please note that using a firewall on your computer is very important. Without one your computer is susceptible to being hacked and taken over. I strongly recommend that you now install one of these free versions of a commercial firewall onto your system. Any one of these will protect your system and will give you full control over everything that requests Internet access.

Comodo
OutPost Firewall Free
Kerio Personal Firewall

It is also really dangerous to go online without an antivirus. Without one, you are extremely likely to get infected and the consequences could be even worse next time. All of the following are excellent free versions of commercial antiviruses. Be sure to only install one.

avast!.
AntiVir
AVG Free 8.0

Please re-scan with HijackThis and post the new log and can you let me know how your system is running now.

#7 Pazma (Topic Starter)

Posted 12 January 2009 - 09:18 PM

Hi, I've installed AVG Free 8.0 for him since, but he's taken the laptop back so I can't post the HijackThis log.

Thanks for all your help, you've been great. It seems to be running smoothly now.

#8 ourwilly

Posted 13 January 2009 - 11:49 AM

Hello Pazma,

Thank you for letting me know. Since this issue appears to be resolved this Topic has been closed. Glad we could help. :thumbsup:

If you're the topic starter and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
