HJT Log Browser redirects


This topic is locked
25 replies to this topic

#1 kelbel (Authentic Member, 31 posts)
Posted 16 March 2007 - 08:48 AM

Hi, my IE is starting up extremely slow and any secondary window opened up subsequently starts up just as slow, and then redirect sites start to open up every couple of minutes. I'm posting this log from my laptop because it is too frustrating to do so from my desktop. The desktop is also running SP1 and I know it needs to be updated but I should fix this problem first, no? Anyway, here is the log. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 6:20:38 PM, on 3/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\NILaunch.exe
F:\WINDOWS\System32\svchost.exe
F:\QUICKENW\QWDLLS.EXE
F:\WINDOWS\System32\wuauclt.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
I:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {a8b72ad4-349d-4918-a36d-651daa791653} - F:\WINDOWS\system32\pxinnit.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - F:\WINDOWS\System32\tmp5.tmp.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Net-It Launcher] F:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark_X79-55] F:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "F:\WINDOWS\tutrss.dll",setvm
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{A480D802-76BA-4198-B221-77DEE53A4A27}: NameServer = 216.144.187.71,204.186.0.201
O20 - Winlogon Notify: pxinnit - F:\WINDOWS\SYSTEM32\pxinnit.dll
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe



#2 random/random (MRU Expert, Malware Expert, 481 posts)
Posted 17 March 2007 - 05:30 AM

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

#3 kelbel (Authentic Member, 31 posts)
Posted 17 March 2007 - 10:56 AM

Thanks for the help, here are the Vundo txt and HijackThis logs:

VundoFix V6.3.16
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Scan started at 11:02:35 AM 3/17/2007
Listing files found while scanning....
F:\WINDOWS\System32\tmp8.tmp.dll
Beginning removal...
Attempting to delete F:\WINDOWS\System32\tmp8.tmp.dll
F:\WINDOWS\System32\tmp8.tmp.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete F:\WINDOWS\System32\tmp8.tmp.dll
F:\WINDOWS\System32\tmp8.tmp.dll Has been deleted!
Performing Repairs to the registry.
Done!

VundoFix V6.3.16
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Scan started at 11:39:57 AM 3/17/2007
Listing files found while scanning....
No infected files were found.

Logfile of HijackThis v1.99.1
Scan saved at 11:38:44 AM, on 3/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\NILaunch.exe
F:\QUICKENW\QWDLLS.EXE
F:\WINDOWS\System32\wuauclt.exe
I:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {a8b72ad4-349d-4918-a36d-651daa791653} - F:\WINDOWS\system32\pxinnit.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Net-It Launcher] F:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark_X79-55] F:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "F:\WINDOWS\geeedd.dll",setvm
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{A480D802-76BA-4198-B221-77DEE53A4A27}: NameServer = 216.144.187.71,204.186.0.201
O20 - AppInit_DLLs:
O20 - Winlogon Notify: pxinnit - F:\WINDOWS\SYSTEM32\pxinnit.dll
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

#4 random/random (MRU Expert, Malware Expert, 481 posts)
Posted 17 March 2007 - 11:19 AM

You have no antivirus installed; please install one of the following free products:

AVG
Avast

Please download FindAWF here:
http://noahdfear.gee...com/FindAWF.exe
Save to desktop and run
The output is awf.txt, save the text file to your desktop.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with the contents of awf.txt and a new HijackThis log


#5 kelbel (Authentic Member, 31 posts)
Posted 17 March 2007 - 01:47 PM

OK, here are the requested logs. Also, I could only get SDFix to run in safe mode under my admin account.

SDFix: Version 1.73
Run by Administrator - Sat 03/17/2007 - 14:29:45.59
Microsoft Windows XP [Version 5.1.2600]
Running From: F:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Entries
Restoring Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:
F:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll - Deleted
F:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.dll - Deleted
F:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00004.dll - Deleted
F:\WINDOWS\Temp\$_2341233.TMP - Deleted
F:\WINDOWS\Temp\$_2341235.TMP - Deleted

ADS Check:
F:\WINDOWS\system32
No streams found.

Final Check:
Remaining Services:
------------------

Remaining Files:
---------------
Backups Folder: - F:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :
F:\Documents and Settings\Kelly\NetHood\states on altfuels.centerpointenergy.com\Desktop.ini
F:\Documents and Settings\Kelly\NetHood\members.aol.com\Desktop.ini
F:\WINDOWS\Temp\$_3472452.EXE
F:\Documents and Settings\Kelly\Local Settings\Temp\$b17a2e8.tmp
F:\Documents and Settings\Kelly\My Documents\~WRL2225.tmp
F:\Documents and Settings\Kelly\My Documents\~WRL3845.tmp
F:\Program Files\InterActual\InterActual Player\iti31.tmp

Finished

Find AWF report by noahdfear ©2006

bak folders found
~~~~~~~~~~~

Directory of F:\WINDOWS\SYSTEM32\BAK
03/07/2007 08:07 AM 37,807 lsasss.exe
02/05/1998 03:16 PM 24,576 NILaunch.exe
2 File(s) 62,383 bytes

Directory of F:\PROGRA~1\QUICKT~1\BAK
09/18/2004 07:50 AM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of F:\PROGRA~1\MSNMES~1\BAK
0 File(s) 0 bytes

Directory of F:\PROGRA~1\MUSICM~1\MUSICM~1\BAK
10/08/2004 08:49 AM 131,072 mm_tray.exe
10/08/2004 08:49 AM 53,248 mmtask.exe
2 File(s) 184,320 bytes

Directory of F:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
01/02/2005 11:11 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of F:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK
01/24/2007 07:15 PM 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes

Directory of F:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK
06/03/2005 03:52 AM 36,975 jusched.exe
1 File(s) 36,975 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

37215 Mar 15 2007 "F:\WINDOWS\system32\NILaunch.exe"
24576 Feb 5 1998 "F:\WINDOWS\system32\bak\NILaunch.exe"
37215 Mar 15 2007 "F:\WINDOWS\system32\lsasss.exe"
37807 Mar 7 2007 "F:\WINDOWS\system32\bak\lsasss.exe"
37215 Mar 15 2007 "F:\Program Files\QuickTime\qttask.exe"
98304 Sep 18 2004 "F:\Program Files\QuickTime\bak\qttask.exe"
37215 Mar 15 2007 "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
131072 Oct 8 2004 "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe"
135168 Aug 28 2005 "F:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
37215 Mar 15 2007 "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
53248 Oct 8 2004 "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe"
53248 Aug 28 2005 "F:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe"
37215 Mar 15 2007 "F:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Jan 2 2005 "F:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
52272 Jan 24 2007 "F:\Program Files\Google\googletoolbar3user.exe"
37215 Mar 15 2007 "F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
138168 Jan 24 2007 "F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
171448 Jan 24 2007 "F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
37215 Mar 15 2007 "F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
36975 Jun 3 2005 "F:\Program Files\Java\jre1.5.0_04\bin\bak\jusched.exe"

end of report

Logfile of HijackThis v1.99.1
Scan saved at 2:44:37 PM, on 3/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\system32\notepad.exe
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\System32\NILaunch.exe
F:\QUICKENW\QWDLLS.EXE
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\WINDOWS\system32\NOTEPAD.EXE
I:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {a8b72ad4-349d-4918-a36d-651daa791653} - F:\WINDOWS\system32\pxinnit.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Net-It Launcher] F:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark_X79-55] F:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "F:\WINDOWS\geeedd.dll",setvm
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{A480D802-76BA-4198-B221-77DEE53A4A27}: NameServer = 216.144.187.71,204.186.0.201
O20 - AppInit_DLLs:
O20 - Winlogon Notify: pxinnit - F:\WINDOWS\SYSTEM32\pxinnit.dll
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
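The FindAWF report above shows the pattern behind this infection: each auto-start executable was overwritten with a 37215-byte copy of the malware (all dated Mar 15 2007) and the genuine file was moved into a bak subfolder next to it. The script below is an added example, not part of the thread, of FindAWF or of the helper's cleanup.bat; it parses the "Duplicate files of bak directory contents" section, infers the stub size as the most common size among live files that have a bak twin, and emits the quoted attrib/del/copy lines a restore script would need. It cannot tell whether a stashed original is itself legitimate (the thread's lsasss.exe, which the helper deletes rather than restores, is the case in point), so the plan still needs a human check.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: a subset of the "Duplicate files of bak directory contents"
# section of the FindAWF report posted in this thread.
SAMPLE_REPORT = r"""
37215 Mar 15 2007 "F:\WINDOWS\system32\NILaunch.exe"
24576 Feb 5 1998 "F:\WINDOWS\system32\bak\NILaunch.exe"
37215 Mar 15 2007 "F:\WINDOWS\system32\lsasss.exe"
37807 Mar 7 2007 "F:\WINDOWS\system32\bak\lsasss.exe"
37215 Mar 15 2007 "F:\Program Files\QuickTime\qttask.exe"
98304 Sep 18 2004 "F:\Program Files\QuickTime\bak\qttask.exe"
37215 Mar 15 2007 "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
131072 Oct 8 2004 "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe"
135168 Aug 28 2005 "F:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
37215 Mar 15 2007 "F:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Jan 2 2005 "F:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
52272 Jan 24 2007 "F:\Program Files\Google\googletoolbar3user.exe"
37215 Mar 15 2007 "F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
36975 Jun 3 2005 "F:\Program Files\Java\jre1.5.0_04\bin\bak\jusched.exe"
"""

# One report line: size, date as FindAWF prints it, and the quoted path.
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$')


def parse_report(text):
    """Return (size, date, path) for every duplicate-file line in the section."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def pair_with_originals(entries):
    """Match each file inside a 'bak' folder with the live file one level up."""
    by_path = {path.lower(): (size, date) for size, date, path in entries}
    pairs = []
    for size, date, path in entries:
        p = PureWindowsPath(path)
        if p.parent.name.lower() != "bak":
            continue
        live = str(p.parent.parent / p.name)
        if live.lower() in by_path:
            pairs.append({
                "live": live, "live_size": by_path[live.lower()][0],
                "bak": path, "bak_size": size, "bak_date": date,
            })
    return pairs


def stub_size(pairs):
    """The stub size: the size shared by most live files that have a bak twin."""
    return Counter(p["live_size"] for p in pairs).most_common(1)[0][0]


def restore_commands(pairs, stub):
    """Batch lines that replace each stub with its backed-up original (paths quoted)."""
    cmds = []
    for p in pairs:
        # Only act where the live file is the stub and the bak copy is not.
        if p["live_size"] != stub or p["bak_size"] == stub:
            continue
        cmds.append(f'attrib -s -h -r "{p["live"]}"')
        cmds.append(f'del /q "{p["live"]}"')
        cmds.append(f'copy "{p["bak"]}" "{p["live"]}"')
    return cmds


if __name__ == "__main__":
    found = pair_with_originals(parse_report(SAMPLE_REPORT))
    stub = stub_size(found)
    print(f"stub size: {stub} bytes, {len(found)} replaced executables")
    for p in found:
        # The bak date is what a human needs to judge whether the original is trustworthy.
        print(f"  {p['live']}  (original {p['bak_size']} bytes, {p['bak_date']})")
    print("\n".join(restore_commands(found, stub)))
```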

#6 random/random (MRU Expert, Malware Expert, 481 posts)
Posted 17 March 2007 - 02:33 PM

Our experts would like some samples of the files you are infected with

Please download the Suspicious File Packer from here:
http://www.safer-net...g/files/sfp.zip

Unzip it to the desktop and run it.

Paste the following list of bad files into the Suspicious File Packer window:

F:\WINDOWS\system32\bak\lsasss.exe


Allow SFP to pack the files. This will generate a CAB archive on your desktop.

Please click here

You will be taken to a new post page (at a different forum)
In the subject box put Suspicious files for analysis

Please put your name and email in the relevant boxes. In the message portion, please paste this:
Infected Files for analysis
Suspect: SDbot
logfile: http://forums.tomcoyote.org/index.php?showtopic=77595

Then, by the attach bar at the bottom, hit 'browse'. Find this file, and hit OK:
C:\Documents and Settings\User\Desktop\requested-files[date].cab

Then click submit to upload that file. That way our experts can analyse the file.

Please post a link to the topic at the other forum as a response to this topic


Copy/paste the following quote box into a new notepad (not wordpad) document. Make sure that wordwrap is turned off.

REM Clear the system/hidden/read-only attributes so the files can be deleted and overwritten.
REM Paths are quoted: attrib, del and copy split unquoted arguments at spaces ("Program Files").
attrib -s -h -r "F:\WINDOWS\system32\NILaunch.exe"
attrib -s -h -r "F:\WINDOWS\system32\lsasss.exe"
attrib -s -h -r "F:\Program Files\QuickTime\qttask.exe"
attrib -s -h -r "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
attrib -s -h -r "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
attrib -s -h -r "F:\Program Files\Common Files\Real\Update_OB\realsched.exe"
attrib -s -h -r "F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
attrib -s -h -r "F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
attrib -s -h -r "F:\WINDOWS\system32\bak\lsasss.exe"
REM Delete the infected copies; lsasss.exe is removed from both places and is not restored.
del /q "F:\WINDOWS\system32\NILaunch.exe"
del /q "F:\WINDOWS\system32\lsasss.exe"
del /q "F:\WINDOWS\system32\bak\lsasss.exe"
del /q "F:\Program Files\QuickTime\qttask.exe"
del /q "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
del /q "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
del /q "F:\Program Files\Common Files\Real\Update_OB\realsched.exe"
del /q "F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
del /q "F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
REM Put the genuine executables back from the bak folders.
copy "F:\WINDOWS\system32\bak\NILaunch.exe" "F:\WINDOWS\system32\NILaunch.exe"
copy "F:\Program Files\QuickTime\bak\qttask.exe" "F:\Program Files\QuickTime\qttask.exe"
copy "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe" "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
copy "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe" "F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
copy "F:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "F:\Program Files\Common Files\Real\Update_OB\realsched.exe"
copy "F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe" "F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
copy "F:\Program Files\Java\jre1.5.0_04\bin\bak\jusched.exe" "F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"


Save it to your Desktop as cleanup.bat. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: cleanup.bat

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Locate cleanup.bat on your Desktop and double-click it. A DOS window will open briefly and then close; this is normal.

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines (if still present):

O2 - BHO: (no name) - {a8b72ad4-349d-4918-a36d-651daa791653} - F:\WINDOWS\system32\pxinnit.dll
O4 - HKLM\..\Run: [Lexmark_X79-55] F:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "F:\WINDOWS\geeedd.dll",setvm
O20 - AppInit_DLLs:
O20 - Winlogon Notify: pxinnit - F:\WINDOWS\SYSTEM32\pxinnit.dll

Then close all windows except HijackThis and click Fix Checked

Use windows explorer to find and delete these files:

F:\WINDOWS\System32\lsasss.exe
F:\WINDOWS\geeedd.dll
F:\WINDOWS\SYSTEM32\pxinnit.dll

Restart in normal mode and post a new HijackThis log
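The lines the helper picks out above follow a handful of recognisable patterns: a BHO with no name, an auto-start whose file name is one letter off a Windows system process (lsasss.exe vs lsass.exe), rundll32 loading a randomly named DLL from the Windows root folder, an AppInit_DLLs value, and a Winlogon Notify DLL that is also registered elsewhere in the log. The script below is an added example, not part of the thread or of HijackThis; it encodes those heuristics and runs them over a subset of the posted log, and also lists the O17 NameServer line for review. It is a triage aid, not a verdict: each hit still needs the file itself examined.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a subset of the HijackThis entries posted in this thread,
# one entry per line.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {a8b72ad4-349d-4918-a36d-651daa791653} - F:\WINDOWS\system32\pxinnit.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] F:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [2chkdsk] rundll32.exe "F:\WINDOWS\geeedd.dll",setvm
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{A480D802-76BA-4198-B221-77DEE53A4A27}: NameServer = 216.144.187.71,204.186.0.201
O20 - AppInit_DLLs:
O20 - Winlogon Notify: pxinnit - F:\WINDOWS\SYSTEM32\pxinnit.dll
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# Core Windows process names, as seen in the log's "Running processes" section.
SYSTEM_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "spoolsv.exe", "explorer.exe"}
# A drive-letter path up to an executable/DLL/OCX extension (spaces allowed).
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll|ocx)', re.IGNORECASE)


def edit_distance_one(a, b):
    """True if one insertion, deletion or substitution turns a into b (lsasss -> lsass)."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def kind_of(entry):
    """The HijackThis section tag of an entry, e.g. 'O4'."""
    return entry.split(" - ", 1)[0]


def triage(log_text):
    """Return [(entry, [reasons])] for the entries worth a closer look."""
    entries = [line.strip() for line in log_text.splitlines()
               if re.match(r"O\d+ - ", line.strip())]
    # Which sections reference each file basename, for cross-referencing.
    owners = defaultdict(set)
    for e in entries:
        for p in PATH_RE.findall(e):
            owners[PureWindowsPath(p).name.lower()].add(kind_of(e))
    findings = []
    for e in entries:
        kind, paths = kind_of(e), PATH_RE.findall(e)
        names = [PureWindowsPath(p).name.lower() for p in paths]
        reasons = []
        if kind == "O2" and "(no name)" in e:
            reasons.append("BHO registered without a name")
        if kind == "O4":
            for n in names:
                if any(edit_distance_one(n, s) for s in SYSTEM_BINARIES):
                    reasons.append(f"{n} is one character away from a Windows system process name")
            if "rundll32" in e.lower():
                for p in paths:
                    if p.lower().endswith(".dll") and PureWindowsPath(p).parent.name.upper() == "WINDOWS":
                        reasons.append("rundll32 loads a DLL from the Windows root folder")
        if kind == "O17":
            reasons.append("review: DNS servers set in the registry, confirm they are your ISP's")
        if kind == "O20" and "AppInit_DLLs" in e:
            reasons.append("AppInit_DLLs value present")
        if kind == "O20" and "Winlogon Notify" in e:
            for n in names:
                others = sorted(owners[n] - {"O20"})
                if others:
                    reasons.append(f"{n} is also registered under {others}")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for r in why:
            print("   ->", r)
```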

#7 kelbel (Authentic Member, 31 posts)
Posted 17 March 2007 - 03:50 PM

http://www.thespykil...hp?topic=3806.0

#8 kelbel (Authentic Member, 31 posts)
Posted 17 March 2007 - 04:44 PM

Logfile of HijackThis v1.99.1
Scan saved at 5:33:16 PM, on 3/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\NILaunch.exe
F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
F:\QUICKENW\QWDLLS.EXE
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\System32\wuauclt.exe
I:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {a8b72ad4-349d-4918-a36d-651daa791653} - F:\WINDOWS\system32\pxinnit.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Net-It Launcher] F:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{A480D802-76BA-4198-B221-77DEE53A4A27}: NameServer = 216.144.187.71,204.186.0.201
O20 - Winlogon Notify: pxinnit - F:\WINDOWS\SYSTEM32\pxinnit.dll
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

#9 random/random (MRU Expert, Malware Expert, 481 posts)
Posted 17 March 2007 - 05:05 PM

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once the scan is complete, Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the entry below into the top box
    • F:\WINDOWS\SYSTEM32\pxinnit.dll
  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Post back with the vundofix log and a new HijackThis log

#10 kelbel (Authentic Member, 31 posts)
Posted 17 March 2007 - 05:50 PM

Logfile of HijackThis v1.99.1
Scan saved at 6:45:12 PM, on 3/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
I:\Program Files\AVG Anti-Spyware 7.5\guard.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\NILaunch.exe
F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
I:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
F:\QUICKENW\QWDLLS.EXE
F:\WINDOWS\System32\wuauclt.exe
F:\WINDOWS\System32\wuauclt.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
I:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {a8b72ad4-349d-4918-a36d-651daa791653} - F:\WINDOWS\system32\pxinnit.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Net-It Launcher] F:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "I:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{A480D802-76BA-4198-B221-77DEE53A4A27}: NameServer = 216.144.187.71,204.186.0.201
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - I:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

VundoFix V6.3.16
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Scan started at 11:02:35 AM 3/17/2007
Listing files found while scanning....
F:\WINDOWS\System32\tmp8.tmp.dll
Beginning removal...
Attempting to delete F:\WINDOWS\System32\tmp8.tmp.dll
F:\WINDOWS\System32\tmp8.tmp.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete F:\WINDOWS\System32\tmp8.tmp.dll
F:\WINDOWS\System32\tmp8.tmp.dll Has been deleted!
Performing Repairs to the registry.
Done!

VundoFix V6.3.16
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Scan started at 11:39:57 AM 3/17/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.3.16
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Java version is 1.4.2.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.4
Old versions of java are exploitable and should be removed.
Scan started at 6:29:05 PM 3/17/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Attempting to delete F:\WINDOWS\SYSTEM32\pxinnit.dll F:\WINDOWS\SYSTEM32\pxinnit.dll Has been deleted! Performing Repairs to the registry. Done!


#11 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 18 March 2007 - 05:56 AM

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 .
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)

O2 - BHO: (no name) - {a8b72ad4-349d-4918-a36d-651daa791653} - F:\WINDOWS\system32\pxinnit.dll (file missing)

Then close all windows except HijackThis and click Fix Checked

Go here to run an online scanner from Kaspersky.
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. After reading the contents, press "Accept".
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log as "KAV.txt" to the desktop.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

Post back with the Kaspersky log, a new HijackThis log and let me know how it's running now
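The "if still present" instruction above is the manual version of a log diff: compare the entries of the last HijackThis log with the new one and see which of the flagged lines survived. The script below does that mechanically. It is an added example for this thread, not code from HijackThis and not something anyone in the thread posted; the two log excerpts are constructed from lines quoted in the thread, and the flagging rules (unnamed or orphaned BHOs, tmpN.tmp.* modules, O15 Trusted Zone and O17 NameServer entries, JRE versions found in paths) are this example's own assumptions about what a helper looks at first.

```python
"""Triage and diff helpers for HijackThis v1.99.1 logs.

Added example for this thread: it is not part of HijackThis and was not
posted by anyone in the thread. The two log excerpts are constructed
from lines quoted in the thread, and the flagging rules are this
example's own assumptions about what a helper looks at first.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "O2 - BHO: ..." -> section "O2", body "BHO: ..."
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Randomly named droppers seen in this thread: tmp5.tmp.dll, tmp8.tmp.dll, tmp2.tmp.exe
TMP_MODULE_RE = re.compile(r"\\tmp\d+\.tmp\.(?:dll|exe)\b", re.I)
# JRE install directory inside a path, e.g. \jre1.5.0_04\ or \jre1.6.0\
JRE_RE = re.compile(r"\\jre(\d+\.\d+\.\d+(?:_\d+)?)\\", re.I)


@dataclass(frozen=True)
class Entry:
    section: str  # O2, O4, O17, ...
    body: str     # everything after "On - "

    def __str__(self) -> str:
        return f"{self.section} - {self.body}"


def parse_hjt(log: str) -> list[Entry]:
    """Keep only the O-entries; the header and running-process list are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def reasons(e: Entry) -> list[str]:
    """Why an entry deserves a look. Assumed rules, not HijackThis's own logic."""
    out = []
    if e.section == "O2" and e.body.startswith("BHO: (no name)"):
        out.append("unnamed BHO")
    if e.section == "O2" and e.body.endswith("(file missing)"):
        out.append("orphaned BHO registration")
    if TMP_MODULE_RE.search(e.body):
        out.append("tmpN.tmp.* module")
    if e.section == "O15":
        out.append("Trusted Zone entry")
    if e.section == "O17":
        out.append("NameServer override: confirm it is the ISP's DNS")
    return out


def triage(log: str) -> list[tuple[Entry, list[str]]]:
    flagged = []
    for e in parse_hjt(log):
        r = reasons(e)
        if r:
            flagged.append((e, r))
    return flagged


def jre_versions(log: str) -> set[str]:
    """JRE versions referenced anywhere in the log; stale ones are what post #11 is about."""
    return {m.group(1) for e in parse_hjt(log) for m in JRE_RE.finditer(e.body)}


def diff_logs(before: str, after: str) -> dict[str, list[str]]:
    """What disappeared, what is new, and which flagged entries survived the fix."""
    old = {str(e) for e in parse_hjt(before)}
    new = {str(e) for e in parse_hjt(after)}
    still = [str(e) for e, _ in triage(after) if str(e) in old]
    return {"removed": sorted(old - new), "added": sorted(new - old),
            "still_flagged": sorted(still)}


# Constructed excerpts modelled on the 3/17 and 3/18 logs in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 6:45:12 PM, on 3/17/2007
Running processes:
F:\WINDOWS\System32\smss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {a8b72ad4-349d-4918-a36d-651daa791653} - F:\WINDOWS\system32\pxinnit.dll (file missing)
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - F:\WINDOWS\System32\tmp5.tmp.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O15 - Trusted Zone: *.musicmatch.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A480D802-76BA-4198-B221-77DEE53A4A27}: NameServer = 216.144.187.71,204.186.0.201
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 1:16:22 PM, on 3/18/2007
Running processes:
F:\WINDOWS\System32\smss.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O15 - Trusted Zone: *.musicmatch.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A480D802-76BA-4198-B221-77DEE53A4A27}: NameServer = 216.144.187.71,204.186.0.201
"""

if __name__ == "__main__":
    for e, why in triage(LOG_BEFORE):
        print(f"{e}\n    -> {', '.join(why)}")
    print("JRE before/after:", jre_versions(LOG_BEFORE), jre_versions(LOG_AFTER))
    for k, v in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(f"{k}: {len(v)}")
        for line in v:
            print("   ", line)
```

Run against the two excerpts, the diff shows the pxinnit.dll and tmp5.tmp.dll registrations gone, the jre1.5.0_04 autostart replaced by a jre1.6.0 one, and the O15 and O17 lines still flagged, which is exactly the state a helper would want to confirm before moving on to the next scan. The O17 rule is deliberately a "check this" rather than a "remove this": a NameServer entry is only a problem if the addresses are not the ISP's resolvers.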

#12 kelbel

kelbel

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 18 March 2007 - 12:20 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 18, 2007 1:10:26 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 18/03/2007
Kaspersky Anti-Virus database records: 282839
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 29243
Number of viruses found: 6
Number of infected objects: 10 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:24:25

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1149\A0131795.exe Infected: Trojan-Downloader.Win32.Small.cxx skipped
C:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\change.log Object is locked skipped
D:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\change.log Object is locked skipped
E:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\change.log Object is locked skipped
F:\WINDOWS\system32\config\system.LOG Object is locked skipped
F:\WINDOWS\system32\config\software.LOG Object is locked skipped
F:\WINDOWS\system32\config\default.LOG Object is locked skipped
F:\WINDOWS\system32\config\SECURITY Object is locked skipped
F:\WINDOWS\system32\config\SAM Object is locked skipped
F:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
F:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
F:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\SYSTEM Object is locked skipped
F:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
F:\WINDOWS\system32\config\DEFAULT Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
F:\WINDOWS\system32\moaupd.exe/WISE0012.BIN Infected: not-a-virus:AdWare.Win32.WurldMedia.h skipped
F:\WINDOWS\system32\moaupd.exe/WISE0014.BIN Infected: not-a-virus:AdWare.Win32.WurldMedia.b skipped
F:\WINDOWS\system32\moaupd.exe WiseSFX: infected - 2 skipped
F:\WINDOWS\system32\h323log.txt Object is locked skipped
F:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
F:\WINDOWS\Debug\oakley.log Object is locked skipped
F:\WINDOWS\Sti_Trace.log Object is locked skipped
F:\WINDOWS\wiaservc.log Object is locked skipped
F:\WINDOWS\wiadebug.log Object is locked skipped
F:\WINDOWS\SchedLgU.Txt Object is locked skipped
F:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
F:\WINDOWS\SoftwareDistribution\EventCache\{855C3863-E10B-4A59-8CE2-276342743C7A}.bin Object is locked skipped
F:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\Kelly\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\Kelly\Local Settings\Temp\tmp2.tmp.exe Infected: Trojan-Downloader.Win32.Agent.bjk skipped
F:\Documents and Settings\Kelly\Local Settings\Temp\tmp6.tmp.exe Infected: Trojan-Downloader.Win32.Agent.bjk skipped
F:\Documents and Settings\Kelly\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Kelly\Local Settings\History\History.IE5\MSHist012007031820070319\index.dat Object is locked skipped
F:\Documents and Settings\Kelly\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Kelly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\Kelly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\Kelly\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\Kelly\ntuser.dat.LOG Object is locked skipped
F:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1149\A0129739.dll Infected: Trojan-PSW.Win32.Sinowal.af skipped
F:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1149\A0129745.dll Infected: Trojan-PSW.Win32.Sinowal.af skipped
F:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\change.log Object is locked skipped
I:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\change.log Object is locked skipped
J:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\change.log Object is locked skipped
J:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\A0131931.exe/data0001 Infected: Trojan-Downloader.Win32.Agent.oz skipped
J:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\A0131931.exe NSIS: infected - 1 skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 1:16:22 PM, on 3/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
I:\Program Files\AVG Anti-Spyware 7.5\guard.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\NILaunch.exe
F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
F:\QUICKENW\QWDLLS.EXE
F:\WINDOWS\System32\wuauclt.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Program Files\Microsoft Office\Office10\EXCEL.EXE
F:\Program Files\Microsoft Office\Office10\WINWORD.EXE
F:\WINDOWS\system32\NOTEPAD.EXE
I:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Net-It Launcher] F:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "I:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A480D802-76BA-4198-B221-77DEE53A4A27}: NameServer = 216.144.187.71,204.186.0.201
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - I:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
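The Kaspersky report above mixes three very different kinds of hit: copies sitting in System Restore points, droppers in the user's Temp folder, and one live file under system32 (the packed moaupd.exe). Sorting them by location is what turns a long scan log into a short to-do list. The script below is an added example for this thread, not Kaspersky's code and not something anyone in the thread posted; the report excerpt is constructed from the lines quoted in post #12, and the three buckets (restore point, temp, live) are this example's own assumption about how a helper reads such a report.

```python
"""Sort a Kaspersky Online Scanner report into things that need action.

Added example for this thread; it is not Kaspersky's code and was not
posted by anyone in the thread. The report excerpt is constructed from
lines quoted in post #12, and the three location buckets are this
example's own assumption about how a helper reads such a report.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# "<object> Infected: <verdict> skipped"; <object> may be "<container>/<member>"
INFECTED_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+) skipped$")
# archive-level summary such as "<file> WiseSFX: infected - 2 skipped"
SUMMARY_RE = re.compile(r"^(?P<obj>.+?) (?P<fmt>\w+): infected - (?P<n>\d+) skipped$")
LOCKED_RE = re.compile(r"^(?P<obj>.+?) Object is locked skipped$")


@dataclass(frozen=True)
class Finding:
    container: str      # the on-disk file (plain file or archive)
    member: str | None  # path inside the archive, if any
    verdict: str
    kind: str           # "infected" (per-object) or "summary" (archive total)


def classify(path: str) -> str:
    """Where the file lives decides what has to be done about it."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"  # System Restore copy: inert unless that point is restored
    if "\\local settings\\temp\\" in p:
        return "temp"           # goes away with a temp cleaner such as ATF Cleaner
    return "live"               # active file: delete by hand and rescan


def parse_kav(report: str) -> tuple[list[Finding], list[str]]:
    """Return (infected findings, locked objects); all other lines are ignored."""
    findings, locked = [], []
    for raw in report.splitlines():
        line = raw.strip()
        if m := INFECTED_RE.match(line):
            container, _, member = m.group("obj").partition("/")
            findings.append(Finding(container, member or None, m.group("name"), "infected"))
        elif m := SUMMARY_RE.match(line):
            findings.append(Finding(m.group("obj"), None,
                                    f"{m.group('fmt')} archive, {m.group('n')} infected members", "summary"))
        elif m := LOCKED_RE.match(line):
            locked.append(m.group("obj"))
    return findings, locked


def detections(report: str) -> dict[str, set[str]]:
    """Verdict names per on-disk file (archive summary lines folded away)."""
    out: dict[str, set[str]] = defaultdict(set)
    for f in parse_kav(report)[0]:
        if f.kind == "infected":
            out[f.container].add(f.verdict)
    return dict(out)


def action_plan(report: str) -> dict[str, list[str]]:
    """Unique on-disk files grouped by what to do with them."""
    plan: dict[str, set[str]] = defaultdict(set)
    for f in parse_kav(report)[0]:
        plan[classify(f.container)].add(f.container)
    return {k: sorted(v) for k, v in plan.items()}


# Constructed excerpt built from the scanner lines quoted in post #12.
REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1149\A0131795.exe Infected: Trojan-Downloader.Win32.Small.cxx skipped
C:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\change.log Object is locked skipped
F:\WINDOWS\system32\config\SAM Object is locked skipped
F:\WINDOWS\system32\moaupd.exe/WISE0012.BIN Infected: not-a-virus:AdWare.Win32.WurldMedia.h skipped
F:\WINDOWS\system32\moaupd.exe/WISE0014.BIN Infected: not-a-virus:AdWare.Win32.WurldMedia.b skipped
F:\WINDOWS\system32\moaupd.exe WiseSFX: infected - 2 skipped
F:\Documents and Settings\Kelly\Local Settings\Temp\tmp2.tmp.exe Infected: Trojan-Downloader.Win32.Agent.bjk skipped
F:\Documents and Settings\Kelly\Local Settings\Temp\tmp6.tmp.exe Infected: Trojan-Downloader.Win32.Agent.bjk skipped
F:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1149\A0129739.dll Infected: Trojan-PSW.Win32.Sinowal.af skipped
J:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\A0131931.exe/data0001 Infected: Trojan-Downloader.Win32.Agent.oz skipped
J:\System Volume Information\_restore{27EEF314-9828-4EFD-B901-805795959A3E}\RP1151\A0131931.exe NSIS: infected - 1 skipped
Scan process completed.
"""

if __name__ == "__main__":
    for bucket, files in action_plan(REPORT).items():
        print(f"[{bucket}]")
        for f in files:
            print("   ", f, "->", ", ".join(sorted(detections(REPORT).get(f, []))))
    print("locked (not scanned):", len(parse_kav(REPORT)[1]))
```

On this excerpt the "live" bucket contains exactly one file, F:\WINDOWS\system32\moaupd.exe, which is the one the next post tells the user to delete by hand; the two Temp droppers fall to the ATF Cleaner step, and the restore-point copies are listed separately because they need a different treatment from a file that is loaded at boot. The archive summary lines ("WiseSFX: infected - 2", "NSIS: infected - 1") are kept as findings so the container is not lost, but they are folded away in `detections` so each verdict is counted once.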

#13 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 18 March 2007 - 01:22 PM

Use windows explorer to find and delete this file:

F:\WINDOWS\system32\moaupd.exe

Download ATF Cleaner by Attribune
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Main at the top and choose Select All from the list.
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Acrobat reader is outdated, uninstall the one you have installed and install the latest one from here:

http://www.adobe.com.../readstep2.html

Post back with a new HijackThis log and let me know how it's running now

#14 kelbel

kelbel

    Authentic Member

  • Authentic Member
  • PipPip
  • 31 posts

Posted 18 March 2007 - 03:42 PM

Hi,

No more re-directs, but IE still initializes real slow and hyperlinks to secondary windows are slow as well. Once things initialize they run at normal speed; it's just getting there that is taking time.

Logfile of HijackThis v1.99.1
Scan saved at 4:36:22 PM, on 3/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
I:\Program Files\AVG Anti-Spyware 7.5\guard.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\System32\NILaunch.exe
F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
I:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
F:\Program Files\Java\jre1.6.0\bin\jusched.exe
F:\QUICKENW\QWDLLS.EXE
F:\WINDOWS\System32\wuauclt.exe
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\WINDOWS\System32\msiexec.exe
I:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - F:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - F:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Net-It Launcher] F:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [MMTray] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] F:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "I:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = F:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A480D802-76BA-4198-B221-77DEE53A4A27}: NameServer = 216.144.187.71,204.186.0.201
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - I:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

#15 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 18 March 2007 - 03:53 PM

  • Download GMER by GMER from here
  • Unzip it to a folder on your desktop
  • Double click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver to load
  • If it warns you about rootkit activity and asks if you want to run scan, click OK
  • If you don't get a warning then
    • Click the rootkit tab
    • Click Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerrk.txt
  • Click on the >>> tab
  • This will open up the rest of the tabs for you
  • Click on the Autostart tab
  • Click on Scan
  • Once the scan has finished, click copy
  • Paste the log into notepad using Ctrl+V
  • Save it to your desktop as gmerautos.txt
  • Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic
  • Download WinPFind by OldTimer here
  • Double click on winpfind.exe to extract it
  • Click extract
  • Wait for the message "All files have been extracted" and then click OK
  • This will create the folder winPFind on your desktop
  • Inside that folder is a file called WinPFind.exe
  • Double click on that file to launch WinPFind
  • This will launch a configuration screen
    • Under Driver Services change the selection to Non-Microsoft
    • Under File Created Within change the selection to 60 days
    • Leave the other settings as they are
  • Click Run Scan
  • During the scan WinPFind may appear to be not responding, this is normal
  • Wait for the scan to finish, this may take several minutes
  • A notepad window will open with WinPFind's log.
  • Copy and paste the contents of that window here.
  • Note: You may need several posts to post the entire log, or it might get cut off
Post back with the GMER logs, the WinPfind log and a new HijackThis log
You will probably need several posts to fit all the logs in
