Not Much Hope On This Pc.


This topic is locked
16 replies to this topic

#1 bubbis (Members, 25 posts)

Posted 12 April 2007 - 12:19 PM

Hi mates

First time I've used HijackThis.

This PC is quite a mess: Windows Search Assistant comes up blank from any shortcut; tried reinstalling the searcmgr.inf with no luck.

It won't let me install or run anything but Spybot; no online scanners will work.

Let's see what you think of it.


Logfile of HijackThis v1.99.1
Scan saved at 19:04:17, on 2007-04-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Grisoft\AVG7\avgamsvr.exe
C:\Program\Grisoft\AVG7\avgupsvc.exe
C:\Program\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program\ICQLite\ICQLite.exe
C:\WINDOWS\system32\iid.exe
C:\Program\Grisoft\AVG7\avgcc.exe
C:\Program\QuickTime\qttask.exe
C:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program\HPQ\SHARED\HPQWMI.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program\HijackThis\HijackThis.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Tatjana Solovjova\Skrivbord\stng260.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program\HPQ\IAM\Bin\ItIeAddIN.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\Program\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
O4 - HKLM\..\Run: [Cpqset] C:\Program\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [PcSync] C:\Program\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DVD Check.lnk = C:\Program\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Skapa mobilfavorit - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Skapa mobilfavorit... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149806474609
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - https://ssl.extrafilm.org/upload/activex/ImageUploader3.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program\AutoCAD 2002\AcPreview.ocx
O20 - AppInit_DLLs: ASAPHook
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: OneCard - C:\Program\HPQ\IAM\Bin\AsWlnPkg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\Program\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Unknown owner - C:\Program\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Program\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)



Thanks in advance.

/b
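An added triage helper, not part of the post above and not a HijackThis feature: it parses the `R`/`F`/`O` section lines of a log like the one above and pulls out the items a log helper reads first: O23 services whose binary is reported missing or whose owner is unknown, O20 AppInit_DLLs and Winlogon Notify hooks, the Winsock LSP files from O10, and O4 autoruns whose executable sits directly in `system32`. The sample input is an excerpt of the log above; the "worth looking up" heuristics are assumptions, not verdicts on any entry.

```python
import re
from collections import defaultdict

# Constructed excerpt of the HijackThis 1.99.1 log posted above (sample input only).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 19:04:17, on 2007-04-12
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\iid.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
O4 - HKLM\..\Run: [SoundMAX] C:\Program\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\Program\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O20 - AppInit_DLLs: ASAPHook
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\Program\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe (file missing)
"""

# "O23 - Service: ..." style lines: section tag, " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+)\s+-\s+(?P<body>.+)$")
# O23 body: "Service: <name> - <owner> - <path>[ (file missing)]"
SERVICE_RE = re.compile(
    r"^Service:\s+(?P<name>.+?)\s+-\s+(?P<owner>.+?)\s+-\s+(?P<path>.+?)"
    r"(?P<missing>\s+\(file missing\))?$"
)
# O4 body for registry Run keys: "<key>: [<name>] <command line>"
RUN_RE = re.compile(r"^(?P<key>.+?):\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
# First executable/library path on a command line (quoted or not, arguments dropped).
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|cpl|scr))', re.I)
# Executable directly inside <drive>:\windows\system32 (no sub-directory).
SYSDIR_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)


def parse_entries(text):
    """Group the log's section lines by tag, e.g. {'O23': [body, ...]}."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("section")].append(m.group("body"))
    return entries


def triage(text):
    """Return the entries a log reader checks first. Heuristics only, not verdicts."""
    entries = parse_entries(text)
    report = {
        "services_missing_file": [],   # leftover service keys whose binary is gone
        "services_unknown_owner": [],  # running service with no vendor string
        "appinit_dlls": [],            # DLLs loaded into every user-mode process
        "winlogon_notify": [],         # DLLs loaded by winlogon at logon
        "lsp_files": [],               # Winsock layered service providers
        "autoruns_in_system32": [],    # Run-key programs living directly in system32
    }
    for body in entries["O23"]:
        m = SERVICE_RE.match(body)
        if not m:
            continue
        if m.group("missing"):
            report["services_missing_file"].append(m.group("name"))
        elif m.group("owner") == "Unknown owner":
            report["services_unknown_owner"].append(m.group("name"))
    for body in entries["O20"]:
        kind, _, value = body.partition(":")
        if kind == "AppInit_DLLs":
            report["appinit_dlls"].append(value.strip())
        elif kind == "Winlogon Notify":
            report["winlogon_notify"].append(value.strip())
    # The same LSP DLL is listed once per protocol entry, so de-duplicate.
    report["lsp_files"] = sorted({b.partition(":")[2].strip().lower() for b in entries["O10"]})
    for body in entries["O4"]:
        m = RUN_RE.match(body)
        exe = EXE_RE.match(m.group("cmd")) if m else None
        if exe and SYSDIR_RE.match(exe.group("path")):
            report["autoruns_in_system32"].append((m.group("name"), exe.group("path")))
    return report


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

Missing-file O23 entries are stale service registrations (here the uninstalled Norton/Symantec and AVG e-mail scanner leftovers) and are cleanup candidates rather than infections; the O4 and O20 lists are what to look up by vendor and hash before fixing anything.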


#2 bubbis (Topic Starter, Members, 25 posts)

Posted 14 April 2007 - 09:30 AM

Not intending to bump.

Just a little update.

Finally I got around the online scan block.

Installed Firefox and was able to launch Trend Micro HouseCall;
it is running as I type this.

I'll be back with another HijackThis log.

By the way, is my issue getting any attention?

Don't mean to sound pushy, just wondering.

/b

Edit: HouseCall scan results turned up as a Mexican advertisement.

Edited by bubbis, 14 April 2007 - 11:44 AM.


#3 SifuMike (malware expert, Members, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 16 April 2007 - 11:41 PM

Hello bubbis,

I am SifuMike and I will be helping you. :thumbsup: Sorry for the delay, it's been pretty busy here lately and we have over 60 logs in the queue.

Lets check your HOSTS file.
It's located at c:\windows\system32\drivers\etc\hosts.
You can open it up in Notepad.
If it's just some lines on top with a # in front of them followed by 127.0.0.1 localhost, then you don't need to post it; however, if there are other entries after 127.0.0.1 localhost, you may have to fix it.
Post it here if that's the case.

******************

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586-p.exe to install the newest version.
******************

Disable your antivirus program and go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan". Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.

******************

Download ATF (Atribune Temp File) Cleaner© by Atribune DO NOT run it yet.

Download and install AVG Anti-Spyware 7.5 (formerly Ewido)
This is a 30 day trial of the program

AVG Anti-Spyware is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that AVG Anti-Spyware will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.


1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept the default installation path: C:\Program Files\AVG Anti-Spyware 7.5 and click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. You can select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. If you choose to do this, then right click on ewido in the system tray and uncheck "Start with Windows".
7. Select the "Update" button and click "Start update". If you are having problems with the updater, manually update with the Ewido Full database installer from here.
8. Exit AVG Anti-Spyware 7.5 when done - DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes.
To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly.
A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

1.) Double-click the small BLUE Garbage Can ATF-Cleaner.exe file to run the program.
2.) At the top, under Main choose: Select All
3.) Click the Empty Selected button.

If you use the Firefox browser:
1.) At the top, click Firefox and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use the Opera browser:
1.) At the top, click Opera and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Scan with AVG Anti-Spyware 7.5 as follows:

1. Launch AVG Anti-Spyware 7.5, click on the "Scanner" button and choose the "Settings" tab.

Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.

Under "How to Scan?" check all (default).

Under "Possibly unwanted software" check all (default).

Under "What to Scan?" make sure "Scan every file" is selected (default).

Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.

4. IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.

(1) Make sure that Set all elements to: shows Quarantine; if not, click on the link and choose Quarantine from the popup menu.
(2) At the bottom of the window click on the Apply all Actions button.
(3) When done, click the Save Scan Report button.
(4) Click the Save Report as button.
Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt.
Save to your desktop.
A copy of each report will also be saved in C:\Program Files\AVG Anti-Spyware 7.5\Reports\
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot to Normal Mode.

When done, submit the BitDefender log, the AVG Anti-Spyware 7.5 log and a fresh HijackThis log.

Edited by SifuMike, 16 April 2007 - 11:53 PM.

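The HOSTS file check described in the post above, as an added worked example that is not part of SifuMike's post: it parses a Windows hosts file and accepts only loopback-to-localhost mappings. Anything else is reported in one of three buckets: hostnames pinned to loopback or 0.0.0.0 (the way malware silences update and scanner sites, which also fits the "no online scanner works" symptom), hostnames redirected to a real address, and lines that are not valid entries. Both sample files are constructed; the Microsoft header is abbreviated, and the hostnames and the TEST-NET address are placeholders.

```python
import ipaddress
import sys

# Hostnames that may legitimately point at the loopback address. A stock Windows XP
# hosts file maps only "localhost"; extend the set if the machine has its own aliases.
LOOPBACK_ALLOWLIST = {"localhost"}

# Constructed: an untouched XP-style hosts file (Microsoft header abbreviated).
CLEAN_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# (header abbreviated)
127.0.0.1       localhost
"""

# Constructed: a tampered file showing each pattern the checker reports.
TAMPERED_HOSTS = """127.0.0.1       localhost
127.0.0.1       scanner.example.com      # constructed: scan site pinned to loopback
192.0.2.10      www.example.net          # constructed: redirected to a TEST-NET address
0.0.0.0         downloads.example.org    # constructed: null-routed
garbage-entry   something.example        # constructed: malformed line
"""


def parse_hosts(text):
    """Yield (ip, [hostnames], line_no) for every non-blank, non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        yield fields[0], fields[1:], line_no


def find_suspicious(text, allowlist=LOOPBACK_ALLOWLIST):
    """Classify every mapping that is not loopback -> an allowlisted name."""
    report = {"blocked": [], "redirected": [], "malformed": []}
    for ip, hosts, line_no in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            report["malformed"].append(line_no)
            continue
        for host in hosts:
            # Loopback or 0.0.0.0 makes the name unreachable: a block entry.
            if addr.is_loopback or addr.is_unspecified:
                if host.lower() not in allowlist:
                    report["blocked"].append(host)
            else:
                # Any other address silently sends the name somewhere else.
                report["redirected"].append((host, ip))
    return report


def is_clean(text, allowlist=LOOPBACK_ALLOWLIST):
    return not any(find_suspicious(text, allowlist).values())


if __name__ == "__main__":
    # Default path is the XP location named in the post; pass another path to override.
    path = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\system32\drivers\etc\hosts"
    with open(path, encoding="utf-8", errors="replace") as fh:
        content = fh.read()
    print("clean" if is_clean(content) else find_suspicious(content))
```

A long "blocked" list is not automatically malicious: ad-blocking hosts files (MVPS and similar) produce exactly that, so the output is a review list. Entries that redirect a name to a non-loopback address are the ones to treat as hostile until explained.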

#4 bubbis (Topic Starter, Members, 25 posts)

Posted 17 April 2007 - 06:00 PM

Cheers SifuMike

Stepping through your advice:

HOSTS file is clean.

Java updated.

BitDefender online scan still fails to load; when I click on the [I agree] button nothing happens.

This goes for any other online scanner I have tried, except Trend Micro HouseCall, which went through the scanning process and in the scan results window turned up as a Mexican advertisement.

Did the ATF clean and the AVG scan/clean.

Outcome as follows:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 23:52:40 2007-04-17

+ Scan result:



C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@ehg-bizjournals.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@ehg-nokiafin.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@linksynergy[2].txt -> TrackingCookie.Linksynergy : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@spylog[2].txt -> TrackingCookie.Spylog : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@yadro[1].txt -> TrackingCookie.Yadro : Cleaned.
C:\Documents and Settings\Göteborgs Vattenskär\Lokala inställningar\Temp\Cookies\göteborgs vattenskär@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end




Logfile of HijackThis v1.99.1
Scan saved at 00:35:13, on 2007-04-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program\Grisoft\AVG7\avgamsvr.exe
C:\Program\Grisoft\AVG7\avgupsvc.exe
C:\Program\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\HPQ\IAM\bin\asghost.exe
C:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program\Synaptics\SynTP\SynTPLpr.exe
C:\Program\Synaptics\SynTP\SynTPEnh.exe
C:\Program\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program\ICQLite\ICQLite.exe
C:\WINDOWS\system32\iid.exe
C:\Program\Grisoft\AVG7\avgcc.exe
C:\Program\HPQ\SHARED\HPQWMI.exe
C:\Program\QuickTime\qttask.exe
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Java\jre1.6.0_01\bin\jusched.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program\HPQ\IAM\Bin\ItIeAddIN.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ATIPTA] C:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\Program\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
O4 - HKLM\..\Run: [Cpqset] C:\Program\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [WatchDog] C:\Program\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ICQ Lite] "C:\Program\ICQLite\ICQLite.exe" -minimize
O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DVD Check.lnk = C:\Program\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Skapa mobilfavorit - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Skapa mobilfavorit... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149806474609
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - https://ssl.extrafilm.org/upload/activex/ImageUploader3.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program\AutoCAD 2002\AcPreview.ocx
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: OneCard - C:\Program\HPQ\IAM\Bin\AsWlnPkg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\Program\Grisoft\AVGFRE~1\avgemc.exe (file missing)
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Unknown owner - C:\Program\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Program\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)




/bubbis

#5 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:41 PM

Posted 17 April 2007 - 06:41 PM

Are you using Internet Explorer to run the BitDefender Online scanner? It will not work with Firefox.
Also, all the online virus scanners use ActiveX, so make sure you have ActiveX enabled.

http://support.microsoft.com/kb/308260

Verify that Active Scripting, ActiveX, and Java are not blocked

Verify that Internet Explorer or another program on your computer such as an anti-virus program or a firewall are not configured to block scripts, ActiveX controls, or Java applets. Active Scripting, ActiveX controls, and Java applets are turned off at the High security level in Internet Explorer. By default, Internet Explorer 6 and some versions of Internet Explorer 5.x use the High security level for the Restricted sites zone. By default, Microsoft Windows Server 2003 uses the High security level for both the Restricted sites zone and the Internet zone.

To reset the Internet Explorer security settings for the current Web page, follow these steps:
1. Start Internet Explorer.
2. On the Tools menu, click Internet Options.
3. In the Internet Options dialog box, click Security.
4. Click Default Level.
5. Click OK.




It may be your AVG firewall blocking applications from running.
Please turn off your AVG firewall and see if you can run BitDefender Online Scanner.

If BitDefender does not work, then Go here and run the online scan, allow it to delete whatever is found:

Panda ActiveScan
Note: This Scanner is for Internet Explorer Only!
Once you are on the Panda site, click the Scan your PC button.
  • A new window will open; click the Check Now button.
  • Enter your Country.
  • Enter your State/Province.
  • Enter your e-mail address and click Send.
  • Select either Home User or Company.
  • Click the big Scan Now button.
  • If it wants to install an ActiveX component, allow it.
  • It will start downloading the files it requires for the scan.
    (Note: it may take a couple of minutes, so be patient.)
  • When the download is complete, click on Local Disks to start the scan.
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Please post the contents of Panda scan

Edited by SifuMike, 17 April 2007 - 06:51 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 bubbis (Topic Starter)

Posted 18 April 2007 - 12:16 PM

Double checked the Internet Explorer security settings.

Tried following online scanners.

Bitdefender
Panda
Trend micro housecall
Kaspersky
eTrust
a-squared
f-secure

In Internet Explorer 6 with or without firewall.

None will start.

Trend micro housecall (run from firefox) gives no result window.

McAfee FreeScan tells me the browser is not supported;
IE 5.0 or later is needed to run their FreeScan.
The ie on the pc is version 6 latest update.

Also ran sfc /scannow to check sys files, no happier.

Do you think it's a waste of time to keep on trying?

Next thing would be reinstall of IE6.

/b

#7 SifuMike

Posted 18 April 2007 - 01:51 PM

Also run a sfc /scannow to check sys files, non happier.

Is the Windows XP on this computer a legal version or a hacked version?
I am assuming that sfc /scannow ran OK, checked all the files and reloaded those it found in error. Correct?

Do you think it's a waste of time to keep on trying?

Next thing would be reinstall of IE6.


Are you a computer repair shop?
Yes, reinstall IE6. If that does not work, then try installing IE7.
If both of those do not work, then it is time to reformat and reinstall Windows.

Edited by SifuMike, 18 April 2007 - 01:56 PM.


#8 SifuMike

Posted 25 April 2007 - 02:38 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

#9 SifuMike

Posted 01 May 2007 - 09:59 PM

This thread is opened per request of bubbis.

I have been away since Thursday 19th, hence no activity on the thread.

A friend of mine asked me to join him on a trip to Barcelona with half a days notice,
flight, hotel and a Roger Waters concert ticket paid for, hope that excuses the delay, back home yesterday.

I'm no computer repair shop, thanks for asking.

I take a great interest in learning to fix everything possible with pc's.

It's a legit XP Home on a laptop, Windows CD lost but i386 folder on the HDD.

Restore points wiped.

sfc /scannow ran OK, no errors indicated.

It started with a girl asking me why windows search-assistant had stopped working,
I had a look at the pc, assuming she had some malware on it.

All the issues make me think it is a rootkit lurking in there.

ActiveX seems to be somehow corrupt too as no online scanners will work,
only trendmicro housecall that also can run with java, but no result displayed as I mentioned in the thread.

Do you see anything suspect in the hijacklog so far?

I'll go on with IE reinstall, and try to scan for rootkit if I still cant get any online scan to run.

The owner wants to be able to use her PC asap, so I begged for a few more days;
that's why I ask the waste-of-time question.

Feel free to quote this pm in the thread so that interested readers get the whole picture.

Thanks again.

/bubbis



#10 SifuMike

Posted 01 May 2007 - 10:15 PM

Hi bubbis,


I do not see any malware in the Hijackthis log.
When did the owner of this computer notice this problem?

Test Your ActiveX Installation

If ActiveX is not enabled, instructions to enable ActiveX are at http://pcpitstop.com/faq/security.asp


We can dig deeper.

Please download A-Squared Free, save it to the desktop.
  • Double-click on a2FreeSetup.exe, follow the installer's instructions.
  • At the end of the install process, make sure Launch a-squared Free is checked, then click Finish.
  • When it launches, it will ask you if you would like to update, click Yes, it will take a few moments to update.
  • When done with the update, if it asks you to restart the application, click Yes.
  • At the main menu, click Scan Now, there will be 4 options, choose Deep Scan.
  • At the end of the scan, click Save Report. Save the report to somewhere convenient, such as your desktop.
  • If malware is found, select all found and click Quarantine selected objects.
*******************



1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix.

To disable Norton AntiVirus Script Blocking
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK

Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.


*******************

Download and Save Blacklight Beta (graphical user interface version) to your desktop.

Double-click fsbl.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found.

Don't choose rename yet! I want to see the log first, because legit items can also be present there, like "wbemtest.exe".

There will be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply.

Edited by SifuMike, 01 May 2007 - 10:25 PM.


#11 bubbis (Topic Starter)

Posted 02 May 2007 - 08:56 PM

Not sure when it started acting up, a couple of months ago she thinks.

ActiveX test shows an empty box (with or without firewall activated) indicating ActiveX probably ok but no scripting.


A-Squared found two items, now quarantined.
----------------------------------------------------------------------------------------------------------------------------
a-squared Free - Version 2.1

Scan settings:

Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 2007-05-03 00:27:51

Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run --> WatchDog detected: Trace.Registry.WatchDog v8.5
C:\SwSetup\Nav05\CH\Support\LUpdate\LUSETUP.EXE detected: Trojan.Win32.Starter.m

Scanned

Files: 134318
Traces: 111714
Cookies: 1
Processes: 52

Found

Files: 1
Traces: 1
Cookies: 0
Processes: 0
Registry keys: 0

Scan end: 2007-05-03 01:57:42
Scan time: 01:29:51
----------------------------------------------------------------------------------------------------------------------------


ComboFix Log


((((((((((((((((((((((((((((((( Files Created from 2007-04-03 to 2007-05-03 ))))))))))))))))))))))))))))))))))


2007-05-03 00:21 <KAT> d-------- C:\Program\a-squared Free
2007-04-18 17:19 <KAT> d-------- C:\Program\RCrawler
2007-04-15 12:27 <KAT> d-------- C:\Program\CCleaner
2007-04-14 15:18 <KAT> d-------- C:\DOCUME~1\TATJAN~1\.housecall6.6
2007-04-14 15:15 2,247 --a------ C:\WINDOWS\mozver.dat
2007-04-14 15:15 107,134 --a------ C:\WINDOWS\UninstallFirefox.exe
2007-04-14 15:15 0 --a------ C:\WINDOWS\nsreg.dat
2007-04-12 13:20 <KAT> d-------- C:\Program\Delade filer\Wise Installation Wizard
2007-04-12 12:53 <KAT> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-02 23:21 110592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2007-03-28 16:38 9216 --a--c--- C:\WINDOWS\system32\avgwlntf.dll
2007-03-28 15:31 -------- d-------- C:\Program\nokia
2007-03-28 15:01 63134 --a------ C:\WINDOWS\system32\perfc01d.dat
2007-03-28 15:01 384018 --a------ C:\WINDOWS\system32\perfh01d.dat
2007-03-23 22:38 -------- d-------- C:\Program\pc connectivity solution
2007-03-23 22:38 -------- d-------- C:\Program\difx
2007-03-23 15:02 -------- d-------- C:\Program\norton antivirus(2)
2007-03-17 23:46 -------- d-------- C:\Program\icqlite
2007-03-17 15:45 292864 --a--c--- C:\WINDOWS\system32\winsrv.dll
2007-03-15 22:44 -------- d-------- C:\DOCUME~1\TATJAN~1\APPLIC~1\pc suite
2007-03-15 21:45 -------- d-------- C:\DOCUME~1\TATJAN~1\APPLIC~1\nokia
2007-03-15 21:17 19755560 --a------ C:\WINDOWS\system32\avg75free_446a965.exe
2007-03-08 17:39 577536 --a--c--- C:\WINDOWS\system32\user32.dll
2007-03-08 17:39 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 17:39 281600 --a--c--- C:\WINDOWS\system32\gdi32.dll
2007-03-08 17:38 1843584 --a--c--- C:\WINDOWS\system32\win32k.sys
2007-02-05 22:20 185344 --a------ C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\Program\SPYBOT~1\SDHelper.dll
{5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\system32\dla\tfswshx.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program\Java\jre1.6.0_01\bin\ssv.dll
{DF21F1DB-80C6-11D3-9483-B03D0EC10000} C:\Program\HPQ\IAM\Bin\ItIeAddIN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="C:\\Program\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"ATIPTA"="C:\\Program\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"UpdateManager"="\"C:\\Program\\Delade filer\\Sonic\\Update Manager\\sgtray.exe\" /r"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"SynTPLpr"="C:\\Program\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program\\Synaptics\\SynTP\\SynTPEnh.exe"
"eabconfg.cpl"="C:\\Program\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"CognizanceTS"="rundll32.exe C:\\Program\\HPQ\\IAM\\Bin\\AsTsVcc.dll,RegisterModule"
"Cpqset"="C:\\Program\\HPQ\\Default Settings\\cpqset.exe"
"hpWirelessAssistant"=hex(2):22,25,50,72,6f,67,72,61,6d,46,69,6c,65,73,25,5c,\
"SetDefPrt"="C:\\Program\\Brother\\Brmfl04a\\BrStDvPt.exe"
"ControlCenter2.0"="C:\\Program\\Brother\\ControlCenter2\\brctrcen.exe /autorun"
"Adobe Photo Downloader"="\"C:\\Program\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"ICQ Lite"="\"C:\\Program\\ICQLite\\ICQLite.exe\" -minimize"
"Net iD"="C:\\WINDOWS\\system32\\iid.exe"
"AVG7_CC"="C:\\Program\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program\\iTunes\\iTunesHelper.exe\""
"Registry Crawler"="C:\\Program\\RCrawler\\RCrawler.exe -TRAYONLY"
"SunJavaUpdateSched"="C:\\Program\\Java\\jre1.6.0_01\\bin\\jusched.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program\\Messenger\\msmsgs.exe\" /background"
"H/PC Connection Agent"="\"C:\\Program\\Microsoft ActiveSync\\WCESCOMM.EXE\""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0AsWlnPkg\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Cognizance REG_MULTI_SZ ASChannel\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81f8ac98-9f1a-11da-8b26-0014a51e4cb8}]
Shell\AutoRun\command E:\setupSNK.exe



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070412-152542-413
O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Unknown owner - C:\Program\Norton AntiVirus\navapsvc.exe (file missing)
backup-20070412-152542-532
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
backup-20070412-152542-303
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - C:\Program\Delade filer\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)
backup-20070412-152542-955
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Program\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
backup-20070412-152542-159
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
backup-20070412-152542-918
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe (file missing)
backup-20070412-152542-434
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
backup-20070412-152542-425
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
backup-20070412-152542-417
O4 - HKCU\..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
backup-20070412-152542-440
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll (file missing)
backup-20070412-152542-411
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
backup-20070412-152542-282
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
backup-20070412-152542-550
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
backup-20070412-152542-646
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
backup-20070412-152542-460
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program\google\googletoolbar1.dll (file missing)
backup-20070412-152542-165
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\Program\Grisoft\AVGFRE~1\avgemc.exe (file missing)
backup-20070412-152542-748
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe /Consumer
backup-20070412-152542-902
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
backup-20070412-152542-661
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
backup-20070412-152542-743
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-03 02:41:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program\HPQ\Default Settings\cpqset.exe?|????????????9?9?9?3??P???? ?d?B????????? ???hLC????????

scanning hidden files ...

C:\System.sav\FI.bom 16384 bytes
C:\System.sav\info.bom 16384 bytes
C:\System.sav\INFO.FI 4096 bytes
C:\System.sav\INFO.SE 4096 bytes
C:\System.sav\INFO.US 4096 bytes
C:\System.sav\Logs
C:\System.sav\Logs\Cia.ini 249856 bytes
C:\System.sav\Logs\Info.bom 16384 bytes
C:\System.sav\Logs\Install.log 1081344 bytes
C:\System.sav\Logs\Preinchk.log 8192 bytes
C:\System.sav\Logs\Sysinfo.log 286720 bytes
C:\System.sav\Logs\UIADUMP.EUE 4096 bytes
C:\System.sav\Logs\UIADUMP.FPP 4096 bytes
C:\System.sav\PREINCHK.log 8192 bytes
C:\System.sav\REBOOT.ME 48 bytes
C:\System.sav\REGDEV.FAC 40 bytes
C:\System.sav\REGFLUSH.LOG 8192 bytes
C:\System.sav\RmDev.log 40960 bytes
C:\System.sav\SE.bom 16384 bytes
C:\System.sav\SYSINFO.LOG 286720 bytes
C:\System.sav\SysInfo.US 286720 bytes
C:\System.sav\US.bom 16384 bytes
C:\System.sav\util
C:\System.sav\util\Audio.log 168 bytes
C:\System.sav\util\biosconf.log 192 bytes
C:\System.sav\util\BOOTSEC.NT4 512 bytes
C:\System.sav\util\BrandIt.Log 12288 bytes
C:\System.sav\util\CHKIMAGE.exe 126976 bytes
C:\System.sav\util\CIA.CDC 65536 bytes
C:\System.sav\util\cia.FI 73728 bytes
C:\System.sav\util\CIA.INI 36864 bytes
C:\System.sav\util\cia.SE 73728 bytes
C:\System.sav\util\cia.US 73728 bytes
C:\System.sav\util\ClassMnu.log 88 bytes
C:\System.sav\util\cpqci.dll 122880 bytes
C:\System.sav\util\cvacompg.exe 118784 bytes
C:\System.sav\util\cvacompg.tmp 168 bytes
C:\System.sav\util\DelDir.exe 36864 bytes
C:\System.sav\util\delmodem.ini 184 bytes
C:\System.sav\util\DETECTOS.INI 4096 bytes
C:\System.sav\util\DNSP1.LOG 49152 bytes
C:\System.sav\util\esuinst.log 168 bytes
C:\System.sav\util\EVENTDEL.VBS 208 bytes
C:\System.sav\util\hpqnt.dll 77824 bytes
C:\System.sav\util\hptool.log 184 bytes
C:\System.sav\util\hsc.log 176 bytes
C:\System.sav\util\INSTALL.LOG 1085440 bytes
C:\System.sav\util\ISLOGCHK.EXE 94208 bytes
C:\System.sav\util\ISLOGCHK.INI 4096 bytes
C:\System.sav\util\mobproc.ini 4096 bytes
C:\System.sav\util\mscu.log 168 bytes
C:\System.sav\util\OEMLINK.INI 224 bytes
C:\System.sav\util\PININST.EXE 110592 bytes
C:\System.sav\util\PININST.INI 4096 bytes
C:\System.sav\util\PININST.LOG 4096 bytes
C:\System.sav\util\POSTOOBE.LOG 24 bytes
C:\System.sav\util\postproc.ini 4096 bytes
C:\System.sav\util\powerset.log 88 bytes
C:\System.sav\util\PREINCHK.BAT 216 bytes
C:\System.sav\util\PREINFO.INI 192 bytes
C:\System.sav\util\PREINFO2.EXE 86016 bytes
C:\System.sav\util\qlb.log 176 bytes
C:\System.sav\util\random.ini 40 bytes
C:\System.sav\util\REGDEV.EXE 106496 bytes
C:\System.sav\util\REGDEV.INI 560 bytes
C:\System.sav\util\RMICONS.LOG 312 bytes
C:\System.sav\util\SWSET_A.INI 4096 bytes
C:\System.sav\util\SWSET_B.INI 4096 bytes
C:\System.sav\util\ticrdbus.log 32 bytes
C:\System.sav\util\touchpad.log 192 bytes
C:\System.sav\util\WINDVD.LOG 168 bytes
C:\System.sav\util\wlassistant.log 184 bytes

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 72


********************************************************************


BlackLight Log


05/03/07 02:47:31 [Info]: BlackLight Engine 1.0.61 initialized
05/03/07 02:47:31 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/03/07 02:47:31 [Note]: 7019 4
05/03/07 02:47:31 [Note]: 7005 0
05/03/07 02:47:55 [Note]: 7006 0
05/03/07 02:47:55 [Note]: 7011 2332
05/03/07 02:47:55 [Note]: 7026 0
05/03/07 02:47:56 [Note]: 7026 0
05/03/07 02:47:58 [Note]: FSRAW library version 1.7.1021
05/03/07 02:53:12 [Note]: 2000 1012
05/03/07 02:56:04 [Note]: 7007 0


I dont do anything further until you say so.

/b
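What the helper is doing with the HijackThis log earlier in the thread and the ComboFix "Reg Loading Points" above is a triage pass over autostart locations: Run keys, BHOs, Winlogon Notify packages, the LSA notification packages, the Winsock LSP chain and the service list. As an added example (not part of this thread, and not code from HijackThis, ComboFix or any other tool mentioned here), the Python below applies the rules of thumb a responder uses on HijackThis 'O' lines: "(file missing)" entries are orphaned registrations rather than infections, "Unknown owner" services and Winlogon Notify DLLs outside a known set are flagged for a manual look, repeated O10 LSP lines are collapsed, and a Run entry whose file is named like a core system binary but lives outside system32 is flagged. The allowlists are assumptions drawn from the software these logs show installed, and the sample log is constructed: the entries quoted from the thread plus three made-up suspicious lines.

```python
"""Triage HijackThis 'O' lines the way a malware-removal helper reads them.

Added example for this thread, not HijackThis, ComboFix or BleepingComputer
code. The allowlists are assumptions based on the software the logs here
show installed, not an authoritative reference.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed-legitimate Winlogon Notify packages (WGA, AVG, HP Credential
# Manager) and Winsock LSP DLLs (AVG firewall) seen in this thread's logs.
KNOWN_NOTIFY = {"wgalogon.dll", "avgwlntf.dll", "aswlnpkg.dll"}
KNOWN_LSP = {"avgfwafu.dll"}
# Core system binaries malware likes to impersonate from the wrong directory.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
MISSING = "(file missing)"

# Constructed sample modelled on the log above. The svchost, xyzabc and
# hlpsvc entries are made up to exercise the "review" verdict; they are not
# from the poster's machine.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xyzabc - C:\WINDOWS\system32\xyzabc.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Helper Service (hlpsvc) - Unknown owner - C:\WINDOWS\system32\hlpsvc.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str
    verdict: str  # "ok", "orphan" (registration left behind) or "review"
    detail: str


def _split_path(path):
    """(directory, file name), lower-cased, for a possibly quoted Windows path."""
    p = path.strip().strip('"').replace("/", "\\").lower()
    head, _, tail = p.rpartition("\\")
    return head, tail


def triage_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    missing = rest.endswith(MISSING)
    if missing:
        rest = rest[: -len(MISSING)].strip()
    if section in ("O2", "O23") and missing:
        # Points at a file that no longer exists: dead weight, not an
        # infection, but it buries real entries in noise.
        return Finding(section, "orphan", rest)
    if section == "O23":
        # "Unknown owner": no company name in the binary's version info.
        # Legitimate services do this too, so it is a prompt to look.
        verdict = "review" if " - Unknown owner - " in rest else "ok"
        return Finding(section, verdict, rest)
    if section == "O20":
        # Notify DLLs load into winlogon.exe as SYSTEM at boot, a classic
        # persistence spot; anything outside the allowlist gets a look.
        _, dll = _split_path(rest.split(" - ")[-1])
        return Finding(section, "ok" if dll in KNOWN_NOTIFY else "review", rest)
    if section == "O10":
        _, dll = _split_path(rest.split(":", 1)[-1])
        return Finding(section, "ok" if dll in KNOWN_LSP else "review", rest)
    if section == "O4":
        # O4 - HKLM\..\Run: [name] <command line>; the path may be quoted.
        cmd = rest.split("] ", 1)[-1]
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        folder, name = _split_path(exe)
        impostor = name in SYSTEM_NAMES and not folder.endswith("\\system32")
        return Finding(section, "review" if impostor else "ok", rest)
    return Finding(section, "ok", rest)


def triage(log_text):
    """Triage a whole log. HijackThis lists an LSP DLL once per protocol entry
    it is layered over, so identical lines collapse to a single finding."""
    unique = {}
    for line in log_text.splitlines():
        f = triage_line(line)
        if f is not None:
            unique[f] = unique.get(f, 0) + 1
    return list(unique)


def needs_attention(findings):
    return [f for f in findings if f.verdict == "review"]


def counts(findings):
    return Counter(f.verdict for f in findings)


if __name__ == "__main__":
    fs = triage(SAMPLE_LOG)
    print(dict(counts(fs)))
    for f in needs_attention(fs):
        print(f"{f.section:>4}  {f.detail}")
```

Run against the constructed sample it reports four entries as ok, two as orphaned and three for review; on the real log above the same rules would mark the Symantec, Google and Brother leftovers as orphans and leave nothing for review, which matches the helper's reading.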

#12 SifuMike

Posted 02 May 2007 - 09:50 PM

Not sure when it started acting up, a couple of months ago she thinks.

Was she operating without an active antivirus program?

BlackLight says it did not find a rootkit and I don't see malware files in the ComboFix log.

Let's use a malware scan and another rootkit tool.


* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether the icon next to the files found can be clicked.
  • If so, click it, then click the icon right below it and select Move incurable.
    This will move the file to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously.

    ****************
Please Download GMER application: (gmer.zip)( 450kB ) from here :- http://www.gmer.net

1. Save it to your desktop ... it's a zip file ...
2. unzip it to your desktop to reveal a GMER.exe file
3. Double click the GMER.exe file
4. Click the Rootkit tab and then click the Scan button.
5. IMPORTANT: Do NOT use the computer while the scan is in progress.
6. Please, do not select the "Show all" checkbox during the scan.
7. Once done, click the Copy button. This will copy the results to your clipboard.
8. Paste the results in your next reply.

Edited by SifuMike, 02 May 2007 - 09:52 PM.


#13 bubbis (Topic Starter)

Posted 03 May 2007 - 12:56 PM

Norton Internet Security was installed when I got my fingers on it; the update stopped working about the time when search was crippled.

Dr.Web gave us this log

-------------------------------------------------------
nlwinvnc.exe;
C:\Program\ffc-se-photo-manager\remotehelp;
Probably DLOADER.Trojan;
Incurable.Moved.;
-------------------------------------------------------


And gmer came out with

----------------------------------------------------------------------------------------------------------------------------
GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-05-03 18:39:05
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\system32\DRIVERS\update.sys

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [B8EB66B6] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [B8EB66B6] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [B8EB66B6] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [B8EB66B6] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [B8EB66B6] tfsnifs.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [B8EB6852] tfsnifs.sys

---- EOF - GMER 1.0.12 ----
----------------------------------------------------------------------------------------------------------------------------


/b
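Every hook in that GMER output belongs to a single module, tfsnifs.sys, hooking IRP_MJ_FILE_SYSTEM_CONTROL on the CD/UDF file-system recognizers and on Cdfs from two addresses. That is the shape of a file-system filter driver's dispatch routine rather than of a rootkit; the only thing to settle is which installed software owns the module. As an added example, not part of this thread and not GMER code, the Python below parses the "Devices" section, groups hooks by the hooking module and marks modules outside an allowlist for verification on disk. The allowlist is an assumption (tfsnifs.sys is attributed to the Sonic DLA packet-writing software that the ComboFix log shows installed under system32), and the sample input repeats the six posted lines plus one constructed line for a fictitious example.sys so the "unknown" path is exercised.

```python
"""Summarise the 'Devices' section of a GMER rootkit scan by hooking module.

Added example for this thread, not GMER code. KNOWN_FILTERS is an assumption:
tfsnifs.sys is treated as part of the Sonic DLA packet-writing software that
the ComboFix log shows installed (the dla folder under system32); on a real
case you confirm that by checking the file's signature and vendor on disk.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

KNOWN_FILTERS = {"tfsnifs.sys"}  # assumption, see module docstring

# Device <device object> [<attached object>] IRP_MJ_xxx [hook address] module
HOOK_RE = re.compile(
    r"^Device\s+(?P<device>\\\S+)(?:\s+(?P<target>\\\S+))?\s+"
    r"(?P<irp>IRP_MJ_[A-Z_]+)\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)$"
)

# Constructed sample: the six tfsnifs.sys lines are the ones posted above; the
# example.sys line is made up so the "unknown" verdict is exercised.
SAMPLE = r"""
---- Devices - GMER 1.0.12 ----

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [B8EB66B6] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [B8EB66B6] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [B8EB66B6] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [B8EB66B6] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [B8EB66B6] tfsnifs.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [B8EB6852] tfsnifs.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F8C0A1E0] example.sys

---- EOF - GMER 1.0.12 ----
"""


@dataclass(frozen=True)
class Hook:
    device: str
    target: Optional[str]
    irp: str
    addr: str
    module: str


def parse_gmer(text):
    """Hook records for every 'Device ...' line; headers and blanks are skipped."""
    return [Hook(**m.groupdict())
            for m in (HOOK_RE.match(ln.strip()) for ln in text.splitlines()) if m]


def assess(hooks):
    """Per module: verdict, how many device objects it hooks, which IRP majors,
    and the distinct hook addresses. One module hooking the same IRP on many
    recognizer devices from one or two addresses is what a legitimate filter
    driver's dispatch routine looks like; a module nobody can account for is
    the one to chase."""
    per_module = defaultdict(list)
    for h in hooks:
        per_module[h.module].append(h)
    return {
        module: {
            "verdict": "known" if module.lower() in KNOWN_FILTERS else "unknown",
            "devices": len({(h.device, h.target) for h in hs}),
            "irps": sorted({h.irp for h in hs}),
            "addresses": sorted({h.addr for h in hs}),
        }
        for module, hs in per_module.items()
    }


def unknown_modules(report):
    return sorted(m for m, r in report.items() if r["verdict"] == "unknown")


if __name__ == "__main__":
    report = assess(parse_gmer(SAMPLE))
    for module, r in report.items():
        print(module, r)
    print("to verify on disk:", unknown_modules(report))
```

The report for the posted lines collapses to one module, six hooked device objects, one IRP major and two addresses; only the constructed example.sys lands in the list to verify. On a real machine that verification is the step that matters: locate the file, check its digital signature and vendor, and compare it with what the installed software claims to ship.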

#14 SifuMike

Posted 03 May 2007 - 01:16 PM

No rootkits are hiding in your system as far as I can tell.

How is the computer acting?
Can you run any of the online virus scanners?

Edited by SifuMike, 03 May 2007 - 01:19 PM.


#15 bubbis (Topic Starter)

Posted 03 May 2007 - 02:58 PM

I will have a go at the onliners again.

Be back with the outcome.

/b



