
Infected With Antispyware Soldier


12 replies to this topic

#1 anakin skywalker


Posted 02 November 2006 - 07:13 PM

Hi everyone; I'm having some problems with my computer these days. I think it's about a spyware called "antispyware soldier". When I downloaded the file with the same name, my computer began to give security alerts and pop-ups titled "System security center alert".

Here is my HJT log, please help me!

Logfile of HijackThis v1.99.1
Scan saved at 02:06:45, on 03.11.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\VM303_STI.EXE
C:\WINDOWS\System32\adirss.exe
C:\WINDOWS\System32\wservice.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Billionton\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O1 - Hosts: 221.130.176.199 www.chenshijituan.com
O1 - Hosts: 222.208.183.246 www.realwinxp.com
O1 - Hosts: 61.152.90.31 www.chenshijituan.com
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O3 - Toolbar: &Radyo - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Windows Workstation Service [5 1 2600]] winmupge.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [adir] C:\WINDOWS\System32\adirss.exe
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\System32\wservice.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [Windows Workstation Service [5 1 2600]] winmupge.exe
O4 - HKCU\..\Run: [Windows Workstation Service [5 1 2600]] winmupge.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ScanRegistry] C:\Program Files\Common Files\update\update.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\System32\wservice.exe
O4 - HKCU\..\RunServices: [Windows Workstation Service [5 1 2600]] winmupge.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FLASHGET\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FLASHGET\jc_link.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Billionton\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O20 - AppInit_DLLs: 75976M.BMP
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Billionton\Bluetooth Software\bin\btwdins.exe
O23 - Service: KLBLMain - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe (file missing)
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



#2 Blender


Posted 02 November 2006 - 10:36 PM

Hi and welcome

You have one nasty mess on board. Know off-hand what site did this? or IM link?

Wish I had better news. :thumbsup:

You have several backdoors installed along with at least 1 rootkit, spambots, and at least 1 virus.
This virus has infected many of your exe files which will explain why many of your programs are not working right. (if at all)
Of particular importance, most if not all of your security software is infected as well & therefore cannot protect you from anything.

If you use this computer for anything sensitive such as banking, online CC purchases, paypal or like services I would highly suggest calling these companies to watch your accounts.
Once computer is clean you will need to change ALL your passwords to these accounts and any other online groups/services you belong to.
Anyone else who uses the computer for similar activities will need to change their passwords as well.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

Here is some info to read.:

How do I handle possible Identity theft, Internet Fraud & CC Fraud?:

http://www.dslreports.com/faq/10451

This is something I don't like to recommend normally, but with a computer this badly infected it would be the best solution for your safety to format the drive and do a fresh install of the operating system. Consider this especially if there is important or confidential information stored on your hard disk.

some more to read:

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

If for some reason you can't format do you have another computer available to work from?
I really don't want this one online while we try fixing it.
More crappies will keep installing as we work.

Let me know what you want to do please.

Thanks :flowers:

Blender
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image

#3 anakin skywalker


Posted 03 November 2006 - 04:07 AM

Thanks for your answer Blender. I have another computer available to work from; I can format the drive too, but my first choice is fixing it. Is this possible?

Thanks for your help and sorry for my bad English :thumbsup:

Edited by anakin skywalker, 03 November 2006 - 04:12 AM.


#4 Blender


Posted 03 November 2006 - 04:48 AM

Hi

We can try fixing it but I cannot guarantee the system will be safe to do anything sensitive like banking and such.
I know how to rip out these malwares but if this crap was on my machine...I would not try saving it.

If you have any important documents, mp3, etc I suggest backing those puppies up now.
There is a lot wrong here and we just might crash totally & be forced to format.
I can't guarantee we're not going to "lose it".

Whatever you do back up...don't back up ANY exes or SCR files. (programs or screensavers)
The virus you have infects them and you risk spreading the virus to the other computer.

It will take several tools and fix routines to get it done.

Tools needed:

Best to save these to a usb stick or cd before putting them to the infected computer.
You might need to replace them a few times.

Fresh copy of HijackThis. (likely the one you have now is infected & broken)

http://spywarewarrior.com/files/HijackThis.exe

Dr.Web's CureIt:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

SDFix:

http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

-------------------------------

Fixes:

Copy the files you downloaded to a folder on the desktop.

If you have not already.....disconnect from internet.

Open your task manager (right click in task bar> choose task manager)
End task the following items if listed: --(not all are bad but the less we have running the easier fixes will go)

DUMeter.exe
qttask.exe
jusched.exe
UnlockerAssistant.exe
adirss.exe
wservice.exe
realsched.exe
msmsgs.exe
msnmsgr.exe
iexplore.exe
winmupge.exe
regscan.exe
update.exe


Go ahead and shut down your AVG and AntiVir as well.

Once those are ended...

Open Hijackthis (the new one)
Run system scan only and check: (if listed)

O1 - Hosts: 221.130.176.199 www.chenshijituan.com
O1 - Hosts: 222.208.183.246 www.realwinxp.com
O1 - Hosts: 61.152.90.31 www.chenshijituan.com
<--unless you added these hosts?

O4 - HKLM\..\Run: [Windows Workstation Service [5 1 2600]] winmupge.exe
O4 - HKLM\..\Run: [adir] C:\WINDOWS\System32\adirss.exe
O4 - HKLM\..\Run: [UpdateService] C:\WINDOWS\System32\wservice.exe
O4 - HKLM\..\RunServices: [Windows Workstation Service [5 1 2600]] winmupge.exe
O4 - HKCU\..\Run: [Windows Workstation Service [5 1 2600]] winmupge.exe
O4 - HKCU\..\Run: [ScanRegistry] C:\Program Files\Common Files\update\update.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\System32\wservice.exe
O4 - HKCU\..\RunServices: [Windows Workstation Service [5 1 2600]] winmupge.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
<--If you set these IE restrictions then you can ignore the O6 lines to fix.

O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O20 - AppInit_DLLs: 75976M.BMP
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)


Once checked close ALL open windows except hijackthis & click "Fix checked".

Exit hijackthis.

Double-click the drweb-cureit.exe file and allow it to run the express scan.

This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.

Once the short scan has finished, select the drives that you want to scan.

Select all drives. A red dot shows which drives have been chosen.

Click the green arrow > to the right and the scan will begin.

At the first infection, select 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, click the "Select all" toggle button (if available) next to the files found

Then click the green cup icon right below and select Move incurable

This will move any infected files that can't be cured to the %userprofile%\DoctorWeb\quarantaine-folder (in case we need samples).

Then, from the main Dr.Web CureIt menu (top left), click File and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv

Close Dr.Web Cureit and Restart your computer to completely remove any stubborn files in reboot.

Right click the SDFix.zip folder and choose Extract All to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Let me know how machine is running please.

There is still more work to do! Keep it offline if possible please.

If you are using a usb stick to transfer files back & forth...Do scan that drive with AV on good computer before using ANYTHING off there.
There is a chance the contents of the usb stick could be infected from other computer.

Thanks :thumbsup:
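As an added example (not code from the original post or from HijackThis), here is a small Python triage that encodes the reasoning Blender used to pick entries out of the log above: hosts redirects, path-less or RunServices autostarts, Trusted Zone additions, AppInit_DLLs, dangling Winlogon Notify entries and ownerless services with a missing binary. The severity labels are my own construction, the sample lines are copied from the first log in the thread, and the output is a shortlist to review by hand, not a verdict.

```python
import re
from typing import Dict, List

# Constructed sample: eleven lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 221.130.176.199 www.chenshijituan.com
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Workstation Service [5 1 2600]] winmupge.exe
O4 - HKLM\..\RunServices: [Windows Workstation Service [5 1 2600]] winmupge.exe
O4 - HKCU\..\Run: [UpdateService] C:\WINDOWS\System32\wservice.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O15 - Trusted Zone: *.iframedollars.biz
O20 - AppInit_DLLs: 75976M.BMP
O20 - Winlogon Notify: xartcd5 - xartcd5.dll (file missing)
O23 - Service: Network Logon (NetWorkLogon) - Unknown owner - rundll32.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
""".strip()

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# O4 body: "<hive>\..\<key>: [<name>] <command>"; the name may itself contain brackets.
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>.+)\] (?P<cmd>.+)$")

Finding = Dict[str, str]


def _executable(cmd: str) -> str:
    """First token of an autostart command, honouring a quoted path."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def triage_entry(section: str, body: str) -> List[Finding]:
    """Apply the heuristics to one parsed entry and return its findings (possibly none)."""
    findings: List[Finding] = []

    def flag(severity: str, reason: str) -> None:
        findings.append({"entry": f"{section} - {body}", "severity": severity, "reason": reason})

    if section == "O1":
        # A hosts entry pointing a name at anything but loopback silently redirects traffic.
        fields = body.split(":", 1)[1].split()
        if fields and fields[0] not in ("127.0.0.1", "::1"):
            flag("high", "hosts file maps a name to a non-loopback address")
    elif section == "O4":
        m = O4_RE.match(body)
        if m:
            if not re.search(r"[\\/:]", _executable(m.group("cmd"))):
                # Every malicious O4 line Blender ticked was path-less; SoundMan shows it is only a hint.
                flag("medium", "autostart uses a bare filename with no path")
            if m.group("key") == "RunServices":
                # Windows 9x key that XP does not process; malware writes it for cross-version persistence.
                flag("high", "RunServices autostart on an NT system")
    elif section == "O15":
        flag("high", "domain added to the IE Trusted Zone")
    elif section == "O20":
        if body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:
                sev = "high" if not value.lower().endswith(".dll") else "medium"
                flag(sev, "AppInit_DLLs set; a non-.dll extension is a DLL in disguise")
        elif "(file missing)" in body:
            flag("medium", "Winlogon Notify points at a DLL that is missing on disk")
    elif section == "O23":
        if "Unknown owner" in body and "(file missing)" in body:
            flag("high", "service with no publisher and a missing binary")
    return findings


def triage_log(text: str) -> List[Finding]:
    """Parse every 'Oxx - ...' line of a HijackThis log and collect the findings."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            findings.extend(triage_entry(m.group("section"), m.group("body")))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 5, 'medium': 4} for SAMPLE_LOG."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}: {f['entry']}")
    print(summarize(triage_log(SAMPLE_LOG)))
```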

#5 anakin skywalker


Posted 03 November 2006 - 05:19 AM

I want to ask something: if I copy my mp3 files, pictures, wmv files and some important Word files to D: (my hard disk is split into 2 parts, C and D, and there isn't anything in the D part except my games), and format the C part only, will my computer be cleaned completely?

#6 Blender


Posted 03 November 2006 - 06:16 AM

Hi

As long as you scan your D:\ drive before installing anything from there, yes, you should be OK.

Unknown to me if this virus infects other drives or not. I would imagine it does.

You can tell if the Luder worm/virus is on D:\ if there are a bunch of randomly named files like uhfgueie.t on that drive.

They are hidden files and you will need to enable your system to show hidden files.

Reveal Hidden Files
  • Click Start.
  • Open My Computer.
  • Select Tools menu
  • Click Folder Options.
  • Select the View Tab.
  • Select Show hidden files and folders in the Hidden files and folders section.
  • Uncheck Hide protected operating system files (recommended) option.
  • Uncheck the Hide file extensions for known file types option.
  • Click Yes.
  • Click OK.


Once you format though...the virus is not "Active" and D:\ will be cleanable if infected.

Before you put that machine on the wild wild internet...

You will need:

An antivirus
A 3rd party firewall (XP's is not good enough)
Service Pack 2
Drivers for your hardware if you don't already have em.

These I would put on a cd and install them before connecting to internet.

Once you install those...go to windows update and get all critical updates listed.
make sure your antivirus is updated.

I would not install IE7 yet. Lots of people still having problems with it.

Also recommended:

SpywareBlaster
IE-Spyad
An antispyware program

All this info can be found at any of these links:

http://www.geekstogo.com/forum/index.php?a...;page=How_did_I
http://boards.cexx.org/index.php?topic=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Run that Dr.Web CureIt tool on the D:\ drive to clean up any infections there before moving anything back to C:\


Once that has been done make a fresh restore point and flush the old.
D:\ Drive will have its restore files too and if any are infected....

let me know how you make out. :thumbsup:

#7 anakin skywalker


Posted 03 November 2006 - 04:58 PM

I have formatted my C drive and here is my new HijackThis log. I don't think that I still have viruses but probably you would like to see my log:

Logfile of HijackThis v1.99.1
Scan saved at 23:52:12, on 03.11.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTFMON.EXE
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

#8 Blender


Posted 03 November 2006 - 10:53 PM

Hi

Log looks good. :thumbsup:

You got D:\ drive cleaned up OK?
Did the infection spread to that drive? I ask because this virus is still under study and not everything about it is known yet.

#9 anakin skywalker


Posted 04 November 2006 - 01:08 AM

Yes, true, when I scanned my computer with AVG it still found some viruses in D; what must I do? I think I forgot to delete some exe files from D. Is there any way to clean D except formatting?

#10 anakin skywalker


Posted 05 November 2006 - 03:57 PM

When I scanned my D drive with AVG it found 8 trojans connected to two rar files; it gave no warnings after I deleted the two files (when I scanned my C drive it gave no warnings). And here is my HJT log about the last situation of my PC, can you tell me if there are any more problems?

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

#11 Blender


Posted 06 November 2006 - 04:27 AM

Hi

Log looks OK. Shouldn't need to format D:\. Likely just a few files hanging around from previous infection.

If the D:\ drive is still showing some infected files, try Dr.Web CureIt:

Download Dr.Web's CureIt to your desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double-click the drweb-cureit.exe file and allow it to run the express scan.

This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.

Once the short scan has finished, select the drives that you want to scan.

Select all drives. A red dot shows which drives have been chosen. (In your case it is likely sufficient to only scan D:\)

Click the green arrow > to the right and the scan will begin.

At the first infection, select 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, click the "Select all" toggle button (if available) next to the files found

Then click the green cup icon right below and select Move incurable

This will move any infected files that can't be cured to the %userprofile%\DoctorWeb\quarantaine-folder (in case we need samples).

Then, from the main Dr.Web CureIt menu (top left), click File and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv

Close Dr.Web Cureit and Restart your computer to completely remove any stubborn files in reboot.
(Not likely you will need a reboot since they are not "in use")

Post back with the DrWeb.csv report please.

Thanks :thumbsup:

#12 anakin skywalker


Posted 06 November 2006 - 07:04 AM

Hi again;
I have scanned both my C: and D: drives with Dr.Web and it has found no viruses, so I can't put the report here (I can't choose the "save report list" function). What must I do now?

Thanks.

#13 Blender


Posted 12 November 2006 - 02:52 AM

Hi there

Sorry for the delay. I missed your topic reply notice. :|

Dr.Web not seeing anything as well as AVG not seeing anything most likely means you are OK now.

If you still have hidden files showing you can go back and hide them again. I would leave file extensions showing though.

If you have not already..don't forget to activate your windows. (30 day limit)

Stuff still running good?



