Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Trojan detected - HJT log

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Trojan detected - HJT log

Unread postby griff9 » June 12th, 2007, 11:51 pm

Symantec AV detected msorcl32.exe and quarantined it. I was then able to delete it from within Symantec. Must not be gone though as Ad-Aware can't finish a scan and intermittent reboots keep happening. HJT log to follow: (please help)

Logfile of HijackThis v1.99.1
Scan saved at 11:20:40 PM, on 6/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\garmin Nuvi\gStart.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [gStart] C:\Program Files\garmin Nuvi\gStart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
griff9
Active Member
 
Posts: 5
Joined: June 12th, 2007, 10:36 pm
Advertisement
Register to Remove

Unread postby Kimberly » June 13th, 2007, 10:23 am

Hello griff9 and welcome,

Possible you have a whole bundle installed, depends if Symantec catched the files or not in time as msorcl32.exe downloads other stuff.

Please do an online scan with Kaspersky Online Scanner

Notice!
A new version of Kaspersky Virus Scanner has been released on August 8, 2006. If you have installed a previous version, you must unistall that program first before installing the new version. To uninstall, please go to the computer control panel and select "Add/Remove Programs." Close all Internet Explorer windows before uninstalling the Kaspersky Online Scanner.

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save Report As button:
    • Save the file to your desktop.
    • File Type: Text file (*.txt).
    • Name: Kav.txt for example
  • Copy and paste that information in your next post.
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby griff9 » June 13th, 2007, 10:01 pm

Thank you for your assistance and expertise! The Kaspersky log follows:

KASPERSKY ONLINE SCANNER REPORT
Wednesday, June 13, 2007 9:49:23 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 14/06/2007
Kaspersky Anti-Virus database records: 345978
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 41349
Number of viruses found: 7
Number of infected objects: 23
Number of suspicious objects: 37
Duration of the scan process: 00:48:18

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\Jon\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jon\Local Settings\Application Data\Microsoft\Outlook\2004 eMail.pst/2004 eMail/02 Oct 2004 06:48 from CITI:CitiBank: Special Announce [Sat, 02 .rtf Infected: Trojan-Spy.HTML.Citifraud.ai skipped
C:\Documents and Settings\Jon\Local Settings\Application Data\Microsoft\Outlook\2004 eMail.pst Mail MS Mail: infected - 1 skipped
C:\Documents and Settings\Jon\Local Settings\Application Data\Microsoft\Outlook\Archive Sent.pst/Archive Sent/18 Aug 2003 13:00 to Mike Bryson:FW: Returned mail: delivery pro/17 Aug 2003 05:01 to ers@pathwaynet.com:Horoscopes.com All right.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Jon\Local Settings\Application Data\Microsoft\Outlook\Archive Sent.pst/Archive Sent/18 Aug 2003 13:00 to Mike Bryson:FW: Returned mail: delivery pro/17 Aug 2003 05:10 to 0HDG00E4G2LOGV@mtain12.icomcast.net:Hypnoti.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Jon\Local Settings\Application Data\Microsoft\Outlook\Archive Sent.pst/Archive Sent/18 Aug 2003 12:59 to Mike Bryson:FW: Returned mail: delivery pro/17 Aug 2003 05:09 to 0HDG000I12LPUM@msgstore07.icomcast.net:Have.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Jon\Local Settings\Application Data\Microsoft\Outlook\Archive Sent.pst Mail MS Mail: suspicious - 3 skipped
C:\Documents and Settings\Jon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jon\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jon\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jon\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jon\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0342NAV~.TMP Object is locked skipped
C:\RECYCLER\S-1-5-21-1935655697-73586283-682003330-1003\Dc15.pst/2004 eMail/02 Oct 2004 06:48 from CITI:CitiBank: Special Announce [Sat, 02 .rtf Infected: Trojan-Spy.HTML.Citifraud.ai skipped
C:\RECYCLER\S-1-5-21-1935655697-73586283-682003330-1003\Dc15.pst Mail MS Mail: infected - 1 skipped
C:\RECYCLER\S-1-5-21-1935655697-73586283-682003330-1003\Dc20.pst/Archive Sent/18 Aug 2003 13:00 to John Smith:FW: Returned mail: delivery pro/17 Aug 2003 05:01 to ers@pathwaynet.com:Horoscopes.com All right.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-1935655697-73586283-682003330-1003\Dc20.pst/Archive Sent/18 Aug 2003 13:00 to John Smith:FW: Returned mail: delivery pro/17 Aug 2003 05:10 to 0HDG00E4G2LOGV@mtain12.icomcast.net:Hypnoti.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-1935655697-73586283-682003330-1003\Dc20.pst/Archive Sent/18 Aug 2003 12:59 to John Smith:FW: Returned mail: delivery pro/17 Aug 2003 05:09 to 0HDG000I12LPUM@msgstore07.icomcast.net:Have.rtf Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\RECYCLER\S-1-5-21-1935655697-73586283-682003330-1003\Dc20.pst Mail MS Mail: suspicious - 3 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{731DA17D-927C-450E-B483-0BDF0AAB9B4E}\RP178\A0010745.sys Infected: Packed.Win32.Tibs.w skipped
C:\System Volume Information\_restore{731DA17D-927C-450E-B483-0BDF0AAB9B4E}\RP179\change.log Object is locked skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/13 Apr 2003 13:25 from susanhowell:A IE 6.0 patch.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/17 Aug 2003 05:03 from Mail Delivery Subsystem:Returned mail: de/17 Aug 2003 05:01 to ers@pathwaynet.com:Horoscopes.com All right.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/17 Aug 2003 05:13 from Mail Delivery Subsystem:Returned mail: de/17 Aug 2003 05:09 to 0HDG000I12LPUM@msgstore07.icomcast.net:Have.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/06 Aug 2003 01:17 from Mail Delivery Subsystem:Returned mail: de/06 Aug 2003 01:17 to 112febc-0@bbeta.o:Your browser must support.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/21 Jun 2003 12:45 from Mail Delivery System:Mail delivery failed.eml/[From ZACK <ZACK@FTC.BZ>][Date Date header was inserted by mtaout03.icomcast.net]/UNNAMED/install.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/21 Jun 2003 12:45 from Mail Delivery System:Mail delivery failed.eml/[From ZACK <ZACK@FTC.BZ>][Date Date header was inserted by mtaout03.icomcast.net]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/21 Jun 2003 12:45 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.Klez.h skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/17 Aug 2003 05:10 from Mail Delivery Subsystem:Returned mail: de/17 Aug 2003 05:10 to 0HDG00E4G2LOGV@mtain12.icomcast.net:Hypnoti.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/04 Aug 2003 18:11 from Mail Delivery Subsystem:Returned mail: de/04 Aug 2003 17:54 to JCmusic-tdbear@msn.com:Noresize src.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/04 Aug 2003 01:06 from rundeb50:A WinXP patch.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/04 Aug 2003 01:22 from 0HD5008ITIRPWT:The Garden of Eden.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/04 Aug 2003 02:45 from Mail Delivery Subsystem:Returned mail: de/04 Aug 2003 02:40 to 59@lexcominc.net:MKE 98 108 108 10 .html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/04 Aug 2003 03:20 from Mail Delivery Subsystem:Returned mail: de/04 Aug 2003 03:16 to rajn@bscon.com:Unders and floating)).html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/04 Aug 2003 03:35 from Mail Delivery Subsystem:Returned mail: de/04 Aug 2003 03:32 to 0HDG00E4G2LOGV@mtain12.icomcast.net:Hello,0.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/04 Aug 2003 04:07 from Mail Delivery Subsystem:Returned mail: de/04 Aug 2003 04:07 to 20press@streamcast.ws:The Garden of Eden.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/04 Aug 2003 06:15 from Mail Delivery Subsystem:Returned mail: de/04 Aug 2003 06:11 to fidelity@inco.com.lb:Look,my beautiful girl.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/04 Aug 2003 13:41 from Mail Delivery System:Mail delivery failed.eml/[From Ziembo <Ziembo@aol.com>][Date Mon, 4 Aug 2003 13:40:41 +0000 (GMT)]/UNNAMED/install.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/04 Aug 2003 13:41 from Mail Delivery System:Mail delivery failed.eml/[From Ziembo <Ziembo@aol.com>][Date Mon, 4 Aug 2003 13:40:41 +0000 (GMT)]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/04 Aug 2003 13:41 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.Klez.h skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/07 Aug 2003 14:49 from mmdubak.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/08 Aug 2003 10:03 from Mail Delivery Subsystem:Returned mail: de/08 Aug 2003 10:03 to 0HD3008009RUCQ@msgstore07.icomcast.net:Wscr.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/09 Aug 2003 05:31 from Mail Delivery Subsystem:Returned mail: de/09 Aug 2003 05:29 to 112febc-1@bbeta.o:Language.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/09 Aug 2003 05:36 from Mail Delivery Subsystem:Returned mail: de/09 Aug 2003 05:33 to 0HD3008009RUCQ@msgstore07.icomcast.net:All .html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/17 Aug 2003 03:33 from Mail Delivery Subsystem:Returned mail: de/17 Aug 2003 03:33 to OCTzta@ocs.e:Happy excite Assumption.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/17 Aug 2003 03:36 from jibiy2:Questionnaire.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/17 Aug 2003 04:06 from Mail Delivery Subsystem:Returned mail: de/17 Aug 2003 04:03 to wolf_lair31@yahoo.com:Happy Assumption.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/31 Aug 2003 19:02 from Mail Delivery Subsystem:Returned mail: de/31 Aug 2003 18:51 to IMamn@kpie.o.u:Some questions.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/01 Sep 2003 08:29 from Mail Delivery Subsystem:Returned mail: de/28 Aug 2003 02:45 to cfiorini@peoplepc.com:Fw:cfiorini,the Garde.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/02 Sep 2003 08:36 from Mail Delivery Subsystem:Returned mail: de/29 Aug 2003 21:06 to support@gnutella.co.uk:A very powful tool.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/04 Sep 2003 12:41 from Mail Delivery Subsystem:Returned mail: de/04 Sep 2003 12:41 to mssupport@gbrands.com:Tabindex.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/10 Sep 2003 23:22 from POSTMASTER@lnsmtp.usairways.com:Undeliver.eml/[From postmaster <postmaster@usairways.com>][Date Wed, 10 Sep 2003 23:20:42 +0000 (GMT)]/UNNAMED/jsjfu.pif Infected: Email-Worm.Win32.Klez.h skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/10 Sep 2003 23:22 from POSTMASTER@lnsmtp.usairways.com:Undeliver.eml/[From postmaster <postmaster@usairways.com>][Date Wed, 10 Sep 2003 23:20:42 +0000 (GMT)]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/10 Sep 2003 23:22 from POSTMASTER@lnsmtp.usairways.com:Undeliver.eml Infected: Email-Worm.Win32.Klez.h skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/11 Sep 2003 04:41 from Mail Delivery Subsystem:Returned mail: de/11 Sep 2003 02:26 to tifcurtis@hotmail.com:Meeting notice.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/16 Sep 2003 16:18 from Mail Delivery System:Mail delivery failed.eml/[From 0H9X00EC7EWDYN <0H9X00EC7EWDYN@msgstore07.icomcast.net>][Date Tue, 16 Sep 2003 16:18:30 +0000 (GMT)]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/16 Sep 2003 16:18 from Mail Delivery System:Mail delivery failed.eml/[From 0H9X00EC7EWDYN <0H9X00EC7EWDYN@msgstore07.icomcast.net>][Date Tue, 16 Sep 2003 16:18:30 +0000 (GMT)]/UNNAMED/dcr04[1].scr Infected: Email-Worm.Win32.Klez.h skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/16 Sep 2003 16:18 from Mail Delivery System:Mail delivery failed.eml/[From 0H9X00EC7EWDYN <0H9X00EC7EWDYN@msgstore07.icomcast.net>][Date Tue, 16 Sep 2003 16:18:30 +0000 (GMT)]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Inbox/16 Sep 2003 16:18 from Mail Delivery System:Mail delivery failed.eml Infected: Email-Worm.Win32.Klez.h skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Sent Items/18 Aug 2003 12:59 to John Smith:FW: Returned mail: delivery pro/17 Aug 2003 05:09 to 0HDG000I12LPUM@msgstore07.icomcast.net:Have.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Sent Items/18 Aug 2003 13:00 to John Smith:FW: Returned mail: delivery pro/17 Aug 2003 05:10 to 0HDG00E4G2LOGV@mtain12.icomcast.net:Hypnoti.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst/Personal Folders/Sent Items/18 Aug 2003 13:00 to John Smith:FW: Returned mail: delivery pro/17 Aug 2003 05:01 to ers@pathwaynet.com:Horoscopes.com All right.html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Updates\Backup\Outlook\outlook.pst Mail MS Mail: infected - 12, suspicious - 29 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\JON-SILVER.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\alt.exe.exe Infected: Packed.Win32.Tibs.y skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\mgsiknhw.exe Infected: Packed.Win32.Tibs.y skipped
C:\WINDOWS\system32\pee.exe.exe Infected: Packed.Win32.Tibs.y skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wmvds32.dll Infected: Trojan-Downloader.Win32.VB.asx skipped
C:\WINDOWS\system32\ylgczqgp.exe Infected: Trojan-Downloader.Win32.VB.axs skipped
C:\WINDOWS\Temp\Perflib_Perfdata_43c.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT03aee.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT04594.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
griff9
Active Member
 
Posts: 5
Joined: June 12th, 2007, 10:36 pm

Unread postby Kimberly » June 14th, 2007, 12:19 am

hello griff9

We still got some work to do, you did get yourself a nifty infection if you did get the full load. Do you suffer from a fake warning on your desktop too ? (Normally it installs AntiSpyware Solutions.)

Let's move on a bit.

Make sure that you can see hidden files.
  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading select Show hidden files and folders.
  6. Uncheck the Hide protected operating system files (recommended) option.
  7. Click Yes to confirm.
  8. Uncheck the Hide file extensions for known file types.
  9. Click OK.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login under your account
______________________________

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete... under Browsing History.
  • Next to Temporary Internet Files, click Delete files, and then click OK.
  • Next to Cookies, click Delete cookies, and then click OK.
  • Next to History, click Delete history, and then click OK.
  • Click the Close button.
  • Click OK.
For Internet Explorer 4.x - 6.x
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
For Netscape 4.x and Up
  • Click Edit from the Netscape menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the triangle sign.
  • Click Cache.
  • Click both the Clear Memory Cache and the Clear Disk Cache buttons.
For Mozilla 1.x and Up
  • Click Edit from the Mozilla menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the plus sign.
  • Click Cache.
  • Click the Clear Cache button.
For Opera
  • Click File from the Opera menubar.
  • Click Preferences... from the File menu.
  • Click the History and Cache menu.
  • Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
  • Click Ok to close the Preferences menu.
Click Start, click Settings, click Control Panel and then double-click Display. Click on the Web tab. With the Show Web content on my Active Desktop box checked, you should see a checked entry called Security info or something similar under WebPages. If it is there, select that entry and click the Delete button. Click Yes, then Apply and Ok.
Uncheck Show Web content on my Active Desktop again and Apply and Ok - Set the wallpaper of your choice.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Using Windows Explorer, Search and Delete these Files if listed:

C:\WINDOWS\system32\alt.exe.exe
C:\WINDOWS\system32\mgsiknhw.exe
C:\WINDOWS\system32\pee.exe.exe
C:\WINDOWS\system32\wmvds32.dll
C:\WINDOWS\system32\ylgczqgp.exe
C:\WINDOWS\system32\msdn_lib.dll
C:\WINDOWS\system32\msorcl32.exe
C:\WINDOWS\system32\setup0.exe
C:\WINDOWS\system32\tmrsrv32.exe

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is uncheck it and try again.
______________________________

Reboot in normal mode.

Guide : http://www.suspectfile.com/systemscan_guide.php

Download SystemScan from the link on that page, it will be a random name. Save it to your desktop, run the file. Leave all options checked. It might take a while before the scan is done. The log is very huge, so upload it here please :

http://www.bleepingcomputer.com/submit- ... channel=26

It's my channel. Put a link to your topic here in the appropriate case.

You will have to clean out your mailboxes and their backups manually, they do contain infected files. Be very carefull while doing that.

Thanks. :)
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby griff9 » June 14th, 2007, 10:36 pm

So far, so good...only hiccup was that I couldn't delete "perflib_perfdata_22c.dat" from Windows|temp - it was in use (in safe mode). Otherwise, I've done as instructed...
griff9
Active Member
 
Posts: 5
Joined: June 12th, 2007, 10:36 pm

Unread postby Kimberly » June 15th, 2007, 7:20 am

Hello griff9,

Way better than I would have thought, you didn't get the full infection. No worries for the perflib_perfdata_22c.dat, it can't be deleteled because in use. On the other had, the log shows the presence of a few modified settings and a rootkit.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby griff9 » June 15th, 2007, 11:47 pm

OK - glad I didn't get both barrels! Logs to follow:


SDFix: Version 1.87

Run by Jon on Fri 06/15/2007 at 11:36 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
windev-7455-47ea

ImagePath:
\??\C:\WINDOWS\system32\windev-7455-47ea.sys

windev-7455-47ea - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\windev-7455-47ea.sys - Deleted
C:\WINDOWS\system32\windev-peers.ini - Deleted



Removing Temp Files...

ADS Check:

Checking C:\WINDOWS\
C:\WINDOWS
No streams found.

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe:*:Disabled:pcAnywhere Host Service"
"C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"="C:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe:*:Disabled:pcAnywhere Remote Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:


Listing User Accounts:

User accounts for \\JON-SILVER

Administrator Guest HelpAssistant
Jon SUPPORT_388945a0


Finished






Logfile of HijackThis v1.99.1
Scan saved at 11:43:47 PM, on 6/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\garmin Nuvi\gStart.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [gStart] C:\Program Files\garmin Nuvi\gStart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
griff9
Active Member
 
Posts: 5
Joined: June 12th, 2007, 10:36 pm

Unread postby Kimberly » June 15th, 2007, 11:54 pm

Hello griff9,

Everything looks fine now, files were correctly removed.

Could you upload the C:\SDFix\backups\backups.zip to my channel please, I wanna see how they are detected by AV's. Thanks. :)

http://www.bleepingcomputer.com/submit- ... channel=26


How is the computer running, still trouble or alerts from Norton ?

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby Kimberly » June 17th, 2007, 10:35 am

Thanks for the file upload, how is the PC running now ?

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby griff9 » June 18th, 2007, 10:47 pm

Hi Kimberly - it seems to be running fine - no issues. Thank you very much for your assistance and expertise.

Sincerely,

Griff9
griff9
Active Member
 
Posts: 5
Joined: June 12th, 2007, 10:36 pm

Unread postby Kimberly » June 18th, 2007, 11:23 pm

You're welcome griff9 :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Windows, Internet Explorer and Microsoft Office Updates

Visit Microsoft's Windows Update Site frequently. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

If you are running Microsoft Office, or any application of it, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed.

If you have trouble with Windows Update, you still can get all the Critical Updates, Security Fixes and Service Packs. Below are a few links to bookmark.

Microsoft Security Bulletins
http://www.microsoft.com/technet/security/current.aspx

Office downloads
http://office.microsoft.com/en-us/offic ... fault.aspx

Download Center
http://www.microsoft.com/downloads/search.aspx

Microsoft Security Advisories
http://www.microsoft.com/technet/securi ... fault.mspx

Recently Published
http://www.microsoft.com/technet/securi ... fault.mspx

Make your Internet Explorer more secure
  1. From within Internet Explorer click on the Tools menu and then click on Options.
  2. Click on the Security tab
  3. Click the Internet icon so it becomes highlighted.
  4. Click on Default Level and click Ok
  5. Click on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialise and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • Internet Explorer 7 users : Check all other items and make sure that they meet the (recommended) setting when applies.
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  6. Next press the Apply button and then the OK to exit the Internet Properties page.
Take the time to check out the following links

Introduction to Internet Explorer 7
http://www.microsoft.com/windows/ie/default.mspx

Internet Explorer 7 features
http://www.microsoft.com/windows/ie/ie7 ... fault.mspx

Release Notes for Internet Explorer 7
http://msdn2.microsoft.com/en-us/ie/aa740486.aspx
These Release Notes give you information about installing Internet Explorer® 7 and contain information about known issues and possible workarounds for those issues.

Internet Explorer 7 Ressources - In Depth Articles - Known Issues ...
http://www.ie-vista.com/

Internet Explorer7 - Phishing Filter Frequently Asked Questions
http://www.microsoft.com/mscorp/safety/ ... g/faq.mspx

Resources for using Internet Explorer 6
http://support.microsoft.com/?kbid=867470

How to Configure Enhanced Security Features for Internet Explorer from Windows XP SP2
http://www.microsoft.com/technet/securi ... secxp.mspx

Safety Home
http://www.microsoft.com/mscorp/safety/default.mspx

IEBlog
http://blogs.msdn.com/ie/default.aspx

Microsoft Malicious Software Removal Tool
http://www.microsoft.com/security/malwa ... ilies.mspx

Keep your Sun Java up to date

The most current version of Sun Java is: Java Runtime Environment Version 6.0
http://java.sun.com/javase/downloads/index.jsp
  • Scroll down to where it says "Java Runtime Environment (JRE) 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
And in the future, remember to remove older versions of Java when you update to a newer version to avoid exploitation of older versions left on your system.

Check out these topics for more information:
http://spywarewarrior.com/viewtopic.php?t=17910
http://spywarewarrior.com/viewtopic.php?t=17598

Free programs that may help you in keeping the PC clean
  • SpywareBlaster
    SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
    You can download SpywareBlaster here
    A tutorial can be found here
  • SpywareGuard
    It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method. An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware. And you can easily have an anti-virus program running alongside SpywareGuard. It also features Download Protection and Browser Hijacking Protection.
    You can download SpywareGuard here
    A tutorial can be found here
  • IE-SPYAD
    IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. It basically prevents any downloads, cookies, scripts from the sites listed, although you will still be able to connect to the sites.
    You can download IE-SPYAD here
    A tutorial can be found here
  • Hosts File
    A Hosts file replaces your current HOSTS file with one containing well known ad, spyware sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
    A tutorial tutorial can be found here
    • MVPS Hosts File
      You can download the MVPS Hosts File here
      Furthermore the website contains useful tips and links to other resources and utilities.
    • Bluetack's Hosts File and Hosts Manager
      Essentially based on the research made by Webhelper, Andrew Clover and Eric L. Howes, it contains most if not all the known spyware sites, sites responsible for hijacks, rogue apllications etc...
      Download Bluetack's Hosts file here
      Download Bluetack's HostsManager here
Free Spyware Detection and Removal Programs
  • Ad-Aware
    It scans for known spyware on your computer. These scans should be run at least once every two weeks.
    You can download Ad-Aware here
    A tutorial can be found here
  • Spybot - Search & Destroy
    It scans for spyware and other malicious programs. Spybot has preventitive tools that stop programs from even installing on your computer.
    You can download Spybot - S&D here
    A tutorial can be found here
Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware".
You will find the list here

AVG Anti-Spyware (formerly Ewido)

Realtime protection against these threats:
  • Hijackers and Spyware
    Secure surfing in the Internet without fear of annoying changes of the start page of your browser, tracking cookies and advertising bars.
  • Worms
    Nobody should receive e-mails in your name with malicious files in the appendix anymore.
  • Dialers
    Security against all kinds of dialers. No fear when receiving the next phone bill.
  • Trojans and Keyloggers
    No chance for thieves to steal your bank data and personal sensitive information by tapped Internet connections, remote controlled webcams or secret keyboard recordings.
Most of you will have already the trial version of this software, which is an excellent program and particularly good at catching trojans. If you find it useful you might want to consider buying the full program. When the trial period ends the following features will stop working:
  • Scheduled scans.
  • Real-time monitoring of the entire system.
  • Memory Scan detects active threats.
  • Self-protection at kernel layer guarantees gapless monitoring.
  • Automatic online-update.
The manual memory scan will work in the free version and you can manually update the definitions by clicking on the "Start Update" button under Manual update in the update module.

You can download AVG Anti-Spyware here
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

WinPatrol

WinPatrol uses a heuristic approach to detecting attacks and violations of your computing environment. Traditional security programs scan your hard drive searching for previously identified threats. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. You'll be removing dangerous new programs while others download new reference files.
  • Detect & Neutralize Spyware.
  • Detect & Neutralize ADware.
  • Detect & Neutralize Viral infections.
  • Detect & Neutralize Unwanted IE Add-Ons.
  • Detect & Restore File Type Changes.
  • Automatically Filter Unwanted Cookies.
  • Avoid Start Page Hijacking.
  • Detect changes to HOSTS & critical system files.
  • Kill Multiple Tasks that replicate each other, in a single step!
  • Stop programs that repeatedly add themselves to your Startup List!
Starting with WinPatrol 9.5 PLUS users also get the addition of Real-time Infiltration Detection so they'll know immediately when changes are made to critical system areas. WinPatrol Free is not demo or trial software. You're welcome to use it as long as you like.
You can download WinPatrol here
WinPatrol FAQ

SiteHound by Firetrust

Firetrust introduces the SiteHound Toolbar - the safe way to browse the Internet. With SiteHound, when you browse the Internet, you're shown a warning page every time you go to a site which is a known scam, potentially loads viruses or spyware on to your computer, has questionable content or anything you would not consider reasonable. You are shown a warning page with information about that site. From there you can choose to enter the site or go back. SiteHound is a free add-on to Internet Explorer. (Users of Firefox - a version for you is coming soon.) SiteHound's comprehensive database gathers the knowledge from other users and respected experts from the online security community to tell you which sites are real and which are bogus.

SiteHound will alert you when you enter a site which is known to contain:
  • Fraudulent claims or scams
  • Offensive material
  • Security vulnerabilities
  • Spyware or Adware
  • Spam related material
  • or other content deemed to be unsafe
Specifically, SiteHound blocks these categories:

• Adult • Spyware • Spam Advertising • Phishing • Possible scam or fraud • Misleading or False Advertising
• Pharming • Rogue or Suspect Product • Adware • Malware or Virus

System Requirements:
Internet Explorer 5.5+ and Windows 95/98/NT 4/ME/2000/XP

Product Info & Download: SiteHound Toolbar

For advanced users : ProcessGuard

ProcessGuard blocks rootkits, prevents spyware, guards your computer from DLL trojans...
For more information take a moment to read the Introduction and the Known Attacks information pages.
You can download Process Guard here

For advanced users : System Safety Monitor

System Safety Monitor (SSM) allows you to track down Microsoft Windows operating system activity in real-time and to prevent undesirable actions from various malware and spyware programs. SSM's main goal is to discover and block malicious actions of any application.
For more information take a moment to read the Main features of the program.
You can download SSM here

Use an AntiVirus Software

It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See the link below for a listing of some online & their stand-alone antivirus programs.
Computer Safety On line - Anti-Virus
http://www.malwareremoval.com/forum/viewtopic.php?p=53#53

Update your Anti Virus Software

It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall

I can not stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below.
Computer Safety On line - Software Firewalls
http://www.malwareremoval.com/forum/viewtopic.php?p=56#56
A tutorial on Understanding and Using Firewalls can be found here

Additional Information

For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link.

A very nice collection of tutorials is available at Bleeping Computer
http://www.bleepingcomputer.com/tutorials/

Finally, after following up on all these recommendations, why not run Jason Levine's Browser Security Tests ?
They will provide you with an insight on how vulnerable you might still be to a number of common exploits.
http://www.jasons-toolbox.com/BrowserSecurity/

Happy surf. :)

Kim
User avatar
Kimberly
MRU Teacher Emeritus
 
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Unread postby NonSuch » June 26th, 2007, 12:10 am

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27301
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: pgmigg and 40 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware