
Virus Scan Faulty?


3 replies to this topic

#1 SRRider

SRRider

  • Members
  • 3 posts

Posted 28 November 2004 - 01:29 AM

This is a virus scan log from eTrust EZ Antivirus run on my machine. I see a virus in a Netscape folder that I was saving but will remove. Why can't this scan open the files it said it can't open, and then not scan them? I ran Spybot, CleanSweep 8 and Ad-Aware before the scan. Help
eTrust EZ Antivirus Version 6.4.0.4
Started scanning: 8:00:05 PM, 11/27/2004
Dat file v8756

Scanning boot sectors...
C:\ Master Boot Record matches template, is OK: standard Win2000 (1).
C:\ Partition Boot Record matches template, is OK: standard Win2000 (2).

Scanning file(s)...
eTrust EZ Antivirus Version 6.4.0.4
Started scanning: 9:26:21 PM, 11/27/2004
Dat file v8756

Scanning boot sectors...
C:\ Master Boot Record matches template, is OK: standard Win2000 (1).
C:\ Partition Boot Record matches template, is OK: standard Win2000 (2).

Scanning file(s)...
C:\Documents and Settings\Jerald\Application Data\Mozilla\Profiles\jerald61\rdq5fbo5.slt\Mail\mail.netzero.net\Sent>ffictionlynsfictionboarddiscussionfanfictiontalk[2].scr - Win32.Klez.H worm.
C:\Documents and Settings\Jerald\Application Data\Mozilla\Profiles\jerald61\rdq5fbo5.slt\Mail\mail.netzero.net\Sent contains infected files.
C:\Documents and Settings\Jerald\Cookies\INDEX.DAT - unable to open file - not scanned.
C:\Documents and Settings\Jerald\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - unable to open file - not scanned.
C:\Documents and Settings\Jerald\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - unable to open file - not scanned.
C:\Documents and Settings\Jerald\Local Settings\History\History.IE5\INDEX.DAT - unable to open file - not scanned.
C:\Documents and Settings\Jerald\Local Settings\History\History.IE5\MSHist012004112720041128\index.dat - unable to open file - not scanned.
C:\Documents and Settings\Jerald\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT - unable to open file - not scanned.
C:\Documents and Settings\Jerald\My Documents\Notebook backup\Netscape\Users\JERALD61\Mail\Sent>ffictionlynsfictionboarddiscussionfanfictiontalk[2].scr - Win32.Klez.H worm.
C:\Documents and Settings\Jerald\My Documents\Notebook backup\Netscape\Users\JERALD61\Mail\Sent contains infected files.
C:\Documents and Settings\Jerald\ntuser.dat - unable to open file - not scanned.
C:\Documents and Settings\Jerald\ntuser.dat.LOG - unable to open file - not scanned.
C:\Documents and Settings\LocalService\Cookies\index.dat - unable to open file - not scanned.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - unable to open file - not scanned.
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - unable to open file - not scanned.
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat - unable to open file - not scanned.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat - unable to open file - not scanned.
C:\Documents and Settings\LocalService\NTUSER.DAT - unable to open file - not scanned.
C:\Documents and Settings\LocalService\ntuser.dat.LOG - unable to open file - not scanned.
C:\Documents and Settings\NetworkService\Cookies\index.dat - unable to open file - not scanned.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - unable to open file - not scanned.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - unable to open file - not scanned.
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat - unable to open file - not scanned.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat - unable to open file - not scanned.
C:\Documents and Settings\NetworkService\NTUSER.DAT - unable to open file - not scanned.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - unable to open file - not scanned.
C:\hiberfil.sys - unable to open file - not scanned.
C:\I386\WBCACHE.DE_ - scan incomplete.
C:\I386\WBCACHE.EN_ - scan incomplete.
C:\I386\WBCACHE.ES_ - scan incomplete.
C:\I386\WBCACHE.FR_ - scan incomplete.
C:\I386\WBCACHE.IT_ - scan incomplete.
C:\I386\WBCACHE.NL_ - scan incomplete.
C:\I386\WBCACHE.SV_ - scan incomplete.
C:\pagefile.sys - unable to open file - not scanned.
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VIRUSLOG.TXT - unable to open file - not scanned.
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\change.log - unable to open file - not scanned.
C:\WINDOWS\Debug\PASSWD.LOG - unable to open file - not scanned.
C:\WINDOWS\Internet Logs\fwdbglog.txt - unable to open file - not scanned.
C:\WINDOWS\Internet Logs\fwpktlog.txt - unable to open file - not scanned.
C:\WINDOWS\Internet Logs\GEESLAPTOP.ldb - unable to open file - not scanned.
C:\WINDOWS\Internet Logs\IAMDB.RDB - unable to open file - not scanned.
C:\WINDOWS\Internet Logs\tvDebug.log - unable to open file - not scanned.
C:\WINDOWS\SchedLgU.Txt - unable to open file - not scanned.
C:\WINDOWS\SoftwareDistribution\EventCache\{7E1451E7-16E6-4EC4-8085-84AC573B9452}.bin - unable to open file - not scanned.
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\CONFIG\default - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\CONFIG\sam - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\CONFIG\security - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\CONFIG\software - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\CONFIG\system - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\H323LOG.TXT - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP - unable to open file - not scanned.
C:\WINDOWS\Temp\Perflib_Perfdata_524.dat - unable to open file - not scanned.
C:\WINDOWS\Temp\ZLT06d1e.TMP - unable to open file - not scanned.
C:\WINDOWS\WindowsUpdate.log - unable to open file - not scanned.

Finished scanning: 10:02:06 PM, 11/27/2004
Number of files scanned: 68890.
Number of files that could not be scanned: 61
Number of archives containing infected files: 2
Number of infections: 2
Number of infected files not cleaned/deleted/renamed: 2
C:\Documents and Settings\Jerald\Application Data\Mozilla\Profiles\jerald61\rdq5fbo5.slt\Mail\mail.netzero.net\Sent>ffictionlynsfictionboarddiscussionfanfictiontalk[2].scr (Win32.Klez.H worm)
C:\Documents and Settings\Jerald\My Documents\Notebook backup\Netscape\Users\JERALD61\Mail\Sent>ffictionlynsfictionboarddiscussionfanfictiontalk[2].scr (Win32.Klez.H worm)

Edited by SRRider, 28 November 2004 - 01:31 AM.



#2 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • Gender:Male
  • Location:The Pits Of Hell

Posted 28 November 2004 - 03:47 AM

hi

those files with:

unable to open file - not scanned.

they're locked by the operating system, and exclusively in use by the operating system; that's why the AV is not able to scan them. Nothing to worry about there.

just delete the infected files

post a HijackThis log as your next reply... just to be certain!

Edited by illukka, 28 November 2004 - 03:48 AM.

To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor
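
The distinction illukka draws above (a file the scanner "could not open" because Windows holds it exclusively versus a real detection) is easy to automate when reading an eTrust-style log. The following script is an added example for this thread, not code from eTrust or from any poster; it parses result lines of the form shown in the log, pulls out detections (noting that eTrust writes `container>member` when the hit sits inside a mailbox or archive), and splits the "not scanned" entries into files the OS is expected to keep locked (registry hives, pagefile, hiberfil, event logs, index.dat caches) and anything else. The sample input is constructed: most lines are copied from the log in this thread, while the `report.doc` line is invented to show an unscanned file that normal OS locking does not explain. The list of expected-locked patterns is a heuristic, not an exhaustive one.

```python
import re

# Constructed sample in the style of the eTrust EZ Antivirus log in this thread.
# The detection, container and four locked-file lines are copied from that log;
# the "report.doc" line is invented to show a locked file NOT explained by normal
# OS locking, which therefore deserves a second look.
SAMPLE_LOG = r"""
C:\Documents and Settings\Jerald\Application Data\Mozilla\Profiles\jerald61\rdq5fbo5.slt\Mail\mail.netzero.net\Sent>ffictionlynsfictionboarddiscussionfanfictiontalk[2].scr - Win32.Klez.H worm.
C:\Documents and Settings\Jerald\Application Data\Mozilla\Profiles\jerald61\rdq5fbo5.slt\Mail\mail.netzero.net\Sent contains infected files.
C:\Documents and Settings\Jerald\ntuser.dat - unable to open file - not scanned.
C:\WINDOWS\SYSTEM32\CONFIG\sam - unable to open file - not scanned.
C:\pagefile.sys - unable to open file - not scanned.
C:\hiberfil.sys - unable to open file - not scanned.
C:\I386\WBCACHE.DE_ - scan incomplete.
C:\Documents and Settings\Jerald\My Documents\report.doc - unable to open file - not scanned.
"""

# Files Windows keeps open exclusively while running (registry hives, page and
# hibernation files, event logs, IE index.dat caches, restore-point change logs).
# An on-demand scanner cannot read these from the live system, so seeing them in
# the "not scanned" list is expected. Heuristic list, not an exhaustive one.
EXPECTED_LOCKED = [
    r"\\ntuser\.dat(\.log)?$",
    r"\\UsrClass\.dat(\.log)?$",
    r"\\SYSTEM32\\CONFIG\\",
    r"\\index\.dat$",
    r"^C:\\(pagefile|hiberfil)\.sys$",
    r"\.evt$",
    r"\\System Volume Information\\",
    r"\.log$",
]
EXPECTED_LOCKED_RE = [re.compile(p, re.IGNORECASE) for p in EXPECTED_LOCKED]

LOCKED_SUFFIX = " - unable to open file - not scanned."
INCOMPLETE_SUFFIX = " - scan incomplete."
CONTAINER_SUFFIX = " contains infected files."
DETECTION_RE = re.compile(r"^(?P<path>.+?) - (?P<detection>.+)\.$")


def is_expected_locked(path):
    """True when the path matches a file the OS normally holds open."""
    return any(rx.search(path) for rx in EXPECTED_LOCKED_RE)


def parse_line(line):
    """Classify one eTrust-style result line into a small record."""
    line = line.rstrip()
    if line.endswith(LOCKED_SUFFIX):
        path = line[: -len(LOCKED_SUFFIX)]
        return {"kind": "locked", "path": path, "expected": is_expected_locked(path)}
    if line.endswith(INCOMPLETE_SUFFIX):
        return {"kind": "incomplete", "path": line[: -len(INCOMPLETE_SUFFIX)]}
    if line.endswith(CONTAINER_SUFFIX):
        return {"kind": "container", "path": line[: -len(CONTAINER_SUFFIX)]}
    m = DETECTION_RE.match(line)
    if m:
        # eTrust writes "container>member" when the hit is inside an archive or
        # mailbox file; in the thread's log the .scr sits inside the Sent mailbox.
        container, sep, member = m.group("path").partition(">")
        return {
            "kind": "infection",
            "container": container if sep else None,
            "member": member if sep else container,
            "detection": m.group("detection"),
        }
    return {"kind": "other", "path": line}


def triage(log_text):
    """Summarise a scan log: real detections first, then unscanned files split
    into OS-locked (expected) and everything else (worth a closer look)."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        "infections": [r for r in records if r["kind"] == "infection"],
        "locked_expected": [r["path"] for r in records if r["kind"] == "locked" and r["expected"]],
        "locked_unexpected": [r["path"] for r in records if r["kind"] == "locked" and not r["expected"]],
        "incomplete": [r["path"] for r in records if r["kind"] == "incomplete"],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hit in result["infections"]:
        print(f"DETECTION  {hit['detection']}: {hit['member']} (inside {hit['container']})")
    print(f"{len(result['locked_expected'])} unscanned files are OS-locked, as expected")
    for path in result["locked_unexpected"]:
        print(f"REVIEW     locked but not a known system file: {path}")
```

Run against the constructed sample it reports one detection (the Klez attachment inside the Sent mailbox), four expected OS-locked files, and the invented `report.doc` as the only locked file worth asking about. The "scan incomplete" entries are kept separate, since they are a different condition from a locked file.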

#3 SRRider

SRRider
  • Topic Starter

  • Members
  • 3 posts

Posted 29 November 2004 - 02:07 AM

This is the HijackThis log:
Dell Inspiron 4100

Logfile of HijackThis v1.98.2
Scan saved at 12:04:16 AM, on 11/29/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\EZReport.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\helpctr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\VCOM\PowerDesk\PDExplo.exe
C:\DOCUME~1\Jerald\LOCALS~1\Temp\~~PDTEMP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netscape.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\Fix-It\MemCheck.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.alpineaccess.com
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/24937dc5705045d6d923/...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
O16 - DPF: {A6A216EB-4F7C-11D5-8438-0000B456BA3D} (Matn5250 Control) - https://www.alpineaccess.com/mocha5250/matn5250.cab
O16 - DPF: {A8CF21B0-75F9-4B5F-8D90-E67E8F3922F3} (AlpineAccessPhoneDialerX Control) - http://alpineaccess.com/programs/AlpineAccessDialer2.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...404/mcfscan.cab

#4 illukka

illukka

    retar.. erm retired!


  • Security Colleague
  • 2,858 posts
  • Gender:Male
  • Location:The Pits Of Hell

Posted 29 November 2004 - 01:35 PM

fix these with HijackThis:


O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/24937dc5705045d6d923/...ip/RdxIE601.cab

This looks suspicious; the CLSID is unknown to Google!

O16 - DPF: {A8CF21B0-75F9-4B5F-8D90-E67E8F3922F3} (AlpineAccessPhoneDialerX Control) - http://alpineaccess.com/programs/AlpineAccessDialer2.cab

do you have any idea what it is??

if not, fix it ;)

then reboot and post a fresh log

To Ride, Shoot Straight And Speak The Truth

a retired malware fighter/teacher/advisor
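
illukka's two checks on the O16 entries (is the CLSID known, and is the download source one the user can account for) can be expressed as a small triage pass over the HijackThis log. The script below is an added example for this thread, not part of HijackThis or of any poster's reply. It parses `O16 - DPF:` lines, compares the CLSID against an analyst's allowlist of controls already identified as legitimate, and notes two properties of the download URL that make an entry worth asking about: a bare IP address as the host (as in the RdxIE line) and a `file://` source pointing at local media. The four input lines are copied from the log above, with their truncated URLs left as the log shows them; the allowlist is an assumption made for the example (it treats only the HouseCall control as vetted) and is not a vetted list of any kind.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed input: four O16 lines copied from the HijackThis log in this thread.
# Truncated URLs ("...") are left exactly as the log shows them.
SAMPLE_O16 = """\
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\\content\\include\\XPPatchInstaller.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/24937dc5705045d6d923/...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
"""

# An analyst's own list of CLSIDs already identified as legitimate. This set is an
# assumption made for the example (only the HouseCall control is treated as vetted);
# a real list is built from vendor documentation, never guessed.
VETTED_CLSIDS = {"{74D05D43-3236-11D4-BDCD-00C04F9A3B61}"}

O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>.+?)\) - (?P<url>\S+)$"
)


def parse_o16(line):
    """Return {clsid, name, url} for an O16 line, or None for any other line."""
    m = O16_RE.match(line.strip())
    return m.groupdict() if m else None


def review_reasons(entry, vetted):
    """List why an O16 entry deserves a closer look (empty list = nothing noted)."""
    reasons = []
    if entry["clsid"].upper() not in {c.upper() for c in vetted}:
        reasons.append("clsid-not-vetted")
    parts = urlsplit(entry["url"])
    if parts.scheme == "file":
        # Installed from local media rather than downloaded; the user should be
        # able to say which CD or disk it came from.
        reasons.append("local-file-source")
    else:
        host = parts.hostname or ""
        try:
            ipaddress.ip_address(host)
            # Legitimate vendors almost always serve controls from a named host.
            reasons.append("bare-ip-host")
        except ValueError:
            pass
    return reasons


def triage_o16(log_text, vetted=VETTED_CLSIDS):
    """Return (clsid, name, reasons) for every O16 entry with at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o16(line)
        if entry is None:
            continue
        reasons = review_reasons(entry, vetted)
        if reasons:
            flagged.append((entry["clsid"], entry["name"], reasons))
    return flagged


if __name__ == "__main__":
    for clsid, name, reasons in triage_o16(SAMPLE_O16):
        print(f"{clsid} ({name}): {', '.join(reasons)}")
```

On the constructed input the HouseCall control passes (vetted CLSID, named host), the drivershq entry is listed only because its CLSID is not on the allowlist, the CD-based PatchInstaller is listed as a local-file source, and the RdxIE entry collects both the unvetted CLSID and the bare-IP host, which is the combination illukka singles out. Being listed means "ask the user what this is", exactly the question posed in the reply above, not "delete".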



