Welcome to MalwareRemoval.com,
log from my laptop

Post by masternitro » February 20th, 2009, 3:17 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:27:50, on 20/02/2009
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\NALNTSRV.EXE
C:\WINNT\System32\PGPsdkServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\PGP\PGPservice.exe
C:\WINNT\System32\wm.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\fxstaller.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Network Associates\PGP\PGPtray.exe
C:\Program Files\Sitecom\Sitecom WL-170 Wireless LAN Card\Installer\WLANUTL.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows UDP Control Center] fxstaller.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP\PGPtray.exe
O4 - Global Startup: Sitecom Wireless Utility.lnk = C:\Program Files\Sitecom\Sitecom WL-170 Wireless LAN Card\Installer\WLANUTL.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\System32\cusrvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\system32\NALNTSRV.EXE
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: PGPsdkService (PGPsdkServ) - Networks Associates Technology, Inc. - C:\WINNT\System32\PGPsdkServ.exe
O23 - Service: PGPService - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\PGP\PGPservice.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

--
End of file - 5553 bytes
masternitro
Regular Member
 
Posts: 41
Joined: February 20th, 2009, 3:13 pm
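The two HijackThis logs in this thread differ only in what ComboFix removed, and finding that difference by eye in a 5 KB log is error-prone. The Python script below is an added example (not code from MalwareRemoval.com, from the helper, or from HijackThis): it parses the R/F/O entries and the "Running processes" list of an HJT log, lists the O4 autostart values written as a bare file name (which the loader resolves through its search path, as `fxstaller.exe` is here; ComboFix's "Reg Loading Points" section prints the resolved path for such values), and diffs two logs. The sample inputs are constructed excerpts of the log above and of the fresh log posted after ComboFix later in the thread. A bare-name entry is not suspicious on its own (ctfmon.exe and mobsync.exe are legitimate here); the point is to surface such entries and the before/after delta for the helper to check.

```python
import re

# Constructed excerpt of the HijackThis log posted above (before ComboFix).
HJT_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\fxstaller.exe
C:\WINNT\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows UDP Control Center] fxstaller.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP\PGPtray.exe
O23 - Service: PGPService - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\PGP\PGPservice.exe
"""

# Constructed excerpt mirroring the fresh log posted after ComboFix ran.
HJT_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\Explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP\PGPtray.exe
O23 - Service: PGPService - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\PGP\PGPservice.exe
"""

# Every HJT finding starts with a section code such as R0, O4 or O23.
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
REG_RUN = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
LNK_RUN = re.compile(r"^(?P<hive>[^:]*Startup): (?P<name>.+?\.lnk) = (?P<cmd>.*)$")


def parse_hjt(text):
    """Return (processes, entries): the lower-cased running-process paths and
    a list of (code, body) tuples for every R/F/O line."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False          # a blank line closes the process list
            continue
        if in_procs:
            processes.append(line.lower())
            continue
        m = HJT_LINE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
    return processes, entries


def run_entries(entries):
    """Split O4 lines into (hive, value name, command) tuples."""
    out = []
    for code, body in entries:
        if code != "O4":
            continue
        m = REG_RUN.match(body) or LNK_RUN.match(body)
        if m:
            out.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return out


def bare_name_entries(entries):
    """O4 values whose command carries no path: the loader resolves these
    through its search path, so where the file really lives is not visible in HJT."""
    return [(name, cmd) for _, name, cmd in run_entries(entries) if "\\" not in cmd]


def diff_logs(before, after):
    """Entries and processes present in one log but not the other."""
    p1, e1 = parse_hjt(before)
    p2, e2 = parse_hjt(after)
    return {
        "entries_removed": sorted(set(e1) - set(e2)),
        "entries_added": sorted(set(e2) - set(e1)),
        "processes_gone": sorted(set(p1) - set(p2)),
        "processes_new": sorted(set(p2) - set(p1)),
    }


if __name__ == "__main__":
    _, before_entries = parse_hjt(HJT_BEFORE)
    for name, cmd in bare_name_entries(before_entries):
        print(f"bare-name autostart: [{name}] {cmd}")
    for key, rows in diff_logs(HJT_BEFORE, HJT_AFTER).items():
        print(key, rows)
```

On the constructed excerpts the diff reports the `[Windows UDP Control Center] fxstaller.exe` value and the `c:\winnt\fxstaller.exe` process as gone, and the two `R1` default-URL lines as new (ComboFix restores those Internet Explorer defaults), which matches what the helper would read off the two logs.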

Re: log from my laptop

Post by peku006 » March 1st, 2009, 10:18 am

Hello and welcome to Malware Removal.

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Please continue to respond until I give you the "All Clear"

If you follow these instructions, everything should go smoothly.

1 - Scan With ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Temporarily Disable Anti-virus

Please include the C:\ComboFix.txt in your next reply for further review.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

3 - Status Check
Please reply with


1. the ComboFix log (C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: log from my laptop

Post by masternitro » March 1st, 2009, 10:56 am

Hey peku006

The combofix log:
ComboFix 09-02-28.01 - mbuuren 01/03/2009 15:24:31.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.3.1252.1.1033.18.255.85 [GMT 1:00]
Running from: d:\documents and settings\mbuuren\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\winnt\fxstaller.exe
c:\winnt\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2009-02-01 to 2009-03-01 )))))))))))))))))))))))))))))))
.

2009-03-01 15:29 . 16,384 c:\winnt\system32\Perflib_Perfdata_4a4.dat
2009-03-01 15:29 . 09-03-01 15:29 16,384 --a----t- c:\winnt\system32\Perflib_Perfdata_254.dat
2009-02-20 19:27 . 09-02-20 19:27 <DIR> d-------- c:\program files\Trend Micro
2009-02-20 19:04 . 09-02-20 19:03 410,984 --a------ c:\winnt\system32\deploytk.dll
2009-02-20 19:00 . 09-02-20 19:00 <DIR> d----c--- c:\winnt\system32\DRVSTORE
2009-02-20 19:00 . 09-02-20 18:59 64,160 --a------ c:\winnt\system32\drivers\Lbd.sys
2009-02-20 18:50 . 09-02-20 18:50 <DIR> d-------- d:\documents and settings\All Users\Application Data\Lavasoft
2009-02-20 18:50 . 09-02-20 18:50 <DIR> d--h-c--- d:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-20 18:50 . 09-02-20 18:50 <DIR> d-------- c:\program files\Lavasoft
2009-02-20 18:49 . 09-02-20 18:49 <DIR> d-------- c:\winnt\winsxs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-20 18:03 --------- d-----w c:\program files\Java
2008-08-18 15:35 24 ----a-w d:\documents and settings\mbuuren\jagex_runescape_preferences.dat
2007-07-21 11:45 16,256 ----a-w d:\documents and settings\mbuuren\Application Data\GDIPFONTCACHEV1.DAT
2005-10-27 11:26 271 ---ha-w c:\program files\desktop.ini
2005-10-27 11:26 21,952 ---ha-w c:\program files\folder.htt
1999-12-07 15:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
.

------- Sigcheck -------

99-12-07 16:00 7952 9e64ad53cfd9da2d22e8a924f8c6e62c c:\winnt\system32\svchost.exe
99-12-07 16:00 7952 9e64ad53cfd9da2d22e8a924f8c6e62c c:\winnt\system32\dllcache\svchost.exe

02-07-22 14:05 405264 4dc317a74845603f6d2b0b325aa234c6 c:\winnt\$NtUninstallKB835732$\user32.dll
04-03-24 03:17 403216 6ae59f325971f7d151a50a4e00e04dc0 c:\winnt\$NtUninstallKB840987$\user32.dll
04-03-24 03:17 403216 6ae59f325971f7d151a50a4e00e04dc0 c:\winnt\$NtUninstallKB841533$\user32.dll
04-03-24 03:17 403216 6ae59f325971f7d151a50a4e00e04dc0 c:\winnt\$NtUninstallKB890859$\user32.dll
05-03-12 08:54 380688 05cb047c49480a2157911b0a1c7e4c10 c:\winnt\system32\USER32.DLL
05-03-12 08:54 380688 05cb047c49480a2157911b0a1c7e4c10 c:\winnt\system32\dllcache\USER32.DLL

02-07-22 14:05 68368 30cd43c6903f8e9829871e9eeb6babf5 c:\winnt\system32\ws2_32.dll
02-07-22 14:05 68368 30cd43c6903f8e9829871e9eeb6babf5 c:\winnt\system32\dllcache\ws2_32.dll

01-12-03 12:55 581632 3778734752fa22add1d52d7f3a9ca3b5 c:\winnt\system32\wininet.dll
01-12-03 12:55 581632 3778734752fa22add1d52d7f3a9ca3b5 c:\winnt\system32\dllcache\wininet.dll

02-07-22 14:05 329456 8b3cfa597a7b4ae984b8b7f21feff037 c:\winnt\$NtUninstallKB893066$\tcpip.sys
05-05-12 11:25 320176 4800519c7b6a6fa2212f1f14781430a6 c:\winnt\system32\dllcache\tcpip.sys
05-05-12 11:25 320176 4800519c7b6a6fa2212f1f14781430a6 c:\winnt\system32\drivers\tcpip.sys

02-07-22 14:05 178960 96a7495c924cf3fb1d0f857093b6f61f c:\winnt\$NtUninstallKB835732$\winlogon.exe
04-03-11 03:37 181520 563b3de5b6ee842cffa8813f9ef4cb5c c:\winnt\$NtUninstallKB840987$\winlogon.exe
04-08-24 23:59 182544 5922e8055eb439a58ef29530d8567a40 c:\winnt\$NtUninstallKB841533$\winlogon.exe
04-08-24 23:59 182544 5922e8055eb439a58ef29530d8567a40 c:\winnt\$NtUninstallKB890859$\winlogon.exe
04-08-24 23:59 182544 5922e8055eb439a58ef29530d8567a40 c:\winnt\system32\WINLOGON.EXE
04-08-24 23:59 182544 5922e8055eb439a58ef29530d8567a40 c:\winnt\system32\dllcache\WINLOGON.EXE

02-07-22 14:05 167344 880e0a9b181c05ab45f282ceec47b6b4 c:\winnt\system32\dllcache\ndis.sys
02-07-22 14:05 167344 880e0a9b181c05ab45f282ceec47b6b4 c:\winnt\system32\drivers\ndis.sys

02-07-22 14:05 1687360 08888c725e9ac9f3c8767546d0338b1c c:\winnt\$NtUninstallKB835732$\ntkrnlpa.exe
04-02-26 00:55 1699264 831ba187b86d6ded01d81a9594ed20e2 c:\winnt\$NtUninstallKB840987$\ntkrnlpa.exe
04-06-17 18:15 1703744 f7005c5a9d3cdd606d0c18f5477a929e c:\winnt\$NtUninstallKB890859$\ntkrnlpa.exe
05-03-02 10:49 1713280 3be4786a7e50f7ae4ac9f1b23a057835 c:\winnt\Driver Cache\i386\ntkrnlpa.exe
05-03-02 10:49 1713280 3be4786a7e50f7ae4ac9f1b23a057835 c:\winnt\system32\NTKRNLPA.EXE
05-03-02 10:49 1713280 3be4786a7e50f7ae4ac9f1b23a057835 c:\winnt\system32\dllcache\ntkrnlpa.exe

02-07-22 14:05 1712720 1be931a7bb06c089812029603ae9fe88 c:\winnt\$NtUninstallKB835732$\ntoskrnl.exe
04-03-11 03:37 1726032 fd0d750e6a9af878f3d21b12854c6806 c:\winnt\$NtUninstallKB840987$\ntoskrnl.exe
04-06-17 18:14 1680960 6ace8cc01d1232947c4ce3789fce9d51 c:\winnt\$NtUninstallKB890859$\ntoskrnl.exe
05-03-02 10:48 1690496 47880add9f1e5467f1f4536c76674166 c:\winnt\Driver Cache\i386\ntoskrnl.exe
05-03-02 10:48 1690496 47880add9f1e5467f1f4536c76674166 c:\winnt\system32\NTOSKRNL.EXE
05-03-02 10:48 1690496 47880add9f1e5467f1f4536c76674166 c:\winnt\system32\dllcache\ntoskrnl.exe

02-07-22 14:05 242960 51794d917250081ab41a77950cee481d c:\winnt\explorer.exe
02-07-22 14:05 242960 51794d917250081ab41a77950cee481d c:\winnt\system32\dllcache\explorer.exe

02-07-22 14:05 88848 7f164d07ba059b6e3c37c119b49b282a c:\winnt\system32\services.exe
02-07-22 14:05 88848 7f164d07ba059b6e3c37c119b49b282a c:\winnt\system32\dllcache\services.exe

02-07-22 14:05 33552 0fabc9f91eab355a6303fa540071aee7 c:\winnt\$NtUninstallKB835732$\lsass.exe
04-02-26 00:59 33552 0c13d582edaf90cbea454a1ac535b913 c:\winnt\system32\LSASS.EXE
04-02-26 00:59 33552 0c13d582edaf90cbea454a1ac535b913 c:\winnt\system32\dllcache\lsass.exe

01-02-20 13:09 8192 d36a33c21eeed5a6c1daecb7c80a1909 c:\winnt\system32\CTFMON.EXE

02-07-22 14:05 45328 bf50e306a42659938ba10218425709ab c:\winnt\system32\SPOOLSV.EXE
02-07-22 14:05 45328 bf50e306a42659938ba10218425709ab c:\winnt\system32\dllcache\spoolsv.exe

02-07-22 14:05 17680 d2c7c9f5c2623f6f7814231e278de9ff c:\winnt\system32\userinit.exe
02-07-22 14:05 17680 d2c7c9f5c2623f6f7814231e278de9ff c:\winnt\system32\dllcache\userinit.exe

02-07-22 14:05 733968 64bb009c268a573563e71971ac0f8ed7 c:\winnt\$NtUninstallKB835732$\kernel32.dll
04-03-24 03:17 742160 5e9bb22c56919870fc80444e655f8af6 c:\winnt\$NtUninstallKB840987$\kernel32.dll
04-06-18 00:05 712464 276abd5dd2053008c6c327c590dd806d c:\winnt\$NtUninstallKB841533$\kernel32.dll
04-06-22 02:35 712464 cbfc72131fb475249db3667239f3f4ea c:\winnt\$NtUninstallKB890859$\kernel32.dll
04-06-18 00:05 712464 755d6527f8429bece4ac2878dcbdd1b2 c:\winnt\Driver Cache\i386\kernel32.dll
04-06-18 00:05 712464 276abd5dd2053008c6c327c590dd806d c:\winnt\system32\KERNEL32.DLL
04-06-18 00:05 712464 755d6527f8429bece4ac2878dcbdd1b2 c:\winnt\system32\dllcache\kernel32.dll

02-07-22 14:05 13584 66fbe4b4ece98daf4cbaeec55536ccec c:\winnt\system32\powrprof.dll
02-07-22 14:05 13584 66fbe4b4ece98daf4cbaeec55536ccec c:\winnt\system32\dllcache\powrprof.dll

02-07-22 14:05 96016 f1bdfee375dec136dac53255dfca6d1c c:\winnt\system32\imm32.dll
02-07-22 14:05 96016 f1bdfee375dec136dac53255dfca6d1c c:\winnt\system32\dllcache\imm32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="ctfmon.exe" [01-02-20 13:09 8192 c:\winnt\system32\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDPS"="c:\winnt\System32\dpmw32.exe" [00-01-21 05:47 28672]
"IgfxTray"="c:\winnt\System32\igfxtray.exe" [03-05-29 20:26 155648]
"HotKeysCmds"="c:\winnt\System32\hkcmd.exe" [03-05-29 20:14 114688]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [03-09-29 06:10 81990]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [04-08-25 02:50 139320]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [09-02-20 19:03 136600]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [09-02-20 18:59 509784]
"ZENRC Tray Icon"="zentray.exe" [01-06-15 16:21 28672 c:\winnt\system32\zentray.exe]
"NWTRAY"="NWTRAY.EXE" [02-03-12 10:37 28672 c:\winnt\system32\nwtray.exe]
"Synchronization Manager"="mobsync.exe" [99-12-07 16:00 111376 c:\winnt\system32\mobsync.exe]
"ATIModeChange"="Ati2mdxx.exe" [02-08-28 20:17 28672 c:\winnt\system32\Ati2mdxx.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [99-12-07 16:00 20752 c:\winnt\system32\internat.exe]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
PGPtray.lnk - c:\program files\Network Associates\PGP\PGPtray.exe [2005-10-27 221184]
Sitecom Wireless Utility.lnk - c:\program files\Sitecom\Sitecom WL-170 Wireless LAN Card\Installer\WLANUTL.exe [2008-08-20 913408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{B4870B70-F390-11d2-9FB9-F4ED725EA20D}"= "c:\winnt\system32\NalExpEx.dll" [02-10-04 07:20 131072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"MSACM.CTRXAUD"= ctrxaud.acm
"VIDC.CTRX"= ctrxvid.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

R0 PGPPM;PGP Policy Manager;c:\winnt\system32\drivers\PGPpm.sys [2005-10-27 154176]
R1 PGPTDI;PGP TDI Driver;c:\winnt\system32\drivers\PGPTdi.sys [2005-10-27 16450]
R2 BlankScreen;HBDevice;c:\winnt\system32\drivers\blankscreen.sys [2005-10-27 4480]
R2 Kblock;Kblock;c:\winnt\system32\drivers\kblock.sys [1980-01-01 3742]
R2 Mouslock;Mouslock;c:\winnt\system32\drivers\mouslock.sys [1980-01-01 3779]
R2 PGPsdkDriver;PGPsdkDriver;c:\winnt\system32\drivers\PGPsdk.sys [2005-10-27 25600]
R2 PGPsdkServ;PGPsdkService;c:\winnt\system32\PGPsdkServ.exe [2005-10-27 77824]
R2 PGPService;PGPService;c:\program files\Network Associates\PGP\PGPservice.exe [2005-10-27 405504]
R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [2006-01-31 24752]
R3 pgpnet;PGPnet VPN;c:\winnt\system32\drivers\PGPnet.sys [2005-10-27 40010]
R3 usbhub20;USB Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2006-01-31 49392]
S0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2009-02-20 64160]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPNAT
*NewlyCreated* - RASAUTO
*NewlyCreated* - SHAREDACCESS

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"%ProgramFiles%\setup50.exe" /APP:OE /CALLER:IE50 /user /install
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Lavasoft Ad-Aware Service


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.nl/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
LSP: %SystemRoot%\system32\msafd.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - d:\documents and settings\mbuuren\Application Data\Mozilla\Firefox\Profiles\yjxahxaf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.nl/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-01 15:30:33
Windows 5.0.2195 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\winnt\system32\Perflib_Perfdata_300.dat 16384 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(200)
c:\winnt\system32\NRDWIN32.dll
c:\winnt\system32\msv1_0.dll
c:\winnt\System32\AXNMAS~1.OCX
c:\winnt\System32\AXNMAS~2.OCX
.
Completion time: 2009-03-01 15:33:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-01 14:32:31

Pre-Run: 2,482,980,352 bytes free
Post-Run: 2,438,882,816 bytes free

181


new Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:35:01, on 01/03/2009
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\NALNTSRV.EXE
C:\WINNT\System32\PGPsdkServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\PGP\PGPservice.exe
C:\WINNT\System32\wm.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Network Associates\PGP\PGPtray.exe
C:\Program Files\Sitecom\Sitecom WL-170 Wireless LAN Card\Installer\WLANUTL.exe
C:\WINNT\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP\PGPtray.exe
O4 - Global Startup: Sitecom Wireless Utility.lnk = C:\Program Files\Sitecom\Sitecom WL-170 Wireless LAN Card\Installer\WLANUTL.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\System32\cusrvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\system32\NALNTSRV.EXE
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: PGPsdkService (PGPsdkServ) - Networks Associates Technology, Inc. - C:\WINNT\System32\PGPsdkServ.exe
O23 - Service: PGPService - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\PGP\PGPservice.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

--
End of file - 5739 bytes


Thanks
masternitro
Regular Member
 
Posts: 41
Joined: February 20th, 2009, 3:13 pm
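ComboFix's Sigcheck section lists an MD5 for each protected system binary next to its dllcache copy and any hotfix uninstall backups, and the expected state is that the live copy and the dllcache copy agree. In the log above they do for every file except kernel32.dll (system32 holds 276abd…, dllcache holds 755d65…). The Python script below is an added example, not part of the thread or of ComboFix: it parses those lines and reports every live/dllcache disagreement together with the backup copies that share the live hash; the sample input is a constructed excerpt of the Sigcheck lines above. A mismatch is a lead, not a verdict: here the live kernel32.dll hash is identical to the copy in $NtUninstallKB841533$, i.e. a version Microsoft's own hotfix installer placed on the machine, and peku006 did not act on it.

```python
import re

# Constructed sample: a subset of the Sigcheck lines from the ComboFix log above.
SIGCHECK_SAMPLE = r"""
99-12-07 16:00 7952 9e64ad53cfd9da2d22e8a924f8c6e62c c:\winnt\system32\svchost.exe
99-12-07 16:00 7952 9e64ad53cfd9da2d22e8a924f8c6e62c c:\winnt\system32\dllcache\svchost.exe

02-07-22 14:05 329456 8b3cfa597a7b4ae984b8b7f21feff037 c:\winnt\$NtUninstallKB893066$\tcpip.sys
05-05-12 11:25 320176 4800519c7b6a6fa2212f1f14781430a6 c:\winnt\system32\dllcache\tcpip.sys
05-05-12 11:25 320176 4800519c7b6a6fa2212f1f14781430a6 c:\winnt\system32\drivers\tcpip.sys

02-07-22 14:05 733968 64bb009c268a573563e71971ac0f8ed7 c:\winnt\$NtUninstallKB835732$\kernel32.dll
04-06-18 00:05 712464 276abd5dd2053008c6c327c590dd806d c:\winnt\$NtUninstallKB841533$\kernel32.dll
04-06-22 02:35 712464 cbfc72131fb475249db3667239f3f4ea c:\winnt\$NtUninstallKB890859$\kernel32.dll
04-06-18 00:05 712464 755d6527f8429bece4ac2878dcbdd1b2 c:\winnt\Driver Cache\i386\kernel32.dll
04-06-18 00:05 712464 276abd5dd2053008c6c327c590dd806d c:\winnt\system32\KERNEL32.DLL
04-06-18 00:05 712464 755d6527f8429bece4ac2878dcbdd1b2 c:\winnt\system32\dllcache\kernel32.dll
"""

# One Sigcheck line: date, time, size in bytes, MD5, full path.
SIG_LINE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<md5>[0-9a-f]{32}) (?P<path>.+)$"
)


def parse_sigcheck(text):
    """Turn the Sigcheck block into a list of dicts; blank and non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SIG_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        rec["path"] = rec["path"].lower()           # NTFS paths are case-insensitive
        rec["name"] = rec["path"].rsplit("\\", 1)[-1]
        records.append(rec)
    return records


def classify(path):
    """Where a copy lives: the WFP cache, a hotfix/driver backup, or the live location."""
    if "\\system32\\dllcache\\" in path:
        return "dllcache"
    if "\\$ntuninstall" in path or "\\driver cache\\" in path:
        return "backup"
    return "live"


def compare_live_to_dllcache(records):
    """For every binary that has both a live and a dllcache copy, report whether
    the two hashes agree and which backup copies carry the live hash."""
    by_name = {}
    for rec in records:
        by_name.setdefault(rec["name"], []).append(rec)
    report = {}
    for name, recs in by_name.items():
        live = [r for r in recs if classify(r["path"]) == "live"]
        cache = [r for r in recs if classify(r["path"]) == "dllcache"]
        if not live or not cache:
            continue
        live_md5, cache_md5 = live[0]["md5"], cache[0]["md5"]
        report[name] = {
            "live": live_md5,
            "dllcache": cache_md5,
            "match": live_md5 == cache_md5,
            "same_as_backup": [r["path"] for r in recs
                               if classify(r["path"]) == "backup" and r["md5"] == live_md5],
        }
    return report


def mismatched_names(report):
    """Names whose live copy and dllcache copy disagree, sorted for stable output."""
    return sorted(n for n, info in report.items() if not info["match"])


if __name__ == "__main__":
    report = compare_live_to_dllcache(parse_sigcheck(SIGCHECK_SAMPLE))
    for name in mismatched_names(report):
        info = report[name]
        print(f"{name}: live {info['live']} != dllcache {info['dllcache']}; "
              f"live hash also found in {info['same_as_backup'] or 'no backup copy'}")
```

Run on the sample it names only kernel32.dll, and points at the $NtUninstallKB841533$ copy as the one sharing the live hash; a file whose live hash matched none of the machine's own backup copies would be the one worth verifying against the vendor's published file versions.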

Re: log from my laptop

Post by peku006 » March 1st, 2009, 12:08 pm

Hi masternitro

1 - Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform full scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found here:

    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


2 - Status Check
Please reply with

1. the Malwarebytes' Anti-Malware Log
How's the computer running now? Any problems?

Thanks peku006
peku006
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: log from my laptop

Post by masternitro » March 1st, 2009, 1:03 pm

Malwarebytes' Anti-Malware 1.34
Database versie: 1813
Windows 5.0.2195 Service Pack 3

01/03/2009 17:39:26
mbam-log-2009-03-01 (17-39-26).txt

Scan type: Volledige Scan (C:\|D:\|)
Objecten gescand: 66094
Verstreken tijd: 8 minute(s), 36 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 1

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
C:\Qoobox\Quarantine\C\WINNT\fxstaller.exe.vir (Backdoor.Bot) -> Quarantined and deleted successfully.


Haven't found any problems with how the computer is running.
But I use a different computer to read your instructions, so I might not have noticed them (yet).

Thanks
masternitro
Regular Member
 
Posts: 41
Joined: February 20th, 2009, 3:13 pm

Re: log from my laptop

Post by peku006 » March 1st, 2009, 1:32 pm

Hi masternitro

Looking good :)
Let's make sure we got everything

1 - Clean temp files

    Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

    Under Main choose:
      Windows Temp
      Current User Temp
      All Users Temp
      Temporary Internet Files
      Prefetch
      Java Cache

      *The other boxes are optional*
      Then click the Empty Selected button.
    if you use Firefox:
      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
    if you use Opera:
      Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program

2 - Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with

1. the Kaspersky online scanner report
2. a fresh HijackThis log

Thanks peku006
peku006
MRU Emeritus
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: log from my laptop

Unread postby masternitro » March 1st, 2009, 1:45 pm

peku006 wrote: Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

It says Prefetch is disabled and I can't select it.
Is this a problem or just ignore it?
masternitro
Regular Member
 
Posts: 41
Joined: February 20th, 2009, 3:13 pm

Re: log from my laptop

Unread postby peku006 » March 1st, 2009, 1:52 pm

Hi
just ignore it
peku006
MRU Emeritus
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: log from my laptop

Unread postby masternitro » March 1st, 2009, 2:30 pm

Hey peku, I got some problems :(
ATF Cleaner says nothing got deleted. (But I had to log in when I went to this site.)

Kaspersky Online Scan says it failed (see picture below and log)

Program is starting. Please wait...
Update source selected: http://www.kaspersky.com
Downloading file: packages/kos-extras.jar
Program has started.

Program database is being updated. Please wait...
Update source selected: ftp://downloads3.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Downloading file: bases/five/avc/kavset.xml.klz
Downloading file: bases/five/avc/kavset.xml.klz
Downloading file: bases/five/avc/kavset.xml
Invalid file signature: bases/five/avc/kavset.xml
Downloading file: index/master.xml.klz
Update source selected: ftp://downloads2.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Downloading file: bases/five/avc/kavset.xml.klz
Downloading file: bases/five/avc/kavset.xml.klz
Downloading file: bases/five/avc/kavset.xml
Invalid file signature: bases/five/avc/kavset.xml
Downloading file: index/master.xml.klz
Update source selected: ftp://downloads4.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Downloading file: bases/five/avc/kavset.xml.klz
Downloading file: bases/five/avc/kavset.xml.klz
Downloading file: bases/five/avc/kavset.xml
Invalid file signature: bases/five/avc/kavset.xml
Downloading file: index/master.xml.klz
Update source selected: http://downloads5.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Downloading file: bases/five/avc/kavset.xml.klz
Downloading file: bases/five/avc/kavset.xml.klz
Downloading file: bases/five/avc/kavset.xml
Invalid file signature: bases/five/avc/kavset.xml
Downloading file: index/master.xml.klz
Update source selected: http://downloads3.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Downloading file: bases/five/avc/kavset.xml.klz
Downloading file: bases/five/avc/kavset.xml.klz
Downloading file: bases/five/avc/kavset.xml
Invalid file signature: bases/five/avc/kavset.xml
Downloading file: index/master.xml.klz
Update source selected: http://downloads2.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Downloading file: bases/five/avc/kavset.xml.klz
Downloading file: bases/five/avc/kavset.xml.klz
Downloading file: bases/five/avc/kavset.xml
Invalid file signature: bases/five/avc/kavset.xml
Downloading file: index/master.xml.klz
Update source selected: ftp://downloads5.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Downloading file: bases/five/avc/kavset.xml.klz
Downloading file: bases/five/avc/kavset.xml.klz
Downloading file: bases/five/avc/kavset.xml
Invalid file signature: bases/five/avc/kavset.xml
Downloading file: index/master.xml.klz
Update source selected: http://downloads1.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Update source selected: http://downloads4.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Downloading file: bases/five/avc/kavset.xml.klz
Downloading file: bases/five/avc/kavset.xml.klz
Downloading file: bases/five/avc/kavset.xml
Invalid file signature: bases/five/avc/kavset.xml
Downloading file: index/master.xml.klz
Update source selected: ftp://downloads1.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Downloading file: bases/five/avc/kavset.xml.klz
Downloading file: bases/five/avc/kavset.xml.klz
Downloading file: bases/five/avc/kavset.xml
Invalid file signature: bases/five/avc/kavset.xml
Downloading file: index/master.xml.klz

Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program. You must be online to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: Invalid file signature]
Scan
Scan statistics

Files scanned 0

Threat names 0

Infected objects 0

Suspicious objects 0

Duration of the scan 00:00:00
Start scan
Scan is running (0%)

Click the area that you want to scan in left part of the window. The scan will start automatically as soon as you select a scan area.

Last start:
Status:
Please wait, the scan may take a long time depending on the size of the selected scan area. You can continue browsing in a new Web browser window.

Now scanning:
Location:
Settings | View scan report | Stop scan
Attention: Kaspersky Online Scanner 7.0 may not run successfully while any other antivirus program is running. If you have another antivirus program installed, please turn it off before running Kaspersky Online Scanner 7.0.
Scan Report
The scan report displays information about threats detected on your computer. - Infected object - Suspicious object
Information
Welcome to Kaspersky Online Scanner 7.0! Use the program to check your computer for viruses and other malware for free.
Benefits:

Kaspersky Lab exceptional detection rates and thorough scan
Hourly database updates available
Heuristic analysis to detect unknown malware
One-click installation



Requirements and limitations:

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command.
To begin using the program, you need to download and install the program files and the database of malware definitions. (The size of the program files depends on your operating system.) Later, Kaspersky Online Scanner 7.0 checks for the program and database updates every time you open or update the program window and, if available, downloads and installs them automatically.
In Linux, Kaspersky Online Scanner 7.0 does not scan RAM, boot sectors and MBRs, so it cannot detect malicious programs located in these areas.
In Microsoft Windows Vista, if the language you use has a character set and fonts different from English, make sure that the language selected for your default system locale and the language to display dates, times, currency, and measurements (Current format) are the same as the language you use.
Kaspersky Online Scanner 7.0 only detects malicious code that have already penetrated into your computer, so that you can delete them manually. It neither protects your computer against malicious code, nor prevents future infections. We recommend that you install a full-featured antivirus solution to protect your computer.
Support
If you have questions, comments, or suggestions related to Kaspersky Online Scanner 7.0, please contact us.
About Kaspersky Online Scanner 7.0

Version 7.0.25.0

Database published

Operating system Microsoft Windows 2000 Professional Service Pack 3 (build 2195)

User Forum
Go to the Kaspersky Lab Forum.
Malware information
Find news and information about viruses and other threats at Viruslist.com.
View information
Warning

Kaspersky Online Scanner 7.0 is already running in another window.
Settings
Detect malicious programs of the following categories:
Viruses, Worms, Trojan Horses, Rootkits
Spyware, Adware, Dialers, and other potentially dangerous programs

Scan compound files (doesn't apply to the File scan area):
Archives
Mail databases


Picture: [two screenshots attached, not reproduced here]

I think it went wrong but not 100% sure. Please help me how to continue.
masternitro
Regular Member
 
Posts: 41
Joined: February 20th, 2009, 3:13 pm

Re: log from my laptop

Unread postby peku006 » March 1st, 2009, 2:49 pm

Hi masternitro

1 - F-Secure Online Scan

  1. Please go to F-Secure website to perform an online scan. Click on Start scanning at the bottom of the page.
  2. You may be prompted to install an ActiveX before you are able to accept the License Agreement. If prompted, please install it. After installing, the Accept button will be available.
  3. Click on Accept to accept the License Agreement.
  4. Click on Custom Scan.
    • Under Virus Scan Options, select the Scan whole system option.
    • Under Other Scan Options, select these options:
      • Scan all files
      • Scan whole system for rootkits
      • Scan whole system for spyware
      • Scan inside archives
      • Use advanced heuristics
  5. Click Start.
  6. It will start installing the scanner and virus definitions. Once the installation is done, it will start scanning automatically. This takes a while. Please be patient.
  7. Click on I want to decide item by item.
  8. Under Actions, select None for all infections found.
  9. Click Next.
  10. Click on Show Report.
  11. Please copy and paste this report in your next reply.
  12. Click Finish.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

3 - Status Check
Please reply with

1. the F-Secure online scanner report
2. a fresh HijackThis log

Thanks peku006
peku006
MRU Emeritus
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: log from my laptop

Unread postby masternitro » March 2nd, 2009, 1:16 pm

Hey Peku006, sorry for the late response, I had some problems with the scan yesterday ;)

Scanning Report
Monday, March 02, 2009 16:43:27 - 17:53:30

Computer name: CI00181
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\
Result: 8 malware found
Exploit.Java.ByteVerify (virus)

* C:\quarantine\count[1].jar.Vir\BlackBox.class
* C:\quarantine\count[1].jar.Vir\VerifierBug.class

JS/Laume.gen2 (virus)

* C:\quarantine\game2[1].htm.Vir

Java/Byteverify.J (virus)

* C:\quarantine\count[1].jar.Vir\Dummy.class

TrackingCookie.Doubleclick (spyware)

* System

TrackingCookie.Yieldmanager (spyware)

* System

Trojan-Downloader.JS.Psyme.eb (virus)

* C:\quarantine\333333[1].htm.Vir

Trojan-Downloader.Java.OpenConnection.aa (virus)

* C:\quarantine\count[1].jar.Vir\Beyond.class

Statistics
Scanned:

* Files: 65365
* System: 2561
* Not scanned: 11

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 8
* Submitted: 0

Files not scanned:

* C:\WINNT\SYSTEM32\PERFLIB_PERFDATA_24C.DAT
* C:\WINNT\SYSTEM32\CONFIG\DEFAULT
* C:\WINNT\SYSTEM32\CONFIG\DEFAULT.LOG
* C:\WINNT\SYSTEM32\CONFIG\SAM
* C:\WINNT\SYSTEM32\CONFIG\SAM.LOG
* C:\WINNT\SYSTEM32\CONFIG\SECURITY
* C:\WINNT\SYSTEM32\CONFIG\SECURITY.LOG
* C:\WINNT\SYSTEM32\CONFIG\SOFTWARE
* C:\WINNT\SYSTEM32\CONFIG\SOFTWARE.LOG
* C:\WINNT\SYSTEM32\CONFIG\SYSTEM
* C:\WINNT\SYSTEM32\CONFIG\SYSTEM.ALT

Options
Scanning engines:

* F-Secure USS: 3.0.0
* F-Secure Hydra: 3.6.8511, 2009-03-02
* F-Secure AVP: 7.0.171, 2009-03-02
* F-Secure Pegasus: 1.20.0, 1970-00-01
* F-Secure Blacklight: 0.0.0

Scanning options:

* Scan all files
* Scan inside archives
* Use Advanced heuristics


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:56:04, on 02/03/2009
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\NALNTSRV.EXE
C:\WINNT\System32\PGPsdkServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\PGP\PGPservice.exe
C:\WINNT\System32\wm.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\dpmw32.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Network Associates\PGP\PGPtray.exe
C:\Program Files\Sitecom\Sitecom WL-170 Wireless LAN Card\Installer\WLANUTL.exe
C:\Program Files\Network Associates\VirusScan\SCAN32.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP\PGPtray.exe
O4 - Global Startup: Sitecom Wireless Utility.lnk = C:\Program Files\Sitecom\Sitecom WL-170 Wireless LAN Card\Installer\WLANUTL.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols3beta/fscax.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\System32\cusrvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\system32\NALNTSRV.EXE
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: PGPsdkService (PGPsdkServ) - Networks Associates Technology, Inc. - C:\WINNT\System32\PGPsdkServ.exe
O23 - Service: PGPService - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\PGP\PGPservice.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\System32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

--
End of file - 5927 bytes


Thanks
masternitro
Regular Member
 
Posts: 41
Joined: February 20th, 2009, 3:13 pm

Re: log from my laptop

Unread postby peku006 » March 4th, 2009, 5:12 am

Hi masternitro

Logs look good. How's the computer running now? Any problems?
peku006
MRU Emeritus
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: log from my laptop

Unread postby masternitro » March 4th, 2009, 12:10 pm

Hey Peku the computer is running good (for its age :P)
Haven't found any problems so far.
masternitro
Regular Member
 
Posts: 41
Joined: February 20th, 2009, 3:13 pm

Re: log from my laptop

Unread postby peku006 » March 5th, 2009, 5:16 am

Hi masternitro

Congratulations, your log looks clean! :)

Now let's uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.6
Download it from here. Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here

Install SpyWare Blaster 4.0
Download it from here
Find the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find the tutorial here: http://www.mvps.org/winhelp2002/hosts.htm

Update your antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here on how to prevent malware.

Is your PC running slow?
Read What to do if your Computer is running slowly

Happy safe surfing!
peku006
MRU Emeritus
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway
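The hosts-file mechanism peku006 describes above, as an added example that is not part of the thread or of the MVPS project: a small Python checker that parses a Windows HOSTS file, counts the entries that sinkhole a hostname to 127.0.0.1 or 0.0.0.0 (the blocking pattern), and separately lists any hostname mapped to some other address, which is the hosts-file hijack pattern a cleanup should surface. The sample file contents are constructed for the example.

```python
"""Audit a Windows HOSTS file: count blocking entries and flag redirections.

A blocking hosts file (such as the MVPS one) maps unwanted hostnames to
127.0.0.1 or 0.0.0.0 so the PC cannot reach them. The opposite pattern, a
real hostname mapped to some other address, is the classic hosts hijack.
"""
import ipaddress
from typing import Dict, List, Tuple

# Addresses that make a hostname unreachable. 127.0.0.1 is what the MVPS file
# uses; 0.0.0.0 is the other common choice; ::1 is the IPv6 loopback.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that legitimately live in every hosts file; they are not "blocked".
EXPECTED_LOCAL_NAMES = {"localhost", "localhost.localdomain"}

Entry = Tuple[int, str, str]  # (line number, ip, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Return one (line_no, ip, hostname) tuple per mapping, skipping comments."""
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding blanks
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))  # also normalises IPv6 forms
        except ValueError:
            continue  # first field is not an address: malformed line, not a mapping
        for name in fields[1:]:
            entries.append((line_no, ip, name.lower()))
    return entries


def audit_hosts(text: str) -> Dict[str, object]:
    """Split mappings into sinkholed hostnames and redirections (possible hijacks)."""
    blocked: List[str] = []
    redirected: List[Entry] = []
    for entry in parse_hosts(text):
        _, ip, name = entry
        if name in EXPECTED_LOCAL_NAMES:
            continue
        if ip in SINKHOLE_ADDRESSES:
            blocked.append(name)
        else:
            redirected.append(entry)
    return {"blocked": blocked, "redirected": redirected}


# Constructed sample hosts file (not taken from the thread).
SAMPLE_HOSTS = """\
# Constructed sample, not taken from the thread
127.0.0.1       localhost
# MVPS-style blocking entries
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.yieldmanager.com   # tracking-cookie sources like those in the F-Secure report
0.0.0.0   tracker.example
# Hijack-style entry: an update site pointed at a foreign address
198.51.100.23   www.update.microsoft.com
"""

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(result['blocked'])} hostnames sinkholed")
    for line_no, ip, name in result["redirected"]:
        print(f"line {line_no}: {name} -> {ip}  (not a sinkhole address: check this)")
```

On a real machine the file to read is %SystemRoot%\System32\drivers\etc\hosts; anything in the redirected list deserves a look before the MVPS file overwrites it.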

Re: log from my laptop

Unread postby masternitro » March 5th, 2009, 5:56 am

Thank you very much for your help :)
masternitro
Regular Member
 
Posts: 41
Joined: February 20th, 2009, 3:13 pm