Following malware removal instructions, have some questions.
#11 - 15th Feb 2008, 20:39 - Member Group

I copied and pasted exactly what was there, but I have a feeling nothing happened: when I entered the code and ran the program, it gave me a bunch of error messages. Anyhow here is the log, let me know how to proceed.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////
Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qurteyl

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdcp

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qwyem

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kae

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pdx

Syntax error in line --- does not appear to be a valid registry path. Line will be ignored.
Error code: 0
Line: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Plz

//////////////////////////////////////////

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gunhcrar
*******************
Script file located at: \??\C:\Documents and Settings\bxyaorns.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:

Completed script processing.
*******************
Finished! Terminate.

#12 - 15th Feb 2008, 20:54 - Moderator Group

Let's try this. You will need to delete each one separately.

Download RegASSASSIN.exe to the desktop.

Open RegASSASSIN and copy the registry keys below one at a time, then paste each one into RegASSASSIN's window and click Delete.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qurteyl
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdcp
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qwyem
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kae
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pdx
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Plz

Let me know how that works.

#13 - 18th Feb 2008, 10:21 - Member Group

So every time I dropped a registry key in, it came up with this message:
The registry key you have specified does not exist or is not visible to RegASSASSIN. This could be caused by a set permission that does not allow RegASSASSIN to see it, would you like to continue?

I opted for yes, and then it would tell me that the registry key had been successfully deleted. So did it work?

#14 - 18th Feb 2008, 10:31 - Moderator Group

Download Deckard's System Scanner (DSS) to your Desktop.
Note: You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open
    • main.txt <- this one will be maximized
    • and extra.txt <- this one will be minimized
  • Add the contents of main.txt in your post.
  • Also add extra.txt to your post.
  • The text from these files may exceed the maximum post length for this forum, and may need to be sent over 2 or more posts. Please ensure all text is posted.

What DSS will do:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

#15 - 18th Feb 2008, 17:39 - Member Group

Main:

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-02-18 17:11:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
35: 2008-02-19 00:12:50 UTC - RP323 - Deckard's System Scanner Restore Point
34: 2008-02-14 19:02:42 UTC - RP322 - ComboFix created restore point
33: 2008-02-14 02:06:55 UTC - RP321 - ComboFix created restore point
32: 2008-02-13 17:35:14 UTC - RP320 - Software Distribution Service 3.0
31: 2008-02-12 19:05:14 UTC - RP319 - System Checkpoint

-- First Restore Point --
1: 2008-01-16 03:07:16 UTC - RP289 - Installed Belkin Wireless G Plus MIMO USB Network Adapter

Backed up registry hives.
Performed disk cleanup.
Total Physical Memory: 256 MiB (512 MiB recommended).

-- HijackThis (run as Administrator.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:17 PM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\sniper.exe\Administrator.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.juno.com/s/sp?r=al&cf=sp
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://myspace-857.vo.llnwd.net/0029...99462857_m.gif
O24 - Desktop Component 1: (no name) - http://myspace-979.vo.llnwd.net/0032...20417979_m.jpg
--
End of file - 7605 bytes
-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\sniper.exe\backups\) ---------
backup-20080207-211709-109 O2 - BHO: (no name) - {37F27A15-E3A4-912B-A038-EF2B2893DFCE} - (no file)
backup-20080207-211709-288 O2 - BHO: (no name) - {AF7B6EBD-AD0C-8F88-0C22-FE9AF3FF4D96} - (no file)
backup-20080207-211709-822 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080207-211709-904 O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
backup-20080207-211712-744 O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
backup-20080207-211715-795 O20 - AppInit_DLLs: WIKI.DLL
backup-20080213-142344-759 R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
-- File Associations -----------------------------------------------------------
All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 DVDVRRdr_xp - c:\windows\system32\drivers\dvdvrrdr_xp.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S2 irda (IrDA Protocol) - c:\windows\system32\drivers\irda.sys (file missing)
S3 catchme - c:\docume~1\admini~1.fre\locals~1\temp\catchme.sys (file missing)
S3 FA411 (NETGEAR FA411 PCMCIA Mobile Adapter) - c:\windows\system32\drivers\fa411nd5.sys <Not Verified; NETGEAR Inc.; NETGEAR FA411 PCMCIA Mobile Adapter>
S3 TnIDriver - c:\docume~1\admini~1.fre\locals~1\temp\tni178.tmp (file missing)
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
All services whitelisted.

-- Device Manager: Disabled ----------------------------------------------------
Class GUID:
Description: Network Controller
Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_00011028&REV_02\4&39A85202&0&18F0
Manufacturer:
Name: Network Controller
PNP Device ID: PCI\VEN_14E4&DEV_4320&SUBSYS_00011028&REV_02\4&39A85202&0&18F0
Service:

-- Scheduled Tasks -------------------------------------------------------------
2008-02-09 03:30:04 442 --a------ C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job

-- Files created between 2008-01-18 and 2008-02-18 -----------------------------
2008-02-13 19:05:20 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-02-13 19:05:20 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-02-13 19:05:20 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-02-13 19:05:20 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-02-12 19:29:21 0 d-------- C:\WINDOWS\ERUNT
2008-02-07 21:19:30 0 dr-h----- C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Recent
2008-02-06 17:07:49 0 d-------- C:\Program Files\VS Revo Group
2008-02-05 11:47:13 0 d-------- C:\Program Files\Lavasoft
2008-02-05 11:46:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-04 11:30:50 0 d-------- C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\Grisoft
2008-02-04 11:29:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-04 10:35:39 0 d-------- C:\Program Files\Trend Micro
2008-02-03 21:24:23 0 d-------- C:\Program Files\EsetOnlineScanner
2008-01-31 21:48:39 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-31 21:47:18 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-01-31 21:47:17 0 d-------- C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\SUPERAntiSpyware.com
2008-01-31 21:44:23 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-31 21:28:50 0 d-------- C:\Program Files\CCleaner
2008-01-30 23:35:44 0 d-------- C:\Program Files\Spybot - Search & Destroy2
2008-01-29 22:48:03 159744 --a------ C:\WINDOWS\system32\hasher.dll <Not Verified; ; hasher Dynamic Link Library>
2008-01-29 22:47:57 0 d-------- C:\Program Files\Trisnap Technologies
2008-01-29 18:22:20 0 d-------- C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\DoctorWeb
2008-01-24 10:18:57 0 d-------- C:\Program Files\Alwil Software
2008-01-23 19:19:05 0 d-------- C:\WINDOWS\network diagnostic
2008-01-23 19:00:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-01-23 18:29:32 0 d-------- C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\RegistrySmart
2008-01-20 23:48:17 0 d-------- C:\Program Files\Common Files\Symantec Shared

-- Find3M Report ---------------------------------------------------------------
2008-02-13 19:09:50 0 d-------- C:\Program Files\Common Files
2008-02-05 11:03:30 0 d-------- C:\Program Files\Java
2008-01-21 15:11:31 0 d-------- C:\Program Files\Absolute Poker
2008-01-16 00:49:09 0 d-------- C:\Program Files\Common Files\fmrf
2008-01-15 23:26:18 0 d-------- C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\Image Zone Express
2008-01-15 20:07:17 0 d-------- C:\Program Files\Belkin
2008-01-14 23:21:29 0 d-------- C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\Roxio
2008-01-10 19:54:02 0 d-------- C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\Snapfish
2007-12-15 19:09:42 44605 --a------ C:\logfile

-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [08/04/2004 12:56 AM]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [04/05/2005 09:05 PM]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [08/27/2003 02:20 PM]
"F5D9050"="C:\Program Files\Belkin\F5D9050\Belkinwcui.exe" [03/14/2006 04:52 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 06:00 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 03:42 AM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/14/2007 03:44 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\start.exe


-- End of Deckard's System Scanner: finished at 2008-02-18 17:27:26 ------------

Extra:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel(R) Pentium(R) M processor 1300MHz
Percentage of Memory in Use: 79%
Physical Memory (total/avail): 255.23 MiB / 53.6 MiB
Pagefile Memory (total/avail): 616.25 MiB / 300.45 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1937.11 MiB
C: is Fixed (NTFS) - 18.63 GiB total, 3.83 GiB free.
D: is CDROM (CDFS)
\\.\PHYSICALDRIVE0 - IC25N020ATCS04-0 - 18.63 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 18.63 GiB - C:

-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.
AV: avast! antivirus 4.7.1098 [VPS 080218-0] v4.7.1098 (ALWIL Software)
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data
CLASSPATH=C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=FREAKSHO-BHQ934
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator.FREAKSHO-BHQ934
LOGONSERVER=\\FREAKSHO-BHQ934
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\ATI Technologies\ATI Control Panel;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0905
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_04\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1.FRE\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1.FRE\LOCALS~1\Temp
USERDOMAIN=FREAKSHO-BHQ934
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator.FREAKSHO-BHQ934
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------
clucker (admin)
Administrator.FREAKSHO-BHQ934 (admin)

-- Add/Remove Programs ---------------------------------------------------------
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ArcView 3D Analyst --> C:\WINDOWS\uninst.exe -fC:\ESRI\AV_GIS30\arcview\DeIsL4.isu
ArcView Image Analysis --> C:\WINDOWS\uninst.exe -fC:\ESRI\AV_GIS30\arcview\DeIsL3.isu
ArcView Spatial Analyst --> C:\WINDOWS\uninst.exe -fC:\ESRI\AV_GIS30\arcview\DeIsL2.isu
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,Run Setup
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Belkin Wireless G Plus MIMO USB Network Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\Belkin\F5D9050\Setup.exe" -l0x9
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
ESET Online Scanner --> C:\WINDOWS\system32\OnlineScannerUninstaller.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java(TM) 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java(TM) SE Development Kit 6 Update 4 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160040}
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Administrator.FREAKSHO-BHQ934\Application Data\Move Networks\ie_bin\Uninst.exe
Revo Uninstaller 1.42 --> C:\Program Files\VS Revo Group\Revo Uninstaller\uninst.exe
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy2\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}

-- Application Event Log -------------------------------------------------------
Event Record #/Type2640 / Error
Event Submitted/Written: 02/18/2008 05:22:42 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.co...uthrootseq.txt> with error: The specified server cannot perform the requested operation.
Event Record #/Type2639 / Error
Event Submitted/Written: 02/18/2008 05:22:42 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.co...uthrootseq.txt> with error: This operation returned because the timeout period expired.
Event Record #/Type2634 / Warning
Event Submitted/Written: 02/18/2008 01:01:17 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.
Event Record #/Type2629 / Warning
Event Submitted/Written: 02/15/2008 09:58:29 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.
Event Record #/Type2624 / Warning
Event Submitted/Written: 02/15/2008 08:17:19 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------
Event Record #/Type4080 / Error
Event Submitted/Written: 02/18/2008 04:53:17 PM
Event ID/Source: 7022 / Service Control Manager
Event Description:
The AVG Anti-Spyware Guard service hung on starting.
Event Record #/Type4079 / Error
Event Submitted/Written: 02/18/2008 04:52:23 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Infrared Monitor service depends on the IrDA Protocol service which failed to start because of the following error:
%%2
Event Record #/Type4078 / Error
Event Submitted/Written: 02/18/2008 04:52:20 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The IrDA Protocol service failed to start due to the following error:
%%2
Event Record #/Type4076 / Warning
Event Submitted/Written: 02/18/2008 04:49:34 PM / 02/18/2008 04:50:00 PM
Event ID/Source: 4 / b57w2k
Event Description:
Broadcom 570x Gigabit Integrated Controller: The network link is down. Check to make sure the network cable is properly connected.
Event Record #/Type4052 / Error
Event Submitted/Written: 02/18/2008 09:18:52 AM
Event ID/Source: 7022 / Service Control Manager
Event Description:
The AVG Anti-Spyware Guard service hung on starting.

-- End of Deckard's System Scanner: finished at 2008-02-18 17:27:26 ------------
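As an added example (not code from the thread, HijackThis or DSS), a small Python triage of HijackThis O4 lines like those in the log above: it parses each Run-key entry and flags the ones a reviewer checks first (target missing, target in a temp or profile directory, file dropped straight into C:\WINDOWS, or an entry in the SYSTEM/Default User hive). The first five sample lines are copied from the log; the Gdcp and Plz lines and the rules themselves are constructed for illustration and produce review candidates, not verdicts.

```python
"""Triage HijackThis-style O4 (Run key) lines from a log like the one above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One HijackThis O4 line, e.g.
#   O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
#   O4 - HKUS\S-1-5-18\..\Run: [swg] C:\...\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)

# Heuristic review rules (assumptions of this example, not HijackThis logic):
# directories writable without admin rights, matched against long and 8.3 forms.
SUSPECT_DIRS = (
    "\\temp\\", "\\locals~1\\", "\\local settings\\", "\\docume~1\\",
    "\\documents and settings\\", "\\application data\\", "\\recycler\\",
)
# A file placed directly in C:\WINDOWS rather than in a program directory.
WINDOWS_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+$")
# Run keys of the SYSTEM account and of the logon-screen (Default User) hive.
SERVICE_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")


@dataclass
class Autorun:
    hive: str
    key: str
    name: str
    command: str
    user: str = ""
    reasons: List[str] = field(default_factory=list)


def target_path(command: str) -> str:
    """Best-effort executable path from a Run value's command line."""
    cmd = command.strip()
    if cmd.startswith('"'):                      # quoted path, arguments after it
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif|dll))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def parse_o4(line: str) -> Optional[Autorun]:
    """Parse one O4 line; returns None for any other kind of log line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return Autorun(m["hive"], m["key"], m["name"], m["cmd"].strip(), m["user"] or "")


def triage(entry: Autorun) -> Autorun:
    """Attach review reasons to an entry; an empty list means nothing stood out."""
    cmd = entry.command
    if not cmd or "(no file)" in cmd or "(file missing)" in cmd:
        entry.reasons.append("target file missing: orphaned or hidden autorun")
        return entry
    path = target_path(cmd).lower()
    if any(d in path for d in SUSPECT_DIRS):
        entry.reasons.append("target lives in a user-writable or temp directory")
    if WINDOWS_ROOT.match(path):
        entry.reasons.append("target sits directly in the Windows directory")
    if entry.hive.upper() in SERVICE_HIVES:
        entry.reasons.append("runs from the SYSTEM/Default User hive, no interactive logon needed")
    return entry


def triage_log(text: str) -> List[Autorun]:
    """Return only the O4 entries in a log that collected at least one reason."""
    flagged = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry and triage(entry).reasons:
            flagged.append(entry)
    return flagged


# Constructed sample: the first five lines are taken from the HijackThis log in the
# thread; the Gdcp and Plz lines are invented to exercise the temp and missing-file rules.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKCU\..\Run: [Gdcp] C:\DOCUME~1\ADMINI~1.FRE\LOCALS~1\Temp\gdcp.exe
O4 - HKCU\..\Run: [Plz] (no file)
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.hive}\\..\\{e.key} [{e.name}] -> {e.command}")
        for reason in e.reasons:
            print("    *", reason)
```

Entries that are flagged still need a human look: SM1BG.EXE, for instance, is flagged only because of where it lives, and the log's own "Not Verified" markers and file dates are the next thing to check.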

#16 - 18th Feb 2008, 23:00 - Moderator Group

Everything looks fine now. How is the computer now?



Time to do some cleanup and secure the work you have done.
  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.


The above procedure will:
  • Delete:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.

Download OTMoveIt2 by OldTimer (OTMoveIt2.exe) and place it on your desktop (unless you already have it).

1. Double click OTMoveIt2.exe to launch it.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • When finished exit out of OTMoveIt2

Check out Keeping Yourself safe On The Web for tips and free tools to keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

#17 - 19th Feb 2008, 18:06 - Member Group

I went to test my ActiveX and I got the message that my ActiveX is not supported. The website only told me that it could be my browser, but I am using IE7 as my browser, not one that they list as not recognizing ActiveX. What do I do about this?

#18 - 19th Feb 2008, 18:18 - Moderator Group

That is odd. I get that message using Firefox but never in IE.

Let me look into it.
Copyright ©2006 - 2009 Computer Juice.