Assorted Virus Leftovers?



Mono Loco
2008-02-14, 16:54
Hi, folks:

This is my first post - um...2nd, actually, but the 1st for which I followed the protocol (sorry, I got too anxious before and made poor assumptions trying to minimize your assistance/time, as I tried to take the burden).

I am hopeful that you can help me help my mother's neighbor's friend! I have been working on this for many hours (days), trying to resolve it without pestering anyone else, but I'm stumped. The PC is now useable (was not when I received it), but it is still slow and "startdrv.exe" keeps coming back to haunt me. I believe I was able to clean up the "wsnpoem" problem that Spybot had detected, but I'm still not convinced that there aren't remnants of it lurking about. Also, AntiSpyStorm and InternetSpeedMonitor were two problems that I was trying to uninstall - it looks like I had minimal results. Finally, the "patient" has PC-Cillin Internet Security 14 installed (updated) and has in Quarantine a file named "runtime.sys". I don't know if this is pertinent, but I thought I should mention it. Anyway, there are SEVERAL problems detected by Kaspersky's scanner that will need to be addressed. Please note that drive E: listed in the Kaspersky scan log is a thumb/flash drive and has been removed from the PC (and its files deleted, too).

Before I came to this forum, I had already dumped the System Restore - it is still off. I now realize that doing so without your advice was not the best idea. Next Time I'll come to you first!

Also, please forgive the odd-looking formatting - I did not have Word Wrap checked and I left the logs "as is". However, I tried to make this introduction easier to read ... but, actually, I might have made it more awkward. I don't know. I don't know what it will look like until I see it posted. (?) I'm tired, frustrated, and helpless!!!!! God Bless you guys.

I await your gospel - T.I.A.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 14, 2008 9:10:37 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/02/2008
Kaspersky Anti-Virus database records: 565487
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 47310
Number of viruses found: 10
Number of infected objects: 22
Number of suspicious objects: 14
Duration of the scan process: 00:30:51

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak4.zip/wbeCheck.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AdBreak4.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip/vxddsk.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk1.zip/startdrv.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk10.zip/startdrv.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk10.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk3.zip/startdrv.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk5.zip/startdrv.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk5.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk7.zip/startdrv.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk7.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\pcc_S-1-5-21-1745544055-3354780791-3455041725-500.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\pcc_S-1-5-21-1745544055-3354780791-3455041725-500u.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\TmPfw_S-1-5-21-1745544055-3354780791-3455041725-500.log Object is locked skipped
C:\Documents and Settings\jessie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-3aa1ecdc.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\jessie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-3aa1ecdc.zip ZIP: infected - 1 skipped
C:\Documents and Settings\jessie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-5243c8e7.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\jessie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-5243c8e7.zip ZIP: infected - 1 skipped
C:\Documents and Settings\jessie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms0311.jar-64b2bbdc-6fe050f5.zip/TakePrivileges.class Infected: Trojan-Downloader.Java.OpenConnection.ak skipped
C:\Documents and Settings\jessie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms0311.jar-64b2bbdc-6fe050f5.zip/SuperMSClassLoader.class Infected: Trojan.Java.ClassLoader.aq skipped
C:\Documents and Settings\jessie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms0311.jar-64b2bbdc-6fe050f5.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.ak skipped
C:\Documents and Settings\jessie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms0311.jar-64b2bbdc-6fe050f5.zip ZIP: infected - 3 skipped
C:\Documents and Settings\jessie\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\jessie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\jessie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\jessie\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\jessie\Local Settings\History\History.IE5\MSHist012008021420080215\index.dat Object is locked skipped
C:\Documents and Settings\jessie\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\jessie\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\jessie\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\info.exe Infected: Trojan-Downloader.Win32.Searcher.e skipped
C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\AlertFilter.log Object is locked skipped
C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\log\httpclient.log Object is locked skipped
C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\SmartBridge.log Object is locked skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\1.tmp Infected: Trojan-Downloader.Win32.Agent.acl skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\2.tmp Infected: Trojan-Downloader.Win32.Agent.dpe skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\6.tmp Infected: Trojan-Downloader.Win32.Agent.acl skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\7.tmp Infected: Trojan-Downloader.Win32.Agent.dpe skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\Techie_Scott\backups\backup-20080214-013722-708.dll Infected: Trojan-Downloader.Win32.Small.fqe skipped
C:\Techie_Scott\MaryLouFriend.doc Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8FB82C38-F9B3-421F-9296-44F8570C65EC}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\ip6fw.sys Infected: Trojan-Downloader.Win32.Agent.acl skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\iphelp.dll Infected: Trojan-Downloader.Win32.Small.fqe skipped
C:\WINDOWS\system32\rsh.dll Infected: Trojan-Downloader.Win32.Small.fqe skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\woodtype.dll Infected: Trojan-Spy.Win32.Banker.gts skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\wsusupd.exe Infected: Trojan-Downloader.Win32.Searcher.e skipped
E:\MaryLou\SmitfraudFix.2exe.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
E:\MaryLou\SmitfraudFix.2exe.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
E:\MaryLou\SmitfraudFix.2exe.exe RarSFX: infected - 2 skipped
E:\MaryLou\avenger.exe Object is locked skipped

Scan process completed.
--------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:17 AM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell AIO Printer 946\dlcimon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\dlcicoms.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Techie_Scott\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=0070105
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DLCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dlcimon.exe] "C:\Program Files\Dell AIO Printer 946\dlcimon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: dlci_device - - C:\WINDOWS\system32\dlcicoms.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 6733 bytes
------------------------------------
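As an added example that is not part of the original thread, here is a small Python parser for the Kaspersky Online Scanner report format quoted above. It drops the "Object is locked" noise, collapses archive-member lines onto the on-disk archive, sets "not-a-virus" riskware aside, and groups the remaining detections by folder, which is how a report like this gets turned into a cleanup list. The sample report (shortened from the one posted, with member counts adjusted) and the folder-grouping threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the Kaspersky Online Scanner 5 report format posted in the thread.
# Paths are taken from that report; the list is shortened and ZIP member counts adjusted.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip/vxddsk.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk1.zip/startdrv.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\jessie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-3aa1ecdc.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\jessie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms0311.jar-64b2bbdc-6fe050f5.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.ak skipped
C:\Documents and Settings\jessie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ms0311.jar-64b2bbdc-6fe050f5.zip ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\1.tmp Infected: Trojan-Downloader.Win32.Agent.acl skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\2.tmp Infected: Trojan-Downloader.Win32.Agent.dpe skipped
C:\WINDOWS\system32\drivers\ip6fw.sys Infected: Trojan-Downloader.Win32.Agent.acl skipped
C:\WINDOWS\system32\woodtype.dll Infected: Trojan-Spy.Win32.Banker.gts skipped
C:\info.exe Infected: Trojan-Downloader.Win32.Searcher.e skipped
E:\MaryLou\SmitfraudFix.2exe.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
E:\MaryLou\SmitfraudFix.2exe.exe RarSFX: infected - 2 skipped

Scan process completed.
"""

# A result line is "<path with spaces> <verdict> <action>"; the verdict vocabulary is what
# the posted report uses, so the lazy path group stops at the first verdict that fits.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<verdict>Object is locked|Infected: \S+|Suspicious: \S+|"
    r"(?:ZIP|RarSFX): (?:infected|suspicious) - \d+)\s+"
    r"(?P<action>\S+)$"
)


def parse_report(text):
    """Return (path, verdict, action) tuples; header, footer and blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["path"], m["verdict"], m["action"]))
    return entries


def on_disk_file(path):
    """Kaspersky separates archive members with '/'; the file to act on is the archive itself."""
    return path.split("/", 1)[0]


def parent_folder(path):
    """Folder containing a Windows path, with its trailing backslash."""
    return path.rsplit("\\", 1)[0] + "\\"


def triage(entries, folder_threshold=2):
    """Sort results the way they are read when building a cleanup list:
    - 'Object is locked' is in-use system files the scanner could not open, not a detection;
    - ZIP/RarSFX summary lines repeat a detection already reported on a member;
    - 'not-a-virus' riskware (here a repair tool's reboot helper) is judged separately;
    - detections clustered in one folder (quarantine stores, caches, backups) are listed
      per folder so the folder is emptied, the rest are handled file by file.
    folder_threshold is a constructed cut-off for the example."""
    locked, riskware, by_folder = [], [], defaultdict(set)
    for path, verdict, _action in entries:
        if verdict == "Object is locked":
            locked.append(path)
            continue
        if verdict.startswith(("ZIP:", "RarSFX:")):
            continue
        target = on_disk_file(path)
        if "not-a-virus:" in verdict:
            riskware.append(target)
            continue
        by_folder[parent_folder(target)].add(target)
    folders = {f: sorted(t) for f, t in by_folder.items() if len(t) >= folder_threshold}
    files = sorted(t for ts in by_folder.values() if len(ts) < folder_threshold for t in ts)
    return {"locked": locked, "riskware": sorted(set(riskware)),
            "folders": folders, "files": files}


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    for folder, members in result["folders"].items():
        print(f"empty folder: {folder}  ({len(members)} detections)")
    for path in result["files"]:
        print(f"delete file:  {path}")
    for path in result["riskware"]:
        print(f"riskware, review before acting: {path}")
    print(f"{len(result['locked'])} locked objects ignored")
```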

pskelley
2008-02-15, 16:32
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

HJT is showing only some leftovers to clean, so you must have done some good. This one: startdrv.exe is a trojan: http://www.bleepingcomputer.com/startups/startdrv-18061.html

Let's clean what Kaspersky shows us first:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< delete the contents of that folder in red
http://ict.cas.psu.edu/training/howto/util/removespybot.htm#1

C:\Documents and Settings\jessie\Application Data\Sun\Java\Deployment\cache\ <<< clean the contents of your Java cache
http://support.f-secure.com/enu/home/virusproblem/howtoclean/cleanjavacache.shtml

C:\Program Files\Trend Micro\Internet Security 14\Quarantine\ <<< delete the contents of the TM quarantine folder

C:\Techie_Scott\backups\ <<< delete that folder

(delete the files in red)

C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\iphelp.dll
C:\WINDOWS\system32\rsh.dll
C:\WINDOWS\system32\woodtype.dll
C:\info.exe
C:\wsusupd.exe

(you may need viewing files and folders enabled to see some files)
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

If any of those files give you trouble, use this tool and instructions.
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:05:17 AM, on 2/14/2008

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and run a new Kaspersky online scan and give me a report. I do not need to see a clean scan.

Thanks...Phil

Mono Loco
2008-02-16, 08:29
Can it be?
Scan Statistics:
Total number of scanned objects: 46296
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:33:13

Looks like we're done, no?
Spybot also detects no nasties now.
PC is behaving nicely and I'm looking forward to calling the owner and telling her that it's done! (and now my wife gets her living room back, for I can put away the "work station" that's been cluttering up the area for nearly a WEEK) I really should have posted a help request earlier, but I didn't want to trouble you folks without trying to clean it myself first - I got pretty far, but ... oh well, THANK YOU, so much for getting this monkey off my back!


I have a quick question.
As the "Kaspersky" on-line scanner is the virus scanner of choice, can I assume that Kaspersky's antivirus program is the top recommendation for purchase? The PC that you helped me clean did have Trend Micro's Internet Security 14 installed but it was apparently vulnerable to infection. The owner's subscription is paid until Jan. 2009, but should I advise her to uninstall this "Internet Security" and purchase and install Kaspersky? (she is retired, on a fixed income, and money is an issue).

pskelley
2008-02-16, 14:51
I try to stick with freeware products myself and personally use a free version of AVG Antivirus by Grisoft. The internet is no longer a safe place, especially since organized crime started chasing the $$$, see just a bit of information:
http://www.theregister.com/2007/05/11/google_malware_map/
http://redtape.msnbc.com/2007/05/the_next_net_th.html
http://www.channelregister.co.uk/2007/11/07/rogue_antispyware_ads/

Understand the user did not have to do anything to get infected but go to the wrong website with Java program (or others) out of date. Use Google for answers to questions like you have asked, here is information to get you started:
http://www.google.com/search?hl=en&q=best+antivirus+programs&btnG=Google+Search
Since $$$ may be an issue, here are free programs to consider:
http://free.grisoft.com/freeweb.php/doc/2/
http://www.avast.com/eng/avast_4_home.html
http://www.free-av.com/

While Kaspersky is rated highly, I personally believe more important is that the user keep the program up to date and run it as suggested. Layered protection will also help and that will be well covered in the links I provide.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Mono Loco
2008-02-18, 15:29
Great - or, grateful !!!!

After the PC was clean, I downloaded all MS Critical updates, including IE7. Her ISP's browser did not like THAT. I had software conflicts that I had to address, but it finally made it off my living room floor and back to its owner.

You've earned some more Kharma points, Phil.

AGAIN, thanks for help - it is not taken for granted, but deeply appreciated. In fact, now I've got to see about how to make a donation. My usual "fee" for helping people fix their PCs is "invite my wife and me over for a dinner some night", but this lady gave me some cash. I'd like to send some of it your way - deservedly so.

Be Well,
Scott

pskelley
2008-02-18, 15:45
You are not talking about aohell are you? Thanks for the feedback and the Kharma points, I can use those as I created a load of bad ones early in life and I am still trying to work that out.

We are volunteers, but I did put a link to donations in closing information. I know it has to cost plenty to run a place like this, especially since Patrick gives Spybot S&D away. http://en.wikipedia.org/wiki/Patrick_Michael_Kolla

Phil

Mono Loco
2008-02-18, 16:19
SBC/Yahoo Browser.

I will certainly send Mr. Kolla a donation.
I've loaded his program on dozens of friends' and family members' PCs and my original donation was a l-o-n-g time ago - I'm overdue.


Cheers,
Scott

pskelley
2008-02-18, 16:26
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

You see that service running? If they are not using the service I would consider disabling the service at least.

Mono Loco
2008-02-18, 18:18
I actually uninstalled her AOL software, as she NEVER used it, never wanted it, and never even knew she had it!
I don't know if it came pre-loaded from Dell or whatever - in any case, it's gone now. Nonetheless, I can check to see if the uninstallation removed that service altogether (as I'd like to hope it should have).