
Thread: Viruses and trojans...oh my!

  1. #1
    Member
    Join Date: Jun 2007
    Posts: 64

    Viruses and trojans...oh my!

    My computer has recently been infected by some viruses.

    Below is the Kaspersky virus scan log, and below that is the HijackThis log:

    Kaspersky log:

    ----------------KASPERSKY ONLINE SCANNER REPORT
    Sunday, February 24, 2008 3:34:16 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 24/02/2008
    Kaspersky Anti-Virus database records: 577856


    Scan Settings
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target: My Computer
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\

    Scan Statistics
    Total number of scanned objects: 228173
    Number of viruses found: 3
    Number of infected objects: 11
    Number of suspicious objects: 0
    Duration of the scan process: 03:16:39

    Infected Object Name | Virus Name | Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Dr
    Watson\user.dmp Object is locked skipped

    C:\System Volume Information\MountPointManagerRemoteDatabase Object is
    locked skipped

    C:\System Volume
    Information\_restore{0BF11B87-840E-4BF1-9320-D00968AFFBDD}\RP1\A0000190.exe/WISE0008.BIN
    Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped

    C:\System Volume
    Information\_restore{0BF11B87-840E-4BF1-9320-D00968AFFBDD}\RP1\A0000190.exe/WISE0009.BIN
    Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped

    C:\System Volume
    Information\_restore{0BF11B87-840E-4BF1-9320-D00968AFFBDD}\RP1\A0000190.exe
    WiseSFX: infected - 2 skipped

    D:\System Volume Information\MountPointManagerRemoteDatabase Object is
    locked skipped

    D:\System Volume Information\OP_CACHE.ATR Object is locked skipped

    D:\System Volume Information\OP_CACHE.IDX Object is locked skipped

    F:\Documents and Settings\Administrator.DON\Cookies\index.dat Object is
    locked skipped

    F:\Documents and Settings\Administrator.DON\Local Settings\Application
    Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    F:\Documents and Settings\Administrator.DON\Local Settings\Application
    Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    F:\Documents and Settings\Administrator.DON\Local
    Settings\History\History.IE5\index.dat Object is locked skipped

    F:\Documents and Settings\Administrator.DON\Local
    Settings\History\History.IE5\MSHist012008022420080225\index.dat Object is
    locked skipped

    F:\Documents and Settings\Administrator.DON\Local
    Settings\Temp\NER1.tmp\Toolbar.exe Infected:
    not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

    F:\Documents and Settings\Administrator.DON\Local
    Settings\Temp\NER3.tmp\Toolbar.exe Infected:
    not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

    F:\Documents and Settings\Administrator.DON\Local
    Settings\Temp\NER753.tmp\Toolbar.exe Infected:
    not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

    F:\Documents and Settings\Administrator.DON\Local
    Settings\Temp\NeroDemo11606\Toolbar.exe Infected:
    not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

    F:\Documents and Settings\Administrator.DON\Local
    Settings\Temp\OiUninstaller.exe/data0002 Infected:
    not-a-virus:AdWare.Win32.PurityScan.gr skipped

    F:\Documents and Settings\Administrator.DON\Local
    Settings\Temp\OiUninstaller.exe NSIS: infected - 1 skipped

    F:\Documents and Settings\Administrator.DON\Local Settings\Temporary
    Internet Files\Content.IE5\index.dat Object is locked skipped

    F:\Documents and Settings\Administrator.DON\NTUSER.DAT Object is locked
    skipped

    F:\Documents and Settings\Administrator.DON\ntuser.dat.LOG Object is
    locked skipped

    F:\Documents and Settings\All Users\Application Data\Microsoft\Dr
    Watson\user.dmp Object is locked skipped

    F:\Documents and Settings\All Users.WINDOWS\Application
    Data\avg7\Log\emc.log Object is locked skipped

    F:\Documents and Settings\All Users.WINDOWS\Application
    Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

    F:\Documents and Settings\All Users.WINDOWS\Application
    Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

    F:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat
    Object is locked skipped

    F:\Documents and Settings\LocalService.NT AUTHORITY\Local
    Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked
    skipped

    F:\Documents and Settings\LocalService.NT AUTHORITY\Local
    Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is
    locked skipped

    F:\Documents and Settings\LocalService.NT AUTHORITY\Local
    Settings\History\History.IE5\index.dat Object is locked skipped

    F:\Documents and Settings\LocalService.NT AUTHORITY\Local
    Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked
    skipped

    F:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is
    locked skipped

    F:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object
    is locked skipped

    F:\Documents and Settings\NetworkService.NT AUTHORITY\Local
    Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked
    skipped

    F:\Documents and Settings\NetworkService.NT AUTHORITY\Local
    Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is
    locked skipped

    F:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is
    locked skipped

    F:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG
    Object is locked skipped

    F:\System Volume Information\MountPointManagerRemoteDatabase Object is
    locked skipped

    F:\System Volume Information\OP_CACHE.ATR Object is locked skipped

    F:\System Volume Information\OP_CACHE.IDX Object is locked skipped

    F:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

    F:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{DC5D9B18-8C65-4BD2-ADDF-B68EFD09CD6E}.crmlog
    Object is locked skipped

    F:\WINDOWS\SchedLgU.Txt Object is locked skipped

    F:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked
    skipped

    F:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

    F:\WINDOWS\system32\config\default Object is locked skipped

    F:\WINDOWS\system32\config\default.LOG Object is locked skipped

    F:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

    F:\WINDOWS\system32\config\SAM Object is locked skipped

    F:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

    F:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

    F:\WINDOWS\system32\config\SECURITY Object is locked skipped

    F:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

    F:\WINDOWS\system32\config\software Object is locked skipped

    F:\WINDOWS\system32\config\software.LOG Object is locked skipped

    F:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

    F:\WINDOWS\system32\config\system Object is locked skipped

    F:\WINDOWS\system32\config\system.LOG Object is locked skipped

    F:\WINDOWS\system32\h323log.txt Object is locked skipped

    F:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

    F:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

    F:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked
    skipped

    F:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked
    skipped

    F:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked
    skipped

    F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked
    skipped

    F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked
    skipped

    F:\WINDOWS\Temp\bca4e2da.$$$ Object is locked skipped

    F:\WINDOWS\Temp\fa56d7ec.$$$ Object is locked skipped

    F:\WINDOWS\WindowsUpdate.log Object is locked skipped

    G:\Downloads\Nero7\Nero-7.5.9.0A_eng.exe/Toolbar.exe Infected:
    not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

    G:\Downloads\Nero7\Nero-7.5.9.0A_eng.exe RAR: infected - 1 skipped

    G:\System Volume Information\MountPointManagerRemoteDatabase Object is
    locked skipped

    G:\System Volume Information\OP_CACHE.ATR Object is locked skipped

    G:\System Volume Information\OP_CACHE.IDX Object is locked skipped

    H:\System Volume Information\MountPointManagerRemoteDatabase Object is
    locked skipped

    H:\System Volume Information\OP_CACHE.ATR Object is locked skipped

    H:\System Volume Information\OP_CACHE.IDX Object is locked skipped

    Scan process completed.
    ----------

    Hijackthis log:

    -------------
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:32:32 PM, on 2/24/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    F:\WINDOWS\Explorer.EXE
    F:\WINDOWS\ehome\ehtray.exe
    F:\Program Files\iTunes\iTunesHelper.exe
    F:\WINDOWS\system32\RUNDLL32.EXE
    F:\WINDOWS\RTHDCPL.EXE
    F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    F:\Program Files\Messenger\msmsgs.exe
    F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    F:\Program Files\WinZip\WZQKPICK.EXE
    F:\WINDOWS\system32\spoolsv.exe
    F:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    F:\WINDOWS\eHome\ehRecvr.exe
    F:\WINDOWS\eHome\ehSched.exe
    F:\WINDOWS\system32\nvsvc32.exe
    F:\Program Files\iPod\bin\iPodService.exe
    F:\WINDOWS\system32\dllhost.exe
    F:\WINDOWS\eHome\ehmsas.exe
    F:\WINDOWS\system32\wuauclt.exe
    F:\Program Files\Internet Explorer\IEXPLORE.EXE
    H:\Guild Wars\Gw.exe
    F:\Program Files\Internet Explorer\iexplore.exe
    F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ehTray] F:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - F:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - F:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 5339 bytes
    -----

  2. #2
    Security Expert: Emeritus
    Join Date: Oct 2006
    Location: Finland
    Posts: 29,374

    Hi Doom Saber

    Please download ATF Cleaner by Atribune and save it to your desktop.

    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

    If you use the Firefox browser:

    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use the Opera browser:

    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit to close ATF-Cleaner.

    Re-scan with Kaspersky.

    Post:

    - a fresh HijackThis log
    - the Kaspersky report

    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Security Expert: Emeritus
    Join Date: Oct 2006
    Location: Finland
    Posts: 29,374

    Due to the lack of feedback this Topic is closed.

    If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

    Everyone else please begin a New Topic.
