Am I in the clear yet?

Post by Angelicusblue » May 13th, 2008, 2:34 pm

Hi,

I include here fresh:

-HiJackThis log
-Kaspersky scan log

My Sophos anti-virus scan is coming up clean now too.

Previously the Kas Scan showed up some virus files. They were all in files that were part of previous installations of Windows (I have recently re-installed Windows XP). So I have totally removed those folders now.
I was also told previously that some infected files (re Kas Scan) are in Windows recovery and I would be told later how to remove those.

Please let me know what the next step is.

Thank you

HiJackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 19:26:21, on 13/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.magictaxi.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ ... leId=19588
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA3715D2-6D1F-4240-8F1E-0385490BF9E5}: NameServer = 212.104.130.9 212.104.130.65
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Unknown owner - C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


Kas Scan Log

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, May 11, 2008 6:54:52 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/05/2008
Kaspersky Anti-Virus database records: 755758
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 73576
Number of viruses found: 6
Number of infected objects: 17
Number of suspicious objects: 0
Duration of the scan process: 03:58:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sophos\Remote Management System\3\Agent\Logs\Agent-20080511-171141.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sophos\Remote Management System\3\Router\Logs\Router-20080511-171145.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\interchk.chk Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\logs\SAV.txt Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\02a8498052953b4e3f0550fa71db3bff_fa65aab1-4bb4-45f0-8f79-99263f596f27 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\66ac761c8d13373167da42218f15ee6c_fa65aab1-4bb4-45f0-8f79-99263f596f27 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\92593fc095417d2c45b625eaa8022c5e_fa65aab1-4bb4-45f0-8f79-99263f596f27 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Crypto\RSA\MachineKeys\f89f69854d8ce4f99af37917ae155340_fa65aab1-4bb4-45f0-8f79-99263f596f27 Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\Annelise Arnold\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Annelise Arnold\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Annelise Arnold\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Annelise Arnold\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Annelise Arnold\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Annelise Arnold\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Annelise Arnold\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP11\change.log Object is locked skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\A0005454.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\A0005632.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\A0005632.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\A0005895.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\A0005895.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\A0006374.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.NewDotNet.d skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\A0006374.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\A0006374.exe/stream Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\A0006374.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\A0006461.exe/stream/data0005 Infected: Packed.Win32.PolyCrypt.d skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\A0006461.exe/stream/data0028/Cabs.w1.cab/HyperbarSS3.dll Infected: not-a-virus:AdWare.Win32.HyperBar.b skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\A0006461.exe/stream/data0028/Cabs.w1.cab/Hyperbar.dll Infected: not-a-virus:AdWare.Win32.HyperBar.b skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\A0006461.exe/stream/data0028/Cabs.w1.cab Infected: not-a-virus:AdWare.Win32.HyperBar.b skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\A0006461.exe/stream/data0028 Infected: not-a-virus:AdWare.Win32.HyperBar.b skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\A0006461.exe/stream/data0029 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\A0006461.exe/stream Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\A0006461.exe NSIS: infected - 7 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\ANNELISE-XP.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{0D77C4CE-D8A1-48B6-8CBB-F2B123E5F0D9}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\ZLT0088c.TMP Object is locked skipped
C:\WINDOWS\TEMP\ZLT0089c.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
Angelicusblue
Active Member
Posts: 10
Joined: April 18th, 2008, 3:46 pm

Re: Am I in the clear yet?

Post by Shaba » May 15th, 2008, 9:45 am

Hi Angelicusblue

Like you said, all viruses in kas log are in system restore.

Do you have any other concerns?
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
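Shaba's conclusion above, that every detection in the Kaspersky report sits under System Restore, can be checked mechanically rather than by eye. The script below is an added example written for this thread; it is not part of the original posts and not Kaspersky's tooling. It parses the per-object lines of the Kaspersky Online Scanner 5.x report in exactly the format shown in the first post (path, then a verdict such as "Object is locked skipped", "Infected: <name> skipped", or an archive summary like "RAR: infected - 1 skipped"), and reports whether any infected object lies outside a `_restore{...}` folder. The sample input is a handful of lines copied from the report above plus one constructed EICAR line (not from the thread) to show the opposite case.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# One result line of the Kaspersky Online Scanner 5.x report shown in the thread.
# Paths contain spaces, so the verdict is recognised from the right-hand end:
#   "<path> Object is locked skipped"
#   "<path> Infected: <detection name> skipped"
#   "<path> <archive type>: infected - <n> skipped"   (summary for a container)
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:"
    r"(?P<locked>Object is locked skipped)"
    r"|Infected:\s+(?P<name>\S+)\s+skipped"
    r"|(?P<archive>[A-Za-z0-9]+):\s+infected\s+-\s+(?P<count>\d+)\s+skipped"
    r")$"
)

# Case-insensitive marker for the System Restore store on a Windows XP volume.
RESTORE_MARKER = "\\system volume information\\_restore{"


@dataclass
class Finding:
    path: str
    kind: str            # "locked", "infected" or "archive"
    name: Optional[str]  # detection name, only for kind == "infected"
    in_restore: bool     # True when the object lives under a _restore{...} folder


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a result line, or None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    in_restore = RESTORE_MARKER in path.lower()
    if m.group("locked"):
        return Finding(path, "locked", None, in_restore)
    if m.group("name"):
        return Finding(path, "infected", m.group("name"), in_restore)
    return Finding(path, "archive", None, in_restore)


def triage(report: str) -> Dict[str, object]:
    """Summarise a report. Kaspersky counts both 'Infected:' lines and the
    per-container summaries as infected objects, which is how the thread's
    report reaches 17 infected objects for 6 distinct detection names."""
    findings = [f for f in map(parse_line, report.splitlines()) if f]
    infected = [f for f in findings if f.kind == "infected"]
    outside = [f.path for f in infected if not f.in_restore]
    return {
        "locked": sum(1 for f in findings if f.kind == "locked"),
        "infected_objects": sum(1 for f in findings if f.kind != "locked"),
        "detections": sorted({f.name for f in infected}),
        "outside_restore": outside,
        "all_in_restore": bool(infected) and not outside,
    }


# Sample input: lines copied from the report in the first post of the thread.
SAMPLE_REPORT = "\n".join([
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped",
    r"C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped",
    r"C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\A0005454.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped",
    r"C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\A0005632.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped",
    r"C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\A0005632.exe RAR: infected - 1 skipped",
    r"C:\System Volume Information\_restore{27198FE5-5785-4850-9CAF-98355BEF32C5}\RP9\A0006461.exe/stream/data0005 Infected: Packed.Win32.PolyCrypt.d skipped",
    "Scan process completed.",
])

# Constructed line (not from the thread): a detection outside System Restore,
# using the harmless EICAR test file so the "live hit" branch can be shown.
OUTSIDE_LINE = r"C:\Documents and Settings\User\Desktop\eicar.com Infected: EICAR-Test-File skipped"

if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_REPORT),
                        ("with a live hit", SAMPLE_REPORT + "\n" + OUTSIDE_LINE)):
        print(label, triage(text))
```

Run against the full report in the first post, `all_in_restore` comes out True, which is the basis for treating the machine as clean apart from the restore points; any path in `outside_restore` would instead be a live object that still needs attention.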

Re: Am I in the clear yet?

Post by Angelicusblue » May 17th, 2008, 12:07 pm

Hi MRU Teacher

There are odd things, but I don't know what is to blame. Like it is still running very slowly generally, and I can't change my desktop picture to what I want it to be.

(I used to be a programmer a few years ago and knew my way around these machines really well, but get really frustrated now when I don't know what is going on...)

How can I remove the infections from the Windows restore?
I am sure I will be able to follow if you talk me through it.

Thanks
Angelicusblue
Active Member
Posts: 10
Joined: April 18th, 2008, 3:46 pm

Re: Am I in the clear yet?

Post by Shaba » May 17th, 2008, 12:19 pm

Hi

"I can't change my desktop picture to what I want it to be."

What error message does it give?

For general slowness, see here and post back if it helped :)

"How can I remove the infections from the Windows restore?"

I will tell you that during final instructions :)
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Am I in the clear yet?

Post by Angelicusblue » May 17th, 2008, 3:22 pm

Hi

"I can't change my desktop picture to what I want it to be."

What error message does it give?

- It doesn't give me any message at all. It just totally ignores me. It allows me to browse to find a picture, I pick it, and it just returns to the desktop properties box without the picture. I have tried copying the picture into the folder where Windows stores the rest of the desktop pictures and the same thing happens. It doesn't come up on the list and doesn't allow me to use it.

Also, another thing I forgot to mention, my system clock keeps on re-setting. I will keep an eye on when this happens. Today I did run the Update from within Sophos anti-virus again (it wants to do this every time I start the machine). I don't know if it is that or not.

Thanks.
Angelicusblue
Active Member
Posts: 10
Joined: April 18th, 2008, 3:46 pm

Re: Am I in the clear yet?

Post by Shaba » May 17th, 2008, 3:31 pm

Hi

This should work for the desktop issue.

If the clock keeps on resetting, it might be due to a low CMOS battery.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Am I in the clear yet?

Post by Angelicusblue » May 20th, 2008, 6:11 pm

Thanks, I will give it a go and let you know.
Angelicusblue
Active Member
Posts: 10
Joined: April 18th, 2008, 3:46 pm

Re: Am I in the clear yet?

Post by Shaba » May 21st, 2008, 4:34 am

Hi

OK, let me know how it went :)
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Am I in the clear yet?

Post by Shaba » May 26th, 2008, 5:50 am

Due to lack of response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland