uspoor

Disk Continuously Churning - Mal/spyware? HJT Log [RESOLVED]


My disk is always running whenever I use my PC nowadays. I have been referencing some questionable web sites over the past month, but nothing I can pin the consistent disk activity to.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:22:01 PM, on 8/27/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ngvpnmgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\CTHELPER.EXE

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe

C:\Program Files\coolpro2\coolpro2.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.6972\swg.dll

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [intelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [CTXFIREG] CTxfiReg.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [Craigslist Notifier] "C:\Program Files\WMF Technologies\Craigslist Notifier\CLNotifier.exe" min

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://vpn1.hawaiianair.com/preauthWSC/winxp/AXXPEE.dll

O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://vpn1.hawaiianair.com/postauthI/epi.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1190720458093

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe

O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe (file missing)

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 9641 bytes

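As an added example (not part of the original thread and not HijackThis code), a small Python triage helper that parses entries in the shape of the log above and flags what a reviewer looks at first: O23 services whose binary is reported missing or that have an "Unknown owner", O9 buttons with "(no file)", and Run or AppInit_DLLs entries that name a bare file with no directory. The sample lines are constructed after entries in the posted log; the flag names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines in the layout of the HijackThis v2.0.2 log above.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE",
    r"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r"O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)",
    r"O20 - AppInit_DLLs: avgrsstx.dll",
    r"O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)",
    r"O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe (file missing)",
    r"O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe",
]

# Every HJT entry starts with a section tag such as R1, O4, O23 followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")


@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def extract_path(section: str, body: str) -> Optional[str]:
    """Pull the file reference out of an entry body, per section layout."""
    if section == "O4":
        # O4 - <hive>\..\Run: [name] <command line>; keep only the executable.
        cmd = body.split("] ", 1)[1].strip() if "] " in body else body.strip()
        if cmd.startswith('"'):
            return cmd[1:].split('"', 1)[0]
        return cmd.split(" ", 1)[0]
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        return body.split(":", 1)[1].strip() or None
    # O2/O9/O23 and similar: the path is the last " - " separated field.
    return body.rsplit(" - ", 1)[-1].strip()


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for header/footer lines and process paths."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    raw_path = extract_path(section, body)
    entry = Entry(section, body, raw_path)
    if raw_path is None:
        return entry
    if raw_path == "(no file)" or "(file missing)" in raw_path:
        # Registration points at a file that is gone: a dead entry, a clean-up candidate.
        entry.flags.append("missing_file")
        cleaned = raw_path.replace("(file missing)", "").replace("(no file)", "").strip()
        entry.path = cleaned or None
    if section == "O23" and "Unknown owner" in body:
        # HJT found no publisher information for the service binary.
        entry.flags.append("unknown_owner")
    if entry.path and "\\" not in entry.path:
        # Bare file name: resolved via the search path, so the log alone
        # does not tell the reviewer which file actually loads.
        entry.flags.append("bare_filename")
    if "(no name)" in body:
        entry.flags.append("no_name")
    return entry


def triage(lines) -> List[Entry]:
    """Return the entries that carry at least one review flag."""
    entries = [e for e in map(parse_entry, lines) if e is not None]
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:4} {','.join(e.flags):28} {e.path}")
```

A flag is a prompt to look closer, not a verdict: the Spybot SDHelper BHO above is flagged only because HJT prints "(no name)" for it.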

Hello and Welcome to the forums. :)

I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today.

Step 1

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Step 2

Please do an online scan with Kaspersky WebScanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

  • The program will install and then begin downloading the latest definition files.
  • Once they are downloaded, the database will be updated.
    Please accept any ActiveX or Java notifications
  • After the files have been updated, go to the left side of the page under the Scan section and select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Hi,

Here's the log:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Sunday, August 31, 2008

Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Sunday, August 31, 2008 19:59:52

Records in database: 1172205

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

Scan statistics:

Files scanned: 153732

Threat name: 9

Infected objects: 21

Suspicious objects: 14

Duration of the scan: 07:51:33

File name / Threat name / Threats count

C:\Backup\2003_A30406_1420 040103 Miscellaneous\Mail\HOL\Incoming, 3rd quarter 2002 Suspicious: Exploit.HTML.Iframe.FileDownload 1

C:\Backup\2003_A3211_1205 021103 backup\Miscellaneous\Mail\HOL\Incoming, 3rd quarter 2002 Suspicious: Exploit.HTML.Iframe.FileDownload 1

C:\Backup\2004\3rd qtr backup 2004\WINDOWS\Desktop\Miscellaneous\Mail\HOL\Third quarter 2004\Incoming Suspicious: Exploit.HTML.Iframe.FileDownload 1

C:\Backup\2004\backup 2004 qtr 2 0704\Q204\Mail\HOL\Incoming, second quarter 2004 Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\Backup\January through April 2005 backup\Electronic Circuits\Ampex\Ampex archives111.txt Suspicious: Exploit.HTML.Iframe.FileDownload 2

C:\Backup\January through April 2005 backup\Electronic Circuits\Ampex\Ampex archives206.txt Suspicious: Exploit.HTML.Iframe.FileDownload 1

C:\Backup\January through April 2005 backup\Electronic Circuits\Ampex\Ampex archives\2000-2004.txt Infected: Email-Worm.VBS.KakWorm 3

C:\Backup\January through April 2005 backup\Electronic Circuits\Ampex\Ampex archives\2000-2004.txt Suspicious: Exploit.HTML.Iframe.FileDownload 2

C:\Backup\January through April 2005 backup\Electronic Circuits\Ampex\Ampex archives\2000.txt Infected: Email-Worm.VBS.KakWorm 3

C:\Backup\January through April 2005 backup\Electronic Circuits\Ampex\Ampex list\2000-2004.txt Infected: Email-Worm.VBS.KakWorm 3

C:\Backup\January through April 2005 backup\Electronic Circuits\Ampex\Ampex list\2000-2004.txt Suspicious: Exploit.HTML.Iframe.FileDownload 2

C:\Documents and Settings\Chris\.housecall\Quarantine\rlls.dll.bac_a02748 Infected: not-a-virus:AdWare.Win32.RK.e 1

C:\Documents and Settings\Chris\.housecall6.6\Quarantine\firstload&co acount maker.exe.bac_a01352 Infected: Backdoor.Win32.Ciadoor.13.y 1

C:\Documents and Settings\Chris\Desktop\2005\1st 2005\Ampex list\2000-2004.txt Infected: Email-Worm.VBS.KakWorm 3

C:\Documents and Settings\Chris\Desktop\already backed up\2006\3Q2006\Ampex Archive\ampex_list_2000.txt Infected: Email-Worm.VBS.KakWorm 3

C:\Documents and Settings\Chris\Desktop\already backed up\2006\3Q2006\Ampex Archive\ampex_list_2001.txt Suspicious: Exploit.HTML.Iframe.FileDownload 2

C:\Documents and Settings\Chris\Desktop\already backed up\2006\3Q2006\Ampex Archive\ampex_list_2002.txt Suspicious: Exploit.HTML.Iframe.FileDownload 1

C:\Documents and Settings\Chris\Desktop\already backed up\2006\3Q2006\Ampex Archive\ampex_list_2002.txt Infected: Email-Worm.Win32.Klez.h 1

C:\Documents and Settings\Chris\Desktop\already backed up\2006\3Q2006\Ampex Archive\ampex_list_2005.txt Infected: Trojan-Spy.HTML.Bayfraud.hn 1

C:\Program Files\BitComet\Downloads\DVD and CD Authoring Tools\AOA DVD ripper 3.9.5 + crack.rar Infected: Trojan-Dropper.Win32.Delf.yb 1

C:\Program Files\BitComet\Downloads\DVD and CD Authoring Tools\dvdRIPPER TO xvid & DIVX Fairuse.Wizard.v2.4.rar Infected: not-a-virus:AdWare.Win32.Rabio.av 1

The selected area was scanned.


Hello again,

Before I go deleting, are you aware of these Ampex backups being infected? Are they of importance to you?


Hi,

I didn't notice that.

I have already backed them up to disc in the past (CD and/or DVD), but I want to disinfect them so I can re-archive them without the viruses/worms.

Please advise.


Hello again,

Let's do the following to see if it will clean your archives.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Step 1:

Download the eScan Antivirus Toolkit Here. Save it to the Desktop.

Before running the program we need to update the signature files first in Step 2.

Step 2:

Updating the eScan Antivirus Toolkit with the latest files:

1.) Double-click on the mwav.exe file saved to the Desktop; it will extract the program files to a new folder called Kaspersky at the root of the C:\drive. (C:\Kaspersky.)

2.) Double-click on My Computer, double-click on the Hard Drive (usually the C:\drive), find and double-click on the Kaspersky folder; inside the Kaspersky folder, find and double-click on the kavupd.exe file. Double-clicking on the kavupd.exe file opens the Windows command prompt (DOS screen) and updates the program with all the latest signature files.

3.) After the update is complete, the bottom of the command prompt will read "Press any key to continue", press any key to close the screen. Close eScan for now. You need to also close all Windows Explorer windows (or "My Computer" windows) to allow a refresh.

4.) *Important* : in order to complete the update process, you must now do the following:

- Using Windows Explorer (or "My Computer"), go to C:\Downloads and "Copy" all files present in that folder

- "Paste" the files in C:\Kaspersky

- Allow the overwriting of existing files, when prompted

- Close Windows Explorer

Please do not run a scan with the eScan Antivirus Toolkit utility yet.

Step 3:

Next, please reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Step 4:

From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:

1.) To run the eScan Antivirus Toolkit program, look for a file called mwavscan.com inside the C:\Kaspersky folder.

2.) Double-click on the mwavscan.com file; this will open the eScan program.

3.) With the eScan interface on your Desktop, make sure that these boxes under Scan Option are checked: Memory, Registry, Startup Folders, System Folders, Services.

4.) Check the Drive box, this will enable the All Local Drives radio button below it. Make sure it is activated.

5.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.

6.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. When the scan has finished it will read Scan Completed. Do not Exit the tool just yet.

7.) Open a new NotePad file (click on "Start" >> "All Programs" >>"Accessories" >> "NotePad"), then Copy/Paste the content of the Virus Log Information window into that file, and save it. eScan also creates a full log inside the C:\Kaspersky folder (named mwav.log), but it is huge and cannot be posted on a forum. Please post the content of the log you have saved (into NotePad) in your next reply, once all steps are completed.

Reboot your computer into normal Windows.


Hi,

File C:\Backup\January through April 2005 backup\Electronic Circuits\Ampex\Ampex archives111.txt infected by "Exploit.HTML.Iframe.FileDownload" Virus. Action Taken: File Renamed.

File C:\Backup\January through April 2005 backup\Electronic Circuits\Ampex\Ampex archives206.txt infected by "Exploit.HTML.Iframe.FileDownload" Virus. Action Taken: File Renamed.

File C:\Documents and Settings\Chris\.housecall\Quarantine\rlls.dll.bac_a02748 tagged as not-a-virus:AdWare.Win32.RK.e. No Action Taken.

File C:\Documents and Settings\Chris\.housecall6.6\Quarantine\firstload&co acount maker.exe.bac_a01352 infected by "Backdoor.Win32.Ciadoor.13.y" Virus. Action Taken: File Renamed.


Hello again,

Well, it didn't clean the files as I thought it would. Let's try a different scanner to make sure we aren't getting false positives.

Let's run an F-Secure online scan for Viruses, Spyware and RootKits:

  • Go to http://support.f-secure.com/enu/home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan

  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

Notes:

  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take several hours, so please be patient


Hi again,

Scanning Report

Tuesday, September 02, 2008 19:26:28 - 00:19:06

Computer name:

Scanning type: Scan system for malware, rootkits

Target: C:\

--------------------------------------------------------------------------------

Result: 10 malware found

TrackingCookie.2o7 (spyware)

System

TrackingCookie.Adrevolver (spyware)

System

TrackingCookie.Advertising (spyware)

System

TrackingCookie.Atdmt (spyware)

System

TrackingCookie.Doubleclick (spyware)

System

TrackingCookie.Mediaplex (spyware)

System

TrackingCookie.Specificclick (spyware)

System

TrackingCookie.Webtrends (spyware)

System

TrackingCookie.Yieldmanager (spyware)

System

W32/Malware (virus)

C:\PROGRAM FILES\SPYWAREBLASTER\SBAUTOUPDATE.EXE (Submitted)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 90782

System: 5710

Not scanned: 8

Actions:

Disinfected: 0

Renamed: 0

Deleted: 0

None: 10

Submitted: 1

Files not scanned:

C:\HIBERFIL.SYS

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3AD391678A806EC4D691E83AAA393B6F_50E417E0-E461-474B-96E2-077B80325612

--------------------------------------------------------------------------------

Options

Scanning engines:

F-Secure USS: 2.30.0

F-Secure Hydra: 2.8.8110, 2008-09-03

F-Secure AVP: 7.0.171, 2008-09-03

F-Secure Pegasus: 1.20.0, 2008-04-14

F-Secure Blacklight: 1.0.68

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use Advanced heuristics


Nice job, your log looks clean!

Please use the following suggestions to help prevent reinfection.

Also, you may delete any tools I had you download during the cleaning process.

System Restore maintains a backup of your programs and may also back up infections, so please reset it to make a clean Restore Point.

Please do this:

On the Desktop, right-click My Computer > click Properties > click the System Restore tab.

Check Turn off System Restore.

Click Apply > a window will pop up and ask if you really want to turn it off > click Yes.

Please wait a few moments to let it clear.

Now please remove the check from Turn off System Restore.

Click Apply, and then click OK.

System Restore will be working again and will have a new Restore Point.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again. As a note, all of the tools and utilities mentioned are either free or have free versions available.

Malwarebytes' Anti-Malware - A very powerful tool which searches and kills malware that infects your system.

**Tutorial on installing & using this product can be found HERE**

SpywareBlaster - Great prevention tool to keep malware from installing on your system.

**Tutorial on installing & using this product can be found HERE**

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

**Tutorial on installing & using this product can be found HERE**

ZonedOut - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Firewall - A firewall is very important, in order to protect your computer from hackers. I notice that you don't have one installed! Therefore I recommend Comodo, Online Armor, or Outpost.

**Tutorial on Firewalls can be found HERE**

It is important to run only one of each type of protection program in resident mode at a time since conflicts can make them less effective. This would mean only one resident antivirus, firewall and scanning type of anti-spyware. Programs like SpywareBlaster and IE-Spyads do not conflict with any of these since they don't have a real time scanning engine that would conflict.

Windows Updates - It is highly recommended to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

It is also highly recommended to stay on top of your updates at all times, for Windows and all the above mentioned applications. This will ensure that you stay protected at the maximum level possible.

Finally, I strongly recommend How did I get infected in the first place? (by Tony Klein)

Good luck and safe surfing :)


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
