

Infested


14 replies to this topic

#1 pr0xy333

pr0xy333

  • Members
  • 14 posts
  • Location:NorCal

Posted 27 March 2007 - 04:38 PM

Hello.

First, I would like to thank everyone here for offering such a great service to the computing world, and secondly, I'd like to introduce myself.

Now, to business. I'm a sysadmin at a small organization, and I usually help people clean their Windows machines on the side. I recently reformatted/reinstalled a box for a buddy. I gave him ZA and AVG, thinking those sufficient and very workable for non-techies. Now, a few weeks later, he is coming to me with notions that he has a virus.

Well, his box is infested. I figured that I could blow it all out of the water, but after I got past

malwarewipe
Zlob I
spylocked

and realized that there was yet more that I couldn't deal with (AVG comes up clean, some files are locked and resist deletion through the command line, Unlocker failed miserably), I decided to call in the big guns, aka, you.

Here's the log.

--------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:15:58 PM, on 3/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
E:\Apps\HijackThis\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video Access ActiveX Object\isadd.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pest-Capture] C:\Program Files\PestCapture\PestCapture.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173980387176
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

-------------------------------

Thanks.
Whoever undertakes to set himself up as a judge of Truth and Knowledge is shipwrecked by the laughter of the gods. Albert Einstein


#2 logreeval

logreeval

  • Members
  • 351 posts
  • Location:Petaluma, California

Posted 27 March 2007 - 06:48 PM

Hello and welcome to BleepingComputer!

I am logreeval and will be helping you clean that computer :flowers:

Give me some time to look over the log and I will post back ASAP! :thumbsup:

logreeval

Are you infected? If you need help, go here!
Do you want to learn how you got infected, and how to prevent it? Try looking here!
For some free malware removal/prevention tools, and some malware prevention advice, check out my site!

Please don't PM me asking for help, post on the forums instead.

Am I helping you and haven't replied in a few days? Go ahead and send me a polite PM.



#3 logreeval

logreeval

  • Members
  • 351 posts
  • Location:Petaluma, California

Posted 28 March 2007 - 09:34 AM

Hey again :thumbsup:

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

IMPORTANT
I do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (real-time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to cause false alarms. It can also lead to a clash as both products fight for access to files which are opened again: this is the resident/automatic protection. In general terms, the programs may conflict and cause:
- False Alarms - When the antivirus software tells you that your PC has a virus when it actually doesn't.
- System Performance Problems - Your system may lock up due to both software products attempting to access the same file at the same time.

Therefore please go to Start > Control Panel > Add/Remove Programs and remove either your McAfee or AVG Anti-Virus.

===============

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

PestCapture is known to be rogue, as seen here > Spyware Warrior

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKCU\..\Run: [Pest-Capture] C:\Program Files\PestCapture\PestCapture.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

PestCapture

Please note any other programs that you don't recognize in that list in your next response.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\PestCapture

After that, Reboot.

===============

Please download SmitfraudFix (by S!Ri) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

===============

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
===============

When done post a fresh HijackThis log, the Kaspersky log and the SmitfraudFix log.

logreeval

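A small triage script for the HijackThis v1.99.1 log format quoted in this thread, added here as an example; it is not HijackThis, SmitfraudFix or any BleepingComputer tool. It assumes the line layout shown in the posted logs and uses an illustrative seed list of rogue names (PestCapture as identified above, plus the two names the original poster says he removed); it flags the same three things a helper checks by eye: autostarts for a known rogue, autostarts running from a Temp directory, and BHOs that are unnamed or point to a missing DLL.

```python
"""Added example: triage a HijackThis v1.99.1 log for entries worth a second look.

Not HijackThis, SmitfraudFix or a thread tool. Reads the plain-text log format
posted in the thread and flags: autostart entries naming a known rogue program,
autostart entries whose executable lives under a Temp directory, and BHO
registrations that are unnamed or point to a missing file.
"""
import re
from dataclasses import dataclass
from typing import List

# Illustrative seed list (assumption): PestCapture is called rogue in the thread;
# the other two are the infections the original poster says he removed.
# In practice, extend this from a trusted rogue-software list.
ROGUE_NAMES = {"pestcapture", "pest-capture", "malwarewipe", "spylocked"}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# e.g. "HKCU\..\Run: [Pest-Capture] C:\Program Files\PestCapture\PestCapture.exe"
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# e.g. "BHO: (no name) - {CLSID} - C:\path\file.dll (file missing)"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Finding:
    code: str    # HijackThis section, e.g. "O4"
    reason: str
    line: str


def _check_run(code: str, body: str, line: str) -> List[Finding]:
    m = RUN_RE.match(body)
    if not m:
        return []   # "O4 - Startup:" / "Global Startup:" lines are not examined here
    name, cmd = m.group("name").lower(), m.group("cmd")
    haystack = name + " " + cmd.lower()
    if any(rogue in haystack for rogue in ROGUE_NAMES):
        return [Finding(code, "autostart for a known rogue program", line)]
    if TEMP_RE.search(cmd):
        return [Finding(code, "autostart runs from a Temp directory; verify the file", line)]
    return []


def _check_bho(code: str, body: str, line: str) -> List[Finding]:
    m = BHO_RE.match(body)
    if not m:
        return []
    reasons = []
    if m.group("name") == "(no name)":
        reasons.append("unnamed BHO")
    if "(file missing)" in m.group("path"):
        reasons.append("DLL missing, orphaned registration")
    return [Finding(code, "; ".join(reasons), line)] if reasons else []


def triage(log_text: str) -> List[Finding]:
    """Return findings in log order. Lines not flagged passed these checks only."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O4":
            findings.extend(_check_run(code, body, line))
        elif code == "O2":
            findings.extend(_check_bho(code, body, line))
    return findings


# Constructed sample: a handful of lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video Access ActiveX Object\isadd.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Eric\LOCALS~1\Temp\2007328134823_mcinfo.exe /insfin
O4 - HKCU\..\Run: [Pest-Capture] C:\Program Files\PestCapture\PestCapture.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

A Temp-directory hit is a prompt to verify, not a verdict; installers and updaters legitimately stage files there, so check the file before fixing the entry.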


#4 pr0xy333

pr0xy333
  • Topic Starter

  • Members
  • 14 posts
  • Location:NorCal

Posted 28 March 2007 - 01:57 PM

Thanks for the speedy and professional reply. I usually avoid forums because I'm not well versed in l33t. ;)

Like I said above, I help coworkers fix their personal machines on the side, so I haven't had time to perform the above listed tasks. I would just like to thank you for your help beforehand. I will most likely be able to clean this machine out tonight, and I'll post the logs as you have asked then.

Again, thanks.

#5 logreeval

logreeval

  • Members
  • 351 posts
  • Location:Petaluma, California

Posted 28 March 2007 - 02:04 PM

It is my pleasure :flowers:

I am glad that I can help you help your coworker out :thumbsup:

Thanks for the nice comments :huh:

logreeval

Edited by logreeval, 28 March 2007 - 02:06 PM.



#6 pr0xy333

pr0xy333
  • Topic Starter

  • Members
  • 14 posts
  • Location:NorCal

Posted 28 March 2007 - 06:14 PM

Here are the log texts.

SmitFraudFix v2.158

Scan done at 14:04:44.43, Wed 03/28/2007
Run from C:\Documents and Settings\Eric\Desktop\SmitFraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{b292ec9f-a074-4115-8342-1f459702d8d2}"="characterizing"

[HKEY_CLASSES_ROOT\CLSID\{b292ec9f-a074-4115-8342-1f459702d8d2}\InProcServer32]
@="C:\WINDOWS\system32\fyxkaah.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b292ec9f-a074-4115-8342-1f459702d8d2}\InProcServer32]
@="C:\WINDOWS\system32\fyxkaah.dll"


Killing process


hosts


127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\fyxkaah.dll -> Hoax.Win32.Renos.gen.j
C:\WINDOWS\system32\fyxkaah.dll -> Deleted


Deleting infected files


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, March 28, 2007 4:08:04 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 29/03/2007
Kaspersky Anti-Virus database records: 288331
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 32188
Number of viruses found: 4
Number of infected objects: 47
Number of suspicious objects: 0
Duration of the scan process: 01:06:42

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Eric\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Eric\Desktop\SmitFraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Eric\Desktop\SmitFraudFix\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Eric\Desktop\SmitFraudFix\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Eric\Desktop\SmitFraudFix\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Eric\Desktop\SmitFraudFix\SmitfraudFix.exe PE_Patch.UPX: infected - 2 skipped
C:\Documents and Settings\Eric\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Eric\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Eric\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Eric\Local Settings\Temp\Temporary Directory 1 for isamini.zip\isamini.exe Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\Documents and Settings\Eric\Local Settings\Temp\Temporary Directory 2 for isamini.zip\isamini.exe Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\Documents and Settings\Eric\Local Settings\Temp\Temporary Directory 3 for isamini.zip\isamini.exe Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\Documents and Settings\Eric\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Eric\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Eric\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Eric\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP154\A0006639.dll Infected: Trojan-Downloader.Win32.Zlob.ang skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP154\A0006640.exe Object is locked skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP154\A0006641.exe Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP154\A0006644.exe Object is locked skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP154\A0006651.dll Infected: Trojan-Downloader.Win32.Zlob.ang skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP154\A0006652.exe Object is locked skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP154\A0006653.exe Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP154\A0006668.dll Infected: Trojan-Downloader.Win32.Zlob.ang skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP154\A0006669.exe Object is locked skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP154\A0006670.exe Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP155\A0006749.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.bqr skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP155\A0006749.exe/stream Infected: Trojan-Downloader.Win32.Zlob.bqr skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP155\A0006749.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP155\A0006749.exe UPX: infected - 2 skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP155\A0006749.exe PE_Patch.UPX: infected - 2 skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP155\A0006750.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.bqr skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP155\A0006750.exe/stream Infected: Trojan-Downloader.Win32.Zlob.bqr skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP155\A0006750.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP155\A0006750.exe UPX: infected - 2 skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP155\A0006750.exe PE_Patch.UPX: infected - 2 skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP155\A0006751.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.bqr skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP155\A0006751.exe/stream Infected: Trojan-Downloader.Win32.Zlob.bqr skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP155\A0006751.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP155\A0006751.exe UPX: infected - 2 skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP155\A0006751.exe PE_Patch.UPX: infected - 2 skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP156\A0006834.dll Infected: Trojan-Downloader.Win32.Zlob.ang skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP156\A0006835.exe Object is locked skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP156\A0006836.exe Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP156\A0007825.dll Infected: Trojan-Downloader.Win32.Zlob.ang skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP156\A0007826.exe Object is locked skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP156\A0007827.exe Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP156\A0007839.dll Object is locked skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP156\A0007840.dll Object is locked skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP156\A0007841.dll Object is locked skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP156\A0007842.dll Object is locked skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0007896.dll Infected: Trojan-Downloader.Win32.Zlob.ang skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0007897.exe Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0007898.exe Object is locked skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0008895.dll Infected: Trojan-Downloader.Win32.Zlob.ang skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0008896.exe Object is locked skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0008898.exe Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0008915.dll Infected: Trojan-Downloader.Win32.Zlob.ang skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0008916.exe Object is locked skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0008917.exe Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0009920.dll Infected: Trojan-Downloader.Win32.Zlob.ang skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0009921.exe Object is locked skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0009922.exe Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0009950.exe Object is locked skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0009951.dll Infected: Trojan-Downloader.Win32.Zlob.ang skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0009952.exe Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0009977.dll Infected: Trojan-Downloader.Win32.Zlob.ang skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0009978.exe Object is locked skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0009979.exe Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0009991.exe Object is locked skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0009994.exe Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0009995.exe Infected: Trojan-Downloader.Win32.Zlob.bpn skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\A0010134.dll Object is locked skipped
C:\System Volume Information\_restore{BC5D32B0-6FC2-4263-872C-CA87C202DA31}\RP157\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\ERICSLAPTOP.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6F0A3400-EDBC-465F-BE84-BA5494749EBC}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT01b71.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT01b74.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 4:09:44 PM, on 3/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Internet Explorer\iexplore.exe
E:\Apps\HijackThis\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Eric\LOCALS~1\Temp\2007328134823_mcinfo.exe /insfin
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173980387176
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Whoever undertakes to set himself up as a judge of Truth and Knowledge is shipwrecked by the laughter of the gods. Albert Einstein

#7 pr0xy333 (Topic Starter, Members, 14 posts, Location: NorCal)

Posted 28 March 2007 - 06:18 PM

I would like to note that as I was scanning the box AVG alerted me to many of the infected files. I chose not to take action with AVG as to not complicate this process; I eagerly await your reply.

#8 logreeval (Members, 351 posts, Location: Petaluma, California)

Posted 28 March 2007 - 07:00 PM

Sorry, but I will post back later tonight or tomorrow morning.

Thanks for your patience :thumbsup:

logreeval

Are you infected?, if you need help, go here!
Do you want to learn how you got infected, and how to prevent it? Try looking here!
For some free malware removal/prevention tools, and some malware prevention advice, check out my site!

Please don't PM me asking for help, post on the forums instead.

Am I helping you and haven't replied in a few days?, Go ahead and send me a polite PM.


#9 pr0xy333 (Topic Starter, Members, 14 posts, Location: NorCal)

Posted 28 March 2007 - 11:45 PM

No problem. Thanks for your help.

#10 logreeval (Members, 351 posts, Location: Petaluma, California)

Posted 28 March 2007 - 11:56 PM

Here I am :flowers:

If AVG detects something have it Move to Vault. :thumbsup:

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

==========

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
==========

When done post a fresh HijackThis log and the SuperAntiSpyware log.



#11 pr0xy333 (Topic Starter, Members, 14 posts, Location: NorCal)

Posted 29 March 2007 - 01:15 PM

Here you go. AVG came up with some items, so I moved them to the vault. I think that may be why the superspyware app came up clean.

SUPERAntiSpyware Scan Log
Generated 03/29/2007 at 10:39 AM

Application Version : 3.6.1000

Core Rules Database Version : 3143
Trace Rules Database Version: 1159

Scan type : Complete Scan
Total Scan Time : 00:41:29

Memory items scanned : 389
Memory threats detected : 0
Registry items scanned : 3526
Registry threats detected : 0
File items scanned : 31738
File threats detected : 0

Logfile of HijackThis v1.99.1
Scan saved at 10:56:24 AM, on 3/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\notepad.exe
E:\Apps\HijackThis\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Eric\LOCALS~1\Temp\2007328134823_mcinfo.exe /insfin
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173980387176
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#12 pr0xy333 (Topic Starter, Members, 14 posts, Location: NorCal)

Posted 29 March 2007 - 01:22 PM

I'm pretty sure that I understand the HijackThis logs. When I first encountered HijackThis I was pretty green. I'm by no means an expert, but I've had to hack a few registry keys in the meantime and I run currprocess and currports, startuprun etc. freeware on all machines I deal with, so I've become accustomed to these types of files. I just need to become more familiar with standard activity versus anomalous entries, but I'm not opposed to asking the experts!

What's your verdict?
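For readers who, like the topic starter, want to tell routine HijackThis entries from ones worth a second look, here is an added example. It is not code from this thread or from the HijackThis project; it is a small Python script that parses the O-lines of the two logs posted above, flags any O4 (autorun) entry whose command line points into a Temp directory, and diffs the two logs so you can see what changed between scans. The log excerpts are copied from the posts above; the Temp-path rule is my own triage heuristic, not a HijackThis rule, and a hit only means "check this", not "this is malware".

```python
import re
from typing import Dict, List, Tuple

# Excerpts of the two HijackThis logs posted in this thread (28 March and
# 29 March 2007), embedded verbatim so the script runs offline. Raw strings
# keep the Windows backslashes intact.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 4:09:44 PM, on 3/28/2007

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Eric\LOCALS~1\Temp\2007328134823_mcinfo.exe /insfin
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 10:56:24 AM, on 3/29/2007

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Eric\LOCALS~1\Temp\2007328134823_mcinfo.exe /insfin
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# A HijackThis finding: section code (O2, O4, O20, ...) and the rest of the line.
ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")

# Path fragments that mark per-user or system temporary directories. A persistent
# autorun whose target lives there deserves a second look, since software that
# is meant to stay installed normally registers itself from a permanent location.
# This list is my own triage heuristic (assumption), not a HijackThis rule.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp", "\\local settings\\temp", "\\tmp\\")


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Group the O-lines of a HijackThis log by section code; other lines are ignored."""
    entries: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
    return entries


def flag_temp_autoruns(entries: Dict[str, List[str]]) -> List[str]:
    """Return O4 (autorun) entries whose command line points into a temp directory."""
    return [e for e in entries.get("O4", [])
            if any(marker in e.lower() for marker in TEMP_MARKERS)]


def diff_logs(before: str, after: str) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Compare two logs as sets of (section, entry); return (added, removed), each sorted."""
    old = {(sec, e) for sec, es in parse_hjt(before).items() for e in es}
    new = {(sec, e) for sec, es in parse_hjt(after).items() for e in es}
    return sorted(new - old), sorted(old - new)


def report(before: str, after: str) -> str:
    """Human-readable summary: what changed between scans, plus Temp-path autoruns."""
    added, removed = diff_logs(before, after)
    lines = [f"entries added since previous scan: {len(added)}"]
    lines += [f"  + {sec} - {e}" for sec, e in added]
    lines.append(f"entries removed since previous scan: {len(removed)}")
    lines += [f"  - {sec} - {e}" for sec, e in removed]
    hits = flag_temp_autoruns(parse_hjt(after))
    lines.append(f"autoruns launched from a temp directory (check these): {len(hits)}")
    lines += [f"  ! O4 - {e}" for e in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(LOG_BEFORE, LOG_AFTER))
```

Run as-is it shows the two entries SUPERAntiSpyware added between the scans (its HKCU Run key and its Winlogon Notify DLL) and the one HKLM Run entry that launches an executable out of a user's Temp folder. Diffing against a known-clean baseline log of the same machine is the quickest way to spot what a new infection (or a new installer) left behind; the Temp-path flag is just a first filter on top of that.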

#13 logreeval (Members, 351 posts, Location: Petaluma, California)

Posted 29 March 2007 - 02:48 PM

Congratulations! You are clean :flowers:

Now that you are clean of all malware, there are a few steps I need you to complete:

I need you to re-hide files/folders, to do this:
  • Click Start.
  • Click My Computer.
  • Open the Tools menu and click Folder Options.
  • Click the View tab.
  • Under the Hidden files and folders heading UNCHECK Show hidden files and folders.
  • Now, CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Defrag your Hard Drive, to do this:
  • Click Start>> Run>> Type Compmgmt.msc.
  • Click Disk Defragmenter.
  • Click the volume that you want to defragment (usually C:) and then click Defragment.
Now, you need to clear your restore points. Here is a tutorial on how-to.

Real Time Anti-Spyware Programs protect you in real time, not just scan after you are infected; they are nice to have to prevent infections:
SpywareGuard
SpywareBlaster
SpywareTerminator


Internet Explorer is not the most secure browser available. I recommend using one of these browsers:
Firefox
Opera

*NOTE*If you keep Internet Explorer, here is a link to tighten up the security of Internet Explorer.

It is important to clear out temporary files, many types of malware hide in the temp, here are some programs to clear out the temp folders:
CCleaner
ATF Cleaner


Windows Update is a very important thing to do. It contains critical security patches for Internet Explorer and Windows.

If you want to read a little bit, you can check this out - Must Read Info!

Congratulations and happy surfing! :thumbsup:



#14 pr0xy333 (Topic Starter, Members, 14 posts, Location: NorCal)

Posted 29 March 2007 - 04:55 PM

Thanks a lot. I appreciate your help!


:huh: :huh: :o :)
:thumbsup: :flowers: :huh: :huh:
:huh:

#15 logreeval (Members, 351 posts, Location: Petaluma, California)

Posted 29 March 2007 - 05:07 PM

No problem at all! :thumbsup:

If you have any more questions/problems just tell me :flowers:
