Computer Hope
Software => Computer viruses and spyware => Topic started by: atittaya23 on June 17, 2008, 01:05:36 PM
-
Even after I quarantine all of the bad files that the antivirus and antispyware recommend, reboot, and then run a scan again soon after, the programs still find them again ???
I have followed the instructions about what to do before posting a HJT log. So here they are.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 06/18/2008 at 01:16 AM
Application Version : 4.15.1000
Core Rules Database Version : 3469
Trace Rules Database Version: 1460
Scan type : Complete Scan
Total Scan Time : 00:40:30
Memory items scanned : 167
Memory threats detected : 0
Registry items scanned : 5879
Registry threats detected : 0
File items scanned : 42311
File threats detected : 6
Adware.Tracking Cookie
C:\Documents and Settings\Mr.Postman\Cookies\mr.postman@2o7[1].txt
C:\Documents and Settings\Mr.Postman\Cookies\[email protected][2].txt
C:\Documents and Settings\Mr.Postman\Cookies\[email protected][2].txt
C:\Documents and Settings\Mr.Postman\Cookies\mr.postman@atdmt[2].txt
C:\Documents and Settings\Mr.Postman\Cookies\mr.postman@statcounter[2].txt
C:\Documents and Settings\Mr.Postman\Cookies\[email protected][2].txt
---------------------------------------------------------------------
Malwarebytes' log next post
-
After closing Malwarebytes' Anti-Malware, I received this from Spybot
(http://i300.photobucket.com/albums/nn33/atittaya23/Capture-6.gif)
What does it mean?
-
Hijackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:29:48, on 18 มิ.ย. 2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C79 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGP.EXE /FU "C:\WINDOWS\TEMP\E_SC3.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DF5Serv - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
--
End of file - 8686 bytes
-
After closing Malwarebytes' Anti-Malware, I received this from Spybot
That is TeaTimer warning you about the changes.
Did you allow it?
The HijackThis log looks fine. How is everything now?
-
That is TeaTimer warning you about the changes.
Did you allow it?
No, I denied it because I'm afraid to change anything or use any other program except SUPERAntiSpyware Free Edition and Malwarebytes' Anti-Malware. Did I do something wrong?
The HijackThis log looks fine. How is everything now?
Wow, those two programs are pretty impressive. Everything seems to be OK now, but I'll wait a little bit longer to see if I ever receive this message again when running a virus scan.
(http://i300.photobucket.com/albums/nn33/atittaya23/Capture-7.gif)
By the way, I don't know if this is relevant, but I first ran a SUPERAntiSpyware Free Edition scan at 06:59 PM. After I rebooted, I tried to retrieve the scan log as instructed but couldn't find it, so I thought I must have done something wrong. So I decided to run SUPERAntiSpyware again in safe mode, and after the second scan finished I checked the scan log while still in safe mode. That is how I found the first log that I couldn't find before. I'll show you that first log anyway.
-----------------------
SUPERAntiSpyware log from the first attempt in the next post
-
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 06/17/2008 at 06:59 PM
Application Version : 4.15.1000
Core Rules Database Version : 3469
Trace Rules Database Version: 1460
Scan type : Complete Scan
Total Scan Time : 00:52:15
Memory items scanned : 172
Memory threats detected : 0
Registry items scanned : 5853
Registry threats detected : 6
File items scanned : 54515
File threats detected : 3
Registry Cleaner Trial
HKCR\Install.Install
HKCR\Install.Install\CLSID
HKCR\Install.Install\CurVer
HKCR\Install.Install.1
HKCR\Install.Install.1\CLSID
Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\RemoveRP
C:\WINDOWS\SYSTEM32\MCRH.TMP
Unclassified.Unknown Origin/System
C:\D\G\AS\2\CHPSTART.EXE
Trojan.Unclassified/Loader-Suspicious
C:\PROGRAM FILES\EVERSTRIKE SOFTWARE\LOCK FOLDER XP 3.6\LOADER.EXE
------------------------------------------------------------------------------------------------------------
-
Download Dr.Web CureIt! (http://ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe) & save it to your desktop.
- Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
- Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
- Once the short scan has finished, Click Options > Change settings
- Choose the "Scan tab" and UNcheck "Heuristic analysis"
- Back at the main window, click "Custom Scan", then "Select drives" (a red dot will show which drives have been chosen).
- Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
- When done, a message will be displayed at the bottom advising if any viruses were found.
- Click "Yes to all" if it asks if you want to cure/move the file.
- When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
- Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
- Save the DrWeb.csv report to your desktop.
- Exit Dr.Web Cureit when done.
- Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
You can use Notepad to open the DrWeb.csv report by right-clicking it and selecting Open with > Notepad.
-
Download Dr.Web CureIt! (http://ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe) & save it to your desktop.
I get this instead when I try to click on your link.
(http://i300.photobucket.com/albums/nn33/atittaya23/Capture-8.gif)
-
Get it HERE (http://www.majorgeeks.com/Dr.Web_CureIT_d4783.html)
Click to enlarge.
(http://s1.screenshots.cc/thumb/thumb_41ae9785.png) (http://www.screenshots.cc/show.php/7655_untitled.PNG.html)
-
Thank you, I'll do it, but since it's very late now I hope you don't mind if I continue all this tomorrow. Thank you very much for your help so far ;D
-
No worries, we will get it taken care of one way or another.
-
Here is the DrWeb.csv report,
--------------------------------------------
SmitfraudFix.exe\SmitfraudFix\404Fix.exe;C:\Documents and Settings\Mr.Postman\Desktop\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\GenericRenosFix.exe;C:\Documents and Settings\Mr.Postman\Desktop\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\IEDFix.C.exe;C:\Documents and Settings\Mr.Postman\Desktop\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\IEDFix.exe;C:\Documents and Settings\Mr.Postman\Desktop\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\Mr.Postman\Desktop\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\Mr.Postman\Desktop\SmitfraudFix.exe;Trojan.Shutdown.47;;
SmitfraudFix.exe;C:\Documents and Settings\Mr.Postman\Desktop;Archive contains infected objects;Moved.;
slghex.dll;C:\Program Files\Common Files\Sandlot Shared;Adware.SpywareStorm;Moved.;
1QK2UVAA.NQF;C:\Program Files\ESET\infected;Trojan.Virtumod.based.16;Deleted.;
HW1A2AAA.NQF;C:\Program Files\ESET\infected;Trojan.Virtumod.based.16;Deleted.;
MXDYT1DA.NQF;C:\Program Files\ESET\infected;Trojan.Virtumod.based.16;Deleted.;
WPPUSVDA.NQF;C:\Program Files\ESET\infected;Trojan.Virtumod.based.16;Deleted.;
setup.exe;C:\Program Files\ESET\Install;Trojan.MulDrop.16617;Deleted.;
setup.exe;C:\Program Files\ESET\Setup;Trojan.MulDrop.16617;Deleted.;
404Fix.exe;C:\SmitfraudFix;BackDoor.IRC.Chazz.38;Deleted.;
GenericRenosFix.exe;C:\SmitfraudFix;BackDoor.IRC.Chazz.38;Deleted.;
IEDFix.C.exe;C:\SmitfraudFix;BackDoor.IRC.Chazz.38;Deleted.;
IEDFix.exe;C:\SmitfraudFix;BackDoor.IRC.Chazz.38;Deleted.;
Process.exe;C:\SmitfraudFix;Tool.Prockill;Moved.;
restart.exe;C:\SmitfraudFix;Trojan.Shutdown.47;Deleted.;
A0004548.exe\SmitfraudFix\404Fix.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48\A0004548.exe;BackDoor.IRC.Chazz.38;;
A0004548.exe\SmitfraudFix\GenericRenosFix.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48\A0004548.exe;BackDoor.IRC.Chazz.38;;
A0004548.exe\SmitfraudFix\IEDFix.C.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48\A0004548.exe;BackDoor.IRC.Chazz.38;;
A0004548.exe\SmitfraudFix\IEDFix.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48\A0004548.exe;BackDoor.IRC.Chazz.38;;
A0004548.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48\A0004548.exe;Tool.Prockill;;
A0004548.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48\A0004548.exe;Trojan.Shutdown.47;;
A0004548.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48;Archive contains infected objects;Moved.;
A0004592.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48;BackDoor.IRC.Chazz.38;Deleted.;
A0004595.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48;BackDoor.IRC.Chazz.38;Deleted.;
A0004597.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48;BackDoor.IRC.Chazz.38;Deleted.;
A0004598.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48;BackDoor.IRC.Chazz.38;Deleted.;
A0004600.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48;Tool.Prockill;Moved.;
A0004602.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48;Trojan.Shutdown.47;Deleted.;
A0004946.exe\SmitfraudFix\404Fix.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54\A0004946.exe;BackDoor.IRC.Chazz.38;;
A0004946.exe\SmitfraudFix\GenericRenosFix.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54\A0004946.exe;BackDoor.IRC.Chazz.38;;
A0004946.exe\SmitfraudFix\IEDFix.C.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54\A0004946.exe;BackDoor.IRC.Chazz.38;;
A0004946.exe\SmitfraudFix\IEDFix.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54\A0004946.exe;BackDoor.IRC.Chazz.38;;
A0004946.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54\A0004946.exe;Tool.Prockill;;
A0004946.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54\A0004946.exe;Trojan.Shutdown.47;;
A0004946.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54;Archive contains infected objects;Moved.;
A0004947.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54;Trojan.MulDrop.16617;Deleted.;
A0004948.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54;Trojan.MulDrop.16617;Deleted.;
A0004949.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54;BackDoor.IRC.Chazz.38;Deleted.;
A0004950.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54;BackDoor.IRC.Chazz.38;Deleted.;
A0004951.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54;BackDoor.IRC.Chazz.38;Deleted.;
A0004952.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54;BackDoor.IRC.Chazz.38;Deleted.;
A0004953.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54;Trojan.Shutdown.47;Deleted.;
mgkruxeb.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.16;Deleted.;
squwnqaq.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.16;Deleted.;
A0004267.exe;D:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP38;Trojan.DownLoader.62905;Deleted.;
SlgClientServicesRedists.exe\data002;D:\GameHouse\Cake Mania\SlgClientServicesRedists.exe;Adware.SpywareStorm;;
SlgClientServicesRedists.exe;D:\GameHouse\Cake Mania;Archive contains infected objects;Moved.;
----------------------------------------------------------------------------
New HJT Log next post
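The DrWeb.csv report above is a semicolon-separated list of object;directory;threat;action records. The Python script below is an added example written for this thread (it is not Dr.Web's code and not part of any post) that parses a pasted report, tells archive members apart from the archives they were found in, and counts how many detections sit inside System Restore snapshots. The sample report embedded in the script is a trimmed copy of the lines posted above.

```python
"""Summarise a Dr.Web CureIt! DrWeb.csv report.

Added example for this thread; it is not Dr.Web's code. Each report
line has the shape
    object;directory;threat;action;
An object found inside an archive is written as archive\member, and its
action column is empty because the action was taken on the archive.
"""
from collections import Counter
from dataclasses import dataclass

RESTORE_MARKER = "\\system volume information\\_restore"


@dataclass(frozen=True)
class Detection:
    obj: str        # object name, or "archive\member" for an archive member
    directory: str  # folder of the object (for a member: path of the archive)
    threat: str     # Dr.Web's name for the threat
    action: str     # "Moved.", "Deleted." or "" for an archive member

    @property
    def in_archive(self):
        return "\\" in self.obj

    @property
    def in_restore_point(self):
        """True if the object sits inside a System Restore snapshot."""
        return RESTORE_MARKER in self.directory.lower()


def parse_report(text):
    """Parse DrWeb.csv text; dashed separator lines around a pasted report are skipped."""
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError("unexpected DrWeb.csv line: %r" % line)
        detections.append(Detection(fields[0], fields[1], fields[2], fields[3]))
    return detections


def summarize(detections):
    """Counts an analyst wants at a glance, plus anything the tool left untouched."""
    top_level = [d for d in detections if not d.in_archive]
    return {
        "objects": len(detections),
        "top_level": len(top_level),
        "by_action": Counter(d.action or "(archive member)" for d in detections),
        "by_threat": Counter(d.threat for d in detections),
        # Detections inside restore points come back if an old point is restored,
        # which is why a fresh restore point is created after cleaning.
        "restore_point_objects": sum(1 for d in top_level if d.in_restore_point),
        "untouched": [d.obj for d in top_level if d.action == ""],
    }


# Sample input (constructed): a trimmed copy of the report posted in this thread.
SAMPLE_REPORT = r"""
--------------------------------------------
SmitfraudFix.exe\SmitfraudFix\404Fix.exe;C:\Documents and Settings\Mr.Postman\Desktop\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\Mr.Postman\Desktop\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe;C:\Documents and Settings\Mr.Postman\Desktop;Archive contains infected objects;Moved.;
1QK2UVAA.NQF;C:\Program Files\ESET\infected;Trojan.Virtumod.based.16;Deleted.;
A0004548.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48;Archive contains infected objects;Moved.;
A0004592.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48;BackDoor.IRC.Chazz.38;Deleted.;
mgkruxeb.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.16;Deleted.;
A0004267.exe;D:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP38;Trojan.DownLoader.62905;Deleted.;
----------------------------------------------------------------------------
"""

if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(key, "=", value)
```

Run it as a script to print the summary. The `untouched` list is the part worth reading first: a top-level object with an empty action column is one the tool neither moved nor deleted, and the restore-point count shows how much of the cleanup would be undone by rolling back to an old restore point.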
-
Is my PC clean now?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:36:34, on 18 มิ.ย. 2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\post\postexcel.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus C79 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGP.EXE /FU "C:\WINDOWS\TEMP\E_SC3.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DF5Serv - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
--
End of file - 8582 bytes
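The two HijackThis logs in this thread differ only in the process list, which is the kind of change a helper looks for by eye. The Python script below is an added example written for this thread (it is not HijackThis code and not part of any post) that parses the log format, reports which entries appear in only one of two logs, and lists targets outside C:\WINDOWS and C:\Program Files as a triage hint. The embedded sample is a trimmed copy of the first log; the second is derived from it with the same process-list change the posted logs show.

```python
"""Parse HijackThis v2 log text and compare two logs.

Added example for this thread; it is not HijackThis code. It handles the
line shapes seen in the logs above: the "Running processes:" block and
the "Rx - ..." / "Oxx - ..." entries. Header and footer lines are ignored.
"""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")
DRIVE_RE = re.compile(r"^[a-z]:\\")
# Where legitimately installed software normally lives on XP (lower-case).
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

@dataclass(frozen=True)
class Entry:
    section: str   # "R0", "O4", "O23", ... or "PROC" for a running-process line
    key: str       # normalised full line, used when comparing two logs
    clsid: str     # CLSID carried by the line, or ""
    target: str    # path / command / URL the line points at, or ""

def _target_of(section, body):
    """Pull the path-like tail out of one entry body."""
    if section == "O4":                     # O4 - HKLM\..\Run: [name] command (User '...')
        return USER_SUFFIX_RE.sub("", body.partition("] ")[2]).strip()
    if section.startswith("R"):             # R0 - key,value = data
        return body.partition("=")[2].strip()
    if " - " in body:                       # O2/O3/O9/O16/O20/O23: "... - path"
        return body.rsplit(" - ", 1)[1].strip()
    return body.partition(": ")[2].strip()  # O10 - Unknown file in Winsock LSP: path

def parse_log(text):
    """Return the list of Entry objects for one HijackThis log."""
    entries, in_processes = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            section, body = m.group("section"), m.group("body")
            found = CLSID_RE.search(body)
            entries.append(Entry(section, line.lower(),
                                 found.group(0).upper() if found else "",
                                 _target_of(section, body)))
        elif in_processes:
            entries.append(Entry("PROC", line.lower(), "", line))
    return entries

def diff_logs(old_text, new_text):
    """Entries found only in the newer log, and entries found only in the older one."""
    old = {e.key: e for e in parse_log(old_text)}
    new = {e.key: e for e in parse_log(new_text)}
    added = [e for k, e in new.items() if k not in old]
    removed = [e for k, e in old.items() if k not in new]
    return added, removed

def outside_expected_dirs(entries):
    """Targets outside the usual install directories: a triage hint, not a verdict."""
    hits = []
    for e in entries:
        t = e.target.strip('"').lower()
        if DRIVE_RE.match(t) and not t.startswith(EXPECTED_DIRS):
            hits.append(e.target)
    return hits

# Sample input (constructed): a trimmed copy of the first log posted in this thread.
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
End of file - 8686 bytes
"""
# The second log differs only in the process list: the two browser processes
# are gone and C:\post\postexcel.exe has appeared, as in the posted logs.
LOG_AFTER = LOG_BEFORE.replace(
    "C:\\Program Files\\Internet Explorer\\iexplore.exe\n"
    "C:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLLoginProxy.exe\n",
    "C:\\post\\postexcel.exe\n")

if __name__ == "__main__":
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("only in newer log:", [e.target for e in added])
    print("only in older log:", [e.target for e in removed])
    print("outside expected dirs:", outside_expected_dirs(parse_log(LOG_AFTER)))
```

Comparison is done on the whole normalised line, so a changed CLSID or path shows up as one entry removed and one added. The directory check is deliberately coarse: it only says where to look first, and an unfamiliar path such as `C:\post\postexcel.exe` still needs the usual identification (publisher, file properties, a scan) before any verdict.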
-
Looks good, how is everything now?
-----
Final steps.
Download OTMoveIt2 by OldTimer OTMoveIt2.exe (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe) and place it on your desktop. (unless you already have it installed)
1. Double click OTMoveIt2.exe to launch it.
Vista users: right-click and choose Run As Administrator.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete, exit OTMoveIt2.
----------
Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
- Go to Start > Programs > Accessories > System Tools and click System Restore
- Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
- The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
- Next go to Start > Run and type Cleanmgr
- Click OK
- Click the More Options Tab.
- Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
----------
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
- Click Start Now
- Check the box next to Enable thorough system inspection.
- Click Start
- Allow the scan to finish and scroll down to see if any updates are needed.
- Update anything listed.
----------
Important: You need to update Windows and Internet Explorer regularly to protect your computer from the malware and other security threats that are on the Internet. Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
If you are running any Microsoft Office version, go to the Office Update (http://office.microsoft.com/search/redir.aspx?assetid=ES790020331033&CTT=96&Origin=CL100570421033) site and make sure you have at least all the critical updates installed (free).
----------
Make sure all of your security programs are up to date and run scans with them regularly. Once or twice a week minimum.
Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.
To prevent unknown applications from being installed on your computer, install WinPatrol 2008 (http://www.winpatrol.com/winpatrol.html)
Using WinPatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Another thing I would suggest is installing SiteAdvisor (http://www.siteadvisor.com/). SiteAdvisor rates sites on business practices and spam.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secures your Internet Explorer to make it harder for these ActiveX programs to run on your computer. It also stops certain cookies from being added to your computer when running Mozilla-based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)
*If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Check out Keeping Yourself Safe On The Web (http://evilspages.blogspot.com/2008/05/keeping-yourself-safe-on-web.html) for tips and free tools to keep you safe in the future.
Also see Slow Computer? It May Not Be Malware (http://evilspages.blogspot.com/2008/05/slow-computer-it-may-not-be-malware.html) for free cleaning/maintenance tools to help keep your computer running smoothly.
-
Perfectly ;D I ran a scan again today and NOD32 found nothing; SUPERAntiSpyware found nothing except a few cookies, which were deleted with no difficulty; Malwarebytes' found no infection. I have so much joy. Thank you for your help :-* Learning from you was fun and a very educational process. My brain cells were expanded because of you. May you always have good health and wealth :D
Nancy
-
Glad it all worked out.
Safe surfing....