Jump to content

help me remove infections


Recommended Posts

When I logged into my computer as my normal user, I got my normal background, but none of my shortcuts nor my taskbar, and I couldn't run task manager or other programs.

So I logged out, logged back in as administrator, and ran Malwarebytes' Anti-Malware. It found a dozen or so infected files. I "removed selected", rebooted, and ran HJT.

The HJT log follows. I kindly ask for assistance in determining next steps to clean my system.

Many Thanks!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:33:07 AM, on 2/16/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\PROGRA~1\sygate\ssa\syg_hp.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\runservice.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\usbservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\WINDOWS\system32\userinit.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe

C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE

C:\kurt\spyware\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.portal.hp.com/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [smcService] "C:\PROGRA~1\Sygate\SSA\smc.exe" -startgui

O4 - HKLM\..\Run: [soundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"

O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start

O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [synTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [statusClient] "C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" /auto

O4 - HKLM\..\Run: [TomcatStartup] "C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe"

O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [DeskTopSrv] C:\WINDOWS\system32\grcrt.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\fciext.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com

O15 - Trusted Zone: http://ie.config.asia.compaq.com

O15 - Trusted Zone: http://ie.config.eur.compaq.com

O15 - Trusted Zone: http://ie.config.im.hou.compaq.com

O15 - Trusted Zone: http://ie.config.jp.compaq.com

O15 - Trusted Zone: http://ie.config.ecom.dec.com

O15 - Trusted Zone: http://ie.config.tandem.com

O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://vincaspro.cce.cpqcorp.net/cpqtraqipo/Exect/smsx.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1208908348468

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://vmware.webex.com/client/T26L/training/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\Software\..\Telephony: DomainName = americas.hpqcorp.net

O17 - HKLM\System\CCS\Services\Tcpip\..\{4B9C5CEC-E587-48AE-AB65-F540012B107F}: NameServer = 151.197.0.39,151.197.0.38

O17 - HKLM\System\CCS\Services\Tcpip\..\{B116C73E-0986-4996-B6E9-3C24DFC844F1}: NameServer = 151.197.0.39,151.197.0.38

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: HP Sygate Icon Control (HPSygControl) - Hewlett-Packard Company - C:\PROGRA~1\sygate\ssa\syg_hp.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe

O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: Usb Service 2.0 - UToo - C:\WINDOWS\usbservice.exe

--

End of file - 8347 bytes

Link to post
Share on other sites

When I logged into my computer as my normal user, I got my normal background, but none of my shortcuts nor my taskbar, and I couldn't run task manager or other programs.

So I logged out, logged back in as administrator, and ran Malwarebytes' Anti-Malware. It found a dozen or so infected files. I "removed selected", rebooted, and ran HJT.

The MBAM and HJT logs follow. I kindly ask for assistance in determining next steps to clean my system.

(Note: I originally neglected to include the MBAM log, so I edited my post to include it.)

Many Thanks!

Malwarebytes' Anti-Malware 1.34

Database version: 1749

Windows 5.1.2600 Service Pack 2

2/16/2009 9:29:34 AM

mbam-log-2009-02-16 (09-29-34).txt

Scan type: Full Scan (C:\|)

Objects scanned: 267916

Time elapsed: 1 hour(s), 7 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 9

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 14

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\hs78344kjkfd.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.Zlob.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsf8uiw3jnjgffght (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jsf8uiw3jnjgffght (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Desktop) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\hs78344kjkfd.dll (Trojan.Zlob.H) -> Delete on reboot.

C:\kurt\OB4150-95\BugdoctorSetup.exe (Rogue.BugDoctor) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B9F59AC2-3F48-4326-A9AC-7C6E57FAA7B9}\RP258\A0020790.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\itqclyeo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACpoakfhdy.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACxgogmcnr.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\UACwyroyobq.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system\xccef090131.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\nnnoPJYS.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\kaco\Local Settings\Temp\winlognn.exe (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\system32\UACevjlkxju.dat (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACgtspqjup.log (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UAClrnlskkg.dll (Trojan.Agent) -> Quarantined and deleted successfully.

------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:33:07 AM, on 2/16/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\PROGRA~1\sygate\ssa\syg_hp.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\runservice.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\usbservice.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\WINDOWS\system32\userinit.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe

C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE

C:\kurt\spyware\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.portal.hp.com/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [smcService] "C:\PROGRA~1\Sygate\SSA\smc.exe" -startgui

O4 - HKLM\..\Run: [soundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"

O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start

O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [synTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [statusClient] "C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" /auto

O4 - HKLM\..\Run: [TomcatStartup] "C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe"

O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [DeskTopSrv] C:\WINDOWS\system32\grcrt.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\fciext.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com

O15 - Trusted Zone: http://ie.config.asia.compaq.com

O15 - Trusted Zone: http://ie.config.eur.compaq.com

O15 - Trusted Zone: http://ie.config.im.hou.compaq.com

O15 - Trusted Zone: http://ie.config.jp.compaq.com

O15 - Trusted Zone: http://ie.config.ecom.dec.com

O15 - Trusted Zone: http://ie.config.tandem.com

O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://vincaspro.cce.cpqcorp.net/cpqtraqipo/Exect/smsx.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1208908348468

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://vmware.webex.com/client/T26L/training/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\Software\..\Telephony: DomainName = americas.hpqcorp.net

O17 - HKLM\System\CCS\Services\Tcpip\..\{4B9C5CEC-E587-48AE-AB65-F540012B107F}: NameServer = 151.197.0.39,151.197.0.38

O17 - HKLM\System\CCS\Services\Tcpip\..\{B116C73E-0986-4996-B6E9-3C24DFC844F1}: NameServer = 151.197.0.39,151.197.0.38

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: HP Sygate Icon Control (HPSygControl) - Hewlett-Packard Company - C:\PROGRA~1\sygate\ssa\syg_hp.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe

O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: Usb Service 2.0 - UToo - C:\WINDOWS\usbservice.exe

--

End of file - 8347 bytes

Link to post
Share on other sites

Thanks for helping :)

I haven't used my computer since my original post(s).

I updated MBAM, did a quick scan and had it "remove selected", which led to a reboot. When I logged back in, my computer said it couldn't start:

spoolsv.exe

ScardSvr.exe

and UTool encountered an error and had to close.

Also, my Symantec AntiVirus found and quarantined Trojan.Packed.9 It did not specify a location.

I did this all logged in as the administrator account. I normally login as a different user, but I'm hesistant to do so again until we feel we've got most of this cleaned up. I say that because the last time I logged in as the non-administrator user, I could access my taskbar, taskmgr, or run any programs.

Here's the MBAM log, followed by the HJT log. A subsequent MBAM (after the reboot) showed no objects infected, so it appears to have removed everything in the log below.

Thanks again!

Malwarebytes' Anti-Malware 1.34

Database version: 1780

Windows 5.1.2600 Service Pack 2

2/19/2009 8:11:17 PM

mbam-log-2009-02-19 (20-11-10).txt

Scan type: Quick Scan

Objects scanned: 68529

Time elapsed: 4 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{0de84a17-739f-47eb-99cf-86b7acf3365d} (Trojan.Vundo) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DeskTopSrv (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\suohbg.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\tirxfrow.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\drivers\c5d477ca.sys (Rootkit.Agent) -> No action taken.

C:\cxfagn.exe (Trojan.Agent) -> No action taken.

C:\cwxwwgtl.exe (Trojan.Agent) -> No action taken.

C:\xyephkl.exe (Trojan.Agent) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:21:31 PM, on 2/19/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SSA\smc.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\PROGRA~1\sygate\ssa\syg_hp.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\runservice.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE

C:\Documents and Settings\hpadmin\My Documents\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.portal.hp.com/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Hewlett-Packard

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [smcService] "C:\PROGRA~1\Sygate\SSA\smc.exe" -startgui

O4 - HKLM\..\Run: [soundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"

O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start

O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe

O4 - HKLM\..\Run: [synTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [statusClient] "C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" /auto

O4 - HKLM\..\Run: [TomcatStartup] "C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe"

O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\fciext.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O14 - IERESET.INF: START_PAGE_URL=http://athp.hp.com

O15 - Trusted Zone: http://ie.config.asia.compaq.com

O15 - Trusted Zone: http://ie.config.eur.compaq.com

O15 - Trusted Zone: http://ie.config.im.hou.compaq.com

O15 - Trusted Zone: http://ie.config.jp.compaq.com

O15 - Trusted Zone: http://ie.config.ecom.dec.com

O15 - Trusted Zone: http://ie.config.tandem.com

O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://vincaspro.cce.cpqcorp.net/cpqtraqipo/Exect/smsx.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1208908348468

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://vmware.webex.com/client/T26L/training/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\Software\..\Telephony: DomainName = americas.hpqcorp.net

O17 - HKLM\System\CCS\Services\Tcpip\..\{4B9C5CEC-E587-48AE-AB65-F540012B107F}: NameServer = 151.197.0.39,151.197.0.38

O17 - HKLM\System\CCS\Services\Tcpip\..\{B116C73E-0986-4996-B6E9-3C24DFC844F1}: NameServer = 151.197.0.39,151.197.0.38

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = americas.cpqcorp.net

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

O23 - Service: HP Sygate Icon Control (HPSygControl) - Hewlett-Packard Company - C:\PROGRA~1\sygate\ssa\syg_hp.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Lan Discover Agent (magaService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\maga\maga.exe

O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)

O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SSA\smc.exe

O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: Usb Service 2.0 - UToo - C:\WINDOWS\usbservice.exe

--

End of file - 8263 bytes

Link to post
Share on other sites

Yes, I set the DNS entries to 151.xxx at the request of my service provider. They've been there for a couple of years. I have another computer using DHCP just fine with the same router, so I can probably take those out.

MBAM seemed to create the log before it fixed those items. I ran it again after it did its required reboot, and that log follows (and shows the items fixed).

It appears as though spoolsv & ScardSvr have been hacked. How can I get those back to what they should be?

Thanks :)

Malwarebytes' Anti-Malware 1.34

Database version: 1780

Windows 5.1.2600 Service Pack 2

2/19/2009 8:36:52 PM

mbam-log-2009-02-19 (20-36-52).txt

Scan type: Quick Scan

Objects scanned: 68390

Time elapsed: 4 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

  • Root Admin

Please run the following AV scanner

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, the select Change Settings or press the F9 key. You can also change the Language
  • Choose the Scanning tab and I recomend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages Archive = Move, E-mails = Report, Containers = Move
    • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked

    [*]On the Log file tab leave the Log to file checked.

    [*]Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log

    [*]Log mode = Append

    [*]Encoding = ANSI

    [*]Details Leave Names of file packers and Statistics checked.

    [*]Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.

    [*]On the General tab leave the Scan Priority on High

    [*]Click the Apply button at the bottom, and then the OK button.

    [*]On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.

    [*]In this mode it will scan Boot sectors of all disks, All removable media, and all local drives

    [*]The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.

    [*]When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.

    [*]Click 'Yes to all' if it asks if you want to cure/move the files.

    [*]This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)

    [*]After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list

    [*]Save the report to your Desktop. The report will be called DrWeb.csv

    [*]Close Dr.Web Cureit.

    [*]Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.

    [*]After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.

    drweb.jpg

Link to post
Share on other sites

FYI, my Symantec AntiVirus found and quarantined 2 files when I brought the computer out of hibernation:

c:\windows\temp\VRTF.tmp

c:\windows\temp\VRT11.tmp

I used another computer to download Dr.Web CureIt, so the infected computer was never reconnected to the web. I disabled SAV real time protection, and tried to run drweb-cureit.exe.

I clicked Start, then OK, but it then said setup.exe encountered a problem and needed to close.

I also tried stopping all of the SAV services, but I received the same error.

What can I do to get this to run?

Thanks.

Link to post
Share on other sites

  • Root Admin

Well actually if you can get Symantec to run and UPDATE or copy the UPDATE to the system via CD then you should be able to scan it.

I don't know that you have it yet, but there are potential indication you may have a virus that is damaging all the executable files on your system.

If you can't get Symantec to update and run then using another computer try to download and burn this CD and scan with it.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the
    Avira AntiVir Rescue System
    from
    here
  • Place a blank CD in your burner and double-click on the downloaded file.

  • The program will automatically burn the CD for you.

  • Place the burned CD into the affected computer and start the computer from this CD.

  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.

  • Click on the
    Configuration
    button.

    • Select
      Scan all files
    • Select
      Try to repair infected files
      and
      Rename files, if they cannot be removed

    • Select
      Scan for dialers

    • Select
      Scan for joke programs (Jokes)

    • Select
      Scan for games

    • Select
      Scan for spyware (SPR)

    [*]
    Click on
    Virus scanner

    [*]
    Click on
    Start scanner
    at the bottom of the screen

    [*]
    Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Screen resolution problems

Please see the post
here
if you're unable to view the entire screen of Avira.
Link to post
Share on other sites

  • Root Admin

I would like to get Dr Web to run (yes Launch.exe is the file to run)

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, the select Change Settings or press the F9 key. You can also change the Language
  • Choose the Scanning tab and I recomend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages Archive = Move, E-mails = Report, Containers = Move
    • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked

    [*]On the Log file tab leave the Log to file checked.

    [*]Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log

    [*]Log mode = Append

    [*]Encoding = ANSI

    [*]Details Leave Names of file packers and Statistics checked.

    [*]Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.

    [*]On the General tab leave the Scan Priority on High

    [*]Click the Apply button at the bottom, and then the OK button.

    [*]On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.

    [*]In this mode it will scan Boot sectors of all disks, All removable media, and all local drives

    [*]The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.

    [*]When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.

    [*]Click 'Yes to all' if it asks if you want to cure/move the files.

    [*]This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)

    [*]After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list

    [*]Save the report to your Desktop. The report will be called DrWeb.csv

    [*]Close Dr.Web Cureit.

    [*]Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.

    [*]After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.

    drweb.jpg

Link to post
Share on other sites

No luck with launch.exe or drweb-cureit.exe. Same setup.exe error. I have another XP computer that is clean that I can copy files from if that would help get around the "setup.exe" error and let me run cureit. Let me know if that's a possibility.

It's getting too late to create that CD - I'll try that later/next time.

I fear I may have virut (as you aluded to). Would keeping the computer hibernated/off minimize the infection spread? I seem to remember reading somewhere that it infected .exe files as they were accessed (i.e. no further access implies no further spread), and someone thought the root cause was secupdat.dat.

I appreciate your thoughts, and thanks for your help so far...

Link to post
Share on other sites

  • Root Admin

It may slow it, but bottom line is IF it is infected with Virut then it's already a lost cause. You may not have Virut though as another symptom appears to be Internet access is often killed off for many.

In any case, keep it off of any network with other computers and DO NOT swap USB drives between this system and another one unless the other one is very well protected.

The Avira CD is a good choice since it does not rely on any system files to run. It does have trouble running though on some newer computers because the Linux cored doesn't have drivers for everything.

Link to post
Share on other sites

Well, the good news is the "other" computer was/is better protected. It has McAfee OAS, and it quarantined F:\userinit.exe as a W32/Virut.n.gen back on Feb 16 when I was using a usb thumb drive.

(Note: I'm using the "other" computer for all network access, including entering this post.)

The bad news is "this" computer must have virut. I assume System Recovery is useless.

Can I still backup my data files (non .exe) to an external usb drive?

Link to post
Share on other sites

Assuming I "can" backup my data files, should I:

just copy selected folders with my data files (leaving out .exe and .zips that contain .exe), or

use MS Backup, or

use something like Ghost?

If MS Backup, does the wizard support backing up from XP, and restoring to Win 2000 Server or Win 2003 Server. (My XP came pre-installed, and I don't have the CDs to re-install it. So I may try one of those other OSes.)

Thank you.

Link to post
Share on other sites

  • Root Admin

Well if you can download and burn the Avira CD it should be able to tell us for sure what is on the box or not.

As for backups, yes you should be able to backup data files like music, pictures, mail, etc. No zips, No screen savers, No EXE programs or files.

Then scan the backup device with more than one scanner. Use your McAfee, but also use one like the Dr Web CureIT as well to make sure you don't transfer it back to a good computer.

Link to post
Share on other sites

I ran the Avira Rescue CD, and it had found 114 records when I stopped it. All of these were not removable, so they were renamed. I think a lot (most or all?) of these are false positives, because some of the 1st files it found were in /mnt/sda1/CDROMBB (several executables in there), which is a directory with a baseball game I play. It's known to generate false positives, see this link: http://www.stratfanforum.com/forums/showthread.php?t=59123

It also showed alerts for a lot of stuff I haven't used in a long time, such as GhostView, Ulead, and many others. My system doesn't seem bad enough (yet) to have so many infected files, especially ones I haven't accessed in some time.

Does Avira have a way to rename the files back to what they were?

Link to post
Share on other sites

Can I scan an MS-Backup file? I ask because I "think" SAV just recently updated their definitions file to catch this, and I have an MS-Backup from last Saturday (the 14th) right around the time I started to notice problems. I know the virus had already started to infect by then, but if SAV can "clean" the backup, I can at least use that to restore my data files after I format and re-install.

BTW, the Avira log also had a hit in /Program Files/Symantec AntiVirus/tool_time.exe, which it renamed, so I'm not sure SAV will work anymore on that computer, but I do have another one that is clean with up to date SAV definitions.

Thanks.

Link to post
Share on other sites

Sorry about the multiple posts. As I mentioned before, I don't see any way to edit a post.

I realize now that while there may be some false positives, most of those files are probably infected. I'm going to reboot and try to backup as much of my data as I can. I think zips are ok as long as they don't contain .exe files, true?

My XP image came factory installed, and I only have win 2k server and win 2003 server media. Do you think the latter (win 2003 server) is better?

Thanks.

Link to post
Share on other sites

  • Root Admin

Yes 2003 Server is better as far as security is concerned but is not as program, game friendly as XP.

Regardless of what you backup make sure you scan it with at least a couple AV scanners so you don't put it back.

As for scanning a backup file, I don't think any AV program properly scans a backup file for virus.

No there is no way to have Avira automatically rename files back, but all it does is add the .xxx extension to it so you could rename it and put it back yourself.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.