Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Need problem infection removed.

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby Dougal » November 12th, 2006, 11:45 pm

Hi Vino,

Kaspersky found something :toothy10: . Not sure what it means though so will let you do all the figureing out. :)

Here's a quick overview of what happened.

1) Removed all of Java. When removed Java 2 Runtime Environment, SE v.1.4.2_03 from Add/Remove Programs the floppy drive went a bit weird (kept trying to read the drive for a while).

2) Carried on down through the list. After scanning with AVG-AS continued with restarting the computer. While Windows was shutting down a dialog box reported an error saying that the process ccSvcHost.exe was unable to have the memory written (couldn't write it all down as it went fairly quickly).

3) No trouble with using the Kaspersky Online Scanner but while it downloaded updates and scanned the computer, NAV blocked 36 intrusion attempts (roughly the same as it has been recently).

Here are the reports.

Thanks for all the help.
Dougal


AVG Scan Report

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:30:47 p.m. 13/11/2006

+ Scan result:



Nothing found.


::Report end



Kaspersky Scan Report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, November 13, 2006 4:06:49 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 13/11/2006
Kaspersky Anti-Virus database records: 240855
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 107455
Number of viruses found: 1
Number of infected objects: 1 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:31:22

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-11-13_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\1FA5EA05.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012006111320061114\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF5C25.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\_restore{DC206A7E-AC67-4C3F-AC42-580132BE718D}\RP18\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Agere Systems PCI Soft Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
Dougal
Regular Member
 
Posts: 27
Joined: November 6th, 2006, 7:26 am
Advertisement
Register to Remove

Unread postby Dougal » November 12th, 2006, 11:48 pm

HJT log


Logfile of HijackThis v1.99.1
Scan saved at 4:13:34 p.m., on 13/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\rundll32.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inet.net.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\PRESAR~1\Presario\XPHWWRS4\plugin\bin\PCHButton.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8553579703
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Dougal
Regular Member
 
Posts: 27
Joined: November 6th, 2006, 7:26 am

Unread postby Vino Rosso » November 14th, 2006, 3:58 am

Hi Dougal

Yes, good news in that the Kaspersky scanner found something however what it found wasn't that exciting :(

The file KillWind.exe is part of a set of HP applications. Killwind, Terminator, Cloaker, Spawn and Fondlewindow executables are part of the Backweb program that HP installs on all Pavilion PCs. Because of the nature of the file, Killwind.exe can be used by malware to kill processes hence it was identified by the Kaspersky scan as 'not-a-virus'.

BackWeb started life as push technology software which enabled you to subscribe to various information channels of your choice so that your selected information channels would pop up on your screen with the latest world news, entertainment news, etc…, whatever you might have chosen. You can configure the original BackWeb to download the news for later viewing, to display the news as desktop background, ticker, or popup window.

This did not take off as well as expected and, crucially, it was also not paying for itself. As a result, BackWeb quickly went into other markets. One of the two significant ones is advertising adware where websites, ISPs, or software manufacturers include BackWeb on their site, in their ISP software, or in their software and, whenever you connect to the Internet, BackWeb also connects to retrieve advertisements which are then displayed on your screen or in your browser . The other significant one is that BackWeb is also routinely installed on new personal computers by specific computer manufacturers with the aim being that BackWeb will automatically check for vital updates to the personal computer's setup whenever the end-user connects to the web. Such manufacturers include Compaq, Hewlett-Packard, LogiTech, and Kodak; however, some of these may have stopped this practice.

Recommendation: Unless you are using BackWeb for news content, we strongly recommend uninstalling it for the following reasons:

1. It is often a serious resource hog.
2. In most cases. it is also advertising adware.
3. It slows down your Internet connection which is unacceptable if you connect by modem.
4. It has the potential for sending out information from your personal computer.

There's one line to fix in HijackThis.

1 - Run HJT Scan
Run a scan with HijackThis and tick the following entries, if present:
O4 - Startup: PowerReg Scheduler V3.exe

Close all windows except HijackThis
Select Fix Checked in HijackThis.

And there is one file I'd like you to delete.

2 - Delete File
Using Windows Explorer, delete the following file:

C:\WINDOWS\system32\h323log.txt <== this file only (see Note below)

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

Note: If you are unable to see this file, it may be that it is hidden in which case please carry out the following:

3 - Show hidden files
In Windows Explorer, select Tools > Folder Options > View
Set 'Hidden files and folders' to Show hidden files and folders
Untick Hide protected operating system files.
OK

Then try deleting the file again.

OK, let's try another scan to see if we find anything.

4 - F-Secure Online Scan
Please perform an online scan with F-Secure Online Scanner Next Generation Beta by clicking >here<
You may receive an alert on the address bar at this point to install the ActiveX control.
Click on that alert and then Click Install ActiveX component.
Read the licence agreement and click Accept.
Click Custom Scan and be sure the following are checked:
  • Scan whole System
  • Scan all files
  • Scan whole system for rootkits
  • Scan whole system for spyware
  • Scan inside archives
  • Use advanced heuristics
When the scan completes, click the I want to decide item by item button.
For each item found, select Disinfect and click Next.
When done, click the Show Report button, then copy and paste the entire report into your next reply

5 - Check on status
After you have completed the above, please reboot and provide:
  • the F-Secure Scan report
  • a new HijackThis log
  • and a description of how your PC is behaving - what problems are you now experiencing?
Remember, if you can, it's worth printing these instructions out before you start.

Good Luck
Vino
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Unread postby Dougal » November 14th, 2006, 4:32 am

Hi Vino,

Tried to delete h323log.txt but could not.

The error box said that it could not be deleted because it was being used by another program or person. Nothing else was opened and I had only just restarted the computer to start on your next set of instructions. I had only performed the scan and removal with HJT.

Thanks
Dougal
Dougal
Regular Member
 
Posts: 27
Joined: November 6th, 2006, 7:26 am

Unread postby Vino Rosso » November 15th, 2006, 4:53 am

Hi Dougal

Can you please check the content of h323log.txt

Right-click on the file and select Edit
The file will open in Notepad - it will probably be empty
If not, go to Edit > Select All
Then Copy (Ctrl+C) and Paste (Ctrl+V) the content of h323log.txt in your reply.
Close Notepad via File > Exit

Meanwhile, please continue with the remaining instructions.

Thanks
Vino
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Unread postby Dougal » November 15th, 2006, 5:15 am

Hi Vino,

Nothing in the log file.

Congrats on the promotion!

Dougal
Dougal
Regular Member
 
Posts: 27
Joined: November 6th, 2006, 7:26 am

Unread postby Dougal » November 15th, 2006, 10:46 am

Hello again.

F-secure found 2 viruses, both were Win32/Smalldoor.GRU things.

Wasn't sure if F-secure was going to work at the start. Seemed to get stuck in a loop and was constantly hearing clicks. After 30 seconds or so it seemed to sort itself out though. Once the scan was finished it tried to disinfect Alexa but got stuck, so I canceled it after waiting for 10 minutes.

Just a few more things to mention.

While F-secure was scanning could see that there were some Java 2 files still present. The location was C:\Documents and Settings\Owner\Local Settings\Application Data\....
Not sure if that is significant.

When using the printer yesterday, the software was still acting strangely. Turned the printer off and was notified by the sound it makes. Then after 5 minutes it sounded off again. Hadn't even touched the computer. Sound was erratic too.

NAV acting a bit weird too. Took a long time to install a security software update. Once installed wanted to read the floppy drive several times (6-7). Restarted the computer, on startup NAV let loose a pop-up window asking if I wanted to download available updates, just had! Said no but then opened NAV and checked updates, none to download.

Not sure if this means anything. Just to let you know.

Still blocking intrusion attempts.

Here are the logs/reports.

Thanks.
Dougal


F-Secure Scan Report

Scanning Report
Wednesday, November 15, 2006 23:43:31 - 03:11:13
Computer name: BROWN
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 4 malware found
Alexa (spyware)
System (Submitted)
Tracking Cookie (spyware)
System (Disinfected)
W32/Smalldoor.GRU (virus)
C:\Program Files\RngInterstitial.dll (Submitted)
C:\Program Files\Real\RealArcade\RngInterstitial.dll (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 252451
System: 4471
Not scanned: 36
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 3
Submitted: 3
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\BIOS1.ROM
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\I386\BIOS1.RO_
C:\WINDOWS\.FILE_STORE_32\RUNESCAPE\MAIN_FILE_CACHE.DAT2
C:\Program Files\Online Services\iPrimus\ipsetup.exe\ic5B1.cab
C:\PROGRAM FILES\MICROSOFT GAMES\FLIGHT SIMULATOR 9\TEXTURE\FACES.R8
C:\PROGRAM FILES\MICROSOFT GAMES\FLIGHT SIMULATOR 9\TEXTURE\GASPUMP1.R8
C:\PROGRAM FILES\MICROSOFT GAMES\FLIGHT SIMULATOR 9\TEXTURE\NCALL.R8
C:\PROGRAM FILES\MICROSOFT GAMES\FLIGHT SIMULATOR 9\TEXTURE\PARTH.R8
C:\PROGRAM FILES\MICROSOFT GAMES\FLIGHT SIMULATOR 9\TEXTURE\SMOKE_BK.R8
C:\PROGRAM FILES\MICROSOFT GAMES\FLIGHT SIMULATOR 9\TEXTURE\SMOKE_WT.R8
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\Ad-Aware SE Default.skn
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
C:\DOCUMENTS AND SETTINGS\ALL USERS.LOG
C:\DOCUMENTS AND SETTINGS\DEFAULT USER.LOG
C:\DOCUMENTS AND SETTINGS\OWNER\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\SPEECH\FILES\MSASR\SP_EA6EDDBFA9264BECB73E9711F49CA826.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SYMANTEC\SRTSP\SRTETMP\349545CD.TMP
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\related.htm
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RealDownloadExpress.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RealDownloadExpress1.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RealDownloadExpress2.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\RealDownloadExpress3.zip\sbRecovery.reg
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.BAK
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\DR WATSON\USER.DMP
D:\I386\BIOS1.RO_

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2006-11-14
F-Secure AVP: 7.0.171, 2006-11-15
F-Secure Orion: 1.2.37, 2006-11-14
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Draco: 1.0.35, 0260-02-44
F-Secure Pegasus: 1.19.0, 2006-08-29
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics

--------------------------------------------------------------------------------
Dougal
Regular Member
 
Posts: 27
Joined: November 6th, 2006, 7:26 am

Unread postby Dougal » November 15th, 2006, 10:48 am

And the HJT log


Logfile of HijackThis v1.99.1
Scan saved at 3:26:35 a.m., on 16/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\rundll32.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inet.net.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\PRESAR~1\Presario\XPHWWRS4\plugin\bin\PCHButton.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8553579703
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Dougal
Regular Member
 
Posts: 27
Joined: November 6th, 2006, 7:26 am

Unread postby Vino Rosso » November 17th, 2006, 5:15 am

Hi Dougal

Thanks for your congrats on my promotion :)

The logs aren't showing all that much. Let's try another approach.

1 - GMER
Download Gmer from >here<
  • Disconnect from internet and close running programs.
  • There is a small chance this application may crash your computer so save any work you have open.
  • Double click gmer.exe
  • Let the gmer.sys driver load if asked.
  • If it gives you a warning at the program start about rootkit activity and asks if you want to run scan... confirm OK.
  • If no warning....
    • Click "Rootkit" tab and click "Scan"
  • Once done click "Copy"
  • Open Notepad and hit "ctrl+v" to paste the log.
  • Reconnect to the internet and post the log back to this thread
Good luck

Vino
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Unread postby Dougal » November 17th, 2006, 5:58 am

Hi Vino,

Here are the results:


GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-11-17 22:54:15
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.12 ----

SSDT 82D19268 ZwAlertResumeThread
SSDT 82D18B80 ZwAlertThread
SSDT 82DC83E8 ZwAllocateVirtualMemory
SSDT 82B73160 ZwConnectPort
SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS ZwCreateKey
SSDT 82CA7898 ZwCreateMutant
SSDT 82E928A0 ZwCreateThread
SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS ZwDeleteKey
SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS ZwDeleteValueKey
SSDT 82CD5500 ZwFreeVirtualMemory
SSDT 82CA7AD0 ZwImpersonateAnonymousToken
SSDT 82CA9330 ZwImpersonateThread
SSDT 82C7A8D8 ZwMapViewOfSection
SSDT 82CA7700 ZwOpenEvent
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT 82D39CE8 ZwOpenProcessToken
SSDT 82CD4AB0 ZwOpenThreadToken
SSDT 82C8D178 ZwResumeThread
SSDT 82CC22F0 ZwSetContextThread
SSDT 82CD4E68 ZwSetInformationProcess
SSDT 82CBBA58 ZwSetInformationThread
SSDT \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS ZwSetValueKey
SSDT 82CA72A0 ZwSuspendProcess
SSDT 82CBA7B0 ZwSuspendThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT 82CBB980 ZwTerminateThread
SSDT 82CD54C8 ZwUnmapViewOfSection
SSDT 82D86D18 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

.text ntdll.dll!NtClose 77F5B5C8 5 Bytes JMP 72033A2A
.text ntdll.dll!NtCreateProcess 77F5B728 5 Bytes JMP 72033BB5
.text ntdll.dll!NtCreateProcessEx 77F5B738 5 Bytes JMP 72033A99
.text ntdll.dll!NtCreateSection 77F5B758 5 Bytes JMP 72033A48

---- Files - GMER 1.0.12 ----

ADS C:\Program Files\F-Prot\F-PROT.EXE:SummaryInformation
ADS C:\Program Files\F-Prot\F-PROT.EXE:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

---- EOF - GMER 1.0.12 ----


Thanks.
Dougal
Dougal
Regular Member
 
Posts: 27
Joined: November 6th, 2006, 7:26 am

Unread postby Dougal » November 17th, 2006, 6:12 am

Just remembered.

Not sure if the f-prot entry in the log means anything but f-prot doesn't work really. Seems to skip the main c: drive and only scans the d: drive (recovery partition).

One other thing. When I had the ZA firewall installed on the computer and attempted to open it, it would sometimes hang because the processes vsmon.exe and zlclient.exe were taking up 100% of the CPU between them. Always ended up restarting the computer and the ZA window would be open on start-up.

Finally when the computer has gone on standby today and I have brought it back on again the dial-up window for connecting to the internet appears. I also had problems last week when the computer would not go into standby mode.


Thanks
Dougal.
Dougal
Regular Member
 
Posts: 27
Joined: November 6th, 2006, 7:26 am

Unread postby Vino Rosso » November 18th, 2006, 4:44 am

Hi Dougal

Dougal wrote:Not sure if the f-prot entry in the log means anything but f-prot doesn't work really. Seems to skip the main c: drive and only scans the d: drive (recovery partition).

Thanks for letting me know.

Dougal wrote:One other thing. When I had the ZA firewall installed on the computer and attempted to open it, it would sometimes hang because the processes vsmon.exe and zlclient.exe were taking up 100% of the CPU between them. Always ended up restarting the computer and the ZA window would be open on start-up.

I think this may have been a conflict with Norton. Presumably this is no longer happening.

Dougal wrote:Finally when the computer has gone on standby today and I have brought it back on again the dial-up window for connecting to the internet appears. I also had problems last week when the computer would not go into standby mode.

Are you still having problems now with both getting into Standby mode and the internet dial-up window appearing?

Dougal, there is good news... and bad news. The good news is that I'm 99% certain that your computer is free of malware - the bad news is that it's more likely you have a hardware/software problem. I have one more thing to try after which, if nothing's revealed, I can recommend another forum for help.

1 - Bootlog
Using Windows explorer, go to C:\Windows\ntbtlog.txt
If ntbtlog.txt exists, right-click on the file and select delete.

Go to Start > Run > type msconfig
On the boot.ini tab tick the /BOOTLOG box
Click OK and OK any warnings.
Click Restart
When the PC has re-started, OK the System Configuration Utility message
Go back to the boot.ini tab and UNtick the /BOOTLOG box
Go to the General tab and click Normal Startup
Click Exit WITHOUT Restart

Using Windows Explorer, go to C:\WINDOWS\ntbtlog.txt and double-click on it
Notepad will open, copy & paste the content with your next reply.

2 - Check on status
After you have completed the above, please reboot and provide:
  • the Boot log
  • and a description of how your PC is behaving - what problems are you now experiencing?
Thanks
Vino
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Unread postby Dougal » November 18th, 2006, 6:09 am

Hi Vino,

In some ways I hope you're right, however I know that software problems aren't exactly that easy to fix either. :profileleft:

What I don't understand is why both NAV and ZA were detecting high risk worm attacks from many different IP addresses and targets on my computers registry etc. To quote NAV I receive 'MS ASN1 Integer Overflow TCP', 'MS RPCSS Attack', 'MSRPC Malicious LSASS DS Request BO (1)' and 'MS RPC LSASS DS Oversized Request'. I definitely know I'm not qualified enough to understand but I still don't get it.

As for the other problems I was having, the ZA trouble is not happening at the moment because I uninstalled it and the dial-up/standby problems haven't occured since I told you about them, which is something I guess.

However when I performed the restart to obtain a bootlog the Liveupdate window for NAV popped up on startup asking if I wished to download the updates. What fun it will be if it turns out to be software related. :D


Anyway, thanks very much for the help.

Dougal.


The Boot log

Service Pack 111 18 2006 22:32:23.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver ohci1394.sys
Loaded driver \WINDOWS\System32\DRIVERS\1394BUS.SYS
Loaded driver pciide.sys
Loaded driver \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Loaded driver viaide.sys
Loaded driver intelide.sys
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Loaded driver sr.sys
Loaded driver PxHelp20.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver viaagp1.sys
Loaded driver Mup.sys
Loaded driver agp440.sys
Loaded driver \SystemRoot\System32\DRIVERS\processr.sys
Loaded driver \SystemRoot\System32\DRIVERS\nv4_mini.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbuhci.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\System32\DRIVERS\AGRSM.sys
Loaded driver \SystemRoot\System32\Drivers\Modem.SYS
Loaded driver \SystemRoot\System32\DRIVERS\serial.sys
Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\System32\DRIVERS\parport.sys
Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\System32\DRIVERS\PS2.sys
Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\system32\drivers\pfc.sys
Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\system32\drivers\ALCXWDM.SYS
Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\System32\DRIVERS\psched.sys
Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\update.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\DRIVERS\AvgAsCln.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \??\C:\WINDOWS\System32\Drivers\SYMEVENT.SYS
Loaded driver \SystemRoot\System32\Drivers\SYMTDI.SYS
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\System32\Drivers\SRTSPX.SYS
Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys
Loaded driver \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
Loaded driver \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
Loaded driver \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndisuio.sys
Did not load driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\System32\Drivers\SYMREDRV.SYS
Loaded driver \SystemRoot\System32\Drivers\SYMDNS.SYS
Loaded driver \SystemRoot\System32\Drivers\SYMNDIS.SYS
Loaded driver \SystemRoot\System32\Drivers\SYMFW.SYS
Loaded driver \SystemRoot\System32\Drivers\SYMIDS.SYS
Loaded driver \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20061113.031\SymIDSCo.sys
Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Loaded driver \SystemRoot\System32\DRIVERS\secdrv.sys
Loaded driver \??\C:\WINDOWS\System32\drivers\tmcomm.sys
Did not load driver \SystemRoot\System32\Drivers\SRTSPX.SYS
Loaded driver \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20061117.017\NAVEX15.SYS
Loaded driver \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20061117.017\NAVENG.SYS
Loaded driver \SystemRoot\System32\Drivers\SRTSPL.SYS
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Dougal
Regular Member
 
Posts: 27
Joined: November 6th, 2006, 7:26 am

Unread postby Vino Rosso » November 18th, 2006, 11:19 am

Hi Dougal

Thanks for posting the errors/warnings from NAV. My research shows that these could be down to you not having yet updated to SP2. As your system appears clean, I think it is time that you take this step.

1 - Update Windows
Visit the following Microsoft Web site: http://windowsupdate.microsoft.com
Click Express Install (Recommended)
If your computer qualifies, Windows XP SP2 will be one of the updates automatically selected. Click Install.
Review and accept the End User License Agreement (EULA).
Windows XP SP2 will be downloaded to your computer, and the Windows XP Service Pack 2 Setup Wizard will help you install it.
Further information is available at the Microsoft website >here<

Please note that Microsoft ceased supporting Service Pack 1 at the end of October 2006.

Once you have completed the update, please post back with:
  • a new HijackThis log
  • a description of how your computer is behaving
Good Luck

Vino
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)

Unread postby Dougal » November 18th, 2006, 9:42 pm

Sorry to be a pest Vino :happy3: ,

but I just thought I should run through with you about what the logs in Zonealarm were like. I deleted them all but have a few hardcopies written down. I used the Whois databases on the internet to track down the locations of the IP addresses.

207.172.48.166 (RCN Corporation, Herndon, VA, U.S.)
200.161.64.210 (Telecomunicacoes de Sau Paulo, Sau Paulo, Brazil)
43.168.222.24 (Japan Inet, Chiyoda-ku, Tokyo, Japan)
61.129.113.239 (Shanghai Global Network Co. Ltd., China)
61.136.186.46 (ChinaNet - Hubei Province network, China Telecom, China)
61.57.132.230 (Extra-Lan Technologies Co. Ltd., Shindian City, Taiwan)
24.121.162.125 (Cable Vision of Parker, Cable-AZ-Parker 7) Using ARIN database.
60.0.14.198 (China Network Communications Group Corporation, Hebei Province, Beijing, China)

The logs also had what looked like internet web addresses but when I put them in the address bar they went nowhere. Some looked a bit suspect but I can't remember any of the addresses now. Here are a couple I wrote down but they aren't as suspect as some of the others.

dial.dyn.146.145.surfsterisp.com
ns2.she.com
ns.bamgroup.com

Just thought it might add something. Should I reinstall ZA and get some better log details? Anyway, I'm getting ready to install SP2 and will wait for your reply.

Thanks.
Dougal.
Dougal
Regular Member
 
Posts: 27
Joined: November 6th, 2006, 7:26 am
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 300 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware